Merge pull request #1483 from gravitl/revert_v0.14.7_prefer_nft

Revert v0.14.7 prefer nft

logic/gateway.go

@@ -78,12 +78,12 @@ func CreateEgressGateway(gateway models.EgressGatewayRequest) (models.Node, erro
 	}
 	if node.PostUp != "" {
 		if !strings.Contains(node.PostUp, postUpCmd) {
-			postUpCmd = node.PostUp + "; " + postUpCmd
+			postUpCmd = node.PostUp + " ; " + postUpCmd
 		}
 	}
 	if node.PostDown != "" {
 		if !strings.Contains(node.PostDown, postDownCmd) {
-			postDownCmd = node.PostDown + "; " + postDownCmd
+			postDownCmd = node.PostDown + " ; " + postDownCmd
 		}
 	}
 
@@ -195,12 +195,12 @@ func CreateIngressGateway(netid string, nodeid string) (models.Node, error) {
 
 	if node.PostUp != "" {
 		if !strings.Contains(node.PostUp, postUpCmd) {
-			postUpCmd = node.PostUp + "; " + postUpCmd
+			postUpCmd = node.PostUp + " ; " + postUpCmd
 		}
 	}
 	if node.PostDown != "" {
 		if !strings.Contains(node.PostDown, postDownCmd) {
-			postDownCmd = node.PostDown + "; " + postDownCmd
+			postDownCmd = node.PostDown + " ; " + postDownCmd
 		}
 	}
 	node.SetLastModified()
@@ -296,8 +296,8 @@ func firewallNFTCommandsCreateIngress(networkInterface string) (string, string)
 	postUp += "nft add rule ip nat POSTROUTING oifname " + networkInterface + " counter masquerade"
 
 	// doesn't remove potentially empty tables or chains
-	postDown := "nft flush table filter; "
-	postDown += "nft flush table nat; "
+	postDown := "nft flush table filter ; "
+	postDown += "nft flush table nat ; "
 
 	return postUp, postDown
 }
@@ -310,14 +310,14 @@ func firewallNFTCommandsCreateEgress(networkInterface string, gatewayInterface s
 	postUp += "nft add rule ip filter FORWARD iifname " + networkInterface + " counter accept ; "
 	postUp += "nft add rule ip filter FORWARD oifname " + networkInterface + " counter accept ; "
 
-	postDown := "nft flush table filter; "
+	postDown := "nft flush table filter ; "
 
 	if egressNatEnabled == "yes" {
 		postUp += "nft add table nat ; "
 		postUp += "nft add chain nat POSTROUTING ; "
-		postUp += "nft add rule ip nat POSTROUTING oifname " + gatewayInterface + " counter masquerade ;"
+		postUp += "nft add rule ip nat POSTROUTING oifname " + gatewayInterface + " counter masquerade ; "
 
-		postDown += "nft flush table nat; "
+		postDown += "nft flush table nat ; "
 	}
 
 	return postUp, postDown
@@ -341,14 +341,14 @@ func firewallIPTablesCommandsCreateIngress(networkInterface string) (string, str
 // firewallIPTablesCommandsCreateEgress - used to centralize firewall command maintenance for creating an egress gateway using the iptables firewall.
 func firewallIPTablesCommandsCreateEgress(networkInterface string, gatewayInterface string, egressNatEnabled string) (string, string) {
 	// spacing around ; is important for later parsing of postup/postdown in wireguard/common.go
-	postUp := "iptables -A FORWARD -i " + networkInterface + " -j ACCEPT; "
+	postUp := "iptables -A FORWARD -i " + networkInterface + " -j ACCEPT ; "
 	postUp += "iptables -A FORWARD -o " + networkInterface + " -j ACCEPT"
-	postDown := "iptables -D FORWARD -i " + networkInterface + " -j ACCEPT; "
+	postDown := "iptables -D FORWARD -i " + networkInterface + " -j ACCEPT ; "
 	postDown += "iptables -D FORWARD -o " + networkInterface + " -j ACCEPT"
 
 	if egressNatEnabled == "yes" {
-		postUp += "; iptables -t nat -A POSTROUTING -o " + gatewayInterface + " -j MASQUERADE"
-		postDown += "; iptables -t nat -D POSTROUTING -o " + gatewayInterface + " -j MASQUERADE"
+		postUp += " ; iptables -t nat -A POSTROUTING -o " + gatewayInterface + " -j MASQUERADE"
+		postDown += " ; iptables -t nat -D POSTROUTING -o " + gatewayInterface + " -j MASQUERADE"
 	}
 
 	return postUp, postDown

netclient/functions/join.go

@@ -118,10 +118,10 @@ func JoinNetwork(cfg *config.ClientConfig, privateKey string) error {
 	}
 
 	if cfg.Node.FirewallInUse == "" {
-		if ncutils.IsIPTablesPresent() {
-			cfg.Node.FirewallInUse = models.FIREWALL_IPTABLES
-		} else if ncutils.IsNFTablesPresent() {
+		if ncutils.IsNFTablesPresent() {
 			cfg.Node.FirewallInUse = models.FIREWALL_NFTABLES
+		} else if ncutils.IsIPTablesPresent() {
+			cfg.Node.FirewallInUse = models.FIREWALL_IPTABLES
 		} else {
 			cfg.Node.FirewallInUse = models.FIREWALL_NONE
 		}

netclient/wireguard/common.go

@@ -474,7 +474,7 @@ func UpdateWgInterface(file, privateKey, nameserver string, node models.Node) er
 		}
 	}
 	if node.PostDown != "" {
-		parts := strings.Split(node.PostDown, ";")
+		parts := strings.Split(node.PostDown, " ; ")
 		for i, part := range parts {
 			if i == 0 {
 				wireguard.Section(section_interface).Key("PostDown").SetValue(part)