internal/firewall/ports.go

package firewall

import (
	"context"
	"fmt"
	"strconv"
)

func (c *Config) SetAllowedPort(ctx context.Context, port uint16, intf string) (err error) {
	c.stateMutex.Lock()
	defer c.stateMutex.Unlock()

	if port == 0 {
		return nil
	}

	if !c.enabled {
		c.logger.Info("firewall disabled, only updating allowed ports internal state")
		existingInterfaces, ok := c.allowedInputPorts[port]
		if !ok {
			existingInterfaces = make(map[string]struct{})
		}
		existingInterfaces[intf] = struct{}{}
		c.allowedInputPorts[port] = existingInterfaces
		return nil
	}

	netInterfaces, has := c.allowedInputPorts[port]
	if !has {
		netInterfaces = make(map[string]struct{})
	} else if _, exists := netInterfaces[intf]; exists {
		return nil
	}

	c.logger.Info("setting allowed input port " + fmt.Sprint(port) + " through interface " + intf + "...")

	const remove = false
	if err := c.acceptInputToPort(ctx, intf, port, remove); err != nil {
		return fmt.Errorf("allowing input to port %d through interface %s: %w",
			port, intf, err)
	}
	netInterfaces[intf] = struct{}{}
	c.allowedInputPorts[port] = netInterfaces

	return nil
}

func (c *Config) RemoveAllowedPort(ctx context.Context, port uint16) (err error) {
	c.stateMutex.Lock()
	defer c.stateMutex.Unlock()

	if port == 0 {
		return nil
	}

	if !c.enabled {
		c.logger.Info("firewall disabled, only updating allowed ports internal list")
		delete(c.allowedInputPorts, port)
		return nil
	}

	c.logger.Info("removing allowed port " + strconv.Itoa(int(port)) + "...")

	interfacesSet, ok := c.allowedInputPorts[port]
	if !ok {
		return nil
	}

	const remove = true
	for netInterface := range interfacesSet {
		err := c.acceptInputToPort(ctx, netInterface, port, remove)
		if err != nil {
			return fmt.Errorf("removing allowed port %d on interface %s: %w",
				port, netInterface, err)
		}
		delete(interfacesSet, netInterface)
	}

	// All interfaces were removed successfully, so remove the port entry.
	delete(c.allowedInputPorts, port)

	return nil
}
Firewall refactoring - Ability to enable and disable rules in various loops - Simplified code overall - Port forwarding moved into openvpn loop - Route addition and removal improved 2020-07-11 21:03:55 +00:00			`package firewall`

			`import (`
			`"context"`
			`"fmt"`
Maint: pass only single strings to logger methods - Do not assume formatting from logger's interface - Allow to change golibs in the future to accept only strings for logger methods 2021-07-23 17:36:08 +00:00			`"strconv"`
Firewall refactoring - Ability to enable and disable rules in various loops - Simplified code overall - Port forwarding moved into openvpn loop - Route addition and removal improved 2020-07-11 21:03:55 +00:00			`)`

Maint: firewall package interface rework - return concrete struct type - split interface is sub-interfaces 2021-07-23 19:12:16 +00:00			`func (c *Config) SetAllowedPort(ctx context.Context, port uint16, intf string) (err error) {`
Firewall refactoring - Ability to enable and disable rules in various loops - Simplified code overall - Port forwarding moved into openvpn loop - Route addition and removal improved 2020-07-11 21:03:55 +00:00			`c.stateMutex.Lock()`
			`defer c.stateMutex.Unlock()`

			`if port == 0 {`
			`return nil`
			`}`

			`if !c.enabled {`
Firewall simplifications - Only a map of allowed input port to interface - port forwarded is in the map of allowed input ports - port forwarded has the interface tun0 in this map - Always allow tcp and udp for allowed input ports - Port forward state is in openvpn looper only - Shadowsocks input port allowed on default interface only - Tinyproxy input port allowed on default interface only 2020-07-20 00:39:59 +00:00			`c.logger.Info("firewall disabled, only updating allowed ports internal state")`
feat(firewall): use all default routes - Accept output traffic from all default routes through VPN interface - Accept output from all default routes to outbound subnets - Accept all input traffic on ports for all default routes - Add IP rules for all default routes 2022-03-13 13:26:09 +00:00			`existingInterfaces, ok := c.allowedInputPorts[port]`
			`if !ok {`
			`existingInterfaces = make(map[string]struct{})`
			`}`
			`existingInterfaces[intf] = struct{}{}`
			`c.allowedInputPorts[port] = existingInterfaces`
Firewall refactoring - Ability to enable and disable rules in various loops - Simplified code overall - Port forwarding moved into openvpn loop - Route addition and removal improved 2020-07-11 21:03:55 +00:00			`return nil`
			`}`

feat(firewall): use all default routes - Accept output traffic from all default routes through VPN interface - Accept output from all default routes to outbound subnets - Accept all input traffic on ports for all default routes - Add IP rules for all default routes 2022-03-13 13:26:09 +00:00			`netInterfaces, has := c.allowedInputPorts[port]`
			`if !has {`
			`netInterfaces = make(map[string]struct{})`
			`} else if _, exists := netInterfaces[intf]; exists {`
			`return nil`
Firewall refactoring - Ability to enable and disable rules in various loops - Simplified code overall - Port forwarding moved into openvpn loop - Route addition and removal improved 2020-07-11 21:03:55 +00:00			`}`

feat(firewall): use all default routes - Accept output traffic from all default routes through VPN interface - Accept output from all default routes to outbound subnets - Accept all input traffic on ports for all default routes - Add IP rules for all default routes 2022-03-13 13:26:09 +00:00			`c.logger.Info("setting allowed input port " + fmt.Sprint(port) + " through interface " + intf + "...")`

Firewall refactoring - Ability to enable and disable rules in various loops - Simplified code overall - Port forwarding moved into openvpn loop - Route addition and removal improved 2020-07-11 21:03:55 +00:00			`const remove = false`
Firewall simplifications - Only a map of allowed input port to interface - port forwarded is in the map of allowed input ports - port forwarded has the interface tun0 in this map - Always allow tcp and udp for allowed input ports - Port forward state is in openvpn looper only - Shadowsocks input port allowed on default interface only - Tinyproxy input port allowed on default interface only 2020-07-20 00:39:59 +00:00			`if err := c.acceptInputToPort(ctx, intf, port, remove); err != nil {`
chore(all): review error wrappings - remove repetitive `cannot` and `failed` prefixes - rename `unmarshaling` to `decoding` 2023-04-01 16:53:04 +00:00			`return fmt.Errorf("allowing input to port %d through interface %s: %w",`
feat(firewall): use all default routes - Accept output traffic from all default routes through VPN interface - Accept output from all default routes to outbound subnets - Accept all input traffic on ports for all default routes - Add IP rules for all default routes 2022-03-13 13:26:09 +00:00			`port, intf, err)`
Firewall refactoring - Ability to enable and disable rules in various loops - Simplified code overall - Port forwarding moved into openvpn loop - Route addition and removal improved 2020-07-11 21:03:55 +00:00			`}`
feat(firewall): use all default routes - Accept output traffic from all default routes through VPN interface - Accept output from all default routes to outbound subnets - Accept all input traffic on ports for all default routes - Add IP rules for all default routes 2022-03-13 13:26:09 +00:00			`netInterfaces[intf] = struct{}{}`
fix(firewall): remove previously allowed input ports 2022-11-11 09:19:03 +00:00			`c.allowedInputPorts[port] = netInterfaces`
Firewall refactoring - Ability to enable and disable rules in various loops - Simplified code overall - Port forwarding moved into openvpn loop - Route addition and removal improved 2020-07-11 21:03:55 +00:00
			`return nil`
			`}`

Maint: firewall package interface rework - return concrete struct type - split interface is sub-interfaces 2021-07-23 19:12:16 +00:00			`func (c *Config) RemoveAllowedPort(ctx context.Context, port uint16) (err error) {`
Firewall refactoring - Ability to enable and disable rules in various loops - Simplified code overall - Port forwarding moved into openvpn loop - Route addition and removal improved 2020-07-11 21:03:55 +00:00			`c.stateMutex.Lock()`
			`defer c.stateMutex.Unlock()`

			`if port == 0 {`
			`return nil`
			`}`

			`if !c.enabled {`
			`c.logger.Info("firewall disabled, only updating allowed ports internal list")`
Firewall simplifications - Only a map of allowed input port to interface - port forwarded is in the map of allowed input ports - port forwarded has the interface tun0 in this map - Always allow tcp and udp for allowed input ports - Port forward state is in openvpn looper only - Shadowsocks input port allowed on default interface only - Tinyproxy input port allowed on default interface only 2020-07-20 00:39:59 +00:00			`delete(c.allowedInputPorts, port)`
Firewall refactoring - Ability to enable and disable rules in various loops - Simplified code overall - Port forwarding moved into openvpn loop - Route addition and removal improved 2020-07-11 21:03:55 +00:00			`return nil`
			`}`

feat(firewall): use all default routes - Accept output traffic from all default routes through VPN interface - Accept output from all default routes to outbound subnets - Accept all input traffic on ports for all default routes - Add IP rules for all default routes 2022-03-13 13:26:09 +00:00			`c.logger.Info("removing allowed port " + strconv.Itoa(int(port)) + "...")`
Firewall refactoring - Ability to enable and disable rules in various loops - Simplified code overall - Port forwarding moved into openvpn loop - Route addition and removal improved 2020-07-11 21:03:55 +00:00
feat(firewall): use all default routes - Accept output traffic from all default routes through VPN interface - Accept output from all default routes to outbound subnets - Accept all input traffic on ports for all default routes - Add IP rules for all default routes 2022-03-13 13:26:09 +00:00			`interfacesSet, ok := c.allowedInputPorts[port]`
Firewall simplifications - Only a map of allowed input port to interface - port forwarded is in the map of allowed input ports - port forwarded has the interface tun0 in this map - Always allow tcp and udp for allowed input ports - Port forward state is in openvpn looper only - Shadowsocks input port allowed on default interface only - Tinyproxy input port allowed on default interface only 2020-07-20 00:39:59 +00:00			`if !ok {`
Firewall refactoring - Ability to enable and disable rules in various loops - Simplified code overall - Port forwarding moved into openvpn loop - Route addition and removal improved 2020-07-11 21:03:55 +00:00			`return nil`
			`}`

			`const remove = true`
feat(firewall): use all default routes - Accept output traffic from all default routes through VPN interface - Accept output from all default routes to outbound subnets - Accept all input traffic on ports for all default routes - Add IP rules for all default routes 2022-03-13 13:26:09 +00:00			`for netInterface := range interfacesSet {`
			`err := c.acceptInputToPort(ctx, netInterface, port, remove)`
			`if err != nil {`
chore(all): review error wrappings - remove repetitive `cannot` and `failed` prefixes - rename `unmarshaling` to `decoding` 2023-04-01 16:53:04 +00:00			`return fmt.Errorf("removing allowed port %d on interface %s: %w",`
feat(firewall): use all default routes - Accept output traffic from all default routes through VPN interface - Accept output from all default routes to outbound subnets - Accept all input traffic on ports for all default routes - Add IP rules for all default routes 2022-03-13 13:26:09 +00:00			`port, netInterface, err)`
			`}`
			`delete(interfacesSet, netInterface)`
Firewall refactoring - Ability to enable and disable rules in various loops - Simplified code overall - Port forwarding moved into openvpn loop - Route addition and removal improved 2020-07-11 21:03:55 +00:00			`}`
feat(firewall): use all default routes - Accept output traffic from all default routes through VPN interface - Accept output from all default routes to outbound subnets - Accept all input traffic on ports for all default routes - Add IP rules for all default routes 2022-03-13 13:26:09 +00:00
			`// All interfaces were removed successfully, so remove the port entry.`
Firewall simplifications - Only a map of allowed input port to interface - port forwarded is in the map of allowed input ports - port forwarded has the interface tun0 in this map - Always allow tcp and udp for allowed input ports - Port forward state is in openvpn looper only - Shadowsocks input port allowed on default interface only - Tinyproxy input port allowed on default interface only 2020-07-20 00:39:59 +00:00			`delete(c.allowedInputPorts, port)`
Firewall refactoring - Ability to enable and disable rules in various loops - Simplified code overall - Port forwarding moved into openvpn loop - Route addition and removal improved 2020-07-11 21:03:55 +00:00
			`return nil`
			`}`