Added Nftables compatibility to containerboot, create the ts-prerouti…

…ng chain & use nft to add rules
tailscale · Aug 11, 2023 · b852f9d · b852f9d
1 parent 10acc06
commit b852f9d
Show file tree

Hide file tree

Showing 3 changed files with 7 additions and 6 deletions.
diff --git a/Dockerfile.base b/Dockerfile.base
@@ -2,4 +2,4 @@
 # SPDX-License-Identifier: BSD-3-Clause
 
 FROM alpine:3.16
-RUN apk add --no-cache ca-certificates iptables iproute2 ip6tables iputils
+RUN apk add --no-cache ca-certificates iptables iproute2 ip6tables iputils nftables
diff --git a/cmd/containerboot/main.go b/cmd/containerboot/main.go
@@ -497,10 +497,7 @@ func installIPTablesRule(ctx context.Context, dstStr string, tsIPs []netip.Prefi
 	if err != nil {
 		return err
 	}
-	argv0 := "iptables"
-	if dst.Is6() {
-		argv0 = "ip6tables"
-	}
+
 	var local string
 	for _, pfx := range tsIPs {
 		if !pfx.IsSingleIP() {
@@ -518,7 +515,7 @@ func installIPTablesRule(ctx context.Context, dstStr string, tsIPs []netip.Prefi
 	// Technically, if the control server ever changes the IPs assigned to this
 	// node, we'll slowly accumulate iptables rules. This shouldn't happen, so
 	// for now we'll live with it.
-	cmd := exec.CommandContext(ctx, argv0, "-t", "nat", "-I", "PREROUTING", "1", "-d", local, "-j", "DNAT", "--to-destination", dstStr)
+	cmd := exec.CommandContext(ctx, "nft", "add", "rule", "ip", "ts-nat", "ts-prerouting", "ip", "daddr", local, "dnat", dstStr)
 	cmd.Stdout = os.Stdout
 	cmd.Stderr = os.Stderr
 	if err := cmd.Run(); err != nil {

diff --git a/util/linuxfw/nftables_runner.go b/util/linuxfw/nftables_runner.go
@@ -24,6 +24,7 @@ const (
 	chainNameForward     = "ts-forward"
 	chainNameInput       = "ts-input"
 	chainNamePostrouting = "ts-postrouting"
+	chainNamePrerouting  = "ts-prerouting"
 )
 
 type chainInfo struct {
@@ -411,6 +412,9 @@ func (n *nftablesRunner) AddChains() error {
 		if err = createChainIfNotExist(n.conn, chainInfo{nat, chainNamePostrouting, nftables.ChainTypeNAT, nftables.ChainHookPostrouting, nftables.ChainPriorityNATDest}); err != nil {
 			return fmt.Errorf("create postrouting chain: %w", err)
 		}
+		if err = createChainIfNotExist(n.conn, chainInfo{nat, chainNamePrerouting, nftables.ChainTypeNAT, nftables.ChainHookPrerouting, nftables.ChainPriorityNATDest}); err != nil {
+			return fmt.Errorf("create prerouting chain: %w", err)
+		}
 	}
 
 	return n.conn.Flush()