feat(network): enable ipv6 connection and tunneling (#1114)
Co-authored-by: Quentin McGaw <quentin.mcgaw@gmail.com>
This commit is contained in:
EkilDeew
@@ -10,6 +10,7 @@ import (
|
||||
"github.com/qdm12/gluetun/internal/netlink"
|
||||
"github.com/stretchr/testify/assert"
|
||||
"github.com/stretchr/testify/require"
|
||||
"golang.org/x/sys/unix"
|
||||
)
|
||||
|
||||
func Test_netlink_Wireguard_addAddresses(t *testing.T) {
|
||||
@@ -75,15 +76,17 @@ func Test_netlink_Wireguard_addRule(t *testing.T) {
|
||||
|
||||
rulePriority := 10000
|
||||
const firewallMark = 999
|
||||
const family = unix.AF_INET // ipv4
|
||||
|
||||
cleanup, err := wg.addRule(rulePriority, firewallMark)
|
||||
cleanup, err := wg.addRule(rulePriority,
|
||||
firewallMark, family)
|
||||
require.NoError(t, err)
|
||||
defer func() {
|
||||
err := cleanup()
|
||||
assert.NoError(t, err)
|
||||
}()
|
||||
|
||||
rules, err := netlinker.RuleList(netlink.FAMILY_ALL)
|
||||
rules, err := netlinker.RuleList(netlink.FAMILY_V4)
|
||||
require.NoError(t, err)
|
||||
var rule netlink.Rule
|
||||
var ruleFound bool
|
||||
@@ -108,7 +111,8 @@ func Test_netlink_Wireguard_addRule(t *testing.T) {
|
||||
assert.Equal(t, expectedRule, rule)
|
||||
|
||||
// Existing rule cannot be added
|
||||
nilCleanup, err := wg.addRule(rulePriority, firewallMark)
|
||||
nilCleanup, err := wg.addRule(rulePriority,
|
||||
firewallMark, family)
|
||||
if nilCleanup != nil {
|
||||
_ = nilCleanup() // in case it succeeds
|
||||
}
|
||||
|
||||
@@ -6,13 +6,14 @@ import (
|
||||
"github.com/qdm12/gluetun/internal/netlink"
|
||||
)
|
||||
|
||||
func (w *Wireguard) addRule(rulePriority, firewallMark int) (
|
||||
func (w *Wireguard) addRule(rulePriority, firewallMark, family int) (
|
||||
cleanup func() error, err error) {
|
||||
rule := netlink.NewRule()
|
||||
rule.Invert = true
|
||||
rule.Priority = rulePriority
|
||||
rule.Mark = firewallMark
|
||||
rule.Table = firewallMark
|
||||
rule.Family = family
|
||||
if err := w.netlink.RuleAdd(rule); err != nil {
|
||||
return nil, fmt.Errorf("cannot add rule %s: %w", rule, err)
|
||||
}
|
||||
|
||||
@@ -8,6 +8,7 @@ import (
|
||||
"github.com/qdm12/gluetun/internal/netlink"
|
||||
"github.com/stretchr/testify/assert"
|
||||
"github.com/stretchr/testify/require"
|
||||
"golang.org/x/sys/unix"
|
||||
)
|
||||
|
||||
func Test_Wireguard_addRule(t *testing.T) {
|
||||
@@ -15,6 +16,7 @@ func Test_Wireguard_addRule(t *testing.T) {
|
||||
|
||||
const rulePriority = 987
|
||||
const firewallMark = 456
|
||||
const family = unix.AF_INET
|
||||
|
||||
errDummy := errors.New("dummy")
|
||||
|
||||
@@ -36,6 +38,7 @@ func Test_Wireguard_addRule(t *testing.T) {
|
||||
Flow: -1,
|
||||
SuppressIfgroup: -1,
|
||||
SuppressPrefixlen: -1,
|
||||
Family: family,
|
||||
},
|
||||
},
|
||||
"rule add error": {
|
||||
@@ -49,6 +52,7 @@ func Test_Wireguard_addRule(t *testing.T) {
|
||||
Flow: -1,
|
||||
SuppressIfgroup: -1,
|
||||
SuppressPrefixlen: -1,
|
||||
Family: family,
|
||||
},
|
||||
ruleAddErr: errDummy,
|
||||
err: errors.New("cannot add rule ip rule 987: from all to all table 456: dummy"),
|
||||
@@ -64,6 +68,7 @@ func Test_Wireguard_addRule(t *testing.T) {
|
||||
Flow: -1,
|
||||
SuppressIfgroup: -1,
|
||||
SuppressPrefixlen: -1,
|
||||
Family: family,
|
||||
},
|
||||
ruleDelErr: errDummy,
|
||||
cleanupErr: errors.New("cannot delete rule ip rule 987: from all to all table 456: dummy"),
|
||||
@@ -83,7 +88,7 @@ func Test_Wireguard_addRule(t *testing.T) {
|
||||
|
||||
netLinker.EXPECT().RuleAdd(testCase.expectedRule).
|
||||
Return(testCase.ruleAddErr)
|
||||
cleanup, err := wg.addRule(rulePriority, firewallMark)
|
||||
cleanup, err := wg.addRule(rulePriority, firewallMark, family)
|
||||
if testCase.err != nil {
|
||||
require.Error(t, err)
|
||||
assert.Equal(t, testCase.err.Error(), err.Error())
|
||||
|
||||
@@ -8,6 +8,7 @@ import (
|
||||
"strings"
|
||||
|
||||
"github.com/qdm12/gluetun/internal/netlink"
|
||||
"golang.org/x/sys/unix"
|
||||
"golang.zx2c4.com/wireguard/conn"
|
||||
"golang.zx2c4.com/wireguard/device"
|
||||
"golang.zx2c4.com/wireguard/ipc"
|
||||
@@ -29,7 +30,6 @@ var (
|
||||
ErrDeviceInfo = errors.New("cannot get wireguard device information")
|
||||
ErrIfaceUp = errors.New("cannot set the interface to UP")
|
||||
ErrRouteAdd = errors.New("cannot add route for interface")
|
||||
ErrRuleAdd = errors.New("cannot add rule for interface")
|
||||
ErrDeviceWaited = errors.New("device waited for")
|
||||
)
|
||||
|
||||
@@ -96,34 +96,52 @@ func (w *Wireguard) Run(ctx context.Context, waitError chan<- error, ready chan<
|
||||
|
||||
if *w.settings.IPv6 {
|
||||
// requires net.ipv6.conf.all.disable_ipv6=0
|
||||
err = w.addRoute(link, allIPv6(), w.settings.FirewallMark)
|
||||
err = w.setupIPv6(link, &closers)
|
||||
if err != nil {
|
||||
if strings.Contains(err.Error(), "permission denied") {
|
||||
w.logger.Errorf("cannot add route for IPv6 due to a permission denial. "+
|
||||
"Ignoring and continuing execution; "+
|
||||
"Please report to https://github.com/qdm12/gluetun/issues/998 if you find a fix. "+
|
||||
"Full error string: %s", err)
|
||||
} else {
|
||||
waitError <- fmt.Errorf("%w: %s", ErrRouteAdd, err)
|
||||
return
|
||||
}
|
||||
waitError <- fmt.Errorf("setting up IPv6: %w", err)
|
||||
return
|
||||
}
|
||||
}
|
||||
|
||||
ruleCleanup, err := w.addRule(
|
||||
w.settings.RulePriority, w.settings.FirewallMark)
|
||||
ruleCleanup, err := w.addRule(w.settings.RulePriority,
|
||||
w.settings.FirewallMark, unix.AF_INET)
|
||||
if err != nil {
|
||||
waitError <- fmt.Errorf("%w: %s", ErrRuleAdd, err)
|
||||
waitError <- fmt.Errorf("adding IPv4 rule: %w", err)
|
||||
return
|
||||
}
|
||||
closers.add("removing rule", stepOne, ruleCleanup)
|
||||
|
||||
closers.add("removing IPv4 rule", stepOne, ruleCleanup)
|
||||
w.logger.Info("Wireguard is up")
|
||||
ready <- struct{}{}
|
||||
|
||||
waitError <- waitAndCleanup()
|
||||
}
|
||||
|
||||
func (w *Wireguard) setupIPv6(link netlink.Link, closers *closers) (err error) {
|
||||
// requires net.ipv6.conf.all.disable_ipv6=0
|
||||
err = w.addRoute(link, allIPv6(), w.settings.FirewallMark)
|
||||
if err != nil {
|
||||
if strings.Contains(err.Error(), "permission denied") {
|
||||
w.logger.Errorf("cannot add route for IPv6 due to a permission denial. "+
|
||||
"Ignoring and continuing execution; "+
|
||||
"Please report to https://github.com/qdm12/gluetun/issues/998 if you find a fix. "+
|
||||
"Full error string: %s", err)
|
||||
return nil
|
||||
}
|
||||
return fmt.Errorf("%w: %s", ErrRouteAdd, err)
|
||||
}
|
||||
|
||||
ruleCleanup6, ruleErr := w.addRule(
|
||||
w.settings.RulePriority, w.settings.FirewallMark,
|
||||
unix.AF_INET6)
|
||||
if ruleErr != nil {
|
||||
return fmt.Errorf("adding IPv6 rule: %w", err)
|
||||
}
|
||||
|
||||
closers.add("removing IPv6 rule", stepOne, ruleCleanup6)
|
||||
return nil
|
||||
}
|
||||
|
||||
type waitAndCleanupFunc func() error
|
||||
|
||||
func setupKernelSpace(ctx context.Context,
|
||||
|
||||
Reference in New Issue
Block a user