diff --git a/Dockerfile b/Dockerfile
index 8e6df432..9b58107f 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -80,6 +80,7 @@ ENV VPNSP=pia \
     # Firewall
     FIREWALL=on \
     EXTRA_SUBNETS= \
+    FIREWALL_DEBUG=off \
     # Tinyproxy
     TINYPROXY=off \
     TINYPROXY_LOG=Info \
diff --git a/README.md b/README.md
index 514c0e18..a0e6933f 100644
--- a/README.md
+++ b/README.md
@@ -231,6 +231,7 @@ That one is important if you want to connect to the container from your LAN for
 | --- | --- | --- | --- |
 | `FIREWALL` | `on` | `on` or `off` | Turn on or off the container built-in firewall. You should use it for **debugging purposes** only. |
 | `EXTRA_SUBNETS` | | i.e. `192.168.1.0/24,192.168.10.121,10.0.0.5/28` | Comma separated subnets allowed in the container firewall |
+| `FIREWALL_DEBUG` | `off` | `on` or `off` | Prints every firewall related command. You should use it for **debugging purposes** only. |
 
 ### Shadowsocks
 
diff --git a/cmd/gluetun/main.go b/cmd/gluetun/main.go
index 887229f4..29f5c0bc 100644
--- a/cmd/gluetun/main.go
+++ b/cmd/gluetun/main.go
@@ -96,6 +96,11 @@ func _main(background context.Context, args []string) int {
 	err = fileManager.SetOwnership("/etc/tinyproxy", uid, gid)
 	fatalOnError(err)
 
+	if allSettings.Firewall.Debug {
+		firewallConf.SetDebug()
+		routingConf.SetDebug()
+	}
+
 	if err := ovpnConf.CheckTUN(); err != nil {
 		logger.Warn(err)
 		err = ovpnConf.CreateTUN()
diff --git a/internal/firewall/firewall.go b/internal/firewall/firewall.go
index 805ad8c2..b8a478f7 100644
--- a/internal/firewall/firewall.go
+++ b/internal/firewall/firewall.go
@@ -21,6 +21,7 @@ type Configurator interface {
 	SetAllowedPort(ctx context.Context, port uint16) error
 	RemoveAllowedPort(ctx context.Context, port uint16) (err error)
 	SetPortForward(ctx context.Context, port uint16) (err error)
+	SetDebug()
 }
 
 type configurator struct { //nolint:maligned
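Review bot: `SetDebug()` added to the Configurator interface can only switch verbose output on and carries no doc comment, so callers cannot forward the parsed setting directly or turn the trace back off; the `SetDebug()` added to the Routing interface in internal/routing/routing.go has the same shape. A `SetDebug(enabled bool)` documented as `// SetDebug toggles printing of every iptables command before it is run.` would let cmd/gluetun/main.go call `firewallConf.SetDebug(allSettings.Firewall.Debug)` without the surrounding `if`. The Configurator interface continues outside the hunk, so I cannot tell whether its other methods are documented.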
@@ -29,6 +30,7 @@ type configurator struct { //nolint:maligned
 	routing routing.Routing
 	fileManager files.FileManager // for custom iptables rules
 	iptablesMutex sync.Mutex
+	debug bool
 
 	// State
 	enabled bool
@@ -49,3 +51,7 @@ func NewConfigurator(logger logging.Logger, routing routing.Routing, fileManager
 		allowedPorts: make(map[uint16]struct{}),
 	}
 }
+
+func (c *configurator) SetDebug() {
+	c.debug = true
+}
diff --git a/internal/firewall/iptables.go b/internal/firewall/iptables.go
index e26d6b0b..a1be52fc 100644
--- a/internal/firewall/iptables.go
+++ b/internal/firewall/iptables.go
@@ -57,6 +57,9 @@ func (c *configurator) runIptablesInstructions(ctx context.Context, instructions
 func (c *configurator) runIptablesInstruction(ctx context.Context, instruction string) error {
 	c.iptablesMutex.Lock() // only one iptables command at once
 	defer c.iptablesMutex.Unlock()
+	if c.debug {
+		fmt.Printf("iptables %s\n", instruction)
+	}
 	flags := strings.Fields(instruction)
 	if output, err := c.commander.Run(ctx, "iptables", flags...); err != nil {
 		return fmt.Errorf("failed executing \"iptables %s\": %s: %w", instruction, output, err)
diff --git a/internal/params/firewall.go b/internal/params/firewall.go
index 30684a76..e2ead976 100644
--- a/internal/params/firewall.go
+++ b/internal/params/firewall.go
@@ -34,3 +34,8 @@ func (r *reader) GetExtraSubnets() (extraSubnets []net.IPNet, err error) {
 	}
 	return extraSubnets, nil
 }
+
+// GetFirewallDebug obtains if the firewall should run in debug verbose mode from the environment variable FIREWALL_DEBUG
+func (r *reader) GetFirewallDebug() (debug bool, err error) {
+	return r.envParams.GetOnOff("FIREWALL_DEBUG", libparams.Default("off"))
+}
diff --git a/internal/params/params.go b/internal/params/params.go
index 7dccc6ad..7e6abaa3 100644
--- a/internal/params/params.go
+++ b/internal/params/params.go
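Review bot: The added `fmt.Printf("iptables %s\n", instruction)` in runIptablesInstruction writes the firewall command trace straight to stdout instead of through the configurator's logger, so these lines carry no level or timestamp and cannot be filtered or redirected with the rest of the container log; the two `fmt.Printf` calls added in internal/routing/mutate.go have the same problem. `NewConfigurator` receives a `logging.Logger`, so the trace could go through it, but only `Warn` is visible in this diff — confirm the logger's method set before changing to something like `c.logger.Info("iptables " + instruction)`. The new `debug` field is also written by `SetDebug` without `iptablesMutex` and read under it, which is only safe because `SetDebug` runs at startup from `_main` before any concurrent use; a field comment such as `debug bool // set once at startup via SetDebug, before any iptables command runs` would record that assumption. runIptablesInstruction continues past the end of the hunk.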
@@ -41,6 +41,7 @@ type Reader interface {
 	// Firewall getters
 	GetFirewall() (enabled bool, err error)
 	GetExtraSubnets() (extraSubnets []net.IPNet, err error)
+	GetFirewallDebug() (debug bool, err error)
 
 	// VPN getters
 	GetUser() (s string, err error)
diff --git a/internal/routing/mutate.go b/internal/routing/mutate.go
index fa670b05..e48a8811 100644
--- a/internal/routing/mutate.go
+++ b/internal/routing/mutate.go
@@ -16,6 +16,9 @@ func (r *routing) AddRouteVia(ctx context.Context, subnet net.IPNet, defaultGate
 	} else if exists {
 		return nil
 	}
+	if r.debug {
+		fmt.Printf("ip route add %s via %s dev %s\n", subnetStr, defaultGateway, defaultInterface)
+	}
 	output, err := r.commander.Run(ctx, "ip", "route", "add", subnetStr, "via", defaultGateway.String(), "dev", defaultInterface)
 	if err != nil {
 		return fmt.Errorf("cannot add route for %s via %s %s %s: %s: %w", subnetStr, defaultGateway, "dev", defaultInterface, output, err)
@@ -32,6 +35,9 @@ func (r *routing) DeleteRouteVia(ctx context.Context, subnet net.IPNet) (err err
 	} else if !exists { // thanks to @npawelek https://github.com/npawelek
 		return nil
 	}
+	if r.debug {
+		fmt.Printf("ip route del %s\n", subnetStr)
+	}
 	output, err := r.commander.Run(ctx, "ip", "route", "del", subnetStr)
 	if err != nil {
 		return fmt.Errorf("cannot delete route for %s: %s: %w", subnetStr, output, err)
diff --git a/internal/routing/routing.go b/internal/routing/routing.go
index d9f3b6b1..34496eb4 100644
--- a/internal/routing/routing.go
+++ b/internal/routing/routing.go
@@ -15,12 +15,14 @@ type Routing interface {
 	DefaultRoute() (defaultInterface string, defaultGateway net.IP, err error)
 	LocalSubnet() (defaultSubnet net.IPNet, err error)
 	VPNGatewayIP(defaultInterface string) (ip net.IP, err error)
+	SetDebug()
 }
 
 type routing struct {
 	commander command.Commander
 	logger logging.Logger
 	fileManager files.FileManager
+	debug bool
 }
 
 // NewConfigurator creates a new Configurator instance
@@ -31,3 +33,7 @@ func NewRouting(logger logging.Logger, fileManager files.FileManager) Routing {
 		fileManager: fileManager,
 	}
 }
+
+func (c *routing) SetDebug() {
+	c.debug = true
+}
diff --git a/internal/settings/firewall.go b/internal/settings/firewall.go
index f44b7412..fc0affbf 100644
--- a/internal/settings/firewall.go
+++ b/internal/settings/firewall.go
@@ -11,6 +11,7 @@ import (
 type Firewall struct {
 	AllowedSubnets []net.IPNet
 	Enabled bool
+	Debug bool
 }
 
 func (f *Firewall) String() string {
@@ -25,6 +26,9 @@ func (f *Firewall) String() string {
 		"Firewall settings:",
 		"Allowed subnets: " + strings.Join(allowedSubnets, ", "),
 	}
+	if f.Debug {
+		settingsList = append(settingsList, "Debug: on")
+	}
 	return strings.Join(settingsList, "\n |--")
 }
 
@@ -38,5 +42,9 @@ func GetFirewallSettings(paramsReader params.Reader) (settings Firewall, err err
 	if err != nil {
 		return settings, err
 	}
+	settings.Debug, err = paramsReader.GetFirewallDebug()
+	if err != nil {
+		return settings, err
+	}
 	return settings, nil
 }
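Review bot: The new `func (c *routing) SetDebug()` names its receiver `c`, while the other `*routing` methods in this diff (`AddRouteVia` and `DeleteRouteVia` in internal/routing/mutate.go) use `r`; the name appears to be carried over from the firewall configurator. Go convention keeps the receiver name consistent across a type, so `func (r *routing) SetDebug() { r.debug = true }`, preceded by `// SetDebug turns on printing of every ip route command before it is run.`, would match the rest of the type and document the exported method.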
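Review bot: The exported `Debug` field added to settings.Firewall has no comment, and `String()` appends `Debug: on` only when it is set, so the settings dump never shows that the flag is off, unlike the other settings that are always listed. A field comment such as `// Debug makes the firewall and routing code print each command before running it.` plus an unconditional `"Debug: " + onOff` entry (if a helper for on/off formatting exists elsewhere in the package — none is visible here) would make the dump self-describing. `GetFirewallSettings` reads the flag last and returns early on error, which matches the existing getters in the hunk.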