User specified iptables rules (#161)

.github/workflows/buildx-branch.yml

@@ -25,8 +25,6 @@ jobs:
       - uses: actions/checkout@v2
       - name: Buildx setup
         uses: crazy-max/ghaction-docker-buildx@v1
-        with:
-          version: latest
       - name: Dockerhub login
         run: echo ${{ secrets.DOCKERHUB_PASSWORD }} | docker login -u qmcgaw --password-stdin 2>&1
       - name: Run Buildx

.github/workflows/buildx-latest.yml

@@ -22,8 +22,6 @@ jobs:
       - uses: actions/checkout@v2
       - name: Buildx setup
         uses: crazy-max/ghaction-docker-buildx@v1
-        with:
-          version: latest
       - name: Dockerhub login
         run: echo ${{ secrets.DOCKERHUB_PASSWORD }} | docker login -u qmcgaw --password-stdin 2>&1
       - name: Run Buildx

.github/workflows/buildx-release.yml

@@ -20,10 +20,8 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v2
-      - id: buildx
+      - name: Buildx setup
         uses: crazy-max/ghaction-docker-buildx@v1
-        with:
-          version: latest
       - name: Dockerhub login
         run: echo ${{ secrets.DOCKERHUB_PASSWORD }} | docker login -u qmcgaw --password-stdin 2>&1
       - name: Run Buildx

cmd/main.go

@@ -193,6 +193,8 @@ func main() {
 	fatalOnError(err)
 	err = firewallConf.CreateLocalSubnetsRules(ctx, defaultSubnet, allSettings.Firewall.AllowedSubnets, defaultInterface)
 	fatalOnError(err)
+	err = firewallConf.RunUserPostRules(ctx, fileManager, "/iptables/post-rules.txt")
+	fatalOnError(err)
 
 	if allSettings.TinyProxy.Enabled {
 		err = tinyProxyConf.MakeConf(

internal/firewall/firewall.go

@@ -5,6 +5,7 @@ import (
 	"net"
 
 	"github.com/qdm12/golibs/command"
+	"github.com/qdm12/golibs/files"
 	"github.com/qdm12/golibs/logging"
 	"github.com/qdm12/private-internet-access-docker/internal/models"
 )
@@ -20,6 +21,7 @@ type Configurator interface {
 	CreateLocalSubnetsRules(ctx context.Context, subnet net.IPNet, extraSubnets []net.IPNet, defaultInterface string) error
 	AllowInputTrafficOnPort(ctx context.Context, device models.VPNDevice, port uint16) error
 	AllowAnyIncomingOnPort(ctx context.Context, port uint16) error
+	RunUserPostRules(ctx context.Context, fileManager files.FileManager, filepath string) error
 }
 
 type configurator struct {

internal/firewall/iptables.go

@@ -6,6 +6,7 @@ import (
 	"net"
 	"strings"
 
+	"github.com/qdm12/golibs/files"
 	"github.com/qdm12/private-internet-access-docker/internal/models"
 )
 
@@ -34,7 +35,7 @@ func (c *configurator) runIptablesInstructions(ctx context.Context, instructions
 func (c *configurator) runIptablesInstruction(ctx context.Context, instruction string) error {
 	flags := strings.Fields(instruction)
 	if output, err := c.commander.Run(ctx, "iptables", flags...); err != nil {
-		return fmt.Errorf("failed executing %q: %s: %w", instruction, output, err)
+		return fmt.Errorf("failed executing \"iptables %s\": %s: %w", instruction, output, err)
 	}
 	return nil
 }
@@ -136,3 +137,27 @@ func (c *configurator) AllowAnyIncomingOnPort(ctx context.Context, port uint16)
 		fmt.Sprintf("-A INPUT -p udp --dport %d -j ACCEPT", port),
 	})
 }
+
+func (c *configurator) RunUserPostRules(ctx context.Context, fileManager files.FileManager, filepath string) error {
+	exists, err := fileManager.FileExists(filepath)
+	if err != nil {
+		return err
+	}
+	if exists {
+		b, err := fileManager.ReadFile(filepath)
+		if err != nil {
+			return err
+		}
+		lines := strings.Split(string(b), "\n")
+		var rules []string
+		for _, line := range lines {
+			if !strings.HasPrefix(line, "iptables ") {
+				continue
+			}
+			rules = append(rules, strings.TrimPrefix(line, "iptables "))
+			c.logger.Info("running user post firewall rule: %s", line)
+		}
+		return c.runIptablesInstructions(ctx, rules)
+	}
+	return nil
+}