feat(firewall): use all default routes

- Accept output traffic from all default routes through VPN interface
- Accept output from all default routes to outbound subnets
- Accept all input traffic on ports for all default routes
- Add IP rules for all default routes

cmd/gluetun/main.go

@@ -184,7 +184,7 @@ func _main(ctx context.Context, buildInfo models.BuildInformation,
 	}
 	routingConf := routing.New(netLinker, routingLogger)
 
-	defaultInterface, defaultGateway, err := routingConf.DefaultRoute()
+	defaultRoutes, err := routingConf.DefaultRoutes()
 	if err != nil {
 		return err
 	}
@@ -194,11 +194,6 @@ func _main(ctx context.Context, buildInfo models.BuildInformation,
 		return err
 	}
 
-	defaultIP, err := routingConf.DefaultIP()
-	if err != nil {
-		return err
-	}
-
 	firewallLogger := logger.NewChild(logging.Settings{
 		Prefix: "firewall: ",
 	})
@@ -206,7 +201,7 @@ func _main(ctx context.Context, buildInfo models.BuildInformation,
 		firewallLogger.PatchLevel(logging.LevelDebug)
 	}
 	firewallConf, err := firewall.NewConfig(ctx, firewallLogger, cmder,
-		defaultInterface, defaultGateway, localNetworks, defaultIP)
+		defaultRoutes, localNetworks)
 	if err != nil {
 		return err
 	}
@@ -321,9 +316,11 @@ func _main(ctx context.Context, buildInfo models.BuildInformation,
 	}
 
 	for _, port := range allSettings.Firewall.InputPorts {
-		err = firewallConf.SetAllowedPort(ctx, port, defaultInterface)
-		if err != nil {
-			return err
+		for _, defaultRoute := range defaultRoutes {
+			err = firewallConf.SetAllowedPort(ctx, port, defaultRoute.NetInterface)
+			if err != nil {
+				return err
+			}
 		}
 	} // TODO move inside firewall?