- main reason being it's a burden to always define sentinel errors at global scope, wrap them with `%w` instead of using a string directly - only use sentinel errors when it has to be checked using `errors.Is` - replace all usage of these sentinel errors in `fmt.Errorf` with direct strings that were in the sentinel error - exclude the sentinel error definition requirement from .golangci.yml - update unit tests to use ContainersError instead of ErrorIs so it stays as a "not a change detector test" without requiring a sentinel error
package iptables
import (
"context"
"errors"
"fmt"
"os/exec"
"strings"
)
// findIP6tablesSupported probes the candidate ip6tables binaries known to
// this package ("ip6tables" and "ip6tables-legacy") through
// checkIptablesSupport and returns the path of the one that works.
// When none is usable (the probe reports ErrNotSupported) the empty
// string is returned together with a nil error, so callers treat IPv6
// filtering as unavailable rather than as a failure; any other probe
// error is returned unchanged.
func findIP6tablesSupported(ctx context.Context, runner CmdRunner) (
	ip6tablesPath string, err error,
) {
	path, probeErr := checkIptablesSupport(ctx, runner, "ip6tables", "ip6tables-legacy")
	switch {
	case errors.Is(probeErr, ErrNotSupported):
		// Not an error for the caller: IPv6 rules will simply be skipped.
		return "", nil
	case probeErr != nil:
		return "", probeErr
	default:
		return path, nil
	}
}
// runIP6tablesInstructions runs each instruction in order through ip6tables,
// holding the iptables mutex for the whole batch so no other iptables command
// interleaves with it. The IPv6 rule set is saved before the batch; if any
// instruction fails, the saved rule set is restored and that instruction's
// error is returned. Instructions are the raw flag strings handed to the
// ip6tables binary (see runIP6tablesInstructionNoSave), so they must be built
// from trusted, validated values only, never from untrusted input.
func (c *Config) runIP6tablesInstructions(ctx context.Context, instructions []string) error {
	c.iptablesMutex.Lock() // only one iptables command at once
	defer c.iptablesMutex.Unlock()

	restore, err := c.saveAndRestoreIPv6(ctx)
	if err != nil {
		return err
	}

	if runErr := c.runIP6tablesInstructionsNoSave(ctx, instructions); runErr != nil {
		// Roll back to the saved rule set; the instruction error is what gets
		// reported, whatever restore itself does with its own outcome.
		restore(ctx)
		return runErr
	}
	return nil
}
// runIP6tablesInstructionsNoSave runs the instructions one by one, stopping
// at the first failure and returning its error. Unlike runIP6tablesInstructions
// it takes no lock and saves nothing: on failure the rules applied so far are
// left in place, so the caller is responsible for locking and rollback.
func (c *Config) runIP6tablesInstructionsNoSave(ctx context.Context, instructions []string) error {
	for i := range instructions {
		err := c.runIP6tablesInstructionNoSave(ctx, instructions[i])
		if err != nil {
			return err
		}
	}
	return nil
}
// runIP6tablesInstruction runs a single ip6tables instruction with the same
// guarantees as runIP6tablesInstructions: the iptables mutex is held, the
// IPv6 rule set is saved first and restored if the instruction fails, and
// the instruction's error is returned.
func (c *Config) runIP6tablesInstruction(ctx context.Context, instruction string) error {
	// A one-element batch goes through exactly the same lock / save / run /
	// restore sequence, so reuse the batch implementation instead of
	// duplicating it.
	return c.runIP6tablesInstructions(ctx, []string{instruction})
}
// runIP6tablesInstructionNoSave executes one instruction with the ip6tables
// binary, without locking or saving the rule set. It is a no-op returning nil
// when c.ip6Tables is empty (no usable ip6tables was found), which means no
// IPv6 rule is applied at all in that case. NOTE(review): callers must not
// take a nil result as proof that IPv6 traffic is filtered; confirm the rest
// of the firewall accounts for an absent ip6tables.
//
// Delete instructions (per isDeleteMatchInstruction) are handed to
// deleteIPTablesRule. Anything else is split on whitespace into arguments
// for the binary: no shell is involved, so an instruction cannot chain extra
// commands, but it does choose the arguments (and cannot carry an argument
// containing spaces), so instructions must only be built from trusted,
// validated values. A failing command yields an error carrying the binary
// path, the instruction, the command output and the wrapped runner error.
func (c *Config) runIP6tablesInstructionNoSave(ctx context.Context, instruction string) error {
	ip6tablesPath := c.ip6Tables
	if ip6tablesPath == "" {
		return nil
	}

	if isDeleteMatchInstruction(instruction) {
		return deleteIPTablesRule(ctx, ip6tablesPath, instruction, c.runner, c.logger)
	}

	args := strings.Fields(instruction)
	cmd := exec.CommandContext(ctx, ip6tablesPath, args...) // #nosec G204
	c.logger.Debug(cmd.String())
	output, err := c.runner.Run(cmd)
	if err == nil {
		return nil
	}
	return fmt.Errorf("command failed: \"%s %s\": %s: %w",
		ip6tablesPath, instruction, output, err)
}
// SetIPv6AllPolicies sets the default policy of the INPUT, OUTPUT and FORWARD
// chains via ip6tables to policy, which must be exactly "ACCEPT" or "DROP";
// any other value is rejected with an error before anything runs. That strict
// allowlist is what makes it safe to splice policy into the ip6tables
// arguments, so it must not be loosened. The three instructions run as one
// batch under the iptables lock and are rolled back together on failure.
func (c *Config) SetIPv6AllPolicies(ctx context.Context, policy string) error {
	if policy != "ACCEPT" && policy != "DROP" {
		return fmt.Errorf("policy is not valid: %s", policy)
	}

	chains := [3]string{"INPUT", "OUTPUT", "FORWARD"}
	instructions := make([]string, 0, len(chains))
	for _, chain := range chains {
		instructions = append(instructions, "--policy "+chain+" "+policy)
	}
	return c.runIP6tablesInstructions(ctx, instructions)
}