diff --git a/internal/trafpol/filter.go b/internal/trafpol/filter.go index 991e29c..3b169c4 100644 --- a/internal/trafpol/filter.go +++ b/internal/trafpol/filter.go @@ -2,6 +2,7 @@ package trafpol import ( "context" + "errors" "fmt" "net" "strconv" @@ -155,7 +156,9 @@ table inet oc-daemon-filter { ` r := strings.NewReplacer("$FWMARK", fwMark) rules := r.Replace(filterRules) - if stdout, stderr, err := execs.RunNft(ctx, rules); err != nil { + if stdout, stderr, err := execs.RunNft(ctx, rules); err != nil && + !errors.Is(err, context.Canceled) { + log.WithError(err).WithFields(log.Fields{ "stdout": string(stdout), "stderr": string(stderr), @@ -165,7 +168,10 @@ table inet oc-daemon-filter { // unsetFilterRules unsets the filter rules. func unsetFilterRules(ctx context.Context) { - if stdout, stderr, err := execs.RunNft(ctx, "delete table inet oc-daemon-filter"); err != nil { + if stdout, stderr, err := execs.RunNft(ctx, + "delete table inet oc-daemon-filter"); err != nil && + !errors.Is(err, context.Canceled) { + log.WithError(err).WithFields(log.Fields{ "stdout": string(stdout), "stderr": string(stderr), @@ -176,7 +182,9 @@ func unsetFilterRules(ctx context.Context) { // addAllowedDevice adds device to the allowed devices. func addAllowedDevice(ctx context.Context, device string) { nftconf := fmt.Sprintf("add element inet oc-daemon-filter allowdevs { %s }", device) - if stdout, stderr, err := execs.RunNft(ctx, nftconf); err != nil { + if stdout, stderr, err := execs.RunNft(ctx, nftconf); err != nil && + !errors.Is(err, context.Canceled) { + log.WithError(err).WithFields(log.Fields{ "stdout": string(stdout), "stderr": string(stderr), 
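Review bot: In setFilterRules the new `!errors.Is(err, context.Canceled)` guard drops the failure without any trace, so after a cancelled call nothing records that the oc-daemon-filter ruleset was not loaded. For a traffic policy that should stay visible; I would log the cancelled case at debug level instead of skipping it, e.g. `log.WithError(err).Debug("TrafPol setting filter rules canceled")`. The guard also only matches if execs.RunNft (not visible here) returns an error that wraps context.Canceled. If it is built on exec.CommandContext, an nft process killed mid-run usually surfaces as an exit error and would still be logged at Error, so testing `ctx.Err() != nil` may be more reliable. The same condition is repeated in every other hunk of this file, and a small helper would keep the ten call sites consistent.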
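Review bot: unsetFilterRules is cleanup, and with this guard a cancelled context means `delete table inet oc-daemon-filter` fails without being reported, which may leave the table installed with no log line. Whether callers reach this function during shutdown with an already-cancelled ctx is not visible in this hunk. If they can, consider running the deletion on a context detached from the caller's cancellation, e.g. `cctx, cancel := context.WithTimeout(context.WithoutCancel(ctx), cleanupTimeout)` (Go 1.21+, `cleanupTimeout` being a placeholder), or at least keep a Warn-level message. The same applies to the removeAllowedDevice and removePortalPorts hunks.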
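Review bot: Not changed by this commit but visible in the context lines of the addAllowedDevice hunk: `device` is formatted with `%s` straight into the nft command text. If a device name can ever come from outside the daemon's own configuration, characters that carry meaning in nft syntax would change the statement that is executed against the firewall. I would validate the name before building `nftconf`, for example rejecting anything outside `[A-Za-z0-9_.-]` or longer than an interface name can be, and log and return on mismatch. removeAllowedDevice in the next hunk builds its command the same way.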
@@ -187,7 +195,9 @@ func addAllowedDevice(ctx context.Context, device string) { // removeAllowedDevice removes device from the allowed devices. func removeAllowedDevice(ctx context.Context, device string) { nftconf := fmt.Sprintf("delete element inet oc-daemon-filter allowdevs { %s }", device) - if stdout, stderr, err := execs.RunNft(ctx, nftconf); err != nil { + if stdout, stderr, err := execs.RunNft(ctx, nftconf); err != nil && + !errors.Is(err, context.Canceled) { + log.WithError(err).WithFields(log.Fields{ "stdout": string(stdout), "stderr": string(stderr), @@ -202,13 +212,19 @@ func setAllowedIPs(ctx context.Context, ips []*net.IPNet) { // runs into "file exists" errors even though we remove duplicates from // ips before calling this function and we flush the existing entries - if stdout, stderr, err := execs.RunNft(ctx, "flush set inet oc-daemon-filter allowhosts4"); err != nil { + if stdout, stderr, err := execs.RunNft(ctx, + "flush set inet oc-daemon-filter allowhosts4"); err != nil && + !errors.Is(err, context.Canceled) { + log.WithError(err).WithFields(log.Fields{ "stdout": string(stdout), "stderr": string(stderr), }).Error("TrafPol error flushing allowed ipv4s") } - if stdout, stderr, err := execs.RunNft(ctx, "flush set inet oc-daemon-filter allowhosts6"); err != nil { + if stdout, stderr, err := execs.RunNft(ctx, + "flush set inet oc-daemon-filter allowhosts6"); err != nil && + !errors.Is(err, context.Canceled) { + log.WithError(err).WithFields(log.Fields{ "stdout": string(stdout), "stderr": string(stderr), @@ -221,7 +237,9 @@ func setAllowedIPs(ctx context.Context, ips []*net.IPNet) { if ip.IP.To4() != nil { // ipv4 address nftconf := fmt.Sprintf(fmt4, ip) - if stdout, stderr, err := execs.RunNft(ctx, nftconf); err != nil { + if stdout, stderr, err := execs.RunNft(ctx, nftconf); err != nil && + !errors.Is(err, context.Canceled) { + log.WithError(err).WithFields(log.Fields{ "stdout": string(stdout), "stderr": string(stderr), 
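Review bot: In setAllowedIPs a cancelled context now makes the two flush calls fail silently, and execution continues into the loop, where the add for every entry in `ips` fails silently as well (the ipv4 and ipv6 hunks that follow). Returning once cancellation is seen avoids issuing further nft calls that cannot succeed: `if ctx.Err() != nil { return }` after the flushes and at the top of the loop body. Because the sets are flushed before they are refilled, a cancellation in between can leave allowhosts4/allowhosts6 empty or partly filled, which deserves one log line at debug or warn level. The function body starts and ends outside these hunks.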
@@ -230,7 +248,9 @@ func setAllowedIPs(ctx context.Context, ips []*net.IPNet) { } else { // ipv6 address nftconf := fmt.Sprintf(fmt6, ip) - if stdout, stderr, err := execs.RunNft(ctx, nftconf); err != nil { + if stdout, stderr, err := execs.RunNft(ctx, nftconf); err != nil && + !errors.Is(err, context.Canceled) { + log.WithError(err).WithFields(log.Fields{ "stdout": string(stdout), "stderr": string(stderr), @@ -253,7 +273,9 @@ func portsToString(ports []uint16) string { func addPortalPorts(ctx context.Context, ports []uint16) { p := portsToString(ports) nftconf := fmt.Sprintf("add element inet oc-daemon-filter allowports { %s }", p) - if stdout, stderr, err := execs.RunNft(ctx, nftconf); err != nil { + if stdout, stderr, err := execs.RunNft(ctx, nftconf); err != nil && + !errors.Is(err, context.Canceled) { + log.WithError(err).WithFields(log.Fields{ "stdout": string(stdout), "stderr": string(stderr), @@ -265,7 +287,9 @@ func addPortalPorts(ctx context.Context, ports []uint16) { func removePortalPorts(ctx context.Context, ports []uint16) { p := portsToString(ports) nftconf := fmt.Sprintf("delete element inet oc-daemon-filter allowports { %s }", p) - if stdout, stderr, err := execs.RunNft(ctx, nftconf); err != nil { + if stdout, stderr, err := execs.RunNft(ctx, nftconf); err != nil && + !errors.Is(err, context.Canceled) { + log.WithError(err).WithFields(log.Fields{ "stdout": string(stdout), "stderr": string(stderr),