
Change to expandable switch-based firewall detection.

cameronts 3 years ago
parent
commit
7c2fce3a55
4 changed files with 64 additions and 55 deletions
  1. 35 32
      logic/gateway.go
  2. 20 16
      models/node.go
  3. 4 4
      netclient/functions/join.go
  4. 5 3
      netclient/functions/mqpublish.go

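--- a/logic/gateway.go
+++ b/logic/gateway.go
@@ -33,8 +33,9 @@ func CreateEgressGateway(gateway models.EgressGatewayRequest) (models.Node, erro
 	postUpCmd := ""
 	postDownCmd := ""
 	if node.OS == "linux" {
-		// nftables only supported on Linux
-		if node.IsNFTablesPresent == "yes" {
+		switch node.FirewallInUse {
+		case models.FIREWALL_NFTABLES:
+			// nftables only supported on Linux
 			// assumes chains eg FORWARD and POSTROUTING already exist
 			logger.Log(3, "creating egress gateway using nftables")
 			postUpCmd = "nft add rule ip filter FORWARD iifname " + node.Interface + " counter accept ; "
@@ -46,7 +47,7 @@ func CreateEgressGateway(gateway models.EgressGatewayRequest) (models.Node, erro
 				postUpCmd += "nft add rule ip nat POSTROUTING oifname " + node.Interface + " counter masquerade ;"
 				postDownCmd += "nft delete rule ip nat POSTROUTING oifname " + node.Interface + " counter masquerade ;"
 			}
-		} else {
+		default: // iptables assumed
 			logger.Log(3, "creating egress gateway using iptables")
 			postUpCmd = "iptables -A FORWARD -i " + node.Interface + " -j ACCEPT; "
 			postUpCmd += "iptables -A FORWARD -o " + node.Interface + " -j ACCEPT"
@@ -136,8 +137,9 @@ func DeleteEgressGateway(network, nodeid string) (models.Node, error) {
 	if node.IsIngressGateway == "yes" { // check if node is still an ingress gateway before completely deleting postdown/up rules
 		// still have an ingress gateway so preserve it
 		if node.OS == "linux" {
-			// nftables only supported on Linux
-			if node.IsNFTablesPresent == "yes" {
+			switch node.FirewallInUse {
+			case models.FIREWALL_NFTABLES:
+				// nftables only supported on Linux
 				// assumes chains eg FORWARD and POSTROUTING already exist
 				logger.Log(3, "deleting egress gateway using nftables")
 				node.PostUp = "nft add rule ip filter FORWARD iifname " + node.Interface + " counter accept ; "
@@ -146,7 +148,7 @@ func DeleteEgressGateway(network, nodeid string) (models.Node, error) {
 				node.PostDown = "nft delete rule ip filter FORWARD iifname " + node.Interface + " counter accept ;"
 				node.PostDown += "nft delete rule ip filter FORWARD iifname " + node.Interface + " counter accept ;"
 				node.PostDown += "nft delete rule ip nat POSTROUTING oifname " + node.Interface + " counter masquerade "
-			} else {
+			default:
 				logger.Log(3, "deleting egress gateway using iptables")
 				node.PostUp = "iptables -A FORWARD -i " + node.Interface + " -j ACCEPT ; "
 				node.PostUp += "iptables -A FORWARD -o " + node.Interface + " -j ACCEPT ; "
@@ -192,7 +194,9 @@ func CreateIngressGateway(netid string, nodeid string) (models.Node, error) {
 	}
 	node.IsIngressGateway = "yes"
 	node.IngressGatewayRange = network.AddressRange
-	if node.IsNFTablesPresent == "yes" {
+	switch node.FirewallInUse {
+	case models.FIREWALL_NFTABLES:
+		// nftables only supported on Linux
 		// assumes chains eg FORWARD and POSTROUTING already exist
 		logger.Log(3, "creating ingress gateway using nftables")
 		postUpCmd = "nft add rule ip filter FORWARD iifname " + node.Interface + " counter accept ; "
@@ -201,7 +205,7 @@ func CreateIngressGateway(netid string, nodeid string) (models.Node, error) {
 		postDownCmd = "nft delete rule ip filter FORWARD iifname " + node.Interface + " counter accept ; "
 		postDownCmd += "nft delete rule ip filter FORWARD oifname " + node.Interface + " counter accept ; "
 		postDownCmd += "nft delete rule ip nat POSTROUTING oifname " + node.Interface + " counter masquerade"
-	} else {
+	default:
 		logger.Log(3, "creating ingress gateway using iptables")
 		postUpCmd = "iptables -A FORWARD -i " + node.Interface + " -j ACCEPT ; "
 		postUpCmd += "iptables -A FORWARD -o " + node.Interface + " -j ACCEPT ; "
@@ -262,33 +266,32 @@ func DeleteIngressGateway(networkName string, nodeid string) (models.Node, error
 
 	if node.IsEgressGateway == "yes" { // check if node is still an egress gateway before completely deleting postdown/up rules
 		// still have an egress gateway so preserve it
-		if node.OS == "linux" {
+		switch node.FirewallInUse {
+		case models.FIREWALL_NFTABLES:
 			// nftables only supported on Linux
-			if node.IsNFTablesPresent == "yes" {
-				// preserve egress gateway via the setup that createegressgateway used
-				// assumes chains eg FORWARD and POSTROUTING already exist
-				logger.Log(3, "deleting ingress gateway: nftables in use")
-				node.PostUp = "nft add rule ip filter FORWARD iifname " + node.Interface + " counter accept ; "
-				node.PostUp += "nft add rule ip filter FORWARD oifname " + node.Interface + " counter accept ; "
-				node.PostDown = "nft delete rule ip filter FORWARD iifname " + node.Interface + " counter accept ; "
-				node.PostDown += "nft delete rule ip filter FORWARD oifname " + node.Interface + " counter accept ; "
+			// preserve egress gateway via the setup that createegressgateway used
+			// assumes chains eg FORWARD and POSTROUTING already exist
+			logger.Log(3, "deleting ingress gateway: nftables in use")
+			node.PostUp = "nft add rule ip filter FORWARD iifname " + node.Interface + " counter accept ; "
+			node.PostUp += "nft add rule ip filter FORWARD oifname " + node.Interface + " counter accept ; "
+			node.PostDown = "nft delete rule ip filter FORWARD iifname " + node.Interface + " counter accept ; "
+			node.PostDown += "nft delete rule ip filter FORWARD oifname " + node.Interface + " counter accept ; "
 
-				if node.EgressGatewayNatEnabled == "yes" {
-					node.PostUp += "nft add rule ip nat POSTROUTING oifname " + node.Interface + " counter masquerade ;"
-					node.PostDown += "nft delete rule ip nat POSTROUTING oifname " + node.Interface + " counter masquerade ;"
-				}
-			} else {
-				// preserve egress gateway via the setup that createegressgateway used
-				logger.Log(3, "deleting ingress gateway: iptables in use")
-				node.PostUp = "iptables -A FORWARD -i " + node.Interface + " -j ACCEPT; "
-				node.PostUp += "iptables -A FORWARD -o " + node.Interface + " -j ACCEPT"
-				node.PostDown = "iptables -D FORWARD -i " + node.Interface + " -j ACCEPT; "
-				node.PostDown += "iptables -D FORWARD -o " + node.Interface + " -j ACCEPT"
+			if node.EgressGatewayNatEnabled == "yes" {
+				node.PostUp += "nft add rule ip nat POSTROUTING oifname " + node.Interface + " counter masquerade ;"
+				node.PostDown += "nft delete rule ip nat POSTROUTING oifname " + node.Interface + " counter masquerade ;"
+			}
+		default:
+			// preserve egress gateway via the setup that createegressgateway used
+			logger.Log(3, "deleting ingress gateway: iptables in use")
+			node.PostUp = "iptables -A FORWARD -i " + node.Interface + " -j ACCEPT; "
+			node.PostUp += "iptables -A FORWARD -o " + node.Interface + " -j ACCEPT"
+			node.PostDown = "iptables -D FORWARD -i " + node.Interface + " -j ACCEPT; "
+			node.PostDown += "iptables -D FORWARD -o " + node.Interface + " -j ACCEPT"
 
-				if node.EgressGatewayNatEnabled == "yes" {
-					node.PostUp += "; iptables -t nat -A POSTROUTING -o " + node.Interface + " -j MASQUERADE"
-					node.PostDown += "; iptables -t nat -D POSTROUTING -o " + node.Interface + " -j MASQUERADE"
-				}
+			if node.EgressGatewayNatEnabled == "yes" {
+				node.PostUp += "; iptables -t nat -A POSTROUTING -o " + node.Interface + " -j MASQUERADE"
+				node.PostDown += "; iptables -t nat -D POSTROUTING -o " + node.Interface + " -j MASQUERADE"
 			}
 		}
 		// preserve egress gateway via the setup that createegressgateway used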
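Review bot: In the DeleteIngressGateway hunk the `if node.OS == "linux" {` guard that used to enclose the firewall branch is gone, while CreateEgressGateway and DeleteEgressGateway in this same commit keep theirs, so a non-Linux node that is still an egress gateway now gets iptables rules written into PostUp/PostDown by the `default` case, and the retained comment `// nftables only supported on Linux` under `case models.FIREWALL_NFTABLES:` no longer corresponds to any check. Wrapping that switch in `if node.OS == "linux" {` … `}` again, or stating in a comment that non-Linux is intentionally routed to the iptables default, would restore consistency. The `default: // iptables assumed` cases also absorb an empty or unrecognised FirewallInUse silently (for example a node whose default setter has not run); an explicit `case models.FIREWALL_IPTABLES, "":` plus a logged default branch would make unexpected values visible. Separately, in the DeleteEgressGateway context lines the nftables PostDown appears to delete the `iifname` FORWARD rule twice and never the `oifname` one, which would leave an accept rule behind after removal — likely a copy-paste slip worth fixing in the same pass. The enclosing functions all start and end outside these hunks.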

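--- a/models/node.go
+++ b/models/node.go
@@ -28,6 +28,10 @@ const (
 	NODE_NOOP = "noop"
 	// NODE_FORCE_UPDATE - indicates a node should pull all changes
 	NODE_FORCE_UPDATE = "force"
+	// FIREWALL_IPTABLES - indicates that iptables is the firewall in use
+	FIREWALL_IPTABLES = "iptables"
+	// FIREWALL_NFTABLES - indicates nftables is in use (Linux only)
+	FIREWALL_NFTABLES = "nftables"
 )
 
 var seededRand *rand.Rand = rand.New(
@@ -71,20 +75,20 @@ type Node struct {
 	RelayAddrs              []string `json:"relayaddrs" bson:"relayaddrs" yaml:"relayaddrs"`
 	IngressGatewayRange     string   `json:"ingressgatewayrange" bson:"ingressgatewayrange" yaml:"ingressgatewayrange"`
 	// IsStatic - refers to if the Endpoint is set manually or dynamically
-	IsStatic          string      `json:"isstatic" bson:"isstatic" yaml:"isstatic" validate:"checkyesorno"`
-	UDPHolePunch      string      `json:"udpholepunch" bson:"udpholepunch" yaml:"udpholepunch" validate:"checkyesorno"`
-	DNSOn             string      `json:"dnson" bson:"dnson" yaml:"dnson" validate:"checkyesorno"`
-	IsServer          string      `json:"isserver" bson:"isserver" yaml:"isserver" validate:"checkyesorno"`
-	Action            string      `json:"action" bson:"action" yaml:"action"`
-	IsLocal           string      `json:"islocal" bson:"islocal" yaml:"islocal" validate:"checkyesorno"`
-	LocalRange        string      `json:"localrange" bson:"localrange" yaml:"localrange"`
-	IPForwarding      string      `json:"ipforwarding" bson:"ipforwarding" yaml:"ipforwarding" validate:"checkyesorno"`
-	OS                string      `json:"os" bson:"os" yaml:"os"`
-	MTU               int32       `json:"mtu" bson:"mtu" yaml:"mtu"`
-	Version           string      `json:"version" bson:"version" yaml:"version"`
-	Server            string      `json:"server" bson:"server" yaml:"server"`
-	TrafficKeys       TrafficKeys `json:"traffickeys" bson:"traffickeys" yaml:"traffickeys"`
-	IsNFTablesPresent string      `json:"isnftablespresent" bson:"isnftablespresent" yaml:"isnftablespresent"`
+	IsStatic      string      `json:"isstatic" bson:"isstatic" yaml:"isstatic" validate:"checkyesorno"`
+	UDPHolePunch  string      `json:"udpholepunch" bson:"udpholepunch" yaml:"udpholepunch" validate:"checkyesorno"`
+	DNSOn         string      `json:"dnson" bson:"dnson" yaml:"dnson" validate:"checkyesorno"`
+	IsServer      string      `json:"isserver" bson:"isserver" yaml:"isserver" validate:"checkyesorno"`
+	Action        string      `json:"action" bson:"action" yaml:"action"`
+	IsLocal       string      `json:"islocal" bson:"islocal" yaml:"islocal" validate:"checkyesorno"`
+	LocalRange    string      `json:"localrange" bson:"localrange" yaml:"localrange"`
+	IPForwarding  string      `json:"ipforwarding" bson:"ipforwarding" yaml:"ipforwarding" validate:"checkyesorno"`
+	OS            string      `json:"os" bson:"os" yaml:"os"`
+	MTU           int32       `json:"mtu" bson:"mtu" yaml:"mtu"`
+	Version       string      `json:"version" bson:"version" yaml:"version"`
+	Server        string      `json:"server" bson:"server" yaml:"server"`
+	TrafficKeys   TrafficKeys `json:"traffickeys" bson:"traffickeys" yaml:"traffickeys"`
+	FirewallInUse string      `json:"firewallinuse" bson:"firewallinuse" yaml:"firewallinuse"`
 }
 
 // NodesArray - used for node sorting
@@ -122,8 +126,8 @@ func (node *Node) SetDefaultMTU() {
 
 // Node.SetDefaultNFTablesPresent - sets default for nftables check
 func (node *Node) SetDefaultNFTablesPresent() {
-	if node.IsNFTablesPresent == "" {
-		node.IsNFTablesPresent = "no"
+	if node.FirewallInUse == "" {
+		node.FirewallInUse = FIREWALL_IPTABLES // default to iptables
 	}
 }
 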
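Review bot: `SetDefaultNFTablesPresent` and its doc comment `// Node.SetDefaultNFTablesPresent - sets default for nftables check` now describe a field that no longer exists; the body sets `FirewallInUse`. Renaming the method to something like `SetDefaultFirewallInUse` (with its callers) or, at minimum, changing the comment to `// Node.SetDefaultNFTablesPresent - sets FirewallInUse to FIREWALL_IPTABLES when unset` keeps the API honest. The new `FirewallInUse` field also carries no `validate` tag although its yes/no siblings do, and the value is reported by the client and then selects which firewall command template the server writes into PostUp/PostDown; a validation rule restricting it to `FIREWALL_IPTABLES`/`FIREWALL_NFTABLES` (analogous to the existing `checkyesorno` rule, if the validator accepts custom rules the same way) would reject unexpected values at the API boundary instead of letting them fall through to the iptables default.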

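--- a/netclient/functions/join.go
+++ b/netclient/functions/join.go
@@ -114,14 +114,14 @@ func JoinNetwork(cfg *config.ClientConfig, privateKey string) error {
 
 	if ncutils.IsFreeBSD() {
 		cfg.Node.UDPHolePunch = "no"
-		cfg.Node.IsNFTablesPresent = "no" // nftables not supported by FreeBSD
+		cfg.Node.FirewallInUse = models.FIREWALL_IPTABLES // nftables not supported by FreeBSD
 	}
 
-	if cfg.Node.IsNFTablesPresent == "" {
+	if cfg.Node.FirewallInUse == "" {
 		if ncutils.IsNFTablesPresent() {
-			cfg.Node.IsNFTablesPresent = "yes"
+			cfg.Node.FirewallInUse = models.FIREWALL_NFTABLES
 		} else {
-			cfg.Node.IsNFTablesPresent = "no"
+			cfg.Node.FirewallInUse = models.FIREWALL_IPTABLES
 		}
 	}
 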
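Review bot: The FreeBSD branch assigns `models.FIREWALL_IPTABLES` under the comment `// nftables not supported by FreeBSD`, but FreeBSD does not ship iptables either, so the stored value claims a firewall the node does not have rather than "none/unknown". That matters because the server-side gateway code emits iptables commands in its `default` case, and CreateIngressGateway (and DeleteIngressGateway as changed in this commit) do so without an OS check, so a FreeBSD gateway could receive iptables rules in PostUp/PostDown. Until a third value exists, the comment should say what is actually meant, e.g. `// FreeBSD has neither nftables nor iptables; iptables is only the server-side default placeholder`. The non-Linux branch of checkin() in netclient/functions/mqpublish.go has the same shape, where the author's own comment already flags it. JoinNetwork continues outside the hunk.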

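--- a/netclient/functions/mqpublish.go
+++ b/netclient/functions/mqpublish.go
@@ -5,6 +5,7 @@ import (
 	"encoding/json"
 	"errors"
 	"fmt"
+	"github.com/gravitl/netmaker/models"
 	"net"
 	"os"
 	"strconv"
@@ -46,12 +47,13 @@ func checkin() {
 		// check for nftables present if on Linux
 		if ncutils.IsLinux() {
 			if ncutils.IsNFTablesPresent() {
-				nodeCfg.Node.IsNFTablesPresent = "yes"
+				nodeCfg.Node.FirewallInUse = models.FIREWALL_NFTABLES
 			} else {
-				nodeCfg.Node.IsNFTablesPresent = "no"
+				nodeCfg.Node.FirewallInUse = models.FIREWALL_IPTABLES
 			}
 		} else {
-			nodeCfg.Node.IsNFTablesPresent = "no"
+			// defaults to iptables for now, may need another default for non-Linux OSes
+			nodeCfg.Node.FirewallInUse = models.FIREWALL_IPTABLES
 		}
 		if nodeCfg.Node.IsStatic != "yes" {
 			extIP, err := ncutils.GetPublicIP()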
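Review bot: The new import `"github.com/gravitl/netmaker/models"` is placed inside the standard-library group between `"fmt"` and `"net"`; goimports would put it in its own blank-line-separated group after the stdlib imports, and running `goimports` before committing avoids the reformatting churn a later contributor will otherwise produce. The enclosing `import (` block and the checkin() function both start and end outside their hunks.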