internal/firewall/enable.go

package firewall

import (
	"context"
	"fmt"
)

func (c *Config) SetEnabled(ctx context.Context, enabled bool) (err error) {
	c.stateMutex.Lock()
	defer c.stateMutex.Unlock()

	if enabled == c.enabled {
		if enabled {
			c.logger.Info("already enabled")
		} else {
			c.logger.Info("already disabled")
		}
		return nil
	}

	if !enabled {
		c.logger.Info("disabling...")
		if err = c.disable(ctx); err != nil {
			return fmt.Errorf("disabling firewall: %w", err)
		}
		c.enabled = false
		c.logger.Info("disabled successfully")
		return nil
	}

	c.logger.Info("enabling...")

	if err := c.enable(ctx); err != nil {
		return fmt.Errorf("enabling firewall: %w", err)
	}
	c.enabled = true
	c.logger.Info("enabled successfully")

	return nil
}

func (c *Config) disable(ctx context.Context) (err error) {
	if err = c.clearAllRules(ctx); err != nil {
		return fmt.Errorf("clearing all rules: %w", err)
	}
	if err = c.setIPv4AllPolicies(ctx, "ACCEPT"); err != nil {
		return fmt.Errorf("setting ipv4 policies: %w", err)
	}
	if err = c.setIPv6AllPolicies(ctx, "ACCEPT"); err != nil {
		return fmt.Errorf("setting ipv6 policies: %w", err)
	}
	return nil
}

// To use in defered call when enabling the firewall.
func (c *Config) fallbackToDisabled(ctx context.Context) {
	if ctx.Err() != nil {
		return
	}
	if err := c.disable(ctx); err != nil {
		c.logger.Error("failed reversing firewall changes: " + err.Error())
	}
}

func (c *Config) enable(ctx context.Context) (err error) {
	touched := false
	if err = c.setIPv4AllPolicies(ctx, "DROP"); err != nil {
		return err
	}
	touched = true

	if err = c.setIPv6AllPolicies(ctx, "DROP"); err != nil {
		return err
	}

	const remove = false

	defer func() {
		if touched && err != nil {
			c.fallbackToDisabled(ctx)
		}
	}()

	// Loopback traffic
	if err = c.acceptInputThroughInterface(ctx, "lo", remove); err != nil {
		return err
	}
	if err = c.acceptOutputThroughInterface(ctx, "lo", remove); err != nil {
		return err
	}

	if err = c.acceptEstablishedRelatedTraffic(ctx, remove); err != nil {
		return err
	}

	if err = c.allowVPNIP(ctx); err != nil {
		return err
	}

	for _, network := range c.localNetworks {
		if err := c.acceptOutputFromIPToSubnet(ctx, network.InterfaceName, network.IP, network.IPNet, remove); err != nil {
			return err
		}
		if err = c.acceptIpv6MulticastOutput(ctx, network.InterfaceName, remove); err != nil {
			return err
		}
	}

	if err = c.allowOutboundSubnets(ctx); err != nil {
		return err
	}

	// Allows packets from any IP address to go through eth0 / local network
	// to reach Gluetun.
	for _, network := range c.localNetworks {
		if err := c.acceptInputToSubnet(ctx, network.InterfaceName, network.IPNet, remove); err != nil {
			return err
		}
	}

	if err = c.allowInputPorts(ctx); err != nil {
		return err
	}

	if err := c.runUserPostRules(ctx, c.customRulesPath, remove); err != nil {
		return fmt.Errorf("running user defined post firewall rules: %w", err)
	}

	return nil
}

func (c *Config) allowVPNIP(ctx context.Context) (err error) {
	if c.vpnConnection.IP == nil {
		return nil
	}

	const remove = false
	for _, defaultRoute := range c.defaultRoutes {
		err = c.acceptOutputTrafficToVPN(ctx, defaultRoute.NetInterface, c.vpnConnection, remove)
		if err != nil {
			return fmt.Errorf("accepting output traffic through VPN: %w", err)
		}
	}

	return nil
}

func (c *Config) allowOutboundSubnets(ctx context.Context) (err error) {
	for _, subnet := range c.outboundSubnets {
		for _, defaultRoute := range c.defaultRoutes {
			const remove = false
			err := c.acceptOutputFromIPToSubnet(ctx, defaultRoute.NetInterface,
				defaultRoute.AssignedIP, subnet, remove)
			if err != nil {
				return err
			}
		}
	}
	return nil
}

func (c *Config) allowInputPorts(ctx context.Context) (err error) {
	for port, netInterfaces := range c.allowedInputPorts {
		for netInterface := range netInterfaces {
			const remove = false
			err = c.acceptInputToPort(ctx, netInterface, port, remove)
			if err != nil {
				return fmt.Errorf("accepting input port %d on interface %s: %w",
					port, netInterface, err)
			}
		}
	}
	return nil
}
Firewall refactoring - Ability to enable and disable rules in various loops - Simplified code overall - Port forwarding moved into openvpn loop - Route addition and removal improved 2020-07-11 21:03:55 +00:00			`package firewall`

			`import (`
			`"context"`
			`"fmt"`
			`)`

Maint: firewall package interface rework - return concrete struct type - split interface is sub-interfaces 2021-07-23 19:12:16 +00:00			`func (c *Config) SetEnabled(ctx context.Context, enabled bool) (err error) {`
Firewall refactoring - Ability to enable and disable rules in various loops - Simplified code overall - Port forwarding moved into openvpn loop - Route addition and removal improved 2020-07-11 21:03:55 +00:00			`c.stateMutex.Lock()`
			`defer c.stateMutex.Unlock()`

			`if enabled == c.enabled {`
			`if enabled {`
			`c.logger.Info("already enabled")`
			`} else {`
			`c.logger.Info("already disabled")`
			`}`
			`return nil`
			`}`

			`if !enabled {`
			`c.logger.Info("disabling...")`
			`if err = c.disable(ctx); err != nil {`
chore(all): review error wrappings - remove repetitive `cannot` and `failed` prefixes - rename `unmarshaling` to `decoding` 2023-04-01 16:53:04 +00:00			`return fmt.Errorf("disabling firewall: %w", err)`
Firewall refactoring - Ability to enable and disable rules in various loops - Simplified code overall - Port forwarding moved into openvpn loop - Route addition and removal improved 2020-07-11 21:03:55 +00:00			`}`
			`c.enabled = false`
			`c.logger.Info("disabled successfully")`
			`return nil`
			`}`

			`c.logger.Info("enabling...")`

			`if err := c.enable(ctx); err != nil {`
chore(all): review error wrappings - remove repetitive `cannot` and `failed` prefixes - rename `unmarshaling` to `decoding` 2023-04-01 16:53:04 +00:00			`return fmt.Errorf("enabling firewall: %w", err)`
Firewall refactoring - Ability to enable and disable rules in various loops - Simplified code overall - Port forwarding moved into openvpn loop - Route addition and removal improved 2020-07-11 21:03:55 +00:00			`}`
			`c.enabled = true`
			`c.logger.Info("enabled successfully")`

			`return nil`
			`}`

Maint: firewall package interface rework - return concrete struct type - split interface is sub-interfaces 2021-07-23 19:12:16 +00:00			`func (c *Config) disable(ctx context.Context) (err error) {`
Firewall refactoring - Ability to enable and disable rules in various loops - Simplified code overall - Port forwarding moved into openvpn loop - Route addition and removal improved 2020-07-11 21:03:55 +00:00			`if err = c.clearAllRules(ctx); err != nil {`
chore(all): review error wrappings - remove repetitive `cannot` and `failed` prefixes - rename `unmarshaling` to `decoding` 2023-04-01 16:53:04 +00:00			`return fmt.Errorf("clearing all rules: %w", err)`
Firewall refactoring - Ability to enable and disable rules in various loops - Simplified code overall - Port forwarding moved into openvpn loop - Route addition and removal improved 2020-07-11 21:03:55 +00:00			`}`
Feature/Bugfix: IPv6 blocking (#428) - Feature/Bugfix: Block all IPv6 traffic with `ip6tables` by default - Feature: Adapt existing firewall code to handle IPv4 and IPv6, depending on user inputs and environment - Maintenance: improve error wrapping in the firewall package 2021-04-19 09:24:46 -04:00			`if err = c.setIPv4AllPolicies(ctx, "ACCEPT"); err != nil {`
chore(all): review error wrappings - remove repetitive `cannot` and `failed` prefixes - rename `unmarshaling` to `decoding` 2023-04-01 16:53:04 +00:00			`return fmt.Errorf("setting ipv4 policies: %w", err)`
Feature/Bugfix: IPv6 blocking (#428) - Feature/Bugfix: Block all IPv6 traffic with `ip6tables` by default - Feature: Adapt existing firewall code to handle IPv4 and IPv6, depending on user inputs and environment - Maintenance: improve error wrapping in the firewall package 2021-04-19 09:24:46 -04:00			`}`
			`if err = c.setIPv6AllPolicies(ctx, "ACCEPT"); err != nil {`
chore(all): review error wrappings - remove repetitive `cannot` and `failed` prefixes - rename `unmarshaling` to `decoding` 2023-04-01 16:53:04 +00:00			`return fmt.Errorf("setting ipv6 policies: %w", err)`
Firewall refactoring - Ability to enable and disable rules in various loops - Simplified code overall - Port forwarding moved into openvpn loop - Route addition and removal improved 2020-07-11 21:03:55 +00:00			`}`
			`return nil`
			`}`

Add linters and fix lint issues 2020-10-20 02:45:28 +00:00			`// To use in defered call when enabling the firewall.`
Maint: firewall package interface rework - return concrete struct type - split interface is sub-interfaces 2021-07-23 19:12:16 +00:00			`func (c *Config) fallbackToDisabled(ctx context.Context) {`
Firewall refactoring - Ability to enable and disable rules in various loops - Simplified code overall - Port forwarding moved into openvpn loop - Route addition and removal improved 2020-07-11 21:03:55 +00:00			`if ctx.Err() != nil {`
			`return`
			`}`
Feature/Bugfix: IPv6 blocking (#428) - Feature/Bugfix: Block all IPv6 traffic with `ip6tables` by default - Feature: Adapt existing firewall code to handle IPv4 and IPv6, depending on user inputs and environment - Maintenance: improve error wrapping in the firewall package 2021-04-19 09:24:46 -04:00			`if err := c.disable(ctx); err != nil {`
			`c.logger.Error("failed reversing firewall changes: " + err.Error())`
Firewall refactoring - Ability to enable and disable rules in various loops - Simplified code overall - Port forwarding moved into openvpn loop - Route addition and removal improved 2020-07-11 21:03:55 +00:00			`}`
			`}`

Maint: firewall package interface rework - return concrete struct type - split interface is sub-interfaces 2021-07-23 19:12:16 +00:00			`func (c *Config) enable(ctx context.Context) (err error) {`
Feature/Bugfix: IPv6 blocking (#428) - Feature/Bugfix: Block all IPv6 traffic with `ip6tables` by default - Feature: Adapt existing firewall code to handle IPv4 and IPv6, depending on user inputs and environment - Maintenance: improve error wrapping in the firewall package 2021-04-19 09:24:46 -04:00			`touched := false`
			`if err = c.setIPv4AllPolicies(ctx, "DROP"); err != nil {`
chore(errors): review all errors in codebase 2022-02-20 02:58:16 +00:00			`return err`
Feature/Bugfix: IPv6 blocking (#428) - Feature/Bugfix: Block all IPv6 traffic with `ip6tables` by default - Feature: Adapt existing firewall code to handle IPv4 and IPv6, depending on user inputs and environment - Maintenance: improve error wrapping in the firewall package 2021-04-19 09:24:46 -04:00			`}`
			`touched = true`

			`if err = c.setIPv6AllPolicies(ctx, "DROP"); err != nil {`
chore(errors): review all errors in codebase 2022-02-20 02:58:16 +00:00			`return err`
Firewall refactoring - Ability to enable and disable rules in various loops - Simplified code overall - Port forwarding moved into openvpn loop - Route addition and removal improved 2020-07-11 21:03:55 +00:00			`}`

			`const remove = false`

			`defer func() {`
Feature/Bugfix: IPv6 blocking (#428) - Feature/Bugfix: Block all IPv6 traffic with `ip6tables` by default - Feature: Adapt existing firewall code to handle IPv4 and IPv6, depending on user inputs and environment - Maintenance: improve error wrapping in the firewall package 2021-04-19 09:24:46 -04:00			`if touched && err != nil {`
Firewall refactoring - Ability to enable and disable rules in various loops - Simplified code overall - Port forwarding moved into openvpn loop - Route addition and removal improved 2020-07-11 21:03:55 +00:00			`c.fallbackToDisabled(ctx)`
			`}`
			`}()`

			`// Loopback traffic`
			`if err = c.acceptInputThroughInterface(ctx, "lo", remove); err != nil {`
chore(errors): review all errors in codebase 2022-02-20 02:58:16 +00:00			`return err`
Firewall refactoring - Ability to enable and disable rules in various loops - Simplified code overall - Port forwarding moved into openvpn loop - Route addition and removal improved 2020-07-11 21:03:55 +00:00			`}`
			`if err = c.acceptOutputThroughInterface(ctx, "lo", remove); err != nil {`
chore(errors): review all errors in codebase 2022-02-20 02:58:16 +00:00			`return err`
Firewall refactoring - Ability to enable and disable rules in various loops - Simplified code overall - Port forwarding moved into openvpn loop - Route addition and removal improved 2020-07-11 21:03:55 +00:00			`}`

			`if err = c.acceptEstablishedRelatedTraffic(ctx, remove); err != nil {`
chore(errors): review all errors in codebase 2022-02-20 02:58:16 +00:00			`return err`
Firewall refactoring - Ability to enable and disable rules in various loops - Simplified code overall - Port forwarding moved into openvpn loop - Route addition and removal improved 2020-07-11 21:03:55 +00:00			`}`
feat(firewall): use all default routes - Accept output traffic from all default routes through VPN interface - Accept output from all default routes to outbound subnets - Accept all input traffic on ports for all default routes - Add IP rules for all default routes 2022-03-13 13:26:09 +00:00
			`if err = c.allowVPNIP(ctx); err != nil {`
			`return err`
Firewall refactoring - Ability to enable and disable rules in various loops - Simplified code overall - Port forwarding moved into openvpn loop - Route addition and removal improved 2020-07-11 21:03:55 +00:00			`}`
Routing improvements (#268) - Fixes #82 - Remove `EXTRA_SUBNETS` - Remove no longer needed iptables rules - Reduce routing interface arity - Routing setup is done in main.go instead of in the firewall - Routing setup gets reverted at shutdown 2020-10-24 18:05:11 -04:00
Feature: uplift the 'localSubnet' concept to cover all local ethernet interfaces (#413) 2021-04-10 03:08:20 +10:00			`for _, network := range c.localNetworks {`
chore(all): use `netip.Prefix` for ip networks - remove usage of `net.IPNet` - remove usage of `netaddr.IPPrefix` 2023-04-27 13:41:05 +00:00			`if err := c.acceptOutputFromIPToSubnet(ctx, network.InterfaceName, network.IP, network.IPNet, remove); err != nil {`
chore(errors): review all errors in codebase 2022-02-20 02:58:16 +00:00			`return err`
Feature: uplift the 'localSubnet' concept to cover all local ethernet interfaces (#413) 2021-04-10 03:08:20 +10:00			`}`
feat(network): enable ipv6 connection and tunneling (#1114) Co-authored-by: Quentin McGaw <quentin.mcgaw@gmail.com> 2022-09-14 02:18:10 +02:00			`if err = c.acceptIpv6MulticastOutput(ctx, network.InterfaceName, remove); err != nil {`
			`return err`
			`}`
Fix #289 2020-11-06 02:54:27 +00:00			`}`

feat(firewall): use all default routes - Accept output traffic from all default routes through VPN interface - Accept output from all default routes to outbound subnets - Accept all input traffic on ports for all default routes - Add IP rules for all default routes 2022-03-13 13:26:09 +00:00			`if err = c.allowOutboundSubnets(ctx); err != nil {`
			`return err`
Fix #273 (#277), adding FIREWALL_OUTBOUND_SUBNETS 2020-10-29 19:23:44 -04:00			`}`

Routing improvements (#268) - Fixes #82 - Remove `EXTRA_SUBNETS` - Remove no longer needed iptables rules - Reduce routing interface arity - Routing setup is done in main.go instead of in the firewall - Routing setup gets reverted at shutdown 2020-10-24 18:05:11 -04:00			`// Allows packets from any IP address to go through eth0 / local network`
			`// to reach Gluetun.`
Feature: uplift the 'localSubnet' concept to cover all local ethernet interfaces (#413) 2021-04-10 03:08:20 +10:00			`for _, network := range c.localNetworks {`
chore(all): use `netip.Prefix` for ip networks - remove usage of `net.IPNet` - remove usage of `netaddr.IPPrefix` 2023-04-27 13:41:05 +00:00			`if err := c.acceptInputToSubnet(ctx, network.InterfaceName, network.IPNet, remove); err != nil {`
chore(errors): review all errors in codebase 2022-02-20 02:58:16 +00:00			`return err`
Feature: uplift the 'localSubnet' concept to cover all local ethernet interfaces (#413) 2021-04-10 03:08:20 +10:00			`}`
Firewall refactoring - Ability to enable and disable rules in various loops - Simplified code overall - Port forwarding moved into openvpn loop - Route addition and removal improved 2020-07-11 21:03:55 +00:00			`}`

feat(firewall): use all default routes - Accept output traffic from all default routes through VPN interface - Accept output from all default routes to outbound subnets - Accept all input traffic on ports for all default routes - Add IP rules for all default routes 2022-03-13 13:26:09 +00:00			`if err = c.allowInputPorts(ctx); err != nil {`
			`return err`
Firewall refactoring - Ability to enable and disable rules in various loops - Simplified code overall - Port forwarding moved into openvpn loop - Route addition and removal improved 2020-07-11 21:03:55 +00:00			`}`

Maint: do not mock os functions - Use filepaths with /tmp for tests instead - Only mock functions where filepath can't be specified such as user.Lookup 2021-07-23 16:06:19 +00:00			`if err := c.runUserPostRules(ctx, c.customRulesPath, remove); err != nil {`
chore(all): review error wrappings - remove repetitive `cannot` and `failed` prefixes - rename `unmarshaling` to `decoding` 2023-04-01 16:53:04 +00:00			`return fmt.Errorf("running user defined post firewall rules: %w", err)`
Firewall refactoring - Ability to enable and disable rules in various loops - Simplified code overall - Port forwarding moved into openvpn loop - Route addition and removal improved 2020-07-11 21:03:55 +00:00			`}`

			`return nil`
			`}`
feat(firewall): use all default routes - Accept output traffic from all default routes through VPN interface - Accept output from all default routes to outbound subnets - Accept all input traffic on ports for all default routes - Add IP rules for all default routes 2022-03-13 13:26:09 +00:00
			`func (c *Config) allowVPNIP(ctx context.Context) (err error) {`
			`if c.vpnConnection.IP == nil {`
			`return nil`
			`}`

			`const remove = false`
			`for _, defaultRoute := range c.defaultRoutes {`
			`err = c.acceptOutputTrafficToVPN(ctx, defaultRoute.NetInterface, c.vpnConnection, remove)`
			`if err != nil {`
chore(all): review error wrappings - remove repetitive `cannot` and `failed` prefixes - rename `unmarshaling` to `decoding` 2023-04-01 16:53:04 +00:00			`return fmt.Errorf("accepting output traffic through VPN: %w", err)`
feat(firewall): use all default routes - Accept output traffic from all default routes through VPN interface - Accept output from all default routes to outbound subnets - Accept all input traffic on ports for all default routes - Add IP rules for all default routes 2022-03-13 13:26:09 +00:00			`}`
			`}`

			`return nil`
			`}`

			`func (c *Config) allowOutboundSubnets(ctx context.Context) (err error) {`
			`for _, subnet := range c.outboundSubnets {`
			`for _, defaultRoute := range c.defaultRoutes {`
			`const remove = false`
			`err := c.acceptOutputFromIPToSubnet(ctx, defaultRoute.NetInterface,`
			`defaultRoute.AssignedIP, subnet, remove)`
			`if err != nil {`
			`return err`
			`}`
			`}`
			`}`
			`return nil`
			`}`

			`func (c *Config) allowInputPorts(ctx context.Context) (err error) {`
			`for port, netInterfaces := range c.allowedInputPorts {`
			`for netInterface := range netInterfaces {`
			`const remove = false`
			`err = c.acceptInputToPort(ctx, netInterface, port, remove)`
			`if err != nil {`
chore(all): review error wrappings - remove repetitive `cannot` and `failed` prefixes - rename `unmarshaling` to `decoding` 2023-04-01 16:53:04 +00:00			`return fmt.Errorf("accepting input port %d on interface %s: %w",`
feat(firewall): use all default routes - Accept output traffic from all default routes through VPN interface - Accept output from all default routes to outbound subnets - Accept all input traffic on ports for all default routes - Add IP rules for all default routes 2022-03-13 13:26:09 +00:00			`port, netInterface, err)`
			`}`
			`}`
			`}`
			`return nil`
			`}`