fix(routing): change firewall only for matching ip families
This commit is contained in:
Quentin McGaw
@@ -3,6 +3,8 @@ package firewall
|
|||||||
import (
|
import (
|
||||||
"context"
|
"context"
|
||||||
"fmt"
|
"fmt"
|
||||||
|
|
||||||
|
"github.com/qdm12/gluetun/internal/netlink"
|
||||||
)
|
)
|
||||||
|
|
||||||
func (c *Config) SetEnabled(ctx context.Context, enabled bool) (err error) {
|
func (c *Config) SetEnabled(ctx context.Context, enabled bool) (err error) {
|
||||||
@@ -147,7 +149,16 @@ func (c *Config) allowVPNIP(ctx context.Context) (err error) {
|
|||||||
|
|
||||||
func (c *Config) allowOutboundSubnets(ctx context.Context) (err error) {
|
func (c *Config) allowOutboundSubnets(ctx context.Context) (err error) {
|
||||||
for _, subnet := range c.outboundSubnets {
|
for _, subnet := range c.outboundSubnets {
|
||||||
|
subnetIsIPv6 := subnet.Addr().Is6()
|
||||||
|
firewallUpdated := false
|
||||||
for _, defaultRoute := range c.defaultRoutes {
|
for _, defaultRoute := range c.defaultRoutes {
|
||||||
|
defaultRouteIsIPv6 := defaultRoute.Family == netlink.FamilyV6
|
||||||
|
ipFamilyMatch := subnetIsIPv6 == defaultRouteIsIPv6
|
||||||
|
if !ipFamilyMatch {
|
||||||
|
continue
|
||||||
|
}
|
||||||
|
firewallUpdated = true
|
||||||
|
|
||||||
const remove = false
|
const remove = false
|
||||||
err := c.acceptOutputFromIPToSubnet(ctx, defaultRoute.NetInterface,
|
err := c.acceptOutputFromIPToSubnet(ctx, defaultRoute.NetInterface,
|
||||||
defaultRoute.AssignedIP, subnet, remove)
|
defaultRoute.AssignedIP, subnet, remove)
|
||||||
@@ -155,6 +166,11 @@ func (c *Config) allowOutboundSubnets(ctx context.Context) (err error) {
|
|||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if !firewallUpdated {
|
||||||
|
c.logger.Info(fmt.Sprintf("ignoring subnet %s which has "+
|
||||||
|
"no default route matching its family", subnet))
|
||||||
|
}
|
||||||
}
|
}
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -5,6 +5,7 @@ import (
|
|||||||
"fmt"
|
"fmt"
|
||||||
"net/netip"
|
"net/netip"
|
||||||
|
|
||||||
|
"github.com/qdm12/gluetun/internal/netlink"
|
||||||
"github.com/qdm12/gluetun/internal/subnet"
|
"github.com/qdm12/gluetun/internal/subnet"
|
||||||
)
|
)
|
||||||
|
|
||||||
@@ -37,7 +38,16 @@ func (c *Config) SetOutboundSubnets(ctx context.Context, subnets []netip.Prefix)
|
|||||||
func (c *Config) removeOutboundSubnets(ctx context.Context, subnets []netip.Prefix) {
|
func (c *Config) removeOutboundSubnets(ctx context.Context, subnets []netip.Prefix) {
|
||||||
const remove = true
|
const remove = true
|
||||||
for _, subNet := range subnets {
|
for _, subNet := range subnets {
|
||||||
|
subnetIsIPv6 := subNet.Addr().Is6()
|
||||||
|
firewallUpdated := false
|
||||||
for _, defaultRoute := range c.defaultRoutes {
|
for _, defaultRoute := range c.defaultRoutes {
|
||||||
|
defaultRouteIsIPv6 := defaultRoute.Family == netlink.FamilyV6
|
||||||
|
ipFamilyMatch := subnetIsIPv6 == defaultRouteIsIPv6
|
||||||
|
if !ipFamilyMatch {
|
||||||
|
continue
|
||||||
|
}
|
||||||
|
|
||||||
|
firewallUpdated = true
|
||||||
err := c.acceptOutputFromIPToSubnet(ctx, defaultRoute.NetInterface,
|
err := c.acceptOutputFromIPToSubnet(ctx, defaultRoute.NetInterface,
|
||||||
defaultRoute.AssignedIP, subNet, remove)
|
defaultRoute.AssignedIP, subNet, remove)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
@@ -45,6 +55,12 @@ func (c *Config) removeOutboundSubnets(ctx context.Context, subnets []netip.Pref
|
|||||||
continue
|
continue
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if !firewallUpdated {
|
||||||
|
c.logger.Info(fmt.Sprintf("ignoring subnet %s which has "+
|
||||||
|
"no default route matching its family", subNet))
|
||||||
|
continue
|
||||||
|
}
|
||||||
c.outboundSubnets = subnet.RemoveSubnetFromSubnets(c.outboundSubnets, subNet)
|
c.outboundSubnets = subnet.RemoveSubnetFromSubnets(c.outboundSubnets, subNet)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@@ -52,13 +68,28 @@ func (c *Config) removeOutboundSubnets(ctx context.Context, subnets []netip.Pref
|
|||||||
func (c *Config) addOutboundSubnets(ctx context.Context, subnets []netip.Prefix) error {
|
func (c *Config) addOutboundSubnets(ctx context.Context, subnets []netip.Prefix) error {
|
||||||
const remove = false
|
const remove = false
|
||||||
for _, subnet := range subnets {
|
for _, subnet := range subnets {
|
||||||
|
subnetIsIPv6 := subnet.Addr().Is6()
|
||||||
|
firewallUpdated := false
|
||||||
for _, defaultRoute := range c.defaultRoutes {
|
for _, defaultRoute := range c.defaultRoutes {
|
||||||
|
defaultRouteIsIPv6 := defaultRoute.Family == netlink.FamilyV6
|
||||||
|
ipFamilyMatch := subnetIsIPv6 == defaultRouteIsIPv6
|
||||||
|
if !ipFamilyMatch {
|
||||||
|
continue
|
||||||
|
}
|
||||||
|
|
||||||
|
firewallUpdated = true
|
||||||
err := c.acceptOutputFromIPToSubnet(ctx, defaultRoute.NetInterface,
|
err := c.acceptOutputFromIPToSubnet(ctx, defaultRoute.NetInterface,
|
||||||
defaultRoute.AssignedIP, subnet, remove)
|
defaultRoute.AssignedIP, subnet, remove)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if !firewallUpdated {
|
||||||
|
c.logger.Info(fmt.Sprintf("ignoring subnet %s which has "+
|
||||||
|
"no default route matching its family", subnet))
|
||||||
|
continue
|
||||||
|
}
|
||||||
c.outboundSubnets = append(c.outboundSubnets, subnet)
|
c.outboundSubnets = append(c.outboundSubnets, subnet)
|
||||||
}
|
}
|
||||||
return nil
|
return nil
|
||||||
|
|||||||
Reference in New Issue
Block a user