detect iptables-nft

beaf9cdd · nanahira · e81a46ca · beaf9cdd · beaf9cdd · beaf9cdd
Commit beaf9cdd authored Jan 11, 2021 by nanahira
6 changed files
--- a/ansible/configure.yaml
+++ b/ansible/configure.yaml
@@ -16,6 +16,19 @@
        - scripts
        - services
        - ipsets
+    - name: check iptables Type
+      become: true
+      shell: iptables --version | grep nf_tables
+      register: iptables_type_result
+      failed_when: iptables_type_result.rc > 1
+    - name: use iptables-legacy
+      set_fact:
+        iptables_type: legacy
+      when: iptables_type_result.rc == 1
+    - name: use iptables-nft
+      set_fact:
+        iptables_type: nft
+      when: iptables_type_result.rc > 1
    - name: post scripts
      template:
        src: scripts/{{item}}.sh.j2

--- a/ansible/migrate-chnroute.yaml
+++ b/ansible/migrate-chnroute.yaml
@@ -7,6 +7,19 @@
      with_items:
        - global-vars
        - vars-{{inventory_hostname_short}}
+    - name: check iptables Type
+      become: true
+      shell: iptables --version | grep nf_tables
+      register: iptables_type_result
+      failed_when: iptables_type_result.rc > 1
+    - name: use iptables-legacy
+      set_fact:
+        iptables_type: legacy
+      when: iptables_type_result.rc == 1
+    - name: use iptables-nft
+      set_fact:
+        iptables_type: nft
+      when: iptables_type_result.rc > 1
    - name: post scripts
      template:
        src: scripts/{{item}}.sh.j2

--- a/ansible/scripts/postup.sh.j2
+++ b/ansible/scripts/postup.sh.j2
@@ -17,8 +17,8 @@ fi

 mss=$((mtu - 40))

-iptables -t mangle -A FORWARD -i "$dev" -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss $mss:1460 -j TCPMSS --set-mss $mss
-iptables -t mangle -A FORWARD -o "$dev" -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss $mss:1460 -j TCPMSS --set-mss $mss
+$IPTABLES_EXEC -t mangle -A FORWARD -i "$dev" -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss $mss:1460 -j TCPMSS --set-mss $mss
+$IPTABLES_EXEC -t mangle -A FORWARD -o "$dev" -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss $mss:1460 -j TCPMSS --set-mss $mss

 if [ "$inbound" == True ] ; then
  interface_origin -A "$dev" "$remoteNextMark"

--- a/ansible/scripts/predown.sh.j2
+++ b/ansible/scripts/predown.sh.j2
@@ -11,8 +11,8 @@ fi

 mss=$((mtu - 40))

-iptables -t mangle -D FORWARD -i "$dev" -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss $mss:1460 -j TCPMSS --set-mss $mss
-iptables -t mangle -D FORWARD -o "$dev" -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss $mss:1460 -j TCPMSS --set-mss $mss
+$IPTABLES_EXEC -t mangle -D FORWARD -i "$dev" -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss $mss:1460 -j TCPMSS --set-mss $mss
+$IPTABLES_EXEC -t mangle -D FORWARD -o "$dev" -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss $mss:1460 -j TCPMSS --set-mss $mss

 if [ "$inbound" == True ] ; then
  interface_origin -D "$dev" "$remoteNextMark"

--- a/ansible/scripts/utility.sh.j2
+++ b/ansible/scripts/utility.sh.j2
+IPTABLES_EXEC=ipables-{{iptables_type}}
+
 wait_lock() {
  if [[ ! -f /tmp/mycard_global_postup_done ]]; then
    {{ansible_user_dir}}/nextgen-network/scripts/global-postup.sh
@@ -11,15 +13,15 @@ wait_lock() {
 restore_mark_origin() {
  OPTION=$1
  MARK=$2
-  iptables -t mangle "$OPTION" NEXTGEN_ORIGIN -m connmark --mark "$MARK" -j CONNMARK --restore-mark
-  iptables -t mangle "$OPTION" OUTPUT -m connmark --mark "$MARK" -j CONNMARK --restore-mark
+  $IPTABLES_EXEC -t mangle "$OPTION" NEXTGEN_ORIGIN -m connmark --mark "$MARK" -j CONNMARK --restore-mark
+  $IPTABLES_EXEC -t mangle "$OPTION" OUTPUT -m connmark --mark "$MARK" -j CONNMARK --restore-mark
 }

 restore_mark_switch() {
  OPTION=$1
  MARK=$2
-  iptables -t mangle "$OPTION" NEXTGEN_SWITCH -m connmark --mark "$MARK" -j CONNMARK --restore-mark
-  iptables -t mangle "$OPTION" OUTPUT -m connmark --mark "$MARK" -j CONNMARK --restore-mark
+  $IPTABLES_EXEC -t mangle "$OPTION" NEXTGEN_SWITCH -m connmark --mark "$MARK" -j CONNMARK --restore-mark
+  $IPTABLES_EXEC -t mangle "$OPTION" OUTPUT -m connmark --mark "$MARK" -j CONNMARK --restore-mark
 }


@@ -27,7 +29,7 @@ interface_origin() {
  OPTION=$1
  INTERFACE=$2
  MARK=$3
-  iptables -t mangle "$OPTION" NEXTGEN_ORIGIN ! -p ospf -i "$INTERFACE" ! -d 224.0.0.0/3 -m set ! --match-set mycard src -j CONNMARK --set-xmark "$MARK"
+  $IPTABLES_EXEC -t mangle "$OPTION" NEXTGEN_ORIGIN ! -p ospf -i "$INTERFACE" ! -d 224.0.0.0/3 -m set ! --match-set mycard src -j CONNMARK --set-xmark "$MARK"
  restore_mark_origin "$OPTION" "$MARK"
 }

@@ -36,7 +38,7 @@ interface_switch() {
  IPSET=$2
  MARK=$3
  ipset create "$IPSET" hash:net maxelem 1000000 || true
-  iptables -t mangle "$OPTION" NEXTGEN_SWITCH -m mark --mark 0 -m set --match-set "$IPSET" src -m set ! --match-set mycard dst -j CONNMARK --set-xmark "$MARK"
+  $IPTABLES_EXEC -t mangle "$OPTION" NEXTGEN_SWITCH -m mark --mark 0 -m set --match-set "$IPSET" src -m set ! --match-set mycard dst -j CONNMARK --set-xmark "$MARK"
 }

 interface_switch_chnroute() {
@@ -44,5 +46,5 @@ interface_switch_chnroute() {
  IPSET=$2
  MARK=$3
  ipset create "$IPSET" hash:net maxelem 1000000 || true
-  iptables -t mangle "$OPTION" NEXTGEN_SWITCH -m mark --mark 0 -m set --match-set "$IPSET" src -m set --match-set chnrouter dst -j CONNMARK --set-xmark "$MARK"
+  $IPTABLES_EXEC -t mangle "$OPTION" NEXTGEN_SWITCH -m mark --mark 0 -m set --match-set "$IPSET" src -m set --match-set chnrouter dst -j CONNMARK --set-xmark "$MARK"
 }
--- a/src/inventory.ts
+++ b/src/inventory.ts
@@ -411,6 +411,9 @@ class InventoryBuilder {
        command: ['bash', '-c', startupCommand],
        cap_add: ['NET_ADMIN'],
        devices: ['/dev/net/tun:/dev/net/tun'],
+        environment: {
+          'FORCE_RELOAD': '2020.1.11'
+        },
        volumes: [
          `./client-scripts/${name}:/etc/vpnc:ro`,
          '$HOME/nextgen-network/scripts:$HOME/nextgen-network/scripts:ro'