Add missing subnets setup, fixes #190
- Also setup subnet routes when firewall is disabled
This commit is contained in:
Quentin McGaw
@@ -123,6 +123,9 @@ func _main(background context.Context, args []string) int {
|
|||||||
fatalOnError(err)
|
fatalOnError(err)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
err = firewallConf.SetAllowedSubnets(ctx, allSettings.Firewall.AllowedSubnets)
|
||||||
|
fatalOnError(err)
|
||||||
|
|
||||||
openvpnLooper := openvpn.NewLooper(allSettings.VPNSP, allSettings.OpenVPN, uid, gid,
|
openvpnLooper := openvpn.NewLooper(allSettings.VPNSP, allSettings.OpenVPN, uid, gid,
|
||||||
ovpnConf, firewallConf, logger, client, fileManager, streamMerger, fatalOnError)
|
ovpnConf, firewallConf, logger, client, fileManager, streamMerger, fatalOnError)
|
||||||
// wait for restartOpenvpn
|
// wait for restartOpenvpn
|
||||||
|
|||||||
@@ -48,7 +48,6 @@ func (c *configurator) disable(ctx context.Context) (err error) {
|
|||||||
if err = c.setAllPolicies(ctx, "ACCEPT"); err != nil {
|
if err = c.setAllPolicies(ctx, "ACCEPT"); err != nil {
|
||||||
return fmt.Errorf("cannot disable firewall: %w", err)
|
return fmt.Errorf("cannot disable firewall: %w", err)
|
||||||
}
|
}
|
||||||
// TODO routes?
|
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|||||||
@@ -11,7 +11,10 @@ func (c *configurator) SetAllowedSubnets(ctx context.Context, subnets []net.IPNe
|
|||||||
defer c.stateMutex.Unlock()
|
defer c.stateMutex.Unlock()
|
||||||
|
|
||||||
if !c.enabled {
|
if !c.enabled {
|
||||||
c.logger.Info("firewall disabled, only updating allowed subnets internal list")
|
c.logger.Info("firewall disabled, only updating allowed subnets internal list and updating routes")
|
||||||
|
if err := c.updateSubnetRoutes(ctx, c.allowedSubnets, subnets); err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
c.allowedSubnets = make([]net.IPNet, len(subnets))
|
c.allowedSubnets = make([]net.IPNet, len(subnets))
|
||||||
copy(c.allowedSubnets, subnets)
|
copy(c.allowedSubnets, subnets)
|
||||||
return nil
|
return nil
|
||||||
@@ -125,3 +128,26 @@ func (c *configurator) addSubnets(ctx context.Context, subnets []net.IPNet, defa
|
|||||||
}
|
}
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func (c *configurator) updateSubnetRoutes(ctx context.Context, oldSubnets, newSubnets []net.IPNet) error {
|
||||||
|
subnetsToAdd := findSubnetsToAdd(oldSubnets, newSubnets)
|
||||||
|
subnetsToRemove := findSubnetsToRemove(oldSubnets, newSubnets)
|
||||||
|
if len(subnetsToAdd) == 0 && len(subnetsToRemove) == 0 {
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
defaultInterface, defaultGateway, err := c.routing.DefaultRoute()
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
for _, subnet := range subnetsToRemove {
|
||||||
|
if err := c.routing.DeleteRouteVia(ctx, subnet); err != nil {
|
||||||
|
c.logger.Error("cannot remove outdated route for subnet: %s", err)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
for _, subnet := range subnetsToAdd {
|
||||||
|
if err := c.routing.AddRouteVia(ctx, subnet, defaultGateway, defaultInterface); err != nil {
|
||||||
|
c.logger.Error("cannot add route for subnet: %s", err)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|||||||
Reference in New Issue
Block a user