Merge pull request #170 from niki-on-github/feature/open-hosts-v2

Allow open_hosts with killswitch
jamesmcm · Jul 10, 2022 · 9d4ebc1 · 9d4ebc1
2 parents 13d434e + 2c17ae3
commit 9d4ebc1
Show file tree

Hide file tree

Showing 4 changed files with 50 additions and 2 deletions.
diff --git a/src/exec.rs b/src/exec.rs
@@ -294,7 +294,7 @@ pub fn exec(command: ExecCommand) -> anyhow::Result<()> {
         let target_subnet = get_target_subnet()?;
         ns.add_loopback()?;
         ns.add_veth_pair()?;
-        ns.add_routing(target_subnet, command.open_hosts)?;
+        ns.add_routing(target_subnet, command.open_hosts.as_ref())?;
         ns.add_host_masquerade(target_subnet, interface.clone(), firewall)?;
         ns.add_firewall_exception(
             interface,
@@ -413,6 +413,10 @@ pub fn exec(command: ExecCommand) -> anyhow::Result<()> {
             }
         }
 
+        if let Some(ref hosts) = command.open_hosts {
+            vopono_core::util::open_hosts(&ns, hosts.to_vec(), firewall)?;
+        }
+
         // Temporarily set env var referring to this network namespace IP
         // for the PostUp script and the application:
         std::env::set_var(

diff --git a/vopono_core/src/network/netns.rs b/vopono_core/src/network/netns.rs
@@ -163,7 +163,7 @@ impl NetworkNamespace {
     pub fn add_routing(
         &mut self,
         target_subnet: u8,
-        hosts: Option<Vec<IpAddr>>,
+        hosts: Option<&Vec<IpAddr>>,
     ) -> anyhow::Result<()> {
         // TODO: Handle case where IP address taken in better way i.e. don't just change subnet
         let veth_dest = &self

diff --git a/vopono_core/src/util/mod.rs b/vopono_core/src/util/mod.rs
@@ -1,4 +1,5 @@
 pub mod country_map;
+pub mod open_hosts;
 pub mod open_ports;
 pub mod pulseaudio;
 pub mod wireguard;
@@ -11,6 +12,7 @@ use directories_next::BaseDirs;
 use ipnet::Ipv4Net;
 use log::{debug, info, warn};
 use nix::unistd::{Group, User};
+pub use open_hosts::open_hosts;
 pub use open_ports::open_ports;
 use rand::seq::SliceRandom;
 use regex::Regex;

diff --git a/vopono_core/src/util/open_hosts.rs b/vopono_core/src/util/open_hosts.rs
@@ -0,0 +1,42 @@
+use crate::network::firewall::Firewall;
+use crate::network::netns::NetworkNamespace;
+use std::net::IpAddr;
+
+pub fn open_hosts(
+    netns: &NetworkNamespace,
+    hosts: Vec<IpAddr>,
+    firewall: Firewall,
+) -> anyhow::Result<()> {
+    for host in hosts {
+        match firewall {
+            Firewall::IpTables => {
+                netns.exec(&[
+                    "iptables",
+                    "-I",
+                    "OUTPUT",
+                    "1",
+                    "-d",
+                    &host.to_string(),
+                    "-j",
+                    "ACCEPT",
+                ])?;
+            }
+            Firewall::NfTables => {
+                netns.exec(&[
+                    "nft",
+                    "insert",
+                    "rule",
+                    "inet",
+                    &netns.name,
+                    "output",
+                    "ip",
+                    "daddr",
+                    &host.to_string(),
+                    "counter",
+                    "accept",
+                ])?;
+            }
+        }
+    }
+    Ok(())
+}