feat(firewall): use all default routes

- Accept output traffic from all default routes through VPN interface
- Accept output from all default routes to outbound subnets
- Accept all input traffic on ports for all default routes
- Add IP rules for all default routes
This commit is contained in:
Quentin McGaw
2022-03-13 13:26:09 +00:00
parent 0795008c23
commit f99d5e8656
11 changed files with 212 additions and 154 deletions


@@ -9,9 +9,9 @@ type Setuper interface {
}
func (r *Routing) Setup() (err error) {
defaultInterfaceName, defaultGateway, err := r.DefaultRoute()
defaultRoutes, err := r.DefaultRoutes()
if err != nil {
return fmt.Errorf("cannot get default route: %w", err)
return fmt.Errorf("cannot get default routes: %w", err)
}
touched := false
@@ -25,7 +25,7 @@ func (r *Routing) Setup() (err error) {
touched = true
err = r.routeInboundFromDefault(defaultGateway, defaultInterfaceName)
err = r.routeInboundFromDefault(defaultRoutes)
if err != nil {
return fmt.Errorf("cannot add routes for inbound traffic from default IP: %w", err)
}
@@ -33,7 +33,7 @@ func (r *Routing) Setup() (err error) {
r.stateMutex.RLock()
outboundSubnets := r.outboundSubnets
r.stateMutex.RUnlock()
if err := r.setOutboundRoutes(outboundSubnets, defaultInterfaceName, defaultGateway); err != nil {
if err := r.setOutboundRoutes(outboundSubnets, defaultRoutes); err != nil {
return fmt.Errorf("cannot set outbound subnets routes: %w", err)
}
@@ -45,17 +45,17 @@ type TearDowner interface {
}
func (r *Routing) TearDown() error {
defaultInterfaceName, defaultGateway, err := r.DefaultRoute()
defaultRoutes, err := r.DefaultRoutes()
if err != nil {
return fmt.Errorf("cannot get default route: %w", err)
}
err = r.unrouteInboundFromDefault(defaultGateway, defaultInterfaceName)
err = r.unrouteInboundFromDefault(defaultRoutes)
if err != nil {
return fmt.Errorf("cannot remove routes for inbound traffic from default IP: %w", err)
}
if err := r.setOutboundRoutes(nil, defaultInterfaceName, defaultGateway); err != nil {
if err := r.setOutboundRoutes(nil, defaultRoutes); err != nil {
return fmt.Errorf("cannot set outbound subnets routes: %w", err)
}
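Review bot: The TearDown error path still reports the singular `return fmt.Errorf("cannot get default route: %w", err)` although the call directly above it is now `r.DefaultRoutes()`; the Setup hunk changed the same message to the plural form, so this one should follow, `return fmt.Errorf("cannot get default routes: %w", err)`, so that a log line names the call that actually failed. Separately, Setup and TearDown now hand the whole slice to `routeInboundFromDefault`, `unrouteInboundFromDefault` and `setOutboundRoutes`; if `DefaultRoutes()` can return an empty slice with a nil error (its body is not in this diff), every one of those calls becomes a silent no-op, which in TearDown would leave the inbound and outbound routes installed. A guard after the error check such as `if len(defaultRoutes) == 0 { return errors.New("no default route found") }`, or a documented guarantee on `DefaultRoutes` that it never returns an empty slice without an error, would make that case explicit instead of implicit. TearDown's body continues past the end of the hunk.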