internal/firewall/ip6tables.go

package firewall

import (
	"context"
	"errors"
	"fmt"
	"os/exec"
	"strings"

	"github.com/qdm12/golibs/command"
)

var (
	ErrIP6Tables       = errors.New("failed ip6tables command")
	ErrIP6NotSupported = errors.New("ip6tables not supported")
)

func ip6tablesSupported(ctx context.Context, commander command.Commander) (supported bool) {
	cmd := exec.CommandContext(ctx, "ip6tables", "-L")
	if _, err := commander.Run(cmd); err != nil {
		return false
	}
	return true
}

func (c *Config) runIP6tablesInstructions(ctx context.Context, instructions []string) error {
	for _, instruction := range instructions {
		if err := c.runIP6tablesInstruction(ctx, instruction); err != nil {
			return err
		}
	}
	return nil
}

func (c *Config) runIP6tablesInstruction(ctx context.Context, instruction string) error {
	if !c.ip6Tables {
		return nil
	}
	c.ip6tablesMutex.Lock() // only one ip6tables command at once
	defer c.ip6tablesMutex.Unlock()

	c.logger.Debug("ip6tables " + instruction)

	flags := strings.Fields(instruction)
	cmd := exec.CommandContext(ctx, "ip6tables", flags...)
	if output, err := c.commander.Run(cmd); err != nil {
		return fmt.Errorf("%w: \"ip6tables %s\": %s: %s", ErrIP6Tables, instruction, output, err)
	}
	return nil
}

var errPolicyNotValid = errors.New("policy is not valid")

func (c *Config) setIPv6AllPolicies(ctx context.Context, policy string) error {
	switch policy {
	case "ACCEPT", "DROP":
	default:
		return fmt.Errorf("%w: %s", errPolicyNotValid, policy)
	}
	return c.runIP6tablesInstructions(ctx, []string{
		"--policy INPUT " + policy,
		"--policy OUTPUT " + policy,
		"--policy FORWARD " + policy,
	})
}
Feature/Bugfix: IPv6 blocking (#428) - Feature/Bugfix: Block all IPv6 traffic with `ip6tables` by default - Feature: Adapt existing firewall code to handle IPv4 and IPv6, depending on user inputs and environment - Maintenance: improve error wrapping in the firewall package 2021-04-19 09:24:46 -04:00			`package firewall`

			`import (`
			`"context"`
			`"errors"`
			`"fmt"`
Fix: controlled interrupt exit for subprograms - Openvpn and Unbound do not receive OS signals - Openvpn and Unbound run in a different process group than the entrypoint - Openvpn and Unbound are gracefully shutdown by the entrypoint - Update golibs with a modified command package - Update dns to v1.9.0 where Unbound is luanched in its own group 2021-07-16 20:04:17 +00:00			`"os/exec"`
Feature/Bugfix: IPv6 blocking (#428) - Feature/Bugfix: Block all IPv6 traffic with `ip6tables` by default - Feature: Adapt existing firewall code to handle IPv4 and IPv6, depending on user inputs and environment - Maintenance: improve error wrapping in the firewall package 2021-04-19 09:24:46 -04:00			`"strings"`
Fix: only run ip6tables if it is supported by the Kernel (#431) - Fix #430 2021-04-19 14:35:29 -04:00
			`"github.com/qdm12/golibs/command"`
Feature/Bugfix: IPv6 blocking (#428) - Feature/Bugfix: Block all IPv6 traffic with `ip6tables` by default - Feature: Adapt existing firewall code to handle IPv4 and IPv6, depending on user inputs and environment - Maintenance: improve error wrapping in the firewall package 2021-04-19 09:24:46 -04:00			`)`

			`var (`
Fix: only run ip6tables if it is supported by the Kernel (#431) - Fix #430 2021-04-19 14:35:29 -04:00			`ErrIP6Tables = errors.New("failed ip6tables command")`
			`ErrIP6NotSupported = errors.New("ip6tables not supported")`
Feature/Bugfix: IPv6 blocking (#428) - Feature/Bugfix: Block all IPv6 traffic with `ip6tables` by default - Feature: Adapt existing firewall code to handle IPv4 and IPv6, depending on user inputs and environment - Maintenance: improve error wrapping in the firewall package 2021-04-19 09:24:46 -04:00			`)`

Fix: only run ip6tables if it is supported by the Kernel (#431) - Fix #430 2021-04-19 14:35:29 -04:00			`func ip6tablesSupported(ctx context.Context, commander command.Commander) (supported bool) {`
Fix: controlled interrupt exit for subprograms - Openvpn and Unbound do not receive OS signals - Openvpn and Unbound run in a different process group than the entrypoint - Openvpn and Unbound are gracefully shutdown by the entrypoint - Update golibs with a modified command package - Update dns to v1.9.0 where Unbound is luanched in its own group 2021-07-16 20:04:17 +00:00			`cmd := exec.CommandContext(ctx, "ip6tables", "-L")`
			`if _, err := commander.Run(cmd); err != nil {`
Fix: only run ip6tables if it is supported by the Kernel (#431) - Fix #430 2021-04-19 14:35:29 -04:00			`return false`
			`}`
			`return true`
			`}`

Maint: firewall package interface rework - return concrete struct type - split interface is sub-interfaces 2021-07-23 19:12:16 +00:00			`func (c *Config) runIP6tablesInstructions(ctx context.Context, instructions []string) error {`
Feature/Bugfix: IPv6 blocking (#428) - Feature/Bugfix: Block all IPv6 traffic with `ip6tables` by default - Feature: Adapt existing firewall code to handle IPv4 and IPv6, depending on user inputs and environment - Maintenance: improve error wrapping in the firewall package 2021-04-19 09:24:46 -04:00			`for _, instruction := range instructions {`
			`if err := c.runIP6tablesInstruction(ctx, instruction); err != nil {`
			`return err`
			`}`
			`}`
			`return nil`
			`}`

Maint: firewall package interface rework - return concrete struct type - split interface is sub-interfaces 2021-07-23 19:12:16 +00:00			`func (c *Config) runIP6tablesInstruction(ctx context.Context, instruction string) error {`
Fix: only run ip6tables if it is supported by the Kernel (#431) - Fix #430 2021-04-19 14:35:29 -04:00			`if !c.ip6Tables {`
			`return nil`
			`}`
Feature/Bugfix: IPv6 blocking (#428) - Feature/Bugfix: Block all IPv6 traffic with `ip6tables` by default - Feature: Adapt existing firewall code to handle IPv4 and IPv6, depending on user inputs and environment - Maintenance: improve error wrapping in the firewall package 2021-04-19 09:24:46 -04:00			`c.ip6tablesMutex.Lock() // only one ip6tables command at once`
			`defer c.ip6tablesMutex.Unlock()`
Maint: firewall and routing use logger.Debug - Remove SetVerbose and SetDebug from both - Log routing teardown - Default logging level set to info 2021-07-23 18:20:18 +00:00
			`c.logger.Debug("ip6tables " + instruction)`

Feature/Bugfix: IPv6 blocking (#428) - Feature/Bugfix: Block all IPv6 traffic with `ip6tables` by default - Feature: Adapt existing firewall code to handle IPv4 and IPv6, depending on user inputs and environment - Maintenance: improve error wrapping in the firewall package 2021-04-19 09:24:46 -04:00			`flags := strings.Fields(instruction)`
Fix: controlled interrupt exit for subprograms - Openvpn and Unbound do not receive OS signals - Openvpn and Unbound run in a different process group than the entrypoint - Openvpn and Unbound are gracefully shutdown by the entrypoint - Update golibs with a modified command package - Update dns to v1.9.0 where Unbound is luanched in its own group 2021-07-16 20:04:17 +00:00			`cmd := exec.CommandContext(ctx, "ip6tables", flags...)`
			`if output, err := c.commander.Run(cmd); err != nil {`
Maintenance: improve error wrapping 2021-05-30 16:14:08 +00:00			`return fmt.Errorf("%w: \"ip6tables %s\": %s: %s", ErrIP6Tables, instruction, output, err)`
Feature/Bugfix: IPv6 blocking (#428) - Feature/Bugfix: Block all IPv6 traffic with `ip6tables` by default - Feature: Adapt existing firewall code to handle IPv4 and IPv6, depending on user inputs and environment - Maintenance: improve error wrapping in the firewall package 2021-04-19 09:24:46 -04:00			`}`
			`return nil`
			`}`

Maintenance: improve error wrapping 2021-05-30 16:14:08 +00:00			`var errPolicyNotValid = errors.New("policy is not valid")`

Maint: firewall package interface rework - return concrete struct type - split interface is sub-interfaces 2021-07-23 19:12:16 +00:00			`func (c *Config) setIPv6AllPolicies(ctx context.Context, policy string) error {`
Feature/Bugfix: IPv6 blocking (#428) - Feature/Bugfix: Block all IPv6 traffic with `ip6tables` by default - Feature: Adapt existing firewall code to handle IPv4 and IPv6, depending on user inputs and environment - Maintenance: improve error wrapping in the firewall package 2021-04-19 09:24:46 -04:00			`switch policy {`
			`case "ACCEPT", "DROP":`
			`default:`
Maintenance: improve error wrapping 2021-05-30 16:14:08 +00:00			`return fmt.Errorf("%w: %s", errPolicyNotValid, policy)`
Feature/Bugfix: IPv6 blocking (#428) - Feature/Bugfix: Block all IPv6 traffic with `ip6tables` by default - Feature: Adapt existing firewall code to handle IPv4 and IPv6, depending on user inputs and environment - Maintenance: improve error wrapping in the firewall package 2021-04-19 09:24:46 -04:00			`}`
			`return c.runIP6tablesInstructions(ctx, []string{`
			`"--policy INPUT " + policy,`
			`"--policy OUTPUT " + policy,`
			`"--policy FORWARD " + policy,`
			`})`
			`}`