Firewall simplifications
- Only a map of allowed input port to interface - port forwarded is in the map of allowed input ports - port forwarded has the interface tun0 in this map - Always allow tcp and udp for allowed input ports - Port forward state is in openvpn looper only - Shadowsocks input port allowed on default interface only - Tinyproxy input port allowed on default interface only
This commit is contained in:
Quentin McGaw
@@ -3,11 +3,9 @@ package firewall
|
||||
import (
|
||||
"context"
|
||||
"fmt"
|
||||
|
||||
"github.com/qdm12/private-internet-access-docker/internal/constants"
|
||||
)
|
||||
|
||||
func (c *configurator) SetAllowedPort(ctx context.Context, port uint16) (err error) {
|
||||
func (c *configurator) SetAllowedPort(ctx context.Context, port uint16, intf string) (err error) {
|
||||
c.stateMutex.Lock()
|
||||
defer c.stateMutex.Unlock()
|
||||
|
||||
@@ -16,25 +14,28 @@ func (c *configurator) SetAllowedPort(ctx context.Context, port uint16) (err err
|
||||
}
|
||||
|
||||
if !c.enabled {
|
||||
c.logger.Info("firewall disabled, only updating allowed ports internal list")
|
||||
c.allowedPorts[port] = struct{}{}
|
||||
c.logger.Info("firewall disabled, only updating allowed ports internal state")
|
||||
c.allowedInputPorts[port] = intf
|
||||
return nil
|
||||
}
|
||||
|
||||
c.logger.Info("setting allowed port %d through firewall...", port)
|
||||
c.logger.Info("setting allowed input port %d through interface %s...", port, intf)
|
||||
|
||||
if _, ok := c.allowedPorts[port]; ok {
|
||||
return nil
|
||||
if existingIntf, ok := c.allowedInputPorts[port]; ok {
|
||||
if intf == existingIntf {
|
||||
return nil
|
||||
}
|
||||
const remove = true
|
||||
if err := c.acceptInputToPort(ctx, existingIntf, port, remove); err != nil {
|
||||
return fmt.Errorf("cannot remove old allowed port %d through interface %s: %w", port, existingIntf, err)
|
||||
}
|
||||
}
|
||||
|
||||
const remove = false
|
||||
if err := c.acceptInputToPort(ctx, "*", constants.TCP, port, remove); err != nil {
|
||||
return fmt.Errorf("cannot set allowed port %d through firewall: %w", port, err)
|
||||
if err := c.acceptInputToPort(ctx, intf, port, remove); err != nil {
|
||||
return fmt.Errorf("cannot set allowed port %d through interface %s: %w", port, intf, err)
|
||||
}
|
||||
if err := c.acceptInputToPort(ctx, "*", constants.UDP, port, remove); err != nil {
|
||||
return fmt.Errorf("cannot set allowed port %d through firewall: %w", port, err)
|
||||
}
|
||||
c.allowedPorts[port] = struct{}{}
|
||||
c.allowedInputPorts[port] = intf
|
||||
|
||||
return nil
|
||||
}
|
||||
@@ -49,63 +50,22 @@ func (c *configurator) RemoveAllowedPort(ctx context.Context, port uint16) (err
|
||||
|
||||
if !c.enabled {
|
||||
c.logger.Info("firewall disabled, only updating allowed ports internal list")
|
||||
delete(c.allowedPorts, port)
|
||||
delete(c.allowedInputPorts, port)
|
||||
return nil
|
||||
}
|
||||
|
||||
c.logger.Info("removing allowed port %d through firewall...", port)
|
||||
|
||||
if _, ok := c.allowedPorts[port]; !ok {
|
||||
intf, ok := c.allowedInputPorts[port]
|
||||
if !ok {
|
||||
return nil
|
||||
}
|
||||
|
||||
const remove = true
|
||||
if err := c.acceptInputToPort(ctx, "*", constants.TCP, port, remove); err != nil {
|
||||
return fmt.Errorf("cannot remove allowed port %d through firewall: %w", port, err)
|
||||
if err := c.acceptInputToPort(ctx, intf, port, remove); err != nil {
|
||||
return fmt.Errorf("cannot remove allowed port %d through interface %s: %w", port, intf, err)
|
||||
}
|
||||
if err := c.acceptInputToPort(ctx, "*", constants.UDP, port, remove); err != nil {
|
||||
return fmt.Errorf("cannot remove allowed port %d through firewall: %w", port, err)
|
||||
}
|
||||
delete(c.allowedPorts, port)
|
||||
delete(c.allowedInputPorts, port)
|
||||
|
||||
return nil
|
||||
}
|
||||
|
||||
// Use 0 to remove
|
||||
func (c *configurator) SetPortForward(ctx context.Context, port uint16) (err error) {
|
||||
c.stateMutex.Lock()
|
||||
defer c.stateMutex.Unlock()
|
||||
|
||||
if port == c.portForwarded {
|
||||
return nil
|
||||
}
|
||||
|
||||
if !c.enabled {
|
||||
c.logger.Info("firewall disabled, only updating port forwarded internally")
|
||||
c.portForwarded = port
|
||||
return nil
|
||||
}
|
||||
|
||||
const tun = string(constants.TUN)
|
||||
if c.portForwarded > 0 {
|
||||
if err := c.acceptInputToPort(ctx, tun, constants.TCP, c.portForwarded, true); err != nil {
|
||||
return fmt.Errorf("cannot remove outdated port forward rule from firewall: %w", err)
|
||||
}
|
||||
if err := c.acceptInputToPort(ctx, tun, constants.UDP, c.portForwarded, true); err != nil {
|
||||
return fmt.Errorf("cannot remove outdated port forward rule from firewall: %w", err)
|
||||
}
|
||||
}
|
||||
|
||||
if port == 0 { // not changing port
|
||||
c.portForwarded = 0
|
||||
return nil
|
||||
}
|
||||
|
||||
if err := c.acceptInputToPort(ctx, tun, constants.TCP, port, false); err != nil {
|
||||
return fmt.Errorf("cannot accept port forwarded through firewall: %w", err)
|
||||
}
|
||||
if err := c.acceptInputToPort(ctx, tun, constants.UDP, port, false); err != nil {
|
||||
return fmt.Errorf("cannot accept port forwarded through firewall: %w", err)
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user