Feature: uplift the 'localSubnet' concept to cover all local ethernet interfaces (#413)

2021-04-10 03:08:20 +10:00
parent cc4117e054
commit 8230596f98
5 changed files with 87 additions and 11 deletions
--- a/internal/firewall/enable.go
+++ b/internal/firewall/enable.go
@@ -94,8 +94,10 @@ func (c *configurator) enable(ctx context.Context) (err error) {
 		return fmt.Errorf("cannot enable firewall: %w", err)
 	}

-	if err := c.acceptOutputFromIPToSubnet(ctx, c.defaultInterface, c.localIP, c.localSubnet, remove); err != nil {
-		return fmt.Errorf("cannot enable firewall: %w", err)
+	for _, network := range c.localNetworks {
+		if err := c.acceptOutputFromIPToSubnet(ctx, network.InterfaceName, network.IP, network.Subnet, remove); err != nil {
+			return fmt.Errorf("cannot enable firewall: %w", err)
+		}
 	}

 	for _, subnet := range c.outboundSubnets {
@@ -106,8 +108,10 @@ func (c *configurator) enable(ctx context.Context) (err error) {

 	// Allows packets from any IP address to go through eth0 / local network
 	// to reach Gluetun.
-	if err := c.acceptInputToSubnet(ctx, c.defaultInterface, c.localSubnet, remove); err != nil {
-		return fmt.Errorf("cannot enable firewall: %w", err)
+	for _, network := range c.localNetworks {
+		if err := c.acceptInputToSubnet(ctx, network.InterfaceName, network.Subnet, remove); err != nil {
+			return fmt.Errorf("cannot enable firewall: %w", err)
+		}
 	}

 	for port, intf := range c.allowedInputPorts {