feat: support to auto config firewall (firewalld) (#420)

common/consts/ebpf.go

@@ -157,9 +157,10 @@ var (
 )
 
 const (
-	TproxyMark      uint32 = 0x8000000
-	Recognize       uint16 = 0x2017
-	LoopbackIfIndex        = 1
+	TproxyMark       uint32 = 0x08000000
+	TproxyMarkString string = "0x08000000" // Should be aligned with nftables
+	Recognize        uint16 = 0x2017
+	LoopbackIfIndex         = 1
 )
 
 type LanWanFlag uint8

config/config.go

@@ -35,6 +35,7 @@ type Global struct {
 	DialMode                  string        `mapstructure:"dial_mode" default:"domain"`
 	DisableWaitingNetwork     bool          `mapstructure:"disable_waiting_network" default:"false"`
 	AutoConfigKernelParameter bool          `mapstructure:"auto_config_kernel_parameter" default:"false"`
+	AutoConfigFirewallRule    bool          `mapstructure:"auto_config_firewall_rule" default:"false"`
 	SniffingTimeout           time.Duration `mapstructure:"sniffing_timeout" default:"100ms"`
 	TlsImplementation         string        `mapstructure:"tls_implementation" default:"tls"`
 	UtlsImitate               string        `mapstructure:"utls_imitate" default:"chrome_auto"`

control/control_plane.go

@@ -198,6 +198,14 @@ func NewControlPlane(
 		if err = core.setupRoutingPolicy(); err != nil {
 			return nil, err
 		}
+		if global.AutoConfigFirewallRule {
+			if ok := core.addAcceptInputMark(); ok {
+				core.deferFuncs = append(core.deferFuncs, func() error {
+					core.delAcceptInputMark()
+					return nil
+				})
+			}
+		}
 	}
 
 	/// Bind to links. Binding should be advance of dialerGroups to avoid un-routable old connection.

control/control_plane_core.go

@@ -12,7 +12,9 @@ import (
 	"net"
 	"net/netip"
 	"os"
+	"os/exec"
 	"regexp"
+	"strings"
 	"sync"
 
 	"github.com/cilium/ebpf"
@@ -192,6 +194,43 @@ func (c *controlPlaneCore) delQdisc(ifname string) error {
 	return nil
 }
 
+// TODO: Support more than firewalld and fw4: need more user feedback.
+var nftInputChains = [][3]string{
+	{"inet", "firewalld", "filter_INPUT"},
+	{"inet", "fw4", "input"},
+}
+
+func (c *controlPlaneCore) addAcceptInputMark() (ok bool) {
+	for _, rule := range nftInputChains {
+		if err := exec.Command("nft", "insert rule "+strings.Join(rule[:], " ")+" mark & "+consts.TproxyMarkString+" == "+consts.TproxyMarkString+" accept").Run(); err == nil {
+			ok = true
+		}
+	}
+	return ok
+}
+
+func (c *controlPlaneCore) delAcceptInputMark() (ok bool) {
+	for _, rule := range nftInputChains {
+		output, err := exec.Command("nft", "--handle", "--numeric", "list", "chain", rule[0], rule[1], rule[2]).Output()
+		if err != nil {
+			continue
+		}
+		lines := strings.Split(string(output), "\n")
+		regex := regexp.MustCompile("meta mark & " + consts.TproxyMarkString + " == " + consts.TproxyMarkString + " accept # handle ([0-9]+)")
+		for _, line := range lines {
+			matches := regex.FindStringSubmatch(line)
+			if len(matches) >= 2 {
+				handle := matches[1]
+				if err = exec.Command("nft", "delete rule "+strings.Join(rule[:], " ")+" handle "+handle).Run(); err == nil {
+					ok = true
+				}
+				break
+			}
+		}
+	}
+	return ok
+}
+
 func (c *controlPlaneCore) setupRoutingPolicy() (err error) {
 	/// Insert ip rule / ip route.
 	var table = 2023 + c.flip

docs/en/README.md

@@ -162,6 +162,7 @@ global {
   log_level: info
   allow_insecure: false
   auto_config_kernel_parameter: true
+  auto_config_firewall_rule: true
 }
 
 subscription {

docs/zh/README.md

@@ -156,6 +156,7 @@ global {
   log_level: info
   allow_insecure: false
   auto_config_kernel_parameter: true
+  auto_config_firewall_rule: true
 }
 
 subscription {

example.dae

@@ -34,6 +34,10 @@ global {
     # https://github.com/daeuniverse/dae/blob/main/docs/en/user-guide/kernel-parameters.md to see what will dae do.
     auto_config_kernel_parameter: true
 
+    # Automatically configure firewall rules like firewalld and fw4.
+    # firewalld: nft 'insert rule inet firewalld filter_INPUT mark 0x08000000 accept'
+    # fw4: nft 'insert rule inet fw4 input mark 0x08000000 accept'
+    auto_config_firewall_rule: true
 
     ##### Node connectivity check.