- Feature/Bugfix: Block all IPv6 traffic with `ip6tables` by default - Feature: Adapt existing firewall code to handle IPv4 and IPv6, depending on user inputs and environment - Maintenance: improve error wrapping in the firewall package
package firewall
import (
"context"
"errors"
"fmt"
"strings"
)
// ErrIP6Tables is the sentinel error wrapped into every error returned for a
// failed ip6tables invocation; callers can detect that class of failure with
// errors.Is(err, ErrIP6Tables).
var ErrIP6Tables = errors.New("failed ip6tables command")
// runIP6tablesInstructions executes the given instructions in order, one
// ip6tables command each, via runIP6tablesInstruction. It stops at the first
// failure and returns that error unchanged; commands that already ran are
// not rolled back, so the ruleset may be partially applied on error.
func (c *configurator) runIP6tablesInstructions(ctx context.Context, instructions []string) error {
	for i := range instructions {
		err := c.runIP6tablesInstruction(ctx, instructions[i])
		if err != nil {
			return err
		}
	}
	return nil
}
// runIP6tablesInstruction runs a single ip6tables command.
//
// The instruction is split on whitespace with strings.Fields and the fields
// are handed to c.commander.Run as separate arguments following the program
// name "ip6tables" — no shell string is assembled at this layer (how the
// commander itself launches the process is not visible here). Because of the
// whitespace split, an individual argument cannot contain spaces.
//
// Invocations are serialized through c.ip6tablesMutex so that only one
// ip6tables command runs at a time. When c.debug is set, the full command
// line is printed to stdout before execution.
//
// On failure the returned error wraps ErrIP6Tables (matchable with
// errors.Is) and includes the instruction, the command output and the
// underlying error.
func (c *configurator) runIP6tablesInstruction(ctx context.Context, instruction string) error {
	// Only one ip6tables command at once.
	c.ip6tablesMutex.Lock()
	defer c.ip6tablesMutex.Unlock()

	if c.debug {
		fmt.Println("ip6tables " + instruction)
	}

	args := strings.Fields(instruction)
	output, err := c.commander.Run(ctx, "ip6tables", args...)
	if err == nil {
		return nil
	}
	return fmt.Errorf("%w \"ip6tables %s\": %s: %s", ErrIP6Tables, instruction, output, err)
}
// setIPv6AllPolicies sets the default policy of the INPUT, OUTPUT and FORWARD
// chains of the ip6tables default (filter) table to policy.
//
// policy must be exactly "ACCEPT" or "DROP"; any other value is rejected with
// an error before any command is executed. The three chains are updated in
// the order listed above and the first failing command aborts the rest, so a
// failure can leave the chains with mixed policies.
func (c *configurator) setIPv6AllPolicies(ctx context.Context, policy string) error {
	if policy != "ACCEPT" && policy != "DROP" {
		return fmt.Errorf("policy %q not recognized", policy)
	}

	chains := []string{"INPUT", "OUTPUT", "FORWARD"}
	instructions := make([]string, 0, len(chains))
	for _, chain := range chains {
		instructions = append(instructions, "--policy "+chain+" "+policy)
	}
	return c.runIP6tablesInstructions(ctx, instructions)
}