Routing improvements (#268)

- Fixes #82 - Remove `EXTRA_SUBNETS` - Remove no longer needed iptables rules - Reduce routing interface arity - Routing setup is done in main.go instead of in the firewall - Routing setup gets reverted at shutdown
2020-10-24 18:05:11 -04:00
parent 716eb14da1
commit ed4fcc17b3
15 changed files with 209 additions and 251 deletions
--- a/internal/firewall/enable.go
+++ b/internal/firewall/enable.go
@@ -93,26 +93,12 @@ func (c *configurator) enable(ctx context.Context) (err error) {
 	if err = c.acceptOutputThroughInterface(ctx, string(constants.TUN), remove); err != nil {
 		return fmt.Errorf("cannot enable firewall: %w", err)
 	}
-	if err := c.acceptInputFromSubnetToSubnet(ctx, "*", c.localSubnet, c.localSubnet, remove); err != nil {
+
+	// Allows packets from any IP address to go through eth0 / local network
+	// to reach Gluetun.
+	if err := c.acceptInputToSubnet(ctx, c.defaultInterface, c.localSubnet, remove); err != nil {
 		return fmt.Errorf("cannot enable firewall: %w", err)
 	}
-	if err := c.acceptOutputFromSubnetToSubnet(ctx, "*", c.localSubnet, c.localSubnet, remove); err != nil {
-		return fmt.Errorf("cannot enable firewall: %w", err)
-	}
-	for _, subnet := range c.allowedSubnets {
-		if err := c.acceptInputFromSubnetToSubnet(ctx, c.defaultInterface, subnet, c.localSubnet, remove); err != nil {
-			return fmt.Errorf("cannot enable firewall: %w", err)
-		}
-		if err := c.acceptOutputFromSubnetToSubnet(ctx, c.defaultInterface, c.localSubnet, subnet, remove); err != nil {
-			return fmt.Errorf("cannot enable firewall: %w", err)
-		}
-	}
-	// Re-ensure all routes exist
-	for _, subnet := range c.allowedSubnets {
-		if err := c.routing.AddRouteVia(subnet, c.defaultGateway, c.defaultInterface); err != nil {
-			return fmt.Errorf("cannot enable firewall: %w", err)
-		}
-	}

 	for port, intf := range c.allowedInputPorts {
 		if err := c.acceptInputToPort(ctx, intf, port, remove); err != nil {
--- a/internal/firewall/firewall.go
+++ b/internal/firewall/firewall.go
@@ -17,7 +17,6 @@ type Configurator interface {
 	Version(ctx context.Context) (string, error)
 	SetEnabled(ctx context.Context, enabled bool) (err error)
 	SetVPNConnection(ctx context.Context, connection models.OpenVPNConnection) (err error)
-	SetAllowedSubnets(ctx context.Context, subnets []net.IPNet) (err error)
 	SetAllowedPort(ctx context.Context, port uint16, intf string) (err error)
 	RemoveAllowedPort(ctx context.Context, port uint16) (err error)
 	SetDebug()
@@ -40,7 +39,6 @@ type configurator struct { //nolint:maligned
 	// State
 	enabled           bool
 	vpnConnection     models.OpenVPNConnection
-	allowedSubnets    []net.IPNet
 	allowedInputPorts map[uint16]string // port to interface mapping
 	stateMutex        sync.Mutex
 }
--- a/internal/firewall/iptables.go
+++ b/internal/firewall/iptables.go
@@ -94,6 +94,16 @@ func (c *configurator) acceptInputThroughInterface(ctx context.Context, intf str
 	))
 }

+func (c *configurator) acceptInputToSubnet(ctx context.Context, intf string, destination net.IPNet, remove bool) error {
+	interfaceFlag := "-i " + intf
+	if intf == "*" { // all interfaces
+		interfaceFlag = ""
+	}
+	return c.runIptablesInstruction(ctx, fmt.Sprintf(
+		"%s INPUT %s -d %s -j ACCEPT", appendOrDelete(remove), interfaceFlag, destination.String(),
+	))
+}
+
 func (c *configurator) acceptOutputThroughInterface(ctx context.Context, intf string, remove bool) error {
 	return c.runIptablesInstruction(ctx, fmt.Sprintf(
 		"%s OUTPUT -o %s -j ACCEPT", appendOrDelete(remove), intf,
@@ -114,31 +124,6 @@ func (c *configurator) acceptOutputTrafficToVPN(ctx context.Context,
 			appendOrDelete(remove), connection.IP, defaultInterface, connection.Protocol, connection.Protocol, connection.Port))
 }

-func (c *configurator) acceptInputFromSubnetToSubnet(ctx context.Context,
-	intf string, sourceSubnet, destinationSubnet net.IPNet, remove bool) error {
-	interfaceFlag := "-i " + intf
-	if intf == "*" { // all interfaces
-		interfaceFlag = ""
-	}
-	return c.runIptablesInstruction(ctx, fmt.Sprintf(
-		"%s INPUT %s -s %s -d %s -j ACCEPT",
-		appendOrDelete(remove), interfaceFlag, sourceSubnet.String(), destinationSubnet.String(),
-	))
-}
-
-// Thanks to @npawelek.
-func (c *configurator) acceptOutputFromSubnetToSubnet(ctx context.Context,
-	intf string, sourceSubnet, destinationSubnet net.IPNet, remove bool) error {
-	interfaceFlag := "-o " + intf
-	if intf == "*" { // all interfaces
-		interfaceFlag = ""
-	}
-	return c.runIptablesInstruction(ctx, fmt.Sprintf(
-		"%s OUTPUT %s -s %s -d %s -j ACCEPT",
-		appendOrDelete(remove), interfaceFlag, sourceSubnet.String(), destinationSubnet.String(),
-	))
-}
-
 // Used for port forwarding, with intf set to tun.
 func (c *configurator) acceptInputToPort(ctx context.Context, intf string, port uint16, remove bool) error {
 	interfaceFlag := "-i " + intf
--- a/internal/firewall/subnets.go
+++ b/internal/firewall/subnets.go
@@ -1,144 +0,0 @@
-package firewall
-
-import (
-	"context"
-	"fmt"
-	"net"
-)
-
-func (c *configurator) SetAllowedSubnets(ctx context.Context, subnets []net.IPNet) (err error) {
-	c.stateMutex.Lock()
-	defer c.stateMutex.Unlock()
-
-	if !c.enabled {
-		c.logger.Info("firewall disabled, only updating allowed subnets internal list and updating routes")
-		c.updateSubnetRoutes(c.allowedSubnets, subnets)
-		c.allowedSubnets = make([]net.IPNet, len(subnets))
-		copy(c.allowedSubnets, subnets)
-		return nil
-	}
-
-	c.logger.Info("setting allowed subnets through firewall...")
-
-	subnetsToAdd := findSubnetsToAdd(c.allowedSubnets, subnets)
-	subnetsToRemove := findSubnetsToRemove(c.allowedSubnets, subnets)
-	if len(subnetsToAdd) == 0 && len(subnetsToRemove) == 0 {
-		return nil
-	}
-
-	c.removeSubnets(ctx, subnetsToRemove, c.defaultInterface, c.localSubnet)
-	if err := c.addSubnets(ctx, subnetsToAdd, c.defaultInterface, c.defaultGateway, c.localSubnet); err != nil {
-		return fmt.Errorf("cannot set allowed subnets through firewall: %w", err)
-	}
-
-	return nil
-}
-
-func findSubnetsToAdd(oldSubnets, newSubnets []net.IPNet) (subnetsToAdd []net.IPNet) {
-	for _, newSubnet := range newSubnets {
-		found := false
-		for _, oldSubnet := range oldSubnets {
-			if subnetsAreEqual(oldSubnet, newSubnet) {
-				found = true
-				break
-			}
-		}
-		if !found {
-			subnetsToAdd = append(subnetsToAdd, newSubnet)
-		}
-	}
-	return subnetsToAdd
-}
-
-func findSubnetsToRemove(oldSubnets, newSubnets []net.IPNet) (subnetsToRemove []net.IPNet) {
-	for _, oldSubnet := range oldSubnets {
-		found := false
-		for _, newSubnet := range newSubnets {
-			if subnetsAreEqual(oldSubnet, newSubnet) {
-				found = true
-				break
-			}
-		}
-		if !found {
-			subnetsToRemove = append(subnetsToRemove, oldSubnet)
-		}
-	}
-	return subnetsToRemove
-}
-
-func subnetsAreEqual(a, b net.IPNet) bool {
-	return a.IP.Equal(b.IP) && a.Mask.String() == b.Mask.String()
-}
-
-func removeSubnetFromSubnets(subnets []net.IPNet, subnet net.IPNet) []net.IPNet {
-	L := len(subnets)
-	for i := range subnets {
-		if subnetsAreEqual(subnet, subnets[i]) {
-			subnets[i] = subnets[L-1]
-			subnets = subnets[:L-1]
-			break
-		}
-	}
-	return subnets
-}
-
-func (c *configurator) removeSubnets(ctx context.Context, subnets []net.IPNet, defaultInterface string,
-	localSubnet net.IPNet) {
-	const remove = true
-	for _, subnet := range subnets {
-		failed := false
-		if err := c.acceptInputFromSubnetToSubnet(ctx, defaultInterface, subnet, localSubnet, remove); err != nil {
-			failed = true
-			c.logger.Error("cannot remove outdated allowed subnet through firewall: %s", err)
-		}
-		if err := c.acceptOutputFromSubnetToSubnet(ctx, defaultInterface, subnet, localSubnet, remove); err != nil {
-			failed = true
-			c.logger.Error("cannot remove outdated allowed subnet through firewall: %s", err)
-		}
-		if err := c.routing.DeleteRouteVia(subnet); err != nil {
-			failed = true
-			c.logger.Error("cannot remove outdated allowed subnet route: %s", err)
-		}
-		if failed {
-			continue
-		}
-		c.allowedSubnets = removeSubnetFromSubnets(c.allowedSubnets, subnet)
-	}
-}
-
-func (c *configurator) addSubnets(ctx context.Context, subnets []net.IPNet, defaultInterface string,
-	defaultGateway net.IP, localSubnet net.IPNet) error {
-	const remove = false
-	for _, subnet := range subnets {
-		if err := c.acceptInputFromSubnetToSubnet(ctx, defaultInterface, subnet, localSubnet, remove); err != nil {
-			return fmt.Errorf("cannot add allowed subnet through firewall: %w", err)
-		}
-		if err := c.acceptOutputFromSubnetToSubnet(ctx, defaultInterface, localSubnet, subnet, remove); err != nil {
-			return fmt.Errorf("cannot add allowed subnet through firewall: %w", err)
-		}
-		if err := c.routing.AddRouteVia(subnet, defaultGateway, defaultInterface); err != nil {
-			return fmt.Errorf("cannot add route for allowed subnet: %w", err)
-		}
-		c.allowedSubnets = append(c.allowedSubnets, subnet)
-	}
-	return nil
-}
-
-// updateSubnetRoutes does not return an error in order to try to run as many route commands as possible.
-func (c *configurator) updateSubnetRoutes(oldSubnets, newSubnets []net.IPNet) {
-	subnetsToAdd := findSubnetsToAdd(oldSubnets, newSubnets)
-	subnetsToRemove := findSubnetsToRemove(oldSubnets, newSubnets)
-	if len(subnetsToAdd) == 0 && len(subnetsToRemove) == 0 {
-		return
-	}
-	for _, subnet := range subnetsToRemove {
-		if err := c.routing.DeleteRouteVia(subnet); err != nil {
-			c.logger.Error("cannot remove outdated route for subnet: %s", err)
-		}
-	}
-	for _, subnet := range subnetsToAdd {
-		if err := c.routing.AddRouteVia(subnet, c.defaultGateway, c.defaultInterface); err != nil {
-			c.logger.Error("cannot add route for subnet: %s", err)
-		}
-	}
-}