fix: firewall: add comments for iptable rules

Signed-off-by: zhihui.ding <danieldin186@gmail.com>
zhihui.ding
2023-08-24 22:11:56 +08:00
parent d118d36039
commit b2ee3d9b2e
4 changed files with 41 additions and 30 deletions


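--- a/<path not shown on page>
+++ b/<path not shown on page>
@@ -92,6 +92,9 @@ func (ru IpRule) Args() []string {
 if ru.Output != "" {
 args = append(args, "-o", ru.Output)
 }
+if ru.Comment != "" {
+args = append(args, "-m", "comment", "--comment", ru.Comment)
+}
 if ru.Jump != "" {
 jump := strings.ToUpper(ru.Jump)
 if jump == "DROP" || jump == "ACCEPT" {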
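Review bot: ru.Comment is handed to `--comment` with no length check; the iptables comment match stores at most 256 bytes and the iptables binary rejects longer strings, so an over-long caller-supplied comment would make the whole rule fail to install rather than merely lose its label. Since Args() already guards on the empty string, clamping in the same place is cheap: `c := ru.Comment; if len(c) > 255 { c = c[:255] }` before the append, or return a validation error if IpRule has such a path. Whether the returned args are exec'd as argv or joined into a shell string is not visible here; if the latter, the comment text would also need quoting. Args() starts and ends outside this hunk.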


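--- a/<path not shown on page>
+++ b/<path not shown on page>
@@ -217,9 +217,10 @@ func (w *WorkerImpl) Start(v api.Switcher) {
 if w.dhcp != nil {
 w.dhcp.Start()
 fire.Nat.Post.AddRule(cn.IpRule{
 Source: cfg.Bridge.Address,
 NoDest: cfg.Bridge.Address,
 Jump: cn.CMasq,
+Comment: "Default Gateway for DHCP",
 })
 }
 }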


@@ -51,56 +51,61 @@ func (w *OpenLANWorker) toACL(acl, input string) {
} }
} }
func (w *OpenLANWorker) openPort(protocol, port string) { func (w *OpenLANWorker) openPort(protocol, port, comment string) {
w.out.Info("OpenLANWorker.openPort %s %s", protocol, port) w.out.Info("OpenLANWorker.openPort %s %s", protocol, port)
// allowed forward between source and prefix. // allowed forward between source and prefix.
w.fire.Filter.In.AddRule(network.IpRule{ w.fire.Filter.In.AddRule(network.IpRule{
Proto: protocol, Proto: protocol,
Match: "multiport", Match: "multiport",
DstPort: port, DstPort: port,
Comment: comment,
}) })
} }
func (w *OpenLANWorker) toForward(input, output, source, prefix string) { func (w *OpenLANWorker) toForward(input, output, source, prefix, comment string) {
w.out.Debug("OpenLANWorker.toForward %s:%s %s:%s", input, output, source, prefix) w.out.Debug("OpenLANWorker.toForward %s:%s %s:%s", input, output, source, prefix)
// Allowed forward between source and prefix. // Allowed forward between source and prefix.
w.fire.Filter.For.AddRule(network.IpRule{ w.fire.Filter.For.AddRule(network.IpRule{
Input: input, Input: input,
Output: output, Output: output,
Source: source, Source: source,
Dest: prefix, Dest: prefix,
Comment: comment,
}) })
if source != prefix { if source != prefix {
w.fire.Filter.For.AddRule(network.IpRule{ w.fire.Filter.For.AddRule(network.IpRule{
Output: input, Output: input,
Input: output, Input: output,
Source: prefix, Source: prefix,
Dest: source, Dest: source,
Comment: comment,
}) })
} }
} }
func (w *OpenLANWorker) toMasq(input, output, source, prefix string) { func (w *OpenLANWorker) toMasq(source, prefix, comment string) {
if source == prefix { if source == prefix {
return return
} }
// Enable masquerade from source to prefix. // Enable masquerade from source to prefix.
if prefix == "" || prefix == "0.0.0.0/0" { if prefix == "" || prefix == "0.0.0.0/0" {
w.fire.Nat.Post.AddRule(network.IpRule{ w.fire.Nat.Post.AddRule(network.IpRule{
Source: source, Source: source,
NoDest: source, NoDest: source,
Jump: network.CMasq, Jump: network.CMasq,
Comment: comment,
}) })
} else { } else {
w.fire.Nat.Post.AddRule(network.IpRule{ w.fire.Nat.Post.AddRule(network.IpRule{
Source: source, Source: source,
Dest: prefix, Dest: prefix,
Jump: network.CMasq, Jump: network.CMasq,
Comment: comment,
}) })
} }
} }
func (w *OpenLANWorker) toSnat(input, output, source, prefix string) { func (w *OpenLANWorker) toSnat(source, prefix, comment string) {
if source == prefix { if source == prefix {
return return
} }
@@ -109,6 +114,7 @@ func (w *OpenLANWorker) toSnat(input, output, source, prefix string) {
ToSource: source, ToSource: source,
Dest: prefix, Dest: prefix,
Jump: network.CSnat, Jump: network.CSnat,
Comment: comment,
}) })
} }
@@ -146,16 +152,16 @@ func (w *OpenLANWorker) allowedVPN() {
_, port := libol.GetHostPort(vCfg.Listen) _, port := libol.GetHostPort(vCfg.Listen)
if vCfg.Protocol == "udp" { if vCfg.Protocol == "udp" {
w.openPort("udp", port) w.openPort("udp", port, "Open VPN")
} else { } else {
w.openPort("tcp", port) w.openPort("tcp", port, "Open VPN")
} }
devName := vCfg.Device devName := vCfg.Device
w.toACL(cfg.Acl, devName) w.toACL(cfg.Acl, devName)
for _, rt := range vCfg.Routes { for _, rt := range vCfg.Routes {
w.toForward(devName, "", vCfg.Subnet, rt) w.toForward(devName, "", vCfg.Subnet, rt, "From VPN")
w.toMasq(devName, "", vCfg.Subnet, rt) w.toMasq(vCfg.Subnet, rt, "From VPN")
} }
} }
@@ -172,15 +178,15 @@ func (w *OpenLANWorker) allowedSubnet() {
// Enable MASQUERADE, and allowed forward. // Enable MASQUERADE, and allowed forward.
for _, rt := range cfg.Routes { for _, rt := range cfg.Routes {
if vCfg != nil { if vCfg != nil {
w.toForward("", br.Name, vCfg.Subnet, rt.Prefix) w.toForward("", br.Name, vCfg.Subnet, rt.Prefix, "To VPN")
w.toMasq("", br.Name, vCfg.Subnet, rt.Prefix) w.toMasq(vCfg.Subnet, rt.Prefix, "To VPN")
} }
w.toForward(br.Name, "", subnet, rt.Prefix) w.toForward(br.Name, "", subnet, rt.Prefix, "To route")
if rt.MultiPath != nil { if rt.MultiPath != nil {
w.toSnat(br.Name, "", ifAddr, rt.Prefix) w.toSnat(ifAddr, rt.Prefix, "To SNAT")
} else if rt.Mode == "snat" { } else if rt.Mode == "snat" {
w.toMasq(br.Name, "", subnet, rt.Prefix) w.toMasq(subnet, rt.Prefix, "To Masq")
} }
} }
} }
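Review bot: The comment above the Filter.In rule in openPort (first hunk) still reads `// allowed forward between source and prefix.`, which describes the FORWARD helpers below it rather than an INPUT accept on a destination port; suggest `// Accept inbound traffic to the given destination ports (INPUT chain).` The Info line in the same function omits the only argument this commit adds, so `w.out.Info("OpenLANWorker.openPort %s %s %q", protocol, port, comment)` would let the installed rule be traced back from the log. The call sites in the later hunks pass free-text labels ("From VPN", "To VPN", "To route", "To SNAT", "To Masq"); since these land in `iptables -S` output and are the marker identifying which rules this process owns, declaring them as named constants in one place would keep them stable for later matching or cleanup. The first hunk starts inside toACL, and toSnat's body continues past its end.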


@@ -129,6 +129,7 @@ func (v *Switch) enablePort(protocol, port string) {
Proto: protocol, Proto: protocol,
Match: "multiport", Match: "multiport",
DstPort: port, DstPort: port,
Comment: "Open Default Ports",
}) })
} }