admin/gluetun
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat(firewall): use all default routes

Browse Source 
- Accept output traffic from all default routes through VPN interface
- Accept output from all default routes to outbound subnets
- Accept all input traffic on ports for all default routes
- Add IP rules for all default routes
This commit is contained in:
Quentin McGaw
2022-03-13 13:26:09 +00:00
parent 0795008c23
commit f99d5e8656
11 changed files with 212 additions and 154 deletions
Download Patch File Download Diff File Expand all files Collapse all files

65
internal/routing/inbound.go
View File

@@ -12,61 +12,62 @@ const (
inboundPriority = 100
)
func (r *Routing) routeInboundFromDefault(defaultGateway net.IP,
defaultInterface string) (err error) {
if err := r.addRuleInboundFromDefault(inboundTable); err != nil {
func (r *Routing) routeInboundFromDefault(defaultRoutes []DefaultRoute) (err error) {
if err := r.addRuleInboundFromDefault(inboundTable, defaultRoutes); err != nil {
return fmt.Errorf("cannot add rule: %w", err)
}
defaultDestination := net.IPNet{IP: net.IPv4(0, 0, 0, 0), Mask: net.IPv4Mask(0, 0, 0, 0)}
if err := r.addRouteVia(defaultDestination, defaultGateway, defaultInterface, inboundTable); err != nil {
return fmt.Errorf("cannot add route: %w", err)
// TODO IPv6
for _, defaultRoute := range defaultRoutes {
err := r.addRouteVia(defaultDestination, defaultRoute.Gateway, defaultRoute.NetInterface, inboundTable)
if err != nil {
return fmt.Errorf("cannot add route: %w", err)
}
}
return nil
}
func (r *Routing) unrouteInboundFromDefault(defaultGateway net.IP,
defaultInterface string) (err error) {
func (r *Routing) unrouteInboundFromDefault(defaultRoutes []DefaultRoute) (err error) {
defaultDestination := net.IPNet{IP: net.IPv4(0, 0, 0, 0), Mask: net.IPv4Mask(0, 0, 0, 0)}
if err := r.deleteRouteVia(defaultDestination, defaultGateway, defaultInterface, inboundTable); err != nil {
return fmt.Errorf("cannot delete route: %w", err)
for _, defaultRoute := range defaultRoutes {
err := r.deleteRouteVia(defaultDestination, defaultRoute.Gateway, defaultRoute.NetInterface, inboundTable)
if err != nil {
return fmt.Errorf("cannot delete route: %w", err)
}
}
if err := r.delRuleInboundFromDefault(inboundTable); err != nil {
if err := r.delRuleInboundFromDefault(inboundTable, defaultRoutes); err != nil {
return fmt.Errorf("cannot delete rule: %w", err)
}
return nil
}
func (r *Routing) addRuleInboundFromDefault(table int) (err error) {
defaultIP, err := r.DefaultIP()
if err != nil {
return fmt.Errorf("cannot find default IP: %w", err)
}
defaultIPMasked32 := netlink.NewIPNet(defaultIP)
ruleDstNet := (*net.IPNet)(nil)
err = r.addIPRule(defaultIPMasked32, ruleDstNet, table, inboundPriority)
if err != nil {
return fmt.Errorf("cannot add rule: %w", err)
func (r *Routing) addRuleInboundFromDefault(table int, defaultRoutes []DefaultRoute) (err error) {
for _, defaultRoute := range defaultRoutes {
defaultIPMasked32 := netlink.NewIPNet(defaultRoute.AssignedIP)
ruleDstNet := (*net.IPNet)(nil)
err = r.addIPRule(defaultIPMasked32, ruleDstNet, table, inboundPriority)
if err != nil {
return fmt.Errorf("cannot add rule for default route %s: %w", defaultRoute, err)
}
}
return nil
}
func (r *Routing) delRuleInboundFromDefault(table int) (err error) {
defaultIP, err := r.DefaultIP()
if err != nil {
return fmt.Errorf("cannot find default IP: %w", err)
}
defaultIPMasked32 := netlink.NewIPNet(defaultIP)
ruleDstNet := (*net.IPNet)(nil)
err = r.deleteIPRule(defaultIPMasked32, ruleDstNet, table, inboundPriority)
if err != nil {
return fmt.Errorf("cannot delete rule: %w", err)
func (r *Routing) delRuleInboundFromDefault(table int, defaultRoutes []DefaultRoute) (err error) {
for _, defaultRoute := range defaultRoutes {
defaultIPMasked32 := netlink.NewIPNet(defaultRoute.AssignedIP)
ruleDstNet := (*net.IPNet)(nil)
err = r.deleteIPRule(defaultIPMasked32, ruleDstNet, table, inboundPriority)
if err != nil {
return fmt.Errorf("cannot delete rule for default route %s: %w", defaultRoute, err)
}
}
return nil