althea-net · jkilpatr · Jul 22, 2023 · Jul 13, 2023
diff --git a/althea_kernel_interface/src/counter.rs b/althea_kernel_interface/src/counter.rs
@@ -133,7 +133,10 @@ add zxcv 1234:5678:9801:2345:6789:0123:4567:8902,wg0 packets 123456789 bytes 987
 
 impl dyn KernelInterface {
     pub fn init_counter(&self, target: &FilterTarget) -> Result<(), Error> {
-        if self.get_kernel_is_v4()? {
+        if self.does_nftables_exist() {
+            info!("Trying to init a counter!");
+            self.nft_init_counters(target.set_name(), target.chain(), target.nft_interface())?;
+        } else {
             self.run_command(
                 "ipset",
                 &[
@@ -165,9 +168,6 @@ impl dyn KernelInterface {
                     &format!("dst,{}", target.interface()),
                 ],
             )?;
-        } else {
-            info!("Trying to init a counter!");
-            self.nft_init_counters(target.set_name(), target.chain(), target.nft_interface())?;
         }
 
         Ok(())
@@ -235,7 +235,9 @@ impl dyn KernelInterface {
         &self,
         target: &FilterTarget,
     ) -> Result<HashMap<(IpAddr, String), u64>, Error> {
-        if self.get_kernel_is_v4()? {
+        if self.does_nftables_exist() {
+            self.parse_nft_set_counters(target.set_name())
+        } else {
             self.run_command(
                 "ipset",
                 &[
@@ -264,8 +266,6 @@ impl dyn KernelInterface {
 
             self.run_command("ipset", &["destroy", &format!("tmp_{}", target.set_name())])?;
             res
-        } else {
-            self.parse_nft_set_counters(target.set_name())
         }
     }
 }
@@ -282,7 +282,7 @@ fn test_init_counter() {
 
     KI.set_mock(Box::new(move |program, args| {
         counter += 1;
-        if KI.get_kernel_is_v4().unwrap() {
+        if KI.get_kernel_is_v4()? {
             match counter {
                 1 => {
                     assert_eq!(program, "ipset");
@@ -338,6 +338,15 @@ fn test_init_counter() {
         } else {
             match counter {
                 1 => {
+                    assert_eq!(program, "nft");
+                    assert_eq!(args, &["-v"]);
+                    Ok(Output {
+                        stdout: b"nftables v1.0.1 (Fearless Fosdick #3)".to_vec(),
+                        stderr: b"".to_vec(),
+                        status: ExitStatus::from_raw(0),
+                    })
+                }
+                2 => {
                     assert_eq!(program, "nft");
                     assert_eq!(args, &["list", "set", "inet", "fw4", "rita_input"]);
 
@@ -347,7 +356,7 @@ fn test_init_counter() {
                         status: ExitStatus::from_raw(0),
                     })
                 }
-                2 => {
+                3 => {
                     assert_eq!(program, "nft");
                     assert_eq!(
                         args,
@@ -377,7 +386,7 @@ fn test_init_counter() {
                         status: ExitStatus::from_raw(0),
                     })
                 }
-                3 => {
+                4 => {
                     assert_eq!(program, "nft");
                     assert_eq!(
                         args,
@@ -422,7 +431,7 @@ fn test_read_counters() {
 
     KI.set_mock(Box::new(move |program, args| {
         counter += 1;
-        if KI.get_kernel_is_v4().unwrap() {
+        if KI.get_kernel_is_v4()? {
             match counter {
                 1 => {
                     assert_eq!(program, "ipset");
@@ -478,6 +487,15 @@ fn test_read_counters() {
         } else {
             match counter {
                 1 => {
+                    assert_eq!(program, "nft");
+                    assert_eq!(args, &["-v"]);
+                    Ok(Output {
+                        stdout: b"nftables v1.0.1 (Fearless Fosdick #3)".to_vec(),
+                        stderr: b"".to_vec(),
+                        status: ExitStatus::from_raw(0),
+                    })
+                }
+                2 => {
                     assert_eq!(program, "nft");
                     assert_eq!(args, &["list", "set", "inet", "fw4", "rita_input"]);
                     Ok(Output {
@@ -489,7 +507,7 @@ fn test_read_counters() {
                         status: ExitStatus::from_raw(0),
                     })
                 }
-                2 => {
+                3 => {
                     assert_eq!(program, "nft");
                     assert_eq!(args, &["flush", "set", "inet", "fw4", "rita_input"]);
                     Ok(Output {

diff --git a/althea_kernel_interface/src/exit_client_tunnel.rs b/althea_kernel_interface/src/exit_client_tunnel.rs
@@ -211,9 +211,9 @@ impl dyn KernelInterface {
     /// same rules. It may be advisable in the future to split them up into
     /// individual nat entires for each option
     pub fn create_client_nat_rules(&self) -> Result<(), Error> {
-        let is_v4 = self.get_kernel_is_v4()?;
+        let use_iptables = !self.does_nftables_exist();
 
-        if is_v4 {
+        if use_iptables {
             self.add_iptables_rule(
                 "iptables",
                 &[
@@ -234,7 +234,7 @@ impl dyn KernelInterface {
         }
 
         // Set mtu
-        if is_v4 {
+        if use_iptables {
             self.add_iptables_rule(
                 "iptables",
                 &[
@@ -275,7 +275,7 @@ impl dyn KernelInterface {
     /// blocks the client nat by inserting a blocker in the start of the special lan forwarding
     /// table created by openwrt.
     pub fn block_client_nat(&self) -> Result<(), Error> {
-        if self.get_kernel_is_v4()? {
+        if !self.does_nftables_exist() {
             self.add_iptables_rule("iptables", &["-I", "zone_lan_forward", "-j", "REJECT"])?;
         } else {
             self.insert_reject_rule()?;
@@ -285,7 +285,7 @@ impl dyn KernelInterface {
 
     /// Removes the block created by block_client_nat() will fail if not run after that command
     pub fn restore_client_nat(&self) -> Result<(), Error> {
-        if self.get_kernel_is_v4()? {
+        if !self.does_nftables_exist() {
             self.add_iptables_rule("iptables", &["-D", "zone_lan_forward", "-j", "REJECT"])?;
         } else {
             self.delete_reject_rule()?;

diff --git a/althea_kernel_interface/src/exit_server_tunnel.rs b/althea_kernel_interface/src/exit_server_tunnel.rs
@@ -228,7 +228,7 @@ impl dyn KernelInterface {
         external_v6: Option<(IpAddr, u8)>,
     ) -> Result<(), Error> {
         // nat masquerade on exit
-        if self.get_kernel_is_v4()? {
+        if !self.does_nftables_exist() {
             self.add_iptables_rule(
                 "iptables",
                 &[
@@ -248,7 +248,7 @@ impl dyn KernelInterface {
         }
 
         // Add v4 and v6 forward rules wg_exit <-> ex_nic
-        if self.get_kernel_is_v4()? {
+        if !self.does_nftables_exist() {
             // v4 wg_exit -> ex_nic
             self.add_iptables_rule(
                 "iptables",

diff --git a/althea_kernel_interface/src/netfilter.rs b/althea_kernel_interface/src/netfilter.rs
@@ -4,6 +4,27 @@ use crate::KernelInterface;
 use crate::KernelInterfaceError;
 
 impl dyn KernelInterface {
+    pub fn does_nftables_exist(&self) -> bool {
+        let output = match self.run_command("nft", &["-v"]) {
+            Ok(out) => out,
+            Err(e) => {
+                error!("Run command is failing with {}", e);
+                // Assume there is no nftables
+                return false;
+            }
+        };
+
+        let stdout = match String::from_utf8(output.stdout) {
+            Ok(a) => a,
+            Err(e) => {
+                error!("Cannot parse stdout with {}", e);
+                return false;
+            }
+        };
+
+        stdout.contains("nftables")
+    }
+
     fn create_fwd_rule(&self) -> Result<(), KernelInterfaceError> {
         self.run_command(
             "nft",