mirrors/dae
1
0
Fork 0
mirror of https://github.com/daeuniverse/dae.git synced 2025-07-15 18:29:08 +07:00
Code Issues Packages Projects Releases Wiki Activity

feat: support to auto config firewall (firewalld) (#420)

Browse Source
This commit is contained in:
mzz
2024-01-11 20:25:29 +08:00
committed by GitHub
parent 35094f398b
commit f9bba2498e
7 changed files with 58 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
common/consts/ebpf.go
View File

@ -157,9 +157,10 @@ var (
) )
const ( const (
TproxyMark uint32 = 0x8000000 TproxyMark uint32 = 0x08000000
Recognize uint16 = 0x2017 TproxyMarkString string = "0x08000000" // Should be aligned with nftables
LoopbackIfIndex = 1 Recognize uint16 = 0x2017
LoopbackIfIndex = 1
) )
type LanWanFlag uint8 type LanWanFlag uint8

1
config/config.go
View File

@ -35,6 +35,7 @@ type Global struct {
DialMode string `mapstructure:"dial_mode" default:"domain"` DialMode string `mapstructure:"dial_mode" default:"domain"`
DisableWaitingNetwork bool `mapstructure:"disable_waiting_network" default:"false"` DisableWaitingNetwork bool `mapstructure:"disable_waiting_network" default:"false"`
AutoConfigKernelParameter bool `mapstructure:"auto_config_kernel_parameter" default:"false"` AutoConfigKernelParameter bool `mapstructure:"auto_config_kernel_parameter" default:"false"`
AutoConfigFirewallRule bool `mapstructure:"auto_config_firewall_rule" default:"false"`
SniffingTimeout time.Duration `mapstructure:"sniffing_timeout" default:"100ms"` SniffingTimeout time.Duration `mapstructure:"sniffing_timeout" default:"100ms"`
TlsImplementation string `mapstructure:"tls_implementation" default:"tls"` TlsImplementation string `mapstructure:"tls_implementation" default:"tls"`
UtlsImitate string `mapstructure:"utls_imitate" default:"chrome_auto"` UtlsImitate string `mapstructure:"utls_imitate" default:"chrome_auto"`

8
control/control_plane.go
View File

@ -198,6 +198,14 @@ func NewControlPlane(
if err = core.setupRoutingPolicy(); err != nil { if err = core.setupRoutingPolicy(); err != nil {
return nil, err return nil, err
} }
if global.AutoConfigFirewallRule {
if ok := core.addAcceptInputMark(); ok {
core.deferFuncs = append(core.deferFuncs, func() error {
core.delAcceptInputMark()
return nil
})
}
}
} }
/// Bind to links. Binding should be advance of dialerGroups to avoid un-routable old connection. /// Bind to links. Binding should be advance of dialerGroups to avoid un-routable old connection.

39
control/control_plane_core.go
View File

@ -12,7 +12,9 @@ import (
"net" "net"
"net/netip" "net/netip"
"os" "os"
"os/exec"
"regexp" "regexp"
"strings"
"sync" "sync"
"github.com/cilium/ebpf" "github.com/cilium/ebpf"
@ -192,6 +194,43 @@ func (c *controlPlaneCore) delQdisc(ifname string) error {
return nil return nil
} }
// TODO: Support more than firewalld and fw4: need more user feedback.
var nftInputChains = [][3]string{
{"inet", "firewalld", "filter_INPUT"},
{"inet", "fw4", "input"},
}
func (c *controlPlaneCore) addAcceptInputMark() (ok bool) {
for _, rule := range nftInputChains {
if err := exec.Command("nft", "insert rule "+strings.Join(rule[:], " ")+" mark & "+consts.TproxyMarkString+" == "+consts.TproxyMarkString+" accept").Run(); err == nil {
ok = true
}
}
return ok
}
func (c *controlPlaneCore) delAcceptInputMark() (ok bool) {
for _, rule := range nftInputChains {
output, err := exec.Command("nft", "--handle", "--numeric", "list", "chain", rule[0], rule[1], rule[2]).Output()
if err != nil {
continue
}
lines := strings.Split(string(output), "\n")
regex := regexp.MustCompile("meta mark & " + consts.TproxyMarkString + " == " + consts.TproxyMarkString + " accept # handle ([0-9]+)")
for _, line := range lines {
matches := regex.FindStringSubmatch(line)
if len(matches) >= 2 {
handle := matches[1]
if err = exec.Command("nft", "delete rule "+strings.Join(rule[:], " ")+" handle "+handle).Run(); err == nil {
ok = true
}
break
}
}
}
return ok
}
func (c *controlPlaneCore) setupRoutingPolicy() (err error) { func (c *controlPlaneCore) setupRoutingPolicy() (err error) {
/// Insert ip rule / ip route. /// Insert ip rule / ip route.
var table = 2023 + c.flip var table = 2023 + c.flip

1
docs/en/README.md
View File

@ -162,6 +162,7 @@ global {
log_level: info log_level: info
allow_insecure: false allow_insecure: false
auto_config_kernel_parameter: true auto_config_kernel_parameter: true
auto_config_firewall_rule: true
} }
subscription { subscription {

1
docs/zh/README.md
View File

@ -156,6 +156,7 @@ global {
log_level: info log_level: info
allow_insecure: false allow_insecure: false
auto_config_kernel_parameter: true auto_config_kernel_parameter: true
auto_config_firewall_rule: true
} }
subscription { subscription {

4
example.dae
View File

@ -34,6 +34,10 @@ global {
# https://github.com/daeuniverse/dae/blob/main/docs/en/user-guide/kernel-parameters.md to see what will dae do. # https://github.com/daeuniverse/dae/blob/main/docs/en/user-guide/kernel-parameters.md to see what will dae do.
auto_config_kernel_parameter: true auto_config_kernel_parameter: true
# Automatically configure firewall rules like firewalld and fw4.
# firewalld: nft 'insert rule inet firewalld filter_INPUT mark 0x08000000 accept'
# fw4: nft 'insert rule inet fw4 input mark 0x08000000 accept'
auto_config_firewall_rule: true
##### Node connectivity check. ##### Node connectivity check.