From 4cd6b33044aab006de013cff608ed1d4c9aa55ab Mon Sep 17 00:00:00 2001 From: Quentin McGaw Date: Sun, 12 Jul 2020 21:21:41 +0000 Subject: [PATCH] Add missing subnets setup, fixes #190 - Also setup subnet routes when firewall is disabled --- cmd/gluetun/main.go | 3 +++ internal/firewall/enable.go | 1 - internal/firewall/subnets.go | 28 +++++++++++++++++++++++++++- 3 files changed, 30 insertions(+), 2 deletions(-) diff --git a/cmd/gluetun/main.go b/cmd/gluetun/main.go index e7c63eb6..8b99f679 100644 --- a/cmd/gluetun/main.go +++ b/cmd/gluetun/main.go @@ -123,6 +123,9 @@ func _main(background context.Context, args []string) int { fatalOnError(err) } + err = firewallConf.SetAllowedSubnets(ctx, allSettings.Firewall.AllowedSubnets) + fatalOnError(err) + openvpnLooper := openvpn.NewLooper(allSettings.VPNSP, allSettings.OpenVPN, uid, gid, ovpnConf, firewallConf, logger, client, fileManager, streamMerger, fatalOnError) // wait for restartOpenvpn diff --git a/internal/firewall/enable.go b/internal/firewall/enable.go index 285f0a72..ee65ad70 100644 --- a/internal/firewall/enable.go +++ b/internal/firewall/enable.go @@ -48,7 +48,6 @@ func (c *configurator) disable(ctx context.Context) (err error) { if err = c.setAllPolicies(ctx, "ACCEPT"); err != nil { return fmt.Errorf("cannot disable firewall: %w", err) } - // TODO routes? return nil } diff --git a/internal/firewall/subnets.go b/internal/firewall/subnets.go index d684faf9..fbb58523 100644 --- a/internal/firewall/subnets.go +++ b/internal/firewall/subnets.go 
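Review bot: The new `firewallConf.SetAllowedSubnets` call in `_main` installs host routes that steer the allowed subnets around the tunnel (the disabled-firewall path in subnets.go routes them via the default gateway), but nothing at the call site says so, and a later reader may take it for a pure filtering change. A one-line comment would make the split-tunnel effect explicit: `// Allowed subnets bypass the tunnel: set up their rules/routes before the OpenVPN loop starts`. Whether `firewallConf` is already enabled at this point is not visible in the hunk; if it is not, the disabled-branch logic is what runs here. `_main` begins and ends outside the hunk.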
@@ -11,7 +11,10 @@ func (c *configurator) SetAllowedSubnets(ctx context.Context, subnets []net.IPNe defer c.stateMutex.Unlock() if !c.enabled { - c.logger.Info("firewall disabled, only updating allowed subnets internal list") + c.logger.Info("firewall disabled, only updating allowed subnets internal list and updating routes") + if err := c.updateSubnetRoutes(ctx, c.allowedSubnets, subnets); err != nil { + return err + } c.allowedSubnets = make([]net.IPNet, len(subnets)) copy(c.allowedSubnets, subnets) return nil @@ -125,3 +128,26 @@ func (c *configurator) addSubnets(ctx context.Context, subnets []net.IPNet, defa } return nil } + +func (c *configurator) updateSubnetRoutes(ctx context.Context, oldSubnets, newSubnets []net.IPNet) error { + subnetsToAdd := findSubnetsToAdd(oldSubnets, newSubnets) + subnetsToRemove := findSubnetsToRemove(oldSubnets, newSubnets) + if len(subnetsToAdd) == 0 && len(subnetsToRemove) == 0 { + return nil + } + defaultInterface, defaultGateway, err := c.routing.DefaultRoute() + if err != nil { + return err + } + for _, subnet := range subnetsToRemove { + if err := c.routing.DeleteRouteVia(ctx, subnet); err != nil { + c.logger.Error("cannot remove outdated route for subnet: %s", err) + } + } + for _, subnet := range subnetsToAdd { + if err := c.routing.AddRouteVia(ctx, subnet, defaultGateway, defaultInterface); err != nil { + c.logger.Error("cannot add route for subnet: %s", err) + } + } + return nil +}
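Review bot: The new log line reads `only updating allowed subnets internal list and updating routes`, which contradicts itself now that routes are touched too; `c.logger.Info("firewall disabled, updating allowed subnets internal list and routes")` says what the branch does. The branch returns before copying `subnets` into `c.allowedSubnets` when `updateSubnetRoutes` fails, so the next call recomputes the diff against the old list and retries; that is the right behaviour but it is not obvious, so a short comment such as `// keep the old list on failure so the next call retries the same diff` would help. The enabled path of SetAllowedSubnets lies outside the hunk.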
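Review bot: A failed `DeleteRouteVia` in updateSubnetRoutes is only logged and the function still returns nil, so a subnet dropped from the allow list keeps its route via the default gateway while the caller records it as removed, and traffic to it keeps bypassing the tunnel silently. Route removal should fail closed: replace the `c.logger.Error(...)` in the remove loop with `return fmt.Errorf("cannot remove outdated route for subnet %s: %w", subnet.String(), err)` (adding a `fmt` import if subnets.go lacks one); in the disabled-firewall path shown in the first hunk the caller then returns before updating `c.allowedSubnets`, so the diff is recomputed and retried on the next call. Leaving failed additions as best-effort is defensible, since a missing bypass route fails closed, but that asymmetry deserves a comment on the add loop. The function also has no doc comment; `// updateSubnetRoutes adds a route via the default gateway for each subnet in newSubnets but not in oldSubnets, and removes the routes of subnets only in oldSubnets.` would do.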