Firewall simplifications

- Only a map of allowed input port to interface - port forwarded is in the map of allowed input ports - port forwarded has the interface tun0 in this map - Always allow tcp and udp for allowed input ports - Port forward state is in openvpn looper only - Shadowsocks input port allowed on default interface only - Tinyproxy input port allowed on default interface only
2020-07-20 00:39:59 +00:00
parent 85bd4f2e8d
commit a13be8f45e
8 changed files with 99 additions and 148 deletions
--- a/internal/tinyproxy/loop.go
+++ b/internal/tinyproxy/loop.go
@@ -21,17 +21,18 @@ type Looper interface {
 }

 type looper struct {
-	conf          Configurator
-	firewallConf  firewall.Configurator
-	settings      settings.TinyProxy
-	settingsMutex sync.RWMutex
-	logger        logging.Logger
-	streamMerger  command.StreamMerger
-	uid           int
-	gid           int
-	restart       chan struct{}
-	start         chan struct{}
-	stop          chan struct{}
+	conf             Configurator
+	firewallConf     firewall.Configurator
+	settings         settings.TinyProxy
+	settingsMutex    sync.RWMutex
+	logger           logging.Logger
+	streamMerger     command.StreamMerger
+	uid              int
+	gid              int
+	defaultInterface string
+	restart          chan struct{}
+	start            chan struct{}
+	stop             chan struct{}
 }

 func (l *looper) logAndWait(ctx context.Context, err error) {
@@ -43,18 +44,19 @@ func (l *looper) logAndWait(ctx context.Context, err error) {
 }

 func NewLooper(conf Configurator, firewallConf firewall.Configurator, settings settings.TinyProxy,
-	logger logging.Logger, streamMerger command.StreamMerger, uid, gid int) Looper {
+	logger logging.Logger, streamMerger command.StreamMerger, uid, gid int, defaultInterface string) Looper {
 	return &looper{
-		conf:         conf,
-		firewallConf: firewallConf,
-		settings:     settings,
-		logger:       logger.WithPrefix("tinyproxy: "),
-		streamMerger: streamMerger,
-		uid:          uid,
-		gid:          gid,
-		restart:      make(chan struct{}),
-		start:        make(chan struct{}),
-		stop:         make(chan struct{}),
+		conf:             conf,
+		firewallConf:     firewallConf,
+		settings:         settings,
+		logger:           logger.WithPrefix("tinyproxy: "),
+		streamMerger:     streamMerger,
+		uid:              uid,
+		gid:              gid,
+		defaultInterface: defaultInterface,
+		restart:          make(chan struct{}),
+		start:            make(chan struct{}),
+		stop:             make(chan struct{}),
 	}
 }

@@ -133,7 +135,7 @@ func (l *looper) Run(ctx context.Context, wg *sync.WaitGroup) {
 				continue
 			}
 		}
-		if err := l.firewallConf.SetAllowedPort(ctx, settings.Port); err != nil {
+		if err := l.firewallConf.SetAllowedPort(ctx, settings.Port, l.defaultInterface); err != nil {
 			l.logger.Error(err)
 			continue
 		}