admin/gluetun
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Fixing extra subnets firewall rules

Browse Source 
- Fix #194
- Fix #190
- Refers to #188
This commit is contained in:
Quentin McGaw
2020-07-13 02:17:49 +00:00
parent 95ad58687d
commit 4a7d341c57
3 changed files with 22 additions and 18 deletions
Download Patch File Download Diff File Expand all files Collapse all files

22
internal/firewall/subnets.go
View File

@@ -32,9 +32,13 @@ func (c *configurator) SetAllowedSubnets(ctx context.Context, subnets []net.IPNe
if err != nil {
return fmt.Errorf("cannot set allowed subnets through firewall: %w", err)
}
localSubnet, err := c.routing.LocalSubnet()
if err != nil {
return fmt.Errorf("cannot set allowed subnets through firewall: %w", err)
}
c.removeSubnets(ctx, subnetsToRemove, defaultInterface)
if err := c.addSubnets(ctx, subnetsToAdd, defaultInterface, defaultGateway); err != nil {
c.removeSubnets(ctx, subnetsToRemove, defaultInterface, localSubnet)
if err := c.addSubnets(ctx, subnetsToAdd, defaultInterface, defaultGateway, localSubnet); err != nil {
return fmt.Errorf("cannot set allowed subnets through firewall: %w", err)
}
@@ -89,15 +93,16 @@ func removeSubnetFromSubnets(subnets []net.IPNet, subnet net.IPNet) []net.IPNet
return subnets
}
func (c *configurator) removeSubnets(ctx context.Context, subnets []net.IPNet, defaultInterface string) {
func (c *configurator) removeSubnets(ctx context.Context, subnets []net.IPNet, defaultInterface string,
localSubnet net.IPNet) {
const remove = true
for _, subnet := range subnets {
failed := false
if err := c.acceptInputFromToSubnet(ctx, subnet, defaultInterface, remove); err != nil {
if err := c.acceptInputFromSubnetToSubnet(ctx, defaultInterface, subnet, localSubnet, remove); err != nil {
failed = true
c.logger.Error("cannot remove outdated allowed subnet through firewall: %s", err)
}
if err := c.acceptOutputFromToSubnet(ctx, subnet, defaultInterface, remove); err != nil {
if err := c.acceptOutputFromSubnetToSubnet(ctx, defaultInterface, subnet, localSubnet, remove); err != nil {
failed = true
c.logger.Error("cannot remove outdated allowed subnet through firewall: %s", err)
}
@@ -112,13 +117,14 @@ func (c *configurator) removeSubnets(ctx context.Context, subnets []net.IPNet, d
}
}
func (c *configurator) addSubnets(ctx context.Context, subnets []net.IPNet, defaultInterface string, defaultGateway net.IP) error {
func (c *configurator) addSubnets(ctx context.Context, subnets []net.IPNet, defaultInterface string,
defaultGateway net.IP, localSubnet net.IPNet) error {
const remove = false
for _, subnet := range subnets {
if err := c.acceptInputFromToSubnet(ctx, subnet, defaultInterface, remove); err != nil {
if err := c.acceptInputFromSubnetToSubnet(ctx, defaultInterface, subnet, localSubnet, remove); err != nil {
return fmt.Errorf("cannot add allowed subnet through firewall: %w", err)
}
if err := c.acceptOutputFromToSubnet(ctx, subnet, defaultInterface, remove); err != nil {
if err := c.acceptOutputFromSubnetToSubnet(ctx, defaultInterface, localSubnet, subnet, remove); err != nil {
return fmt.Errorf("cannot add allowed subnet through firewall: %w", err)
}
if err := c.routing.AddRouteVia(ctx, subnet, defaultGateway, defaultInterface); err != nil {