feat: support to auto config firewall (firewalld) (#420)
This commit is contained in:
parent
35094f398b
commit
f9bba2498e
@ -157,9 +157,10 @@ var (
|
||||
)
|
||||
|
||||
const (
|
||||
TproxyMark uint32 = 0x8000000
|
||||
Recognize uint16 = 0x2017
|
||||
LoopbackIfIndex = 1
|
||||
TproxyMark uint32 = 0x08000000
|
||||
TproxyMarkString string = "0x08000000" // Should be aligned with nftables
|
||||
Recognize uint16 = 0x2017
|
||||
LoopbackIfIndex = 1
|
||||
)
|
||||
|
||||
type LanWanFlag uint8
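Review bot: TproxyMarkString is a second, hand-written copy of TproxyMark and nothing in the code ties the two together, so a future change to TproxyMark (as this very hunk makes, 0x8000000 → 0x08000000) can leave the string stale and silently break the nft rule matching that depends on it. The comment "Should be aligned with nftables" names the consumer but not the invariant; I would extend it to `// Must equal TproxyMark formatted as nft prints marks in 'list chain' output (0x + 8 hex digits).` and pin it with a unit test such as `if fmt.Sprintf("0x%08x", TproxyMark) != TproxyMarkString { t.Fatal("TproxyMarkString out of sync with TproxyMark") }`.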
|
||||
|
@ -35,6 +35,7 @@ type Global struct {
|
||||
DialMode string `mapstructure:"dial_mode" default:"domain"`
|
||||
DisableWaitingNetwork bool `mapstructure:"disable_waiting_network" default:"false"`
|
||||
AutoConfigKernelParameter bool `mapstructure:"auto_config_kernel_parameter" default:"false"`
|
||||
AutoConfigFirewallRule bool `mapstructure:"auto_config_firewall_rule" default:"false"`
|
||||
SniffingTimeout time.Duration `mapstructure:"sniffing_timeout" default:"100ms"`
|
||||
TlsImplementation string `mapstructure:"tls_implementation" default:"tls"`
|
||||
UtlsImitate string `mapstructure:"utls_imitate" default:"chrome_auto"`
|
||||
|
@ -198,6 +198,14 @@ func NewControlPlane(
|
||||
if err = core.setupRoutingPolicy(); err != nil {
|
||||
return nil, err
|
||||
}
|
||||
if global.AutoConfigFirewallRule {
|
||||
if ok := core.addAcceptInputMark(); ok {
|
||||
core.deferFuncs = append(core.deferFuncs, func() error {
|
||||
core.delAcceptInputMark()
|
||||
return nil
|
||||
})
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
/// Bind to links. Binding should be advance of dialerGroups to avoid un-routable old connection.
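Review bot: When auto_config_firewall_rule is enabled and addAcceptInputMark returns false, the new block does nothing and logs nothing, so a user whose firewalld/fw4 chains were not found (or whose nft binary is missing) gets no hint that inbound traffic may still be dropped. The `if ok := core.addAcceptInputMark(); ok {` branch should get an else arm that warns through the logger this file already uses, naming the chains that were tried. The deferred cleanup also discards delAcceptInputMark's bool, so a failure to remove the accept rule at shutdown is equally invisible; logging there too would make stale rules diagnosable. NewControlPlane starts before this hunk.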
|
||||
|
@ -12,7 +12,9 @@ import (
|
||||
"net"
|
||||
"net/netip"
|
||||
"os"
|
||||
"os/exec"
|
||||
"regexp"
|
||||
"strings"
|
||||
"sync"
|
||||
|
||||
"github.com/cilium/ebpf"
|
||||
@ -192,6 +194,43 @@ func (c *controlPlaneCore) delQdisc(ifname string) error {
|
||||
return nil
|
||||
}
|
||||
|
||||
// TODO: Support more than firewalld and fw4: need more user feedback.
|
||||
var nftInputChains = [][3]string{
|
||||
{"inet", "firewalld", "filter_INPUT"},
|
||||
{"inet", "fw4", "input"},
|
||||
}
|
||||
|
||||
func (c *controlPlaneCore) addAcceptInputMark() (ok bool) {
|
||||
for _, rule := range nftInputChains {
|
||||
if err := exec.Command("nft", "insert rule "+strings.Join(rule[:], " ")+" mark & "+consts.TproxyMarkString+" == "+consts.TproxyMarkString+" accept").Run(); err == nil {
|
||||
ok = true
|
||||
}
|
||||
}
|
||||
return ok
|
||||
}
|
||||
|
||||
func (c *controlPlaneCore) delAcceptInputMark() (ok bool) {
|
||||
for _, rule := range nftInputChains {
|
||||
output, err := exec.Command("nft", "--handle", "--numeric", "list", "chain", rule[0], rule[1], rule[2]).Output()
|
||||
if err != nil {
|
||||
continue
|
||||
}
|
||||
lines := strings.Split(string(output), "\n")
|
||||
regex := regexp.MustCompile("meta mark & " + consts.TproxyMarkString + " == " + consts.TproxyMarkString + " accept # handle ([0-9]+)")
|
||||
for _, line := range lines {
|
||||
matches := regex.FindStringSubmatch(line)
|
||||
if len(matches) >= 2 {
|
||||
handle := matches[1]
|
||||
if err = exec.Command("nft", "delete rule "+strings.Join(rule[:], " ")+" handle "+handle).Run(); err == nil {
|
||||
ok = true
|
||||
}
|
||||
break
|
||||
}
|
||||
}
|
||||
}
|
||||
return ok
|
||||
}
|
||||
|
||||
func (c *controlPlaneCore) setupRoutingPolicy() (err error) {
|
||||
/// Insert ip rule / ip route.
|
||||
var table = 2023 + c.flip
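Review bot: addAcceptInputMark inserts the accept rule unconditionally and delAcceptInputMark stops after the first matching handle (the `break` following the delete), so if dae exits without running its deferFuncs the rule stays in filter_INPUT/input, every later start adds another copy, and a later clean shutdown removes only one of them. Dropping the `break` so all matching handles are deleted, and calling `c.delAcceptInputMark()` at the top of addAcceptInputMark before inserting, keeps the chain at exactly one dae rule. The `regexp.MustCompile` call sits inside the per-chain loop but depends only on consts.TproxyMarkString, so it belongs in a package-level var next to nftInputChains. Both functions discard the exec error and stderr, which makes a wrong chain name, a missing nft binary and "no such firewall" indistinguishable; a debug-level log of the error would help support requests. A doc comment on addAcceptInputMark should state that the inserted rule accepts any INPUT packet whose fwmark carries the TproxyMark bit, which is why that bit must stay reserved for dae's own marking.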
|
||||
|
@ -162,6 +162,7 @@ global {
|
||||
log_level: info
|
||||
allow_insecure: false
|
||||
auto_config_kernel_parameter: true
|
||||
auto_config_firewall_rule: true
|
||||
}
|
||||
|
||||
subscription {
|
||||
|
@ -156,6 +156,7 @@ global {
|
||||
log_level: info
|
||||
allow_insecure: false
|
||||
auto_config_kernel_parameter: true
|
||||
auto_config_firewall_rule: true
|
||||
}
|
||||
|
||||
subscription {
|
||||
|
@ -34,6 +34,10 @@ global {
|
||||
# https://github.com/daeuniverse/dae/blob/main/docs/en/user-guide/kernel-parameters.md to see what will dae do.
|
||||
auto_config_kernel_parameter: true
|
||||
|
||||
# Automatically configure firewall rules like firewalld and fw4.
|
||||
# firewalld: nft 'insert rule inet firewalld filter_INPUT mark 0x08000000 accept'
|
||||
# fw4: nft 'insert rule inet fw4 input mark 0x08000000 accept'
|
||||
auto_config_firewall_rule: true
|
||||
|
||||
##### Node connectivity check.
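Review bot: The two comment lines describing the generated rules do not match what the code inserts: `mark 0x08000000` is an exact-equality match in nft syntax, whereas addAcceptInputMark inserts `mark & 0x08000000 == 0x08000000 accept`, a bit test. The comments should read `# firewalld: nft 'insert rule inet firewalld filter_INPUT mark & 0x08000000 == 0x08000000 accept'` and `# fw4: nft 'insert rule inet fw4 input mark & 0x08000000 == 0x08000000 accept'` so a user checking their ruleset recognises the rule dae added.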
|
||||
|
||||
|