package firewall
import (
"github.com/lxc/lxd/lxd/firewall/drivers"
)
// Names of the firewall driver backends this package can select between.
const (
	driverXtables  = "xtables"
	driverNftables = "nftables"
)
// New selects the firewall implementation for this host.
//
// The decision is driven by each driver's Compat() result, a (compatible, inUse) pair:
//   - nftables is used when it is compatible and already active on the host;
//   - xtables is used when nftables is not compatible, without checking xtables itself;
//   - otherwise xtables is kept only if it is compatible and already active, so that
//     firewall backends are not mixed on one system; nftables is the default beyond that.
func New() Firewall {
	nft := drivers.Nftables{}
	xt := drivers.Xtables{}

	nftOK, nftActive := nft.Compat()
	switch {
	case !nftOK:
		// nftables cannot be used: fall back to xtables without probing its own compatibility.
		// This preserves the long-standing behaviour of letting LXD start with a possibly
		// incomplete firewall backend, so that only the networks and instances that rely on
		// the missing features fail later rather than the whole daemon failing now.
		return xt
	case nftActive:
		// nftables is usable and already in use: prefer it regardless of the xtables state.
		return nft
	}

	// nftables is usable but not yet active. If xtables is usable and already active, stay
	// with it rather than mixing two firewall drivers on the same host.
	if xtOK, xtActive := xt.Compat(); xtOK && xtActive {
		return xt
	}

	// Nothing is in use yet (or xtables is unusable): nftables is the default.
	return nft
}