[client] Allow INPUT traffic on the compat iptables filter table for nftables (#4742)

2026-04-16 07:16:38 +00:00 · 2025-11-04 21:56:53 +01:00
parent 45c25dca84
commit 641eb5140b
6 changed files with 146 additions and 210 deletions
--- a/client/internal/engine.go
+++ b/client/internal/engine.go
@@ -298,17 +298,12 @@ func (e *Engine) Stop() error {
 		e.ingressGatewayMgr = nil
 	}

+	e.stopDNSForwarder()
+
 	if e.routeManager != nil {
 		e.routeManager.Stop(e.stateManager)
 	}

-	if e.dnsForwardMgr != nil {
-		if err := e.dnsForwardMgr.Stop(context.Background()); err != nil {
-			log.Errorf("failed to stop DNS forward: %v", err)
-		}
-		e.dnsForwardMgr = nil
-	}
-
 	if e.srWatcher != nil {
 		e.srWatcher.Close()
 	}
@@ -1873,7 +1868,6 @@ func (e *Engine) updateDNSForwarder(

 func (e *Engine) startDNSForwarder(fwdEntries []*dnsfwd.ForwarderEntry) {
 	e.dnsForwardMgr = dnsfwd.NewManager(e.firewall, e.statusRecorder, e.wgInterface)
-	e.registerDNSServices()

 	if err := e.dnsForwardMgr.Start(fwdEntries); err != nil {
 		log.Errorf("failed to start DNS forward: %v", err)
@@ -1893,34 +1887,9 @@ func (e *Engine) stopDNSForwarder() {
 		log.Errorf("failed to stop DNS forward: %v", err)
 	}

-	e.unregisterDNSServices()
 	e.dnsForwardMgr = nil
 }

-func (e *Engine) registerDNSServices() {
-	if netstackNet := e.wgInterface.GetNet(); netstackNet != nil {
-		if registrar, ok := e.firewall.(interface {
-			RegisterNetstackService(protocol nftypes.Protocol, port uint16)
-		}); ok {
-			registrar.RegisterNetstackService(nftypes.UDP, nbdns.ForwarderServerPort)
-			registrar.RegisterNetstackService(nftypes.TCP, nbdns.ForwarderServerPort)
-			log.Debugf("registered DNS forwarder service with netstack for UDP/TCP:%d", nbdns.ForwarderServerPort)
-		}
-	}
-}
-
-func (e *Engine) unregisterDNSServices() {
-	if netstackNet := e.wgInterface.GetNet(); netstackNet != nil {
-		if registrar, ok := e.firewall.(interface {
-			UnregisterNetstackService(protocol nftypes.Protocol, port uint16)
-		}); ok {
-			registrar.UnregisterNetstackService(nftypes.UDP, nbdns.ForwarderServerPort)
-			registrar.UnregisterNetstackService(nftypes.TCP, nbdns.ForwarderServerPort)
-			log.Debugf("unregistered DNS forwarder service with netstack for UDP/TCP:%d", nbdns.ForwarderServerPort)
-		}
-	}
-}
-
 func (e *Engine) GetNet() (*netstack.Net, error) {
 	e.syncMsgMux.Lock()
 	intf := e.wgInterface