fix: netlink race condition (#48)

2024-09-21 12:14:08 +08:00 · 2024-02-05 19:32:52 -08:00 · 2024-02-05 19:32:52 -08:00 · 843f17896c
commit 843f17896c
parent 6871244809
1 changed files with 26 additions and 16 deletions
--- a/io/nfqueue.go
+++ b/io/nfqueue.go
@ -45,6 +45,7 @@ type nfqueuePacketIO struct {
 	local  bool
 	ipt4   *iptables.IPTables
 	ipt6   *iptables.IPTables
+	iptSet bool // whether iptables rules are set
 }

 type NFQueuePacketIOConfig struct {
@ -74,22 +75,16 @@ func NewNFQueuePacketIO(config NFQueuePacketIOConfig) (PacketIO, error) {
 	if err != nil {
 		return nil, err
 	}
-	io := &nfqueuePacketIO{
+	return &nfqueuePacketIO{
 		n:     n,
 		local: config.Local,
 		ipt4:  ipt4,
 		ipt6:  ipt6,
-	}
-	err = io.setupIpt(config.Local, false)
-	if err != nil {
-		_ = n.Close()
-		return nil, err
-	}
-	return io, nil
+	}, nil
 }

 func (n *nfqueuePacketIO) Register(ctx context.Context, cb PacketCallback) error {
-	return n.n.RegisterWithErrorFunc(ctx,
+	err := n.n.RegisterWithErrorFunc(ctx,
 		func(a nfqueue.Attribute) int {
 			if a.PacketID == nil || a.Ct == nil || a.Payload == nil || len(*a.Payload) < 20 {
 				// Invalid packet, ignore
@ -106,6 +101,17 @@ func (n *nfqueuePacketIO) Register(ctx context.Context, cb PacketCallback) error
 		func(e error) int {
 			return okBoolToInt(cb(nil, e))
 		})
+	if err != nil {
+		return err
+	}
+	if !n.iptSet {
+		err = n.setupIpt(n.local, false)
+		if err != nil {
+			return err
+		}
+		n.iptSet = true
+	}
+	return nil
 }

 func (n *nfqueuePacketIO) SetVerdict(p Packet, v Verdict, newPacket []byte) error {
@ -150,10 +156,14 @@ func (n *nfqueuePacketIO) setupIpt(local, remove bool) error {
 }

 func (n *nfqueuePacketIO) Close() error {
+	if n.iptSet {
 		err := n.setupIpt(n.local, true)
-	_ = n.n.Close()
+		if err != nil {
 			return err
 		}
+	}
+	return n.n.Close()
+}

 var _ Packet = (*nfqueuePacket)(nil)