
Merge pull request #1466 from gravitl/bugfix_v0.14.7_check_firewall

add checks for firewall
Alex Feiszli 3 years ago
parent
commit
0c7bef6e80
5 changed files with 39 additions and 5 deletions
  1. 6 0
      logic/gateway.go
  2. 3 1
      models/node.go
  3. 3 1
      netclient/functions/join.go
  4. 3 0
      netclient/main.go
  5. 24 3
      netclient/ncutils/netclientutils.go

+ 6 - 0
logic/gateway.go

@@ -21,6 +21,9 @@ func CreateEgressGateway(gateway models.EgressGatewayRequest) (models.Node, erro
 	if node.OS != "linux" && node.OS != "freebsd" { // add in darwin later
 		return models.Node{}, errors.New(node.OS + " is unsupported for egress gateways")
 	}
+	if node.OS == "linux" && node.FirewallInUse == models.FIREWALL_NONE {
+		return models.Node{}, errors.New("firewall is not supported for egress gateways")
+	}
 	if gateway.NatEnabled == "" {
 		gateway.NatEnabled = "yes"
 	}
@@ -163,6 +166,9 @@ func CreateIngressGateway(netid string, nodeid string) (models.Node, error) {
 	if node.OS != "linux" { // add in darwin later
 		return models.Node{}, errors.New(node.OS + " is unsupported for ingress gateways")
 	}
+	if node.OS == "linux" && node.FirewallInUse == models.FIREWALL_NONE {
+		return models.Node{}, errors.New("firewall is not supported for ingress gateways")
+	}
 
 	if err != nil {
 		return models.Node{}, err
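Review bot: The error returned on the added lines (`firewall is not supported for egress gateways`, and its ingress twin) states the opposite of what the condition detects: the node reported that it has no supported firewall, and that is why the gateway cannot be created. Suggest `errors.New("no supported firewall (iptables or nftables) found on node; required for egress gateways")` and the matching ingress text, since this string is what the operator sees in the API response. Both checks also reject only the explicit `FIREWALL_NONE` value, so a node enrolled by an older netclient that never populated `FirewallInUse` still carries the empty string and passes; that may be intended for upgrade compatibility but deserves a comment such as `// "" means the client predates firewall detection; only reject an explicit "none"`. In the ingress hunk the new check, like the OS check above it, runs before the `err != nil` test on the following line, so it reads fields of a node whose lookup may have failed; both enclosing functions continue outside the hunk.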

+ 3 - 1
models/node.go

@@ -32,6 +32,8 @@ const (
 	FIREWALL_IPTABLES = "iptables"
 	// FIREWALL_NFTABLES - indicates nftables is in use (Linux only)
 	FIREWALL_NFTABLES = "nftables"
+	// FIREWALL_NONE - indicates that no supported firewall in use
+	FIREWALL_NONE = "none"
 )
 
 var seededRand *rand.Rand = rand.New(
@@ -89,7 +91,7 @@ type Node struct {
 	Version         string      `json:"version" bson:"version" yaml:"version"`
 	Server          string      `json:"server" bson:"server" yaml:"server"`
 	TrafficKeys     TrafficKeys `json:"traffickeys" bson:"traffickeys" yaml:"traffickeys"`
-  FirewallInUse string      `json:"firewallinuse" bson:"firewallinuse" yaml:"firewallinuse"`
+	FirewallInUse   string      `json:"firewallinuse" bson:"firewallinuse" yaml:"firewallinuse"`
 	InternetGateway string      `json:"internetgateway" bson:"internetgateway" yaml:"internetgateway"`
 }
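Review bot: The doc comment on the new constant is missing its verb: `// FIREWALL_NONE - indicates that no supported firewall is in use (detection ran and found neither iptables nor nftables)`. Spelling out that this differs from the zero value matters here, because an empty `FirewallInUse` on an existing node record appears to mean detection never ran, not that a firewall is absent, and the two states are treated differently by the gateway checks elsewhere in this commit. A one-line note on the struct field, `// FirewallInUse - detected firewall on the node: FIREWALL_IPTABLES, FIREWALL_NFTABLES, FIREWALL_NONE, or "" if not yet detected`, would make that contract visible where the field is read.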
 

+ 3 - 1
netclient/functions/join.go

@@ -120,8 +120,10 @@ func JoinNetwork(cfg *config.ClientConfig, privateKey string) error {
 	if cfg.Node.FirewallInUse == "" {
 		if ncutils.IsNFTablesPresent() {
 			cfg.Node.FirewallInUse = models.FIREWALL_NFTABLES
-		} else {
+		} else if ncutils.IsIPTablesPresent() {
 			cfg.Node.FirewallInUse = models.FIREWALL_IPTABLES
+		} else {
+			cfg.Node.FirewallInUse = models.FIREWALL_NONE
 		}
 	}
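Review bot: The new `else if` / `else` chain makes the recorded value depend on the `PATH` of the netclient process, since both helpers now resolve the binary with `exec.LookPath`; a join run from a service unit or a minimal root environment without `/usr/sbin` in `PATH` would store `FIREWALL_NONE`, and the server would later refuse gateway creation for that node with no hint as to why. Consider logging the outcome at the end of the chain, e.g. `logger.Log(1, "detected firewall:", cfg.Node.FirewallInUse)` if the package logger is in scope here, so the stored value is visible in the client log. Note also that detection only runs when `FirewallInUse` is empty, so a value recorded once is never refreshed on re-join even if the host's firewall tooling changes; that is presumably intended but is worth a comment. The enclosing `JoinNetwork` continues outside the hunk.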
 

+ 3 - 0
netclient/main.go

@@ -35,6 +35,9 @@ func main() {
 	} else {
 		ncutils.CheckUID()
 		ncutils.CheckWG()
+		if ncutils.IsLinux() {
+			ncutils.CheckFirewall()
+		}
 	}
 
 	if len(os.Args) <= 1 && config.GuiActive {
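Review bot: The added `CheckFirewall()` call hard-exits every Linux invocation that reaches this `else` branch, which disagrees with the join path in the same commit that deliberately records `FIREWALL_NONE` for hosts with neither tool; on Linux that value can now only be stored if the earlier branch (outside the hunk) skips these checks, so one of the two appears dead. If a firewall-less Linux client is meant to be able to join and merely be refused gateway roles, this call should be dropped or limited to the commands that actually program rules; if it is not meant to join at all, the `FIREWALL_NONE` fallback is unreachable on Linux and only serves other OSes. Either way a comment stating the intent would help, e.g. `// Linux nodes must have iptables or nft locally; the server rejects gateway roles for nodes that report none`. `main` starts and ends outside the hunk.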

+ 24 - 3
netclient/ncutils/netclientutils.go

@@ -113,9 +113,23 @@ func GetWireGuard() string {
 // IsNFTablesPresent - returns true if nftables is present, false otherwise.
 // Does not consider OS, up to the caller to determine if the OS supports nftables/whether this check is valid.
 func IsNFTablesPresent() bool {
-	nftFound := FileExists("/usr/sbin/nft")
-	logger.Log(3, "nftables found:", strconv.FormatBool(nftFound))
-	return nftFound
+	found := false
+	_, err := exec.LookPath("nft")
+	if err == nil {
+		found = true
+	}
+	return found
+}
+
+// IsIPTablesPresent - returns true if iptables is present, false otherwise
+// Does not consider OS, up to the caller to determine if the OS supports iptables/whether this check is valid.
+func IsIPTablesPresent() bool {
+	found := false
+	_, err := exec.LookPath("iptables")
+	if err == nil {
+		found = true
+	}
+	return found
 }
 
 // IsKernel - checks if running kernel WireGuard
@@ -515,6 +529,13 @@ func CheckUID() {
 	}
 }
 
+// CheckFirewall - checks if iptables of nft install, if not exit
+func CheckFirewall() {
+	if !IsIPTablesPresent() && !IsNFTablesPresent() {
+		log.Fatal("neither iptables nor nft is installed - please install one or the other and try again")
+	}
+}
+
 // CheckWG - Checks if WireGuard is installed. If not, exit
 func CheckWG() {
 	uspace := GetWireGuard()
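Review bot: `IsNFTablesPresent` and `IsIPTablesPresent` are the same four-statement body with a different binary name, and both expand `err == nil` into a flag variable; a shared helper that returns `err == nil` directly keeps each to a line. The rewrite also drops the old absolute-path check (`/usr/sbin/nft`) and the `logger.Log` line, so if `strconv` has no other use in this file the hunk leaves an unused import and the build fails, and detection now depends entirely on the caller's `PATH`; falling back to the conventional `/usr/sbin` and `/sbin` locations when `LookPath` fails avoids a false "none" from a service unit with a minimal `PATH`. The `CheckFirewall` doc comment has a typo and should read `// CheckFirewall - exits the process if neither iptables nor nft can be found; callers are expected to gate this on Linux`. The rewritten helpers below keep the original log line so the `strconv` import stays referenced.
```go
// firewallToolPresent reports whether the named binary is resolvable from PATH
// or sits in one of the conventional sbin locations.
func firewallToolPresent(name string) bool {
	if _, err := exec.LookPath(name); err == nil {
		return true
	}
	return FileExists("/usr/sbin/"+name) || FileExists("/sbin/"+name)
}

// IsNFTablesPresent - returns true if nftables is present, false otherwise.
// Does not consider OS, up to the caller to determine if the OS supports nftables/whether this check is valid.
func IsNFTablesPresent() bool {
	found := firewallToolPresent("nft")
	logger.Log(3, "nftables found:", strconv.FormatBool(found))
	return found
}

// IsIPTablesPresent - returns true if iptables is present, false otherwise.
// Does not consider OS, up to the caller to determine if the OS supports iptables/whether this check is valid.
func IsIPTablesPresent() bool {
	return firewallToolPresent("iptables")
}
```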