darwin nat implementation #298
nat/service_pfctl.go
Outdated
} | ||
|
||
func (service *servicePFCtl) disableRules() { | ||
arguments := fmt.Sprintf("/sbin/pfctl -a nat-anchor:myst -F nat") |
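Review bot: the `fmt.Sprintf` on the `arguments :=` line has a constant format string and no operands, so it evaluates to exactly the literal `"/sbin/pfctl -a nat-anchor:myst -F nat"`; assign the literal directly (staticcheck flags this pattern as an unnecessary Sprintf). Scoping the flush to the `nat-anchor:myst` anchor is the right choice here, since it only removes rules this service installed.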
No arguments, do you really need to format it?
nat/service_pfctl.go
Outdated
return err | ||
} | ||
natRule := fmt.Sprintf("nat on %v inet from %v to any -> %v", iface, rule.SourceAddress, rule.TargetIP) | ||
arguments := fmt.Sprintf("echo \"%v\" | /sbin/pfctl -vEf -", natRule) |
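Review bot: `natRule` is interpolated from `iface`, `rule.SourceAddress` and `rule.TargetIP` and then embedded inside a shell pipeline (`echo "%v" | /sbin/pfctl -vEf -`), so any shell metacharacter in those values (a `"`, `$`, backtick or `;`) is parsed by the shell rather than passed through as rule text. Validate the inputs before building the rule (`net.ParseIP` or `net.ParseCIDR` for the addresses, `net.InterfaceByName` for `iface`) and skip the shell entirely: `exec.Command("/sbin/pfctl", "-vEf", "-")` with `cmd.Stdin = strings.NewReader(natRule)` feeds the rule on stdin, which removes both the `echo` and the quoting question raised below.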
Use quote ` to avoid \" escaping
Could be just /sbin/pfctl -vE -f %s?
No, it's input from stdin (-)
nat/service_pfctl.go
Outdated
} | ||
|
||
func (service *servicePFCtl) disableRules() { | ||
arguments := fmt.Sprintf("/sbin/pfctl -F nat") |
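Review bot: `/sbin/pfctl -F nat` with no `-a` flushes the NAT rules of the main ruleset, not only the ones this service loaded, so disabling the service also removes any NAT rules the host administrator had in place. Keep the flush scoped to the service's own anchor (`-a nat-anchor:myst -F nat`, as the earlier revision of this line did) so teardown only undoes what `enableRules` did; and, as with the other constant command string, drop the `fmt.Sprintf` wrapper.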
Sprintf is redundant, because there aren't variables
nat/service_pfctl.go
Outdated
cmd := exec.Command( | ||
"sh", | ||
"-c", | ||
arguments, |
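Review bot: `exec.Command("sh", "-c", arguments)` hands one assembled string to the shell for re-parsing, which is exactly where the missing quoting shows up: every value substituted into `arguments` is interpreted as shell syntax, not as an argument. Invoke the binary directly with a discrete argument slice (`exec.Command("/sbin/pfctl", "-vEf", "-")`) and supply the rule text through `cmd.Stdin`; with no shell in the path there is nothing left to quote, and the `echo` pipeline becomes unnecessary.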
Looks like sub-command quoting is missing, isn't it?
nat/service_pfctl.go
Outdated
} | ||
} | ||
} | ||
return "undefined", nil |
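Review bot: `return "undefined", nil` reports success with a sentinel string, so any caller that does not compare the result against `"undefined"` will treat it as a real value and carry on with it. Return an error instead (for example `return "", errors.New("...")` describing what could not be determined) so the failure surfaces at the call site rather than later in a command line built from the sentinel.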
Isn't it an error?
nat/service_pfctl.go
Outdated
return | ||
} | ||
|
||
cmd := utils.SplitCommand("/usr/sbin/sysctl", "-w net.inet.ip.forwarding=0") |
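Review bot: writing `net.inet.ip.forwarding=0` on teardown resets a host-wide sysctl regardless of what it was before the service started, so if forwarding had already been enabled for another reason the service switches it off on exit. Read and keep the previous value when enabling and restore that value here instead of hard-coding `0`; a small helper that takes the value as a parameter would also answer the duplication point raised above, since only the argument differs between the enable and disable paths.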
Looks like duplicated code, could be DRY'ied
It's not, different command path and different arguments.
nat/service_pfctl.go
Outdated
if output, err := cmd.CombinedOutput(); err != nil { | ||
if !strings.Contains(string(output), natRule) { | ||
log.Warn("Failed to create pfctl rule: ", cmd.Args, " Returned exit error: ", err.Error(), " Cmd output: ", string(output)) | ||
log.Flush() |
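Review bot: when `CombinedOutput` returns a non-nil `err`, the code treats the run as successful if `natRule` appears in the output, but `pfctl -v` echoes the rules as it parses them, so the rule text can be present in the output of a run that still failed, and that failure is then silently swallowed. Treat a non-nil `err` as a failure and return it to the caller rather than only logging a warning, so the caller does not continue without NAT in place; `log.Flush()` can go as noted. If the `-v` echo is the only reason for the `strings.Contains` check, drop `-v` and rely on the exit status.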
What is so special about your logs, that you flush it?
There is no need to flush logs on every step. Flushing is done in the main package just before the program exits
Signed-off-by: Waldz <valdas@mysterium.network>
LGTM
Client still has to be on a different machine.
This is due to a 10.8.0.0/24 subnet clash. That is, the server wants to tunnel it through utun1, but the client would need to tunnel it through utun2, and cannot do so since the route already exists.