Revert "update detection logic"

This reverts commit 13138e5.

Author: adleong

pkg/iptables/detect.go

@@ -68,7 +68,8 @@ type FirewallConfiguration struct {
 func ConfigureFirewall(firewallConfiguration FirewallConfiguration) error {
 	log.Debugf("tracing script execution as [%s]", executionTraceID)
 
-	// Using configured iptables binaries as-is.
+	// Before executing, ensure the configured iptables binaries exist; if not, attempt a fallback.
+	resolveBinFallback(&firewallConfiguration)
 
 	existingRules, err := executeCommand(firewallConfiguration, firewallConfiguration.makeShowAllRules())
 	if err != nil {
@@ -112,7 +113,8 @@ func CleanupFirewallConfig(firewallConfiguration FirewallConfiguration) error {
 	log.Debugf("using '%s' to clean-up firewall rules", firewallConfiguration.BinPath)
 	log.Debugf("using '%s' to list all available rules", firewallConfiguration.SaveBinPath)
 
-	// Using configured iptables binaries as-is for cleanup as well.
+	// Ensure binaries exist before attempting cleanup as well
+	resolveBinFallback(&firewallConfiguration)
 
 	commands := make([]*exec.Cmd, 0)
 	commands = firewallConfiguration.cleanupRules(commands)
@@ -451,4 +453,61 @@ func asDestination(portRange util.PortRange) string {
 	return fmt.Sprintf("%d:%d", portRange.LowerBound, portRange.UpperBound)
 }
 
-// resolveBinFallback removed: binaries are assumed to be correctly set by callers.
+// resolveBinFallback ensures the configured BinPath and SaveBinPath exist on PATH; if not, it
+// tries reasonable alternatives of the same family (ip6tables vs iptables). Returns true if a
+// fallback was applied.
+func resolveBinFallback(fc *FirewallConfiguration) {
+	// helper to check presence
+	has := func(name string) bool {
+		_, err := exec.LookPath(name)
+		return err == nil
+	}
+
+	// Both present? nothing to do
+	if has(fc.BinPath) && has(fc.SaveBinPath) {
+		log.WithFields(log.Fields{
+			"requestedBin":     fc.BinPath,
+			"requestedSaveBin": fc.SaveBinPath,
+		}).Debug("iptables: using configured binaries")
+		return
+	}
+
+	// Decide family based on current name
+	ipv6 := strings.Contains(fc.BinPath, "ip6tables") || strings.Contains(fc.SaveBinPath, "ip6tables")
+
+	// Candidate orders: prefer nft, then plain, then legacy
+	var candidates [][2]string
+	if ipv6 {
+		candidates = [][2]string{
+			{"ip6tables-nft", "ip6tables-nft-save"},
+			{"ip6tables", "ip6tables-save"},
+			{"ip6tables-legacy", "ip6tables-legacy-save"},
+		}
+	} else {
+		candidates = [][2]string{
+			{"iptables-nft", "iptables-nft-save"},
+			{"iptables", "iptables-save"},
+			{"iptables-legacy", "iptables-legacy-save"},
+		}
+	}
+
+	// Use first candidate where both exist
+	for _, pair := range candidates {
+		if has(pair[0]) && has(pair[1]) {
+			if pair[0] != fc.BinPath || pair[1] != fc.SaveBinPath {
+				log.WithFields(log.Fields{
+					"requestedBin":     fc.BinPath,
+					"requestedSaveBin": fc.SaveBinPath,
+					"fallbackBin":      pair[0],
+					"fallbackSaveBin":  pair[1],
+				}).Warn("iptables: configured binaries not found; applying fallback to available binaries")
+			}
+			fc.BinPath = pair[0]
+			fc.SaveBinPath = pair[1]
+			return
+		}
+	}
+
+	// No candidates found; keep as-is and let execution fail with a clear error later
+	log.WithFields(log.Fields{"binPath": fc.BinPath, "saveBinPath": fc.SaveBinPath}).Error("iptables: no suitable binaries found on PATH; commands may fail")
+}

pkg/iptables/iptables.go

@@ -21,8 +21,6 @@ const (
 	// IPTablesModePlain signals the usage of the iptables commands, which
 	// can be either legacy or nft
 	IPTablesModePlain = "plain"
-	// IPTablesModeAuto signals automatic detection of the iptables backend
-	IPTablesModeAuto = "auto"
 
 	cmdLegacy         = "iptables-legacy"
 	cmdLegacySave     = "iptables-legacy-save"
@@ -167,11 +165,21 @@ func NewRootCmd() *cobra.Command {
 
 // BuildFirewallConfiguration returns an iptables FirewallConfiguration suitable to use to configure iptables.
 func BuildFirewallConfiguration(options *RootOptions) (*iptables.FirewallConfiguration, error) {
-	if options.IPTablesMode != "" &&
-		options.IPTablesMode != IPTablesModeLegacy &&
-		options.IPTablesMode != IPTablesModeNFT &&
-		options.IPTablesMode != IPTablesModePlain {
-		return nil, fmt.Errorf("--iptables-mode valid values are only \"%s\", \"%s\", \"%s\", and \"%s\"", IPTablesModeLegacy, IPTablesModeNFT, IPTablesModeAuto, IPTablesModePlain)
+	if options.IPTablesMode != "" && options.IPTablesMode != IPTablesModeLegacy && options.IPTablesMode != IPTablesModeNFT && options.IPTablesMode != IPTablesModePlain {
+		return nil, fmt.Errorf("--iptables-mode valid values are only \"%s\", \"%s\" and \"%s\"", IPTablesModeLegacy, IPTablesModeNFT, IPTablesModePlain)
+	}
+
+	if options.IPTablesMode == "" {
+		switch options.FirewallBinPath {
+		case "", cmdLegacy:
+			options.IPTablesMode = IPTablesModeLegacy
+		case cmdNFT:
+			options.IPTablesMode = IPTablesModeNFT
+		case cmdPlain:
+			options.IPTablesMode = IPTablesModePlain
+		default:
+			return nil, fmt.Errorf("--firewall-bin-path valid values are only \"%s\", \"%s\" and \"%s\"", cmdLegacy, cmdNFT, cmdPlain)
+		}
 	}
 
 	if !util.IsValidPort(options.IncomingProxyPort) {
@@ -182,6 +190,8 @@ func BuildFirewallConfiguration(options *RootOptions) (*iptables.FirewallConfigu
 		return nil, fmt.Errorf("--outgoing-proxy-port must be a valid TCP port number")
 	}
 
+	cmd, cmdSave := getCommands(options)
+
 	sanitizedSubnets := []string{}
 	for _, subnet := range options.SubnetsToIgnore {
 		subnet := strings.TrimSpace(subnet)
@@ -205,6 +215,8 @@ func BuildFirewallConfiguration(options *RootOptions) (*iptables.FirewallConfigu
 		SimulateOnly:           options.SimulateOnly,
 		NetNs:                  options.NetNs,
 		UseWaitFlag:            options.UseWaitFlag,
+		BinPath:                cmd,
+		SaveBinPath:            cmdSave,
 	}
 
 	if len(options.PortsToRedirect) > 0 {
@@ -213,16 +225,6 @@ func BuildFirewallConfiguration(options *RootOptions) (*iptables.FirewallConfigu
 		firewallConfiguration.Mode = iptables.RedirectAllMode
 	}
 
-	// For backwards-compatibility, if IPTablesMode is not set, use the FirewallBinPath
-	// explicitly set by the user.
-	if options.IPTablesMode == "" {
-		firewallConfiguration.BinPath = options.FirewallBinPath
-		firewallConfiguration.SaveBinPath = options.FirewallSaveBinPath
-	} else {
-		// Otherwise, detect and set the appropriate backend.
-		iptables.DetectBackend(firewallConfiguration, exec.LookPath, options.IPv6, options.IPTablesMode)
-	}
-
 	return firewallConfiguration, nil
 }
 
@@ -235,6 +237,26 @@ func getFormatter(format string) log.Formatter {
 	}
 }
 
+func getCommands(options *RootOptions) (string, string) {
+	switch options.IPTablesMode {
+	case IPTablesModeLegacy:
+		if options.IPv6 {
+			return cmdLegacyIPv6, cmdLegacyIPv6Save
+		}
+		return cmdLegacy, cmdLegacySave
+	case IPTablesModeNFT:
+		if options.IPv6 {
+			return cmdNFTIPv6, cmdNFTIPv6Save
+		}
+		return cmdNFT, cmdNFTSave
+	default:
+		if options.IPv6 {
+			return cmdPlainIPv6, cmdPlainIPv6Save
+		}
+		return cmdPlain, cmdPlainSave
+	}
+}
+
 func setLogLevel(logLevel string) error {
 	level, err := log.ParseLevel(logLevel)
 	if err != nil {