FIREWALL_DEBUG variable, refers to #190, #194

2020-07-13 02:14:56 +00:00
parent 7252ac722c
commit 0fc69e068e
10 changed files with 42 additions and 0 deletions
--- a/1
+++ b/1
@@ -80,6 +80,7 @@ ENV VPNSP=pia \
    # Firewall
    FIREWALL=on \
    EXTRA_SUBNETS= \
    FIREWALL_DEBUG=off \
    # Tinyproxy
    TINYPROXY=off \
    TINYPROXY_LOG=Info \
--- a/README.md
+++ b/README.md
@@ -231,6 +231,7 @@ That one is important if you want to connect to the container from your LAN for
 | --- | --- | --- | --- |
 | `FIREWALL` | `on` | `on` or `off` | Turn on or off the container built-in firewall. You should use it for **debugging purposes** only. |
 | `EXTRA_SUBNETS` | | i.e. `192.168.1.0/24,192.168.10.121,10.0.0.5/28` | Comma separated subnets allowed in the container firewall |
 | `FIREWALL_DEBUG` | `off` | `on` or `off` | Prints every firewall related command. You should use it for **debugging purposes** only. |
 ### Shadowsocks
--- a/cmd/gluetun/main.go
+++ b/cmd/gluetun/main.go
@@ -96,6 +96,11 @@ func _main(background context.Context, args []string) int {
 	err = fileManager.SetOwnership("/etc/tinyproxy", uid, gid)
 	fatalOnError(err)
 	if allSettings.Firewall.Debug {
 		firewallConf.SetDebug()
 		routingConf.SetDebug()
 	}
 	if err := ovpnConf.CheckTUN(); err != nil {
 		logger.Warn(err)
 		err = ovpnConf.CreateTUN()
--- a/internal/firewall/firewall.go
+++ b/internal/firewall/firewall.go
@@ -21,6 +21,7 @@ type Configurator interface {
 	SetAllowedPort(ctx context.Context, port uint16) error
 	RemoveAllowedPort(ctx context.Context, port uint16) (err error)
 	SetPortForward(ctx context.Context, port uint16) (err error)
 	SetDebug()
 }
 type configurator struct { //nolint:maligned
@@ -29,6 +30,7 @@ type configurator struct { //nolint:maligned
 	routing       routing.Routing
 	fileManager   files.FileManager // for custom iptables rules
 	iptablesMutex sync.Mutex
 	debug         bool
 	// State
 	enabled        bool
@@ -49,3 +51,7 @@ func NewConfigurator(logger logging.Logger, routing routing.Routing, fileManager
 		allowedPorts: make(map[uint16]struct{}),
 	}
 }
 func (c *configurator) SetDebug() {
 	c.debug = true
 }
--- a/internal/firewall/iptables.go
+++ b/internal/firewall/iptables.go
@@ -57,6 +57,9 @@ func (c *configurator) runIptablesInstructions(ctx context.Context, instructions
 func (c *configurator) runIptablesInstruction(ctx context.Context, instruction string) error {
 	c.iptablesMutex.Lock() // only one iptables command at once
 	defer c.iptablesMutex.Unlock()
 	if c.debug {
 		fmt.Printf("iptables %s\n", instruction)
 	}
 	flags := strings.Fields(instruction)
 	if output, err := c.commander.Run(ctx, "iptables", flags...); err != nil {
 		return fmt.Errorf("failed executing \"iptables %s\": %s: %w", instruction, output, err)
--- a/internal/params/firewall.go
+++ b/internal/params/firewall.go
@@ -34,3 +34,8 @@ func (r *reader) GetExtraSubnets() (extraSubnets []net.IPNet, err error) {
 	}
 	return extraSubnets, nil
 }
 // GetFirewallDebug obtains if the firewall should run in debug verbose mode from the environment variable FIREWALL_DEBUG
 func (r *reader) GetFirewallDebug() (debug bool, err error) {
 	return r.envParams.GetOnOff("FIREWALL_DEBUG", libparams.Default("off"))
 }
--- a/internal/params/params.go
+++ b/internal/params/params.go
@@ -41,6 +41,7 @@ type Reader interface {
 	// Firewall getters
 	GetFirewall() (enabled bool, err error)
 	GetExtraSubnets() (extraSubnets []net.IPNet, err error)
 	GetFirewallDebug() (debug bool, err error)
 	// VPN getters
 	GetUser() (s string, err error)
--- a/internal/routing/mutate.go
+++ b/internal/routing/mutate.go
@@ -16,6 +16,9 @@ func (r *routing) AddRouteVia(ctx context.Context, subnet net.IPNet, defaultGate
 	} else if exists {
 		return nil
 	}
 	if r.debug {
 		fmt.Printf("ip route add %s via %s dev %s\n", subnetStr, defaultGateway, defaultInterface)
 	}
 	output, err := r.commander.Run(ctx, "ip", "route", "add", subnetStr, "via", defaultGateway.String(), "dev", defaultInterface)
 	if err != nil {
 		return fmt.Errorf("cannot add route for %s via %s %s %s: %s: %w", subnetStr, defaultGateway, "dev", defaultInterface, output, err)
@@ -32,6 +35,9 @@ func (r *routing) DeleteRouteVia(ctx context.Context, subnet net.IPNet) (err err
 	} else if !exists { // thanks to @npawelek https://github.com/npawelek
 		return nil
 	}
 	if r.debug {
 		fmt.Printf("ip route del %s\n", subnetStr)
 	}
 	output, err := r.commander.Run(ctx, "ip", "route", "del", subnetStr)
 	if err != nil {
 		return fmt.Errorf("cannot delete route for %s: %s: %w", subnetStr, output, err)
--- a/internal/routing/routing.go
+++ b/internal/routing/routing.go
@@ -15,12 +15,14 @@ type Routing interface {
 	DefaultRoute() (defaultInterface string, defaultGateway net.IP, err error)
 	LocalSubnet() (defaultSubnet net.IPNet, err error)
 	VPNGatewayIP(defaultInterface string) (ip net.IP, err error)
 	SetDebug()
 }
 type routing struct {
 	commander   command.Commander
 	logger      logging.Logger
 	fileManager files.FileManager
 	debug       bool
 }
 // NewConfigurator creates a new Configurator instance
@@ -31,3 +33,7 @@ func NewRouting(logger logging.Logger, fileManager files.FileManager) Routing {
 		fileManager: fileManager,
 	}
 }
 func (c *routing) SetDebug() {
 	c.debug = true
 }
--- a/internal/settings/firewall.go
+++ b/internal/settings/firewall.go
@@ -11,6 +11,7 @@ import (
 type Firewall struct {
 	AllowedSubnets []net.IPNet
 	Enabled        bool
 	Debug          bool
 }
 func (f *Firewall) String() string {
@@ -25,6 +26,9 @@ func (f *Firewall) String() string {
 		"Firewall settings:",
 		"Allowed subnets: " + strings.Join(allowedSubnets, ", "),
 	}
 	if f.Debug {
 		settingsList = append(settingsList, "Debug: on")
 	}
 	return strings.Join(settingsList, "\n |--")
 }
@@ -38,5 +42,9 @@ func GetFirewallSettings(paramsReader params.Reader) (settings Firewall, err err
 	if err != nil {
 		return settings, err
 	}
 	settings.Debug, err = paramsReader.GetFirewallDebug()
 	if err != nil {
 		return settings, err
 	}
 	return settings, nil
 }