give up on kernel modules checks
@@ -17,7 +17,6 @@ type Config struct {
|
|||||||
// Fixed state
|
// Fixed state
|
||||||
ipTables string
|
ipTables string
|
||||||
ip6Tables string
|
ip6Tables string
|
||||||
modules kernelModules
|
|
||||||
}
|
}
|
||||||
|
|
||||||
func New(ctx context.Context, runner CmdRunner, logger Logger) (*Config, error) {
|
func New(ctx context.Context, runner CmdRunner, logger Logger) (*Config, error) {
|
||||||
@@ -36,6 +35,5 @@ func New(ctx context.Context, runner CmdRunner, logger Logger) (*Config, error)
|
|||||||
logger: logger,
|
logger: logger,
|
||||||
ipTables: iptables,
|
ipTables: iptables,
|
||||||
ip6Tables: ip6tables,
|
ip6Tables: ip6tables,
|
||||||
modules: newKernelModules(),
|
|
||||||
}, nil
|
}, nil
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -141,22 +141,18 @@ func (c *Config) AcceptOutputThroughInterface(ctx context.Context, intf string,
|
|||||||
}
|
}
|
||||||
|
|
||||||
func (c *Config) AcceptEstablishedRelatedTraffic(ctx context.Context) error {
|
func (c *Config) AcceptEstablishedRelatedTraffic(ctx context.Context) error {
|
||||||
err := c.runMixedIptablesInstructions(ctx, []string{
|
return c.runMixedIptablesInstructions(ctx, []string{
|
||||||
"--append OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
|
"--append OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
|
||||||
"--append INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
|
"--append INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
|
||||||
})
|
})
|
||||||
if err != nil && !c.modules.nfConntrack.ok {
|
|
||||||
return fmt.Errorf("%w: %s", ErrKernelModuleMissing, c.modules.nfConntrack.name)
|
|
||||||
}
|
|
||||||
return err
|
|
||||||
}
|
}
|
||||||
|
|
||||||
// AcceptOutputPublicOnlyNewTraffic adds rules to mark new output connections, and to accept
|
// AcceptOutputPublicOnlyNewTraffic adds rules to mark new output connections, and to accept
|
||||||
// established or related packets with this mark only. This effectively forces
|
// established or related packets with this mark only. This effectively forces
|
||||||
// previously established or related traffic to be blocked.
|
// previously established or related traffic to be blocked.
|
||||||
// If remove is true, the rules are removed instead of appended.
|
// If remove is true, the rules are removed instead of appended.
|
||||||
// If the relevant kernel modules (nf_conntrack, xt_conntrack and xt_connmark)
|
// If the relevant kernel modules are not available, it returns an error indicating
|
||||||
// are not available, it returns an error indicating which kernel module is missing.
|
// which kernel module is missing.
|
||||||
func (c *Config) AcceptOutputPublicOnlyNewTraffic(ctx context.Context) error {
|
func (c *Config) AcceptOutputPublicOnlyNewTraffic(ctx context.Context) error {
|
||||||
ipv4Instructions, ipv6Instructions := makeCreatePublicIPChainInstructions()
|
ipv4Instructions, ipv6Instructions := makeCreatePublicIPChainInstructions()
|
||||||
appendToBoth := func(instruction string) {
|
appendToBoth := func(instruction string) {
|
||||||
@@ -184,23 +180,14 @@ func (c *Config) AcceptOutputPublicOnlyNewTraffic(ctx context.Context) error {
|
|||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
|
||||||
kernelErr := checkKernelModulesAreOK(c.modules.nfConntrack,
|
|
||||||
c.modules.xtConntrack, c.modules.xtConnmark, c.modules.xtCONNMARK)
|
|
||||||
|
|
||||||
err = c.runIptablesInstructionsNoSave(ctx, ipv4Instructions)
|
err = c.runIptablesInstructionsNoSave(ctx, ipv4Instructions)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
restore(ctx)
|
restore(ctx)
|
||||||
if strings.Contains(err.Error(), "support") && kernelErr != nil {
|
|
||||||
err = fmt.Errorf("%w: %w", err, kernelErr)
|
|
||||||
}
|
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
err = c.runIP6tablesInstructionsNoSave(ctx, ipv6Instructions)
|
err = c.runIP6tablesInstructionsNoSave(ctx, ipv6Instructions)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
restore(ctx)
|
restore(ctx)
|
||||||
if strings.Contains(err.Error(), "support") && kernelErr != nil {
|
|
||||||
err = fmt.Errorf("%w: %w", err, kernelErr)
|
|
||||||
}
|
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -242,22 +229,18 @@ func (c *Config) targetOutputPublicTraffic(ctx context.Context, target string, r
|
|||||||
}
|
}
|
||||||
appendToBoth("-I OUTPUT -j PUBLIC_ONLY")
|
appendToBoth("-I OUTPUT -j PUBLIC_ONLY")
|
||||||
|
|
||||||
kernelErr := checkKernelModulesAreOK(c.modules.nfConntrack,
|
|
||||||
c.modules.nfRejectIPv4, c.modules.xtReject)
|
|
||||||
|
|
||||||
err := c.runIptablesInstructions(ctx, ipv4Instructions)
|
err := c.runIptablesInstructions(ctx, ipv4Instructions)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
if strings.Contains(err.Error(), "support") && kernelErr != nil {
|
if strings.Contains(err.Error(), " support") {
|
||||||
err = fmt.Errorf("%w: %w", err, kernelErr)
|
return fmt.Errorf("%w: %w", ErrKernelModuleMissing, err)
|
||||||
}
|
}
|
||||||
return err
|
|
||||||
}
|
}
|
||||||
|
|
||||||
err = c.runIP6tablesInstructions(ctx, ipv6Instructions)
|
err = c.runIP6tablesInstructions(ctx, ipv6Instructions)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
_ = c.runIptablesInstructions(ctx, removeInstructions)
|
_ = c.runIptablesInstructions(ctx, removeInstructions)
|
||||||
if strings.Contains(err.Error(), "support") && kernelErr != nil {
|
if strings.Contains(err.Error(), " support") {
|
||||||
err = fmt.Errorf("%w: %w", err, kernelErr)
|
return fmt.Errorf("%w: %w", ErrKernelModuleMissing, err)
|
||||||
}
|
}
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
|||||||
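Review bot: In the targetOutputPublicTraffic hunk (@@ -242,22 +229,18 @@) the unconditional `return err` that followed the first `if strings.Contains(err.Error(), " support")` block is gone on the new side, so an IPv4 iptables failure whose text lacks " support" is discarded and execution continues into `c.runIP6tablesInstructions`; if that step succeeds, the caller is presumably told the `-I OUTPUT -j PUBLIC_ONLY` rules are in place when the IPv4 ones were never applied (the tail of the function is outside the hunk, so the nil return is inferred). Restore `return err` after the inner if, mirroring the IPv6 branch a few lines below. The substring test on `err.Error()` is a heuristic that will also label unrelated errors containing " support" as `ErrKernelModuleMissing`, which deserves a comment on that line such as `// heuristic: iptables error text mentioning " support" is treated as a missing kernel module`. The doc comment on AcceptOutputPublicOnlyNewTraffic in the @@ -141 hunk still says the function returns an error "indicating which kernel module is missing", but its new body (@@ -184 hunk) now returns the raw iptables error unchanged; either drop that sentence or apply the same classification there.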
@@ -1,53 +0,0 @@
|
|||||||
package iptables
|
|
||||||
|
|
||||||
import (
|
|
||||||
"fmt"
|
|
||||||
"strings"
|
|
||||||
|
|
||||||
"github.com/qdm12/gluetun/internal/mod"
|
|
||||||
)
|
|
||||||
|
|
||||||
type kernelModules struct {
|
|
||||||
nfConntrack kernelModule
|
|
||||||
nfRejectIPv4 kernelModule
|
|
||||||
xtConnmark kernelModule
|
|
||||||
xtCONNMARK kernelModule
|
|
||||||
xtConntrack kernelModule
|
|
||||||
xtReject kernelModule
|
|
||||||
}
|
|
||||||
|
|
||||||
type kernelModule struct {
|
|
||||||
name string
|
|
||||||
ok bool
|
|
||||||
}
|
|
||||||
|
|
||||||
func newKernelModules() kernelModules {
|
|
||||||
var m kernelModules
|
|
||||||
nameToFieldPtr := map[string]*kernelModule{
|
|
||||||
"nf_conntrack_netlink": &m.nfConntrack,
|
|
||||||
"nf_reject_ipv4": &m.nfRejectIPv4,
|
|
||||||
"xt_connmark": &m.xtConnmark,
|
|
||||||
"xt_CONNMARK": &m.xtCONNMARK,
|
|
||||||
"xt_conntrack": &m.xtConntrack,
|
|
||||||
"xt_REJECT": &m.xtReject,
|
|
||||||
}
|
|
||||||
for name, fieldPtr := range nameToFieldPtr {
|
|
||||||
fieldPtr.name = name
|
|
||||||
err := mod.Probe(name)
|
|
||||||
fieldPtr.ok = err == nil
|
|
||||||
}
|
|
||||||
return m
|
|
||||||
}
|
|
||||||
|
|
||||||
func checkKernelModulesAreOK(modules ...kernelModule) error {
|
|
||||||
missing := make([]string, 0, len(modules))
|
|
||||||
for _, module := range modules {
|
|
||||||
if !module.ok {
|
|
||||||
missing = append(missing, module.name)
|
|
||||||
}
|
|
||||||
}
|
|
||||||
if len(missing) > 0 {
|
|
||||||
return fmt.Errorf("%w: %s", ErrKernelModuleMissing, strings.Join(missing, ", "))
|
|
||||||
}
|
|
||||||
return nil
|
|
||||||
}
|
|
||||||