authorJames Tucker <james@tailscale.com>2023-08-18 11:42:41 -0700
committerJames Tucker <james@tailscale.com>2023-08-25 16:40:36 -0700
commit0206098dbbc387d9684181ebdd2fa59f1dff0a9c (patch)
tree8b32a2f2353156f9e4aec8c3ddad29f6604b79d4
parent94304819263b0553d7a93d2c061e8f824233456d (diff)
wgengine/router: create netfilter runner in setNetfilterModeraggi/netfilter-runtime
This will enable the runner to be replaced as a configuration side effect in a later change. Updates tailscale/corp#14029 Signed-off-by: James Tucker <james@tailscale.com>
-rw-r--r--wgengine/router/router_linux.go27
-rw-r--r--wgengine/router/router_linux_test.go3
2 files changed, 17 insertions, 13 deletions
diff --git a/wgengine/router/router_linux.go b/wgengine/router/router_linux.go
index 8a7273bd2..bd978d645 100644
--- a/wgengine/router/router_linux.go
+++ b/wgengine/router/router_linux.go
@@ -200,8 +200,8 @@ type linuxRouter struct {
// ipPolicyPrefBase is the base priority at which ip rules are installed.
ipPolicyPrefBase int
- nfr netfilterRunner
cmd commandRunner
+ nfr netfilterRunner
}
func newUserspaceRouter(logf logger.Logf, tunDev tun.Device, netMon *netmon.Monitor) (Router, error) {
@@ -210,26 +210,20 @@ func newUserspaceRouter(logf logger.Logf, tunDev tun.Device, netMon *netmon.Moni
return nil, err
}
- nfr, err := newNetfilterRunner(logf)
- if err != nil {
- return nil, err
- }
-
cmd := osCommandRunner{
ambientCapNetAdmin: useAmbientCaps(),
}
- return newUserspaceRouterAdvanced(logf, tunname, netMon, nfr, cmd)
+ return newUserspaceRouterAdvanced(logf, tunname, netMon, cmd)
}
-func newUserspaceRouterAdvanced(logf logger.Logf, tunname string, netMon *netmon.Monitor, nfr netfilterRunner, cmd commandRunner) (Router, error) {
+func newUserspaceRouterAdvanced(logf logger.Logf, tunname string, netMon *netmon.Monitor, cmd commandRunner) (Router, error) {
r := &linuxRouter{
logf: logf,
tunname: tunname,
netfilterMode: netfilterOff,
netMon: netMon,
- nfr: nfr,
cmd: cmd,
ipRuleFixLimiter: rate.NewLimiter(rate.Every(5*time.Second), 10),
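Review bot: newUserspaceRouterAdvanced now returns a linuxRouter whose nfr field is nil, and the error that newNetfilterRunner used to raise from newUserspaceRouter (the removed lines above) will instead surface from whichever call first reaches setNetfilterMode, presumably Up(); a caller that treated a successful constructor as proof that iptables/nftables is usable no longer gets that guarantee, and nothing in the hunk says so. I would state it on the constructor: `// newUserspaceRouterAdvanced does not create the netfilter runner; setNetfilterMode builds it lazily on first use, so netfilter setup errors are reported from Up rather than from here.` The struct literal and the rest of newUserspaceRouterAdvanced continue past the end of this hunk.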
@@ -434,12 +428,12 @@ func (r *linuxRouter) Up() error {
if r.unregNetMon == nil && r.netMon != nil {
r.unregNetMon = r.netMon.RegisterRuleDeleteCallback(r.onIPRuleDeleted)
}
- if err := r.addIPRules(); err != nil {
- return fmt.Errorf("adding IP rules: %w", err)
- }
if err := r.setNetfilterMode(netfilterOff); err != nil {
return fmt.Errorf("setting netfilter mode: %w", err)
}
+ if err := r.addIPRules(); err != nil {
+ return fmt.Errorf("adding IP rules: %w", err)
+ }
if err := r.upInterface(); err != nil {
return fmt.Errorf("bringing interface up: %w", err)
}
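Review bot: The swap of addIPRules and setNetfilterMode in Up is not explained in the hunk or the commit message, and because setNetfilterMode is now the only place r.nfr gets created, the new order presumably matters because addIPRules (or something it calls) reaches r.nfr; if that is the reason, a later reordering would reintroduce a nil dereference with no hint why. A one-line comment above the setNetfilterMode call would pin it: `// setNetfilterMode must run first: it lazily creates r.nfr, which the IP rule setup below is expected to rely on.` Up's body continues past the end of this hunk.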
@@ -526,6 +520,15 @@ func (r *linuxRouter) setNetfilterMode(mode preftype.NetfilterMode) error {
if distro.Get() == distro.Synology {
mode = netfilterOff
}
+
+ if r.nfr == nil {
+ var err error
+ r.nfr, err = newNetfilterRunner(r.logf)
+ if err != nil {
+ return err
+ }
+ }
+
if r.netfilterMode == mode {
return nil
}
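Review bot: The lazy creation of r.nfr is placed before the `r.netfilterMode == mode` early return, and it has to stay there: linuxRouter is constructed with netfilterMode set to netfilterOff (visible in the newUserspaceRouterAdvanced hunk) and Up calls setNetfilterMode(netfilterOff), so moving the construction below the no-op check would leave r.nfr nil after a successful Up. Nothing in the code records that constraint, so a future tidy-up that hoists the early return could silently break it; I would add `// Create the runner before the no-op check below: Up calls setNetfilterMode(netfilterOff) while the mode is already off, and later steps need r.nfr to be set.` A side effect worth noting is that even a no-op mode change now constructs a runner, which presumably probes the host for iptables/nftables; the field itself should also say `// nfr is nil until setNetfilterMode first runs; it is created lazily there.` so other methods do not assume it is set. The rest of setNetfilterMode lies outside this hunk.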
diff --git a/wgengine/router/router_linux_test.go b/wgengine/router/router_linux_test.go
index 761cdc44b..be98d3494 100644
--- a/wgengine/router/router_linux_test.go
+++ b/wgengine/router/router_linux_test.go
@@ -331,7 +331,8 @@ ip route add throw 192.168.0.0/24 table 52` + basic,
defer mon.Close()
fake := NewFakeOS(t)
- router, err := newUserspaceRouterAdvanced(t.Logf, "tailscale0", mon, fake.nfr, fake)
+ router, err := newUserspaceRouterAdvanced(t.Logf, "tailscale0", mon, fake)
+ router.(*linuxRouter).nfr = fake.nfr
if err != nil {
t.Fatalf("failed to create router: %v", err)
}
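Review bot: `router.(*linuxRouter).nfr = fake.nfr` runs before the `if err != nil` check on the next line, so if newUserspaceRouterAdvanced ever returns a nil Router with an error the type assertion on a nil interface panics and the t.Fatalf is never reached. Move the assignment to just after the closing `}` of the error check. Note also that setting the fake runner up front means this test never exercises the new lazy-creation path in setNetfilterMode, so that branch currently has no coverage here. The surrounding test function continues outside this hunk.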