Firewall simplifications

- Only keep a map of allowed input ports to interfaces
- port forwarded is in the map of allowed input ports
- port forwarded has the interface tun0 in this map
- Always allow tcp and udp for allowed input ports
- Port forward state is in openvpn looper only
- Shadowsocks input port allowed on default interface only
- Tinyproxy input port allowed on default interface only
Quentin McGaw
2020-07-20 00:39:59 +00:00
parent 85bd4f2e8d
commit a13be8f45e
8 changed files with 99 additions and 148 deletions


@@ -195,6 +195,12 @@ func (l *looper) portForward(ctx context.Context, providerConf provider.Provider
l.logger.Info("port forwarded is %d", port)
l.portForwardedMutex.Lock()
if err := l.fw.RemoveAllowedPort(ctx, l.portForwarded); err != nil {
l.logger.Error(err)
}
if err := l.fw.SetAllowedPort(ctx, port, string(constants.TUN)); err != nil {
l.logger.Error(err)
}
l.portForwarded = port
l.portForwardedMutex.Unlock()
@@ -207,10 +213,6 @@ func (l *looper) portForward(ctx context.Context, providerConf provider.Provider
if err != nil {
l.logger.Error(err)
}
if err := l.fw.SetPortForward(ctx, port); err != nil {
l.logger.Error(err)
}
}
func (l *looper) GetPortForwarded() (portForwarded uint16) {