From ab223a5e06b8e614b7af534473d5831701880850 Mon Sep 17 00:00:00 2001
From: Quentin McGaw
Date: Mon, 18 May 2020 09:37:34 -0400
Subject: [PATCH] User specified iptables rules (#161)
---
 .github/workflows/buildx-branch.yml | 2 --
 .github/workflows/buildx-latest.yml | 2 --
 .github/workflows/buildx-release.yml | 4 +---
 cmd/main.go | 2 ++
 internal/firewall/firewall.go | 2 ++
 internal/firewall/iptables.go | 27 ++++++++++++++++++++++++++-
 6 files changed, 31 insertions(+), 8 deletions(-)
diff --git a/.github/workflows/buildx-branch.yml b/.github/workflows/buildx-branch.yml
index 986824d0..fe0033cf 100644
--- a/.github/workflows/buildx-branch.yml
+++ b/.github/workflows/buildx-branch.yml
@@ -25,8 +25,6 @@ jobs: - uses: actions/checkout@v2 - name: Buildx setup uses: crazy-max/ghaction-docker-buildx@v1 - with: - version: latest - name: Dockerhub login run: echo ${{ secrets.DOCKERHUB_PASSWORD }} | docker login -u qmcgaw --password-stdin 2>&1 - name: Run Buildx
diff --git a/.github/workflows/buildx-latest.yml b/.github/workflows/buildx-latest.yml
index de7ef5f5..c3595d30 100644
--- a/.github/workflows/buildx-latest.yml
+++ b/.github/workflows/buildx-latest.yml
@@ -22,8 +22,6 @@ jobs: - uses: actions/checkout@v2 - name: Buildx setup uses: crazy-max/ghaction-docker-buildx@v1 - with: - version: latest - name: Dockerhub login run: echo ${{ secrets.DOCKERHUB_PASSWORD }} | docker login -u qmcgaw --password-stdin 2>&1 - name: Run Buildx
diff --git a/.github/workflows/buildx-release.yml b/.github/workflows/buildx-release.yml
index 511695be..22947c96 100644
--- a/.github/workflows/buildx-release.yml
+++ b/.github/workflows/buildx-release.yml
@@ -20,10 +20,8 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@v2 - - id: buildx + - name: Buildx setup uses: crazy-max/ghaction-docker-buildx@v1 - with: - version: latest - name: Dockerhub login run: echo ${{ secrets.DOCKERHUB_PASSWORD }} | docker login -u qmcgaw --password-stdin 2>&1 - name: Run Buildx 
diff --git a/cmd/main.go b/cmd/main.go
index d1a56edd..90608925 100644
--- a/cmd/main.go
+++ b/cmd/main.go
@@ -193,6 +193,8 @@ func main() {
 fatalOnError(err)
 err = firewallConf.CreateLocalSubnetsRules(ctx, defaultSubnet, allSettings.Firewall.AllowedSubnets, defaultInterface)
 fatalOnError(err)
+ err = firewallConf.RunUserPostRules(ctx, fileManager, "/iptables/post-rules.txt")
+ fatalOnError(err)
 if allSettings.TinyProxy.Enabled {
 err = tinyProxyConf.MakeConf(
diff --git a/internal/firewall/firewall.go b/internal/firewall/firewall.go
index cf019da4..1f85f0a4 100644
--- a/internal/firewall/firewall.go
+++ b/internal/firewall/firewall.go
@@ -5,6 +5,7 @@ import (
 "net"
 "github.com/qdm12/golibs/command"
+ "github.com/qdm12/golibs/files"
 "github.com/qdm12/golibs/logging"
 "github.com/qdm12/private-internet-access-docker/internal/models"
 )
@@ -20,6 +21,7 @@ type Configurator interface {
 CreateLocalSubnetsRules(ctx context.Context, subnet net.IPNet, extraSubnets []net.IPNet, defaultInterface string) error
 AllowInputTrafficOnPort(ctx context.Context, device models.VPNDevice, port uint16) error
 AllowAnyIncomingOnPort(ctx context.Context, port uint16) error
+ RunUserPostRules(ctx context.Context, fileManager files.FileManager, filepath string) error
 }
 type configurator struct {
diff --git a/internal/firewall/iptables.go b/internal/firewall/iptables.go
index 45616687..4b420dca 100644
--- a/internal/firewall/iptables.go
+++ b/internal/firewall/iptables.go
@@ -6,6 +6,7 @@ import (
 "net"
 "strings"
+ "github.com/qdm12/golibs/files"
 "github.com/qdm12/private-internet-access-docker/internal/models"
 ) 
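Review bot: The rules file location `"/iptables/post-rules.txt"` is a bare literal at the call site in main; a named constant alongside the other firewall configuration, e.g. `const userPostRulesPath = "/iptables/post-rules.txt"`, keeps the documented mount path and the code from drifting and makes the path reusable from tests. A one-line comment at the call site saying that the file's lines are handed to iptables unchanged, after the rules created just above, would also help, since the name RunUserPostRules only hints at that. main starts and ends outside the hunk.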
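Review bot: The new interface method `RunUserPostRules` in the Configurator hunk has no doc comment describing the file format it accepts, and its last parameter is named `filepath`, which shadows the standard `path/filepath` package name in any implementation; the implementation in internal/firewall/iptables.go uses the same name. I would add `// RunUserPostRules runs each line of the file at rulesPath that starts with "iptables " as an iptables instruction, if the file exists; other lines are ignored.` above the method and rename the parameter to `rulesPath` in both places. Configurator continues outside the hunk.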
@@ -34,7 +35,7 @@ func (c *configurator) runIptablesInstructions(ctx context.Context, instructions
 func (c *configurator) runIptablesInstruction(ctx context.Context, instruction string) error {
 flags := strings.Fields(instruction)
 if output, err := c.commander.Run(ctx, "iptables", flags...); err != nil {
- return fmt.Errorf("failed executing %q: %s: %w", instruction, output, err)
+ return fmt.Errorf("failed executing \"iptables %s\": %s: %w", instruction, output, err)
 }
 return nil
 }
@@ -136,3 +137,27 @@ func (c *configurator) AllowAnyIncomingOnPort(ctx context.Context, port uint16)
 fmt.Sprintf("-A INPUT -p udp --dport %d -j ACCEPT", port),
 })
 }
+
+func (c *configurator) RunUserPostRules(ctx context.Context, fileManager files.FileManager, filepath string) error {
+ exists, err := fileManager.FileExists(filepath)
+ if err != nil {
+ return err
+ }
+ if exists {
+ b, err := fileManager.ReadFile(filepath)
+ if err != nil {
+ return err
+ }
+ lines := strings.Split(string(b), "\n")
+ var rules []string
+ for _, line := range lines {
+ if !strings.HasPrefix(line, "iptables ") {
+ continue
+ }
+ rules = append(rules, strings.TrimPrefix(line, "iptables "))
+ c.logger.Info("running user post firewall rule: %s", line)
+ }
+ return c.runIptablesInstructions(ctx, rules)
+ }
+ return nil
+}
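Review bot: RunUserPostRules returns the errors from `FileExists` and `ReadFile` bare, so a failure reaches the caller without the path that caused it, while the execution error in runIptablesInstruction carries the full command; wrapping them as `fmt.Errorf("reading user post rules file %q: %w", rulesPath, err)` keeps the two consistent. The happy path is nested under `if exists { … }` where a guard `if !exists { return nil }` would keep it left-aligned, and each rule is logged as "running" while it is only being collected, with the whole batch executed afterwards, so a failure part-way through leaves log lines claiming rules ran that did not. Because every line starting with `iptables ` is executed verbatim and every other line is dropped, the doc comment should state that indented or commented lines are silently ignored, which is what a user whose rule "does nothing" will need to know. The rewrite below applies these points (`rulesPath` also avoids shadowing the `path/filepath` package name).
```go
// RunUserPostRules runs the user's extra iptables rules after the built-in ones.
// Every line of the file at rulesPath that begins with "iptables " is run as an
// iptables instruction, in file order; indented, commented or otherwise
// non-matching lines are ignored. A missing file is not an error.
func (c *configurator) RunUserPostRules(ctx context.Context, fileManager files.FileManager, rulesPath string) error {
	exists, err := fileManager.FileExists(rulesPath)
	if err != nil {
		return fmt.Errorf("checking user post rules file %q: %w", rulesPath, err)
	}
	if !exists {
		return nil
	}
	b, err := fileManager.ReadFile(rulesPath)
	if err != nil {
		return fmt.Errorf("reading user post rules file %q: %w", rulesPath, err)
	}
	var rules []string
	for _, line := range strings.Split(string(b), "\n") {
		if !strings.HasPrefix(line, "iptables ") {
			continue // only lines starting with exactly "iptables " are rules
		}
		rules = append(rules, strings.TrimPrefix(line, "iptables "))
		c.logger.Info("queued user post firewall rule: %s", line)
	}
	return c.runIptablesInstructions(ctx, rules)
}
```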