check firewall type on gateway creation

2025-09-08 06:04:20 +08:00 · 2022-08-19 15:32:25 -04:00 · 2022-08-19 15:32:25 -04:00 · f536f0465c
commit f536f0465c
parent 157a8f02cd
4 changed files with 19 additions and 3 deletions
--- a/logic/gateway.go
+++ b/logic/gateway.go
@ -21,6 +21,9 @@ func CreateEgressGateway(gateway models.EgressGatewayRequest) (models.Node, erro
 	if node.OS != "linux" && node.OS != "freebsd" { // add in darwin later
 		return models.Node{}, errors.New(node.OS + " is unsupported for egress gateways")
 	}
+	if node.OS == "linux" && node.FirewallInUse == models.FIREWALL_NONE {
+		return models.Node{}, errors.New("firewall is not supported for egress gateways")
+	}
 	if gateway.NatEnabled == "" {
 		gateway.NatEnabled = "yes"
 	}
@ -163,6 +166,9 @@ func CreateIngressGateway(netid string, nodeid string) (models.Node, error) {
 	if node.OS != "linux" { // add in darwin later
 		return models.Node{}, errors.New(node.OS + " is unsupported for ingress gateways")
 	}
+	if node.OS == "linux" && node.FirewallInUse == models.FIREWALL_NONE {
+		return models.Node{}, errors.New("firewall is not supported for ingress gateways")
+	}

 	if err != nil {
 		return models.Node{}, err
--- a/models/node.go
+++ b/models/node.go
@ -32,6 +32,8 @@ const (
 	FIREWALL_IPTABLES = "iptables"
 	// FIREWALL_NFTABLES - indicates nftables is in use (Linux only)
 	FIREWALL_NFTABLES = "nftables"
+	// FIREWALL_NONE - indicates that no supported firewall in use
+	FIREWALL_NONE = "none"
 )

 var seededRand *rand.Rand = rand.New(
@ -89,7 +91,7 @@ type Node struct {
 	Version         string      `json:"version" bson:"version" yaml:"version"`
 	Server          string      `json:"server" bson:"server" yaml:"server"`
 	TrafficKeys     TrafficKeys `json:"traffickeys" bson:"traffickeys" yaml:"traffickeys"`
-  FirewallInUse string      `json:"firewallinuse" bson:"firewallinuse" yaml:"firewallinuse"`
+	FirewallInUse   string      `json:"firewallinuse" bson:"firewallinuse" yaml:"firewallinuse"`
 	InternetGateway string      `json:"internetgateway" bson:"internetgateway" yaml:"internetgateway"`
 }

--- a/netclient/functions/join.go
+++ b/netclient/functions/join.go
@ -120,8 +120,10 @@ func JoinNetwork(cfg *config.ClientConfig, privateKey string) error {
 	if cfg.Node.FirewallInUse == "" {
 		if ncutils.IsNFTablesPresent() {
 			cfg.Node.FirewallInUse = models.FIREWALL_NFTABLES
-		} else {
+		} else if ncutils.IsIPTablesPresent() {
 			cfg.Node.FirewallInUse = models.FIREWALL_IPTABLES
+		} else {
+			cfg.Node.FirewallInUse = models.FIREWALL_NONE
 		}
 	}

--- a/netclient/ncutils/netclientutils.go
+++ b/netclient/ncutils/netclientutils.go
@ -118,6 +118,12 @@ func IsNFTablesPresent() bool {
 	return nftFound
 }

+// IsIPTablesPresent - returns true if iptables is present, false otherwise
+// Does not consider OS, up to the caller to determine if the OS supports iptables/whether this check is valid.
+func IsIPTablesPresent() bool {
+	return FileExists("/usr/sbin/iptables")
+}
+
 // IsKernel - checks if running kernel WireGuard
 func IsKernel() bool {
 	//TODO
@ -527,7 +533,7 @@ func CheckFirewall() {
 		found = true
 	}
 	if !found {
-		log.Fatal("neither iptables nor nft is installed - please install one or the other and try again")
+		logger.Log(0, "neither iptables nor nft is installed - node cannot be used as a gateway")
 	}
 }