admin/gluetun
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat(wireguard): WIREGUARD_ALLOWED_IPS variable (#1291)

Browse Source
This commit is contained in:
Quentin McGaw
2023-07-06 10:08:59 +03:00
committed by GitHub
parent 9c0f187a12
commit 919b55c3aa
11 changed files with 225 additions and 69 deletions
Download Patch File Download Diff File Expand all files Collapse all files

34
internal/wireguard/run.go
View File

@@ -5,7 +5,6 @@ import (
"errors"
"fmt"
"net"
"strings"
"github.com/qdm12/gluetun/internal/netlink"
"golang.org/x/sys/unix"
@@ -103,7 +102,7 @@ func (w *Wireguard) Run(ctx context.Context, waitError chan<- error, ready chan<
return w.netlink.LinkSetDown(link)
})
err = w.addRoute(link, allIPv4(), w.settings.FirewallMark)
err = w.addRoutes(link, w.settings.AllowedIPs, w.settings.FirewallMark)
if err != nil {
waitError <- fmt.Errorf("%w: %s", ErrRouteAdd, err)
return
@@ -111,11 +110,13 @@ func (w *Wireguard) Run(ctx context.Context, waitError chan<- error, ready chan<
if *w.settings.IPv6 {
// requires net.ipv6.conf.all.disable_ipv6=0
err = w.setupIPv6(link, &closers)
ruleCleanup6, err := w.addRule(w.settings.RulePriority,
w.settings.FirewallMark, unix.AF_INET6)
if err != nil {
waitError <- fmt.Errorf("setting up IPv6: %w", err)
waitError <- fmt.Errorf("adding IPv6 rule: %w", err)
return
}
closers.add("removing IPv6 rule", stepOne, ruleCleanup6)
}
ruleCleanup, err := w.addRule(w.settings.RulePriority,
@@ -132,31 +133,6 @@ func (w *Wireguard) Run(ctx context.Context, waitError chan<- error, ready chan<
waitError <- waitAndCleanup()
}
func (w *Wireguard) setupIPv6(link netlink.Link, closers *closers) (err error) {
// requires net.ipv6.conf.all.disable_ipv6=0
err = w.addRoute(link, allIPv6(), w.settings.FirewallMark)
if err != nil {
if strings.Contains(err.Error(), "permission denied") {
w.logger.Errorf("cannot add route for IPv6 due to a permission denial. "+
"Ignoring and continuing execution; "+
"Please report to https://github.com/qdm12/gluetun/issues/998 if you find a fix. "+
"Full error string: %s", err)
return nil
}
return fmt.Errorf("%w: %s", ErrRouteAdd, err)
}
ruleCleanup6, ruleErr := w.addRule(
w.settings.RulePriority, w.settings.FirewallMark,
unix.AF_INET6)
if ruleErr != nil {
return fmt.Errorf("adding IPv6 rule: %w", ruleErr)
}
closers.add("removing IPv6 rule", stepOne, ruleCleanup6)
return nil
}
type waitAndCleanupFunc func() error
func setupKernelSpace(ctx context.Context,