Vendor nftables library, add utils.SupportsIPTables and utils.SupportsNFTables

Signed-off-by: Dan Winship <[email protected]>

Author: danwinship

go.mod

@@ -21,6 +21,7 @@ require (
 	github.com/safchain/ethtool v0.4.1
 	github.com/vishvananda/netlink v1.3.0
 	golang.org/x/sys v0.23.0
+	sigs.k8s.io/knftables v0.0.17
 )
 
 require (

go.sum

@@ -68,6 +68,8 @@ github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeN
 github.com/google/pprof v0.0.0-20240727154555-813a5fbdbec8 h1:FKHo8hFI3A+7w0aUQuYXQ+6EN5stWmeY/AZqtM8xk9k=
 github.com/google/pprof v0.0.0-20240727154555-813a5fbdbec8/go.mod h1:K1liHPHnj73Fdn/EKuT8nrFqBihUSKXoLYU0BuatOYo=
 github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
+github.com/lithammer/dedent v1.1.0 h1:VNzHMVCBNG1j0fh3OrsFRkVUwStdDArbgBWoPAffktY=
+github.com/lithammer/dedent v1.1.0/go.mod h1:jrXYCQtgg0nJiN+StA2KgR7w6CiQNv9Fd/Z9BP0jIOc=
 github.com/mattn/go-shellwords v1.0.12 h1:M2zGm7EW6UQJvDeQxo4T51eKPurbeFbe8WtebGE2xrk=
 github.com/mattn/go-shellwords v1.0.12/go.mod h1:EZzvwXDESEeg03EKmM+RmDnNOPKG4lLtQsUlTZDWQ8Y=
 github.com/networkplumbing/go-nft v0.4.0 h1:kExVMwXW48DOAukkBwyI16h4uhE5lN9iMvQd52lpTyU=
@@ -194,3 +196,5 @@ gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
+sigs.k8s.io/knftables v0.0.17 h1:wGchTyRF/iGTIjd+vRaR1m676HM7jB8soFtyr/148ic=
+sigs.k8s.io/knftables v0.0.17/go.mod h1:f/5ZLKYEUPUhVjUCg6l80ACdL7CIIyeL0DxfgojGRTk=

pkg/utils/netfilter.go

@@ -0,0 +1,46 @@
+// Copyright 2023 CNI authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package utils
+
+import (
+	"github.com/coreos/go-iptables/iptables"
+	"sigs.k8s.io/knftables"
+)
+
+// SupportsIPTables tests whether the system supports using netfilter via the iptables API
+// (whether via "iptables-legacy" or "iptables-nft"). (Note that this returns true if it
+// is *possible* to use iptables; it does not test whether any other components on the
+// system are *actually* using iptables.)
+func SupportsIPTables() bool {
+	ipt, err := iptables.NewWithProtocol(iptables.ProtocolIPv4)
+	if err != nil {
+		return false
+	}
+	// We don't care whether the chain actually exists, only whether we can *check*
+	// whether it exists.
+	_, err = ipt.ChainExists("filter", "INPUT")
+	return err == nil
+}
+
+// SupportsNFTables tests whether the system supports using netfilter via the nftables API
+// (ie, not via "iptables-nft"). (Note that this returns true if it is *possible* to use
+// nftables; it does not test whether any other components on the system are *actually*
+// using nftables.)
+func SupportsNFTables() bool {
+	// knftables.New() does sanity checks so we don't need any further test like in
+	// the iptables case.
+	_, err := knftables.New(knftables.IPv4Family, "supports_nftables_test")
+	return err == nil
+}

pkg/utils/netfilter_test.go

@@ -0,0 +1,52 @@
+// Copyright 2023 CNI authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package utils
+
+import (
+	"os"
+
+	. "github.com/onsi/ginkgo/v2"
+	. "github.com/onsi/gomega"
+)
+
+var _ = Describe("netfilter support", func() {
+	When("it is available", func() {
+		It("reports that iptables is supported", func() {
+			Expect(SupportsIPTables()).To(BeTrue(), "This test should only fail if iptables is not available, but the test suite as a whole requires it to be available.")
+		})
+		It("reports that nftables is supported", func() {
+			Expect(SupportsNFTables()).To(BeTrue(), "This test should only fail if nftables is not available, but the test suite as a whole requires it to be available.")
+		})
+	})
+
+	// These are Serial because os.Setenv has process-wide effect
+	When("it is not available", Serial, func() {
+		var origPath string
+		BeforeEach(func() {
+			origPath = os.Getenv("PATH")
+			os.Setenv("PATH", "/does-not-exist")
+		})
+		AfterEach(func() {
+			os.Setenv("PATH", origPath)
+		})
+
+		It("reports that iptables is not supported", func() {
+			Expect(SupportsIPTables()).To(BeFalse(), "found iptables outside of PATH??")
+		})
+		It("reports that nftables is not supported", func() {
+			Expect(SupportsNFTables()).To(BeFalse(), "found nftables outside of PATH??")
+		})
+	})
+})

vendor/modules.txt

@@ -267,3 +267,6 @@ google.golang.org/protobuf/types/known/anypb
 # gopkg.in/yaml.v3 v3.0.1
 ## explicit
 gopkg.in/yaml.v3
+# sigs.k8s.io/knftables v0.0.17
+## explicit; go 1.20
+sigs.k8s.io/knftables