internal/firewall/firewall.go

package firewall

import (
	"context"
	"net"
	"sync"

	"github.com/qdm12/gluetun/internal/models"
	"github.com/qdm12/gluetun/internal/routing"
	"github.com/qdm12/golibs/command"
)

type Config struct { //nolint:maligned
	runner         command.Runner
	logger         Logger
	iptablesMutex  sync.Mutex
	ip6tablesMutex sync.Mutex
	defaultRoutes  []routing.DefaultRoute
	localNetworks  []routing.LocalNetwork

	// Fixed state
	ipTables        string
	ip6Tables       string
	customRulesPath string

	// State
	enabled           bool
	vpnConnection     models.Connection
	vpnIntf           string
	outboundSubnets   []net.IPNet
	allowedInputPorts map[uint16]map[string]struct{} // port to interfaces set mapping
	stateMutex        sync.Mutex
}

// NewConfig creates a new Config instance and returns an error
// if no iptables implementation is available.
func NewConfig(ctx context.Context, logger Logger,
	runner command.Runner, defaultRoutes []routing.DefaultRoute,
	localNetworks []routing.LocalNetwork) (config *Config, err error) {
	iptables, err := checkIptablesSupport(ctx, runner, "iptables", "iptables-nft")
	if err != nil {
		return nil, err
	}

	ip6tables, err := findIP6tablesSupported(ctx, runner)
	if err != nil {
		return nil, err
	}

	return &Config{
		runner:            runner,
		logger:            logger,
		allowedInputPorts: make(map[uint16]map[string]struct{}),
		ipTables:          iptables,
		ip6Tables:         ip6tables,
		customRulesPath:   "/iptables/post-rules.txt",
		// Obtained from routing
		defaultRoutes: defaultRoutes,
		localNetworks: localNetworks,
	}, nil
}
Rewrite of the entrypoint in Golang (#71) - General improvements - Parallel download of only needed files at start - Prettier console output with all streams merged (openvpn, unbound, shadowsocks etc.) - Simplified Docker final image - Faster bootup - DNS over TLS - Finer grain blocking at DNS level: malicious, ads and surveillance - Choose your DNS over TLS providers - Ability to use multiple DNS over TLS providers for DNS split horizon - Environment variables for DNS logging - DNS block lists needed are downloaded and built automatically at start, in parallel - PIA - A random region is selected if the REGION parameter is left empty (thanks @rorph for your PR) - Routing and iptables adjusted so it can work as a Kubernetes pod sidecar (thanks @rorph for your PR) 2020-02-06 20:42:46 -05:00			`package firewall`

			`import (`
Updated dependencies 2020-04-19 18:13:48 +00:00			`"context"`
Rewrite of the entrypoint in Golang (#71) - General improvements - Parallel download of only needed files at start - Prettier console output with all streams merged (openvpn, unbound, shadowsocks etc.) - Simplified Docker final image - Faster bootup - DNS over TLS - Finer grain blocking at DNS level: malicious, ads and surveillance - Choose your DNS over TLS providers - Ability to use multiple DNS over TLS providers for DNS split horizon - Environment variables for DNS logging - DNS block lists needed are downloaded and built automatically at start, in parallel - PIA - A random region is selected if the REGION parameter is left empty (thanks @rorph for your PR) - Routing and iptables adjusted so it can work as a Kubernetes pod sidecar (thanks @rorph for your PR) 2020-02-06 20:42:46 -05:00			`"net"`
Firewall refactoring - Ability to enable and disable rules in various loops - Simplified code overall - Port forwarding moved into openvpn loop - Route addition and removal improved 2020-07-11 21:03:55 +00:00			`"sync"`
Rewrite of the entrypoint in Golang (#71) - General improvements - Parallel download of only needed files at start - Prettier console output with all streams merged (openvpn, unbound, shadowsocks etc.) - Simplified Docker final image - Faster bootup - DNS over TLS - Finer grain blocking at DNS level: malicious, ads and surveillance - Choose your DNS over TLS providers - Ability to use multiple DNS over TLS providers for DNS split horizon - Environment variables for DNS logging - DNS block lists needed are downloaded and built automatically at start, in parallel - PIA - A random region is selected if the REGION parameter is left empty (thanks @rorph for your PR) - Routing and iptables adjusted so it can work as a Kubernetes pod sidecar (thanks @rorph for your PR) 2020-02-06 20:42:46 -05:00
Rename repo to Gluetun, refers to #112 2020-07-26 12:07:06 +00:00			`"github.com/qdm12/gluetun/internal/models"`
			`"github.com/qdm12/gluetun/internal/routing"`
Rewrite of the entrypoint in Golang (#71) - General improvements - Parallel download of only needed files at start - Prettier console output with all streams merged (openvpn, unbound, shadowsocks etc.) - Simplified Docker final image - Faster bootup - DNS over TLS - Finer grain blocking at DNS level: malicious, ads and surveillance - Choose your DNS over TLS providers - Ability to use multiple DNS over TLS providers for DNS split horizon - Environment variables for DNS logging - DNS block lists needed are downloaded and built automatically at start, in parallel - PIA - A random region is selected if the REGION parameter is left empty (thanks @rorph for your PR) - Routing and iptables adjusted so it can work as a Kubernetes pod sidecar (thanks @rorph for your PR) 2020-02-06 20:42:46 -05:00			`"github.com/qdm12/golibs/command"`
			`)`

Maint: firewall package interface rework - return concrete struct type - split interface is sub-interfaces 2021-07-23 19:12:16 +00:00			`type Config struct { //nolint:maligned`
feat(firewall): use all default routes - Accept output traffic from all default routes through VPN interface - Accept output from all default routes to outbound subnets - Accept all input traffic on ports for all default routes - Add IP rules for all default routes 2022-03-13 13:26:09 +00:00			`runner command.Runner`
			`logger Logger`
			`iptablesMutex sync.Mutex`
			`ip6tablesMutex sync.Mutex`
			`defaultRoutes []routing.DefaultRoute`
			`localNetworks []routing.LocalNetwork`
Firewall refactoring - Ability to enable and disable rules in various loops - Simplified code overall - Port forwarding moved into openvpn loop - Route addition and removal improved 2020-07-11 21:03:55 +00:00
Fix: only run ip6tables if it is supported by the Kernel (#431) - Fix #430 2021-04-19 14:35:29 -04:00			`// Fixed state`
feat(firewall): auto-detect which `iptables` - On `iptables` error, try to use `iptables-nft` - On `ip6tables` error, try to use `ip6tables-nft` 2022-02-26 22:55:22 +00:00			`ipTables string`
			`ip6Tables string`
Maint: do not mock os functions - Use filepaths with /tmp for tests instead - Only mock functions where filepath can't be specified such as user.Lookup 2021-07-23 16:06:19 +00:00			`customRulesPath string`
Fix: only run ip6tables if it is supported by the Kernel (#431) - Fix #430 2021-04-19 14:35:29 -04:00
Firewall refactoring - Ability to enable and disable rules in various loops - Simplified code overall - Port forwarding moved into openvpn loop - Route addition and removal improved 2020-07-11 21:03:55 +00:00			`// State`
Firewall simplifications - Only a map of allowed input port to interface - port forwarded is in the map of allowed input ports - port forwarded has the interface tun0 in this map - Always allow tcp and udp for allowed input ports - Port forward state is in openvpn looper only - Shadowsocks input port allowed on default interface only - Tinyproxy input port allowed on default interface only 2020-07-20 00:39:59 +00:00			`enabled bool`
Maint: make VPN connection not specific to OpenVPN - Add VPN field to ServerSelection struct - Set VPN type to server selection at start using VPN_TYPE - Change OpenVPNConnection to Connection with Type field - Rename Provider GetOpenVPNConnection to GetConnection - Rename GetTargetIPOpenVPNConnection to GetTargetIPConnection - Rename PickRandomOpenVPNConnection to PickRandomConnection - Add 'OpenVPN' prefix to OpenVPN specific methods on connection 2021-08-19 14:09:41 +00:00			`vpnConnection models.Connection`
Feat: `OPENVPN_INTERFACE` defaulting to `tun0` - Fix: custom config with custom network interface name for firewall - Keep VPN tunnel interface in firewall state - Vul fix: only allow traffic through vpn interface when needed - Adapt code to adapt to network interface name - Remove outdated TUN and TAP constants 2021-08-19 23:22:55 +00:00			`vpnIntf string`
Fix #273 (#277), adding FIREWALL_OUTBOUND_SUBNETS 2020-10-29 19:23:44 -04:00			`outboundSubnets []net.IPNet`
feat(firewall): use all default routes - Accept output traffic from all default routes through VPN interface - Accept output from all default routes to outbound subnets - Accept all input traffic on ports for all default routes - Add IP rules for all default routes 2022-03-13 13:26:09 +00:00			`allowedInputPorts map[uint16]map[string]struct{} // port to interfaces set mapping`
Firewall simplifications - Only a map of allowed input port to interface - port forwarded is in the map of allowed input ports - port forwarded has the interface tun0 in this map - Always allow tcp and udp for allowed input ports - Port forward state is in openvpn looper only - Shadowsocks input port allowed on default interface only - Tinyproxy input port allowed on default interface only 2020-07-20 00:39:59 +00:00			`stateMutex sync.Mutex`
Rewrite of the entrypoint in Golang (#71) - General improvements - Parallel download of only needed files at start - Prettier console output with all streams merged (openvpn, unbound, shadowsocks etc.) - Simplified Docker final image - Faster bootup - DNS over TLS - Finer grain blocking at DNS level: malicious, ads and surveillance - Choose your DNS over TLS providers - Ability to use multiple DNS over TLS providers for DNS split horizon - Environment variables for DNS logging - DNS block lists needed are downloaded and built automatically at start, in parallel - PIA - A random region is selected if the REGION parameter is left empty (thanks @rorph for your PR) - Routing and iptables adjusted so it can work as a Kubernetes pod sidecar (thanks @rorph for your PR) 2020-02-06 20:42:46 -05:00			`}`

feat(firewall): auto-detect which `iptables` - On `iptables` error, try to use `iptables-nft` - On `ip6tables` error, try to use `ip6tables-nft` 2022-02-26 22:55:22 +00:00			`// NewConfig creates a new Config instance and returns an error`
			`// if no iptables implementation is available.`
			`func NewConfig(ctx context.Context, logger Logger,`
feat(firewall): use all default routes - Accept output traffic from all default routes through VPN interface - Accept output from all default routes to outbound subnets - Accept all input traffic on ports for all default routes - Add IP rules for all default routes 2022-03-13 13:26:09 +00:00			`runner command.Runner, defaultRoutes []routing.DefaultRoute,`
			`localNetworks []routing.LocalNetwork) (config *Config, err error) {`
fix(firewall): iptables support detection - Add dummy rule to `INPUT` to test for iptables support - This may resolve #896 2022-03-30 08:39:32 +00:00			`iptables, err := checkIptablesSupport(ctx, runner, "iptables", "iptables-nft")`
			`if err != nil {`
			`return nil, err`
			`}`

			`ip6tables, err := findIP6tablesSupported(ctx, runner)`
feat(firewall): auto-detect which `iptables` - On `iptables` error, try to use `iptables-nft` - On `ip6tables` error, try to use `ip6tables-nft` 2022-02-26 22:55:22 +00:00			`if err != nil {`
			`return nil, err`
			`}`

Maint: pass network values to firewall constructor 2021-07-23 19:04:17 +00:00			`return &Config{`
Maint: upgrade qdm12 dependencies - Upgrade qdm12/golibs - Upgrade qdm12/dns to v1.11.0 2021-07-24 17:59:22 +00:00			`runner: runner,`
Maintenance: upgrade golibs (affects logger) 2021-05-12 22:57:15 +00:00			`logger: logger,`
feat(firewall): use all default routes - Accept output traffic from all default routes through VPN interface - Accept output from all default routes to outbound subnets - Accept all input traffic on ports for all default routes - Add IP rules for all default routes 2022-03-13 13:26:09 +00:00			`allowedInputPorts: make(map[uint16]map[string]struct{}),`
feat(firewall): auto-detect which `iptables` - On `iptables` error, try to use `iptables-nft` - On `ip6tables` error, try to use `ip6tables-nft` 2022-02-26 22:55:22 +00:00			`ipTables: iptables,`
fix(firewall): iptables support detection - Add dummy rule to `INPUT` to test for iptables support - This may resolve #896 2022-03-30 08:39:32 +00:00			`ip6Tables: ip6tables,`
Maint: do not mock os functions - Use filepaths with /tmp for tests instead - Only mock functions where filepath can't be specified such as user.Lookup 2021-07-23 16:06:19 +00:00			`customRulesPath: "/iptables/post-rules.txt",`
Maint: pass network values to firewall constructor 2021-07-23 19:04:17 +00:00			`// Obtained from routing`
feat(firewall): use all default routes - Accept output traffic from all default routes through VPN interface - Accept output from all default routes to outbound subnets - Accept all input traffic on ports for all default routes - Add IP rules for all default routes 2022-03-13 13:26:09 +00:00			`defaultRoutes: defaultRoutes,`
			`localNetworks: localNetworks,`
feat(firewall): auto-detect which `iptables` - On `iptables` error, try to use `iptables-nft` - On `ip6tables` error, try to use `ip6tables-nft` 2022-02-26 22:55:22 +00:00			`}, nil`
Rewrite of the entrypoint in Golang (#71) - General improvements - Parallel download of only needed files at start - Prettier console output with all streams merged (openvpn, unbound, shadowsocks etc.) - Simplified Docker final image - Faster bootup - DNS over TLS - Finer grain blocking at DNS level: malicious, ads and surveillance - Choose your DNS over TLS providers - Ability to use multiple DNS over TLS providers for DNS split horizon - Environment variables for DNS logging - DNS block lists needed are downloaded and built automatically at start, in parallel - PIA - A random region is selected if the REGION parameter is left empty (thanks @rorph for your PR) - Routing and iptables adjusted so it can work as a Kubernetes pod sidecar (thanks @rorph for your PR) 2020-02-06 20:42:46 -05:00			`}`