internal/firewall/firewall.go

package firewall

import (
	"context"
	"net"
	"sync"

	"github.com/qdm12/golibs/command"
	"github.com/qdm12/golibs/files"
	"github.com/qdm12/golibs/logging"
	"github.com/qdm12/private-internet-access-docker/internal/models"
	"github.com/qdm12/private-internet-access-docker/internal/routing"
)

// Configurator allows to change firewall rules and modify network routes
type Configurator interface {
	Version(ctx context.Context) (string, error)
	SetEnabled(ctx context.Context, enabled bool) (err error)
	SetVPNConnections(ctx context.Context, connections []models.OpenVPNConnection) (err error)
	SetAllowedSubnets(ctx context.Context, subnets []net.IPNet) (err error)
	SetAllowedPort(ctx context.Context, port uint16) error
	RemoveAllowedPort(ctx context.Context, port uint16) (err error)
	SetPortForward(ctx context.Context, port uint16) (err error)
	SetDebug()
}

type configurator struct { //nolint:maligned
	commander     command.Commander
	logger        logging.Logger
	routing       routing.Routing
	fileManager   files.FileManager // for custom iptables rules
	iptablesMutex sync.Mutex
	debug         bool

	// State
	enabled        bool
	vpnConnections []models.OpenVPNConnection
	allowedSubnets []net.IPNet
	allowedPorts   map[uint16]struct{}
	portForwarded  uint16
	stateMutex     sync.Mutex
}

// NewConfigurator creates a new Configurator instance
func NewConfigurator(logger logging.Logger, routing routing.Routing, fileManager files.FileManager) Configurator {
	return &configurator{
		commander:    command.NewCommander(),
		logger:       logger.WithPrefix("firewall: "),
		routing:      routing,
		fileManager:  fileManager,
		allowedPorts: make(map[uint16]struct{}),
	}
}

func (c *configurator) SetDebug() {
	c.debug = true
}
Rewrite of the entrypoint in Golang (#71) - General improvements - Parallel download of only needed files at start - Prettier console output with all streams merged (openvpn, unbound, shadowsocks etc.) - Simplified Docker final image - Faster bootup - DNS over TLS - Finer grain blocking at DNS level: malicious, ads and surveillance - Choose your DNS over TLS providers - Ability to use multiple DNS over TLS providers for DNS split horizon - Environment variables for DNS logging - DNS block lists needed are downloaded and built automatically at start, in parallel - PIA - A random region is selected if the REGION parameter is left empty (thanks @rorph for your PR) - Routing and iptables adjusted so it can work as a Kubernetes pod sidecar (thanks @rorph for your PR) 2020-02-06 20:42:46 -05:00			`package firewall`

			`import (`
Updated dependencies 2020-04-19 18:13:48 +00:00			`"context"`
Rewrite of the entrypoint in Golang (#71) - General improvements - Parallel download of only needed files at start - Prettier console output with all streams merged (openvpn, unbound, shadowsocks etc.) - Simplified Docker final image - Faster bootup - DNS over TLS - Finer grain blocking at DNS level: malicious, ads and surveillance - Choose your DNS over TLS providers - Ability to use multiple DNS over TLS providers for DNS split horizon - Environment variables for DNS logging - DNS block lists needed are downloaded and built automatically at start, in parallel - PIA - A random region is selected if the REGION parameter is left empty (thanks @rorph for your PR) - Routing and iptables adjusted so it can work as a Kubernetes pod sidecar (thanks @rorph for your PR) 2020-02-06 20:42:46 -05:00			`"net"`
Firewall refactoring - Ability to enable and disable rules in various loops - Simplified code overall - Port forwarding moved into openvpn loop - Route addition and removal improved 2020-07-11 21:03:55 +00:00			`"sync"`
Rewrite of the entrypoint in Golang (#71) - General improvements - Parallel download of only needed files at start - Prettier console output with all streams merged (openvpn, unbound, shadowsocks etc.) - Simplified Docker final image - Faster bootup - DNS over TLS - Finer grain blocking at DNS level: malicious, ads and surveillance - Choose your DNS over TLS providers - Ability to use multiple DNS over TLS providers for DNS split horizon - Environment variables for DNS logging - DNS block lists needed are downloaded and built automatically at start, in parallel - PIA - A random region is selected if the REGION parameter is left empty (thanks @rorph for your PR) - Routing and iptables adjusted so it can work as a Kubernetes pod sidecar (thanks @rorph for your PR) 2020-02-06 20:42:46 -05:00
			`"github.com/qdm12/golibs/command"`
User specified iptables rules (#161) 2020-05-18 09:37:34 -04:00			`"github.com/qdm12/golibs/files"`
Rewrite of the entrypoint in Golang (#71) - General improvements - Parallel download of only needed files at start - Prettier console output with all streams merged (openvpn, unbound, shadowsocks etc.) - Simplified Docker final image - Faster bootup - DNS over TLS - Finer grain blocking at DNS level: malicious, ads and surveillance - Choose your DNS over TLS providers - Ability to use multiple DNS over TLS providers for DNS split horizon - Environment variables for DNS logging - DNS block lists needed are downloaded and built automatically at start, in parallel - PIA - A random region is selected if the REGION parameter is left empty (thanks @rorph for your PR) - Routing and iptables adjusted so it can work as a Kubernetes pod sidecar (thanks @rorph for your PR) 2020-02-06 20:42:46 -05:00			`"github.com/qdm12/golibs/logging"`
			`"github.com/qdm12/private-internet-access-docker/internal/models"`
Firewall refactoring - Ability to enable and disable rules in various loops - Simplified code overall - Port forwarding moved into openvpn loop - Route addition and removal improved 2020-07-11 21:03:55 +00:00			`"github.com/qdm12/private-internet-access-docker/internal/routing"`
Rewrite of the entrypoint in Golang (#71) - General improvements - Parallel download of only needed files at start - Prettier console output with all streams merged (openvpn, unbound, shadowsocks etc.) - Simplified Docker final image - Faster bootup - DNS over TLS - Finer grain blocking at DNS level: malicious, ads and surveillance - Choose your DNS over TLS providers - Ability to use multiple DNS over TLS providers for DNS split horizon - Environment variables for DNS logging - DNS block lists needed are downloaded and built automatically at start, in parallel - PIA - A random region is selected if the REGION parameter is left empty (thanks @rorph for your PR) - Routing and iptables adjusted so it can work as a Kubernetes pod sidecar (thanks @rorph for your PR) 2020-02-06 20:42:46 -05:00			`)`

			`// Configurator allows to change firewall rules and modify network routes`
			`type Configurator interface {`
Updated dependencies 2020-04-19 18:13:48 +00:00			`Version(ctx context.Context) (string, error)`
Firewall refactoring - Ability to enable and disable rules in various loops - Simplified code overall - Port forwarding moved into openvpn loop - Route addition and removal improved 2020-07-11 21:03:55 +00:00			`SetEnabled(ctx context.Context, enabled bool) (err error)`
			`SetVPNConnections(ctx context.Context, connections []models.OpenVPNConnection) (err error)`
			`SetAllowedSubnets(ctx context.Context, subnets []net.IPNet) (err error)`
			`SetAllowedPort(ctx context.Context, port uint16) error`
			`RemoveAllowedPort(ctx context.Context, port uint16) (err error)`
			`SetPortForward(ctx context.Context, port uint16) (err error)`
FIREWALL_DEBUG variable, refers to #190, #194 2020-07-13 02:14:56 +00:00			`SetDebug()`
Rewrite of the entrypoint in Golang (#71) - General improvements - Parallel download of only needed files at start - Prettier console output with all streams merged (openvpn, unbound, shadowsocks etc.) - Simplified Docker final image - Faster bootup - DNS over TLS - Finer grain blocking at DNS level: malicious, ads and surveillance - Choose your DNS over TLS providers - Ability to use multiple DNS over TLS providers for DNS split horizon - Environment variables for DNS logging - DNS block lists needed are downloaded and built automatically at start, in parallel - PIA - A random region is selected if the REGION parameter is left empty (thanks @rorph for your PR) - Routing and iptables adjusted so it can work as a Kubernetes pod sidecar (thanks @rorph for your PR) 2020-02-06 20:42:46 -05:00			`}`

Firewall refactoring - Ability to enable and disable rules in various loops - Simplified code overall - Port forwarding moved into openvpn loop - Route addition and removal improved 2020-07-11 21:03:55 +00:00			`type configurator struct { //nolint:maligned`
			`commander command.Commander`
			`logger logging.Logger`
			`routing routing.Routing`
			`fileManager files.FileManager // for custom iptables rules`
			`iptablesMutex sync.Mutex`
FIREWALL_DEBUG variable, refers to #190, #194 2020-07-13 02:14:56 +00:00			`debug bool`
Firewall refactoring - Ability to enable and disable rules in various loops - Simplified code overall - Port forwarding moved into openvpn loop - Route addition and removal improved 2020-07-11 21:03:55 +00:00
			`// State`
			`enabled bool`
			`vpnConnections []models.OpenVPNConnection`
			`allowedSubnets []net.IPNet`
			`allowedPorts map[uint16]struct{}`
			`portForwarded uint16`
			`stateMutex sync.Mutex`
Rewrite of the entrypoint in Golang (#71) - General improvements - Parallel download of only needed files at start - Prettier console output with all streams merged (openvpn, unbound, shadowsocks etc.) - Simplified Docker final image - Faster bootup - DNS over TLS - Finer grain blocking at DNS level: malicious, ads and surveillance - Choose your DNS over TLS providers - Ability to use multiple DNS over TLS providers for DNS split horizon - Environment variables for DNS logging - DNS block lists needed are downloaded and built automatically at start, in parallel - PIA - A random region is selected if the REGION parameter is left empty (thanks @rorph for your PR) - Routing and iptables adjusted so it can work as a Kubernetes pod sidecar (thanks @rorph for your PR) 2020-02-06 20:42:46 -05:00			`}`

			`// NewConfigurator creates a new Configurator instance`
Firewall refactoring - Ability to enable and disable rules in various loops - Simplified code overall - Port forwarding moved into openvpn loop - Route addition and removal improved 2020-07-11 21:03:55 +00:00			`func NewConfigurator(logger logging.Logger, routing routing.Routing, fileManager files.FileManager) Configurator {`
Rewrite of the entrypoint in Golang (#71) - General improvements - Parallel download of only needed files at start - Prettier console output with all streams merged (openvpn, unbound, shadowsocks etc.) - Simplified Docker final image - Faster bootup - DNS over TLS - Finer grain blocking at DNS level: malicious, ads and surveillance - Choose your DNS over TLS providers - Ability to use multiple DNS over TLS providers for DNS split horizon - Environment variables for DNS logging - DNS block lists needed are downloaded and built automatically at start, in parallel - PIA - A random region is selected if the REGION parameter is left empty (thanks @rorph for your PR) - Routing and iptables adjusted so it can work as a Kubernetes pod sidecar (thanks @rorph for your PR) 2020-02-06 20:42:46 -05:00			`return &configurator{`
Firewall refactoring - Ability to enable and disable rules in various loops - Simplified code overall - Port forwarding moved into openvpn loop - Route addition and removal improved 2020-07-11 21:03:55 +00:00			`commander: command.NewCommander(),`
			`logger: logger.WithPrefix("firewall: "),`
			`routing: routing,`
			`fileManager: fileManager,`
			`allowedPorts: make(map[uint16]struct{}),`
Rewrite of the entrypoint in Golang (#71) - General improvements - Parallel download of only needed files at start - Prettier console output with all streams merged (openvpn, unbound, shadowsocks etc.) - Simplified Docker final image - Faster bootup - DNS over TLS - Finer grain blocking at DNS level: malicious, ads and surveillance - Choose your DNS over TLS providers - Ability to use multiple DNS over TLS providers for DNS split horizon - Environment variables for DNS logging - DNS block lists needed are downloaded and built automatically at start, in parallel - PIA - A random region is selected if the REGION parameter is left empty (thanks @rorph for your PR) - Routing and iptables adjusted so it can work as a Kubernetes pod sidecar (thanks @rorph for your PR) 2020-02-06 20:42:46 -05:00			`}`
			`}`
FIREWALL_DEBUG variable, refers to #190, #194 2020-07-13 02:14:56 +00:00
			`func (c *configurator) SetDebug() {`
			`c.debug = true`
			`}`