forked from tailscale/tailscale
/
iptables.go
70 lines (62 loc) · 1.97 KB
/
iptables.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
// Copyright (c) Tailscale Inc & AUTHORS
// SPDX-License-Identifier: BSD-3-Clause
// TODO(#8502): add support for more architectures
//go:build linux && (arm64 || amd64)
package linuxfw
import (
"fmt"
"os/exec"
"strings"
"unicode"
"tailscale.com/types/logger"
"tailscale.com/util/multierr"
)
// DebugNetfilter prints debug information about iptables rules to the
// provided log function.
func DebugIptables(logf logger.Logf) error {
// unused.
return nil
}
// detectIptables returns the number of iptables rules that are present in the
// system, ignoring the default "ACCEPT" rule present in the standard iptables
// chains.
//
// It only returns an error when there is no iptables binary, or when iptables -S
// fails. In all other cases, it returns the number of non-default rules.
func detectIptables() (int, error) {
// run "iptables -S" to get the list of rules using iptables
// exec.Command returns an error if the binary is not found
cmd := exec.Command("iptables", "-S")
output, err := cmd.Output()
ip6cmd := exec.Command("ip6tables", "-S")
ip6output, ip6err := ip6cmd.Output()
var allLines []string
outputStr := string(output)
lines := strings.Split(outputStr, "\n")
ip6outputStr := string(ip6output)
ip6lines := strings.Split(ip6outputStr, "\n")
switch {
case err == nil && ip6err == nil:
allLines = append(lines, ip6lines...)
case err == nil && ip6err != nil:
allLines = lines
case err != nil && ip6err == nil:
allLines = ip6lines
default:
return 0, FWModeNotSupportedError{
Mode: FirewallModeIPTables,
Err: fmt.Errorf("iptables command run fail: %w", multierr.New(err, ip6err)),
}
}
// count the number of non-default rules
count := 0
for _, line := range allLines {
trimmedLine := strings.TrimLeftFunc(line, unicode.IsSpace)
if line != "" && strings.HasPrefix(trimmedLine, "-A") {
// if the line is not empty and starts with "-A", it is a rule appended not default
count++
}
}
// return the count of non-default rules
return count, nil
}