Merge pull request #167 from ak-1/master
Changes to the remotes' and DNS firewall rules
jamesmcm authored Jul 2, 2022
2 parents a341b22 + 1e17c2c commit d38b68c
Showing 1 changed file with 15 additions and 80 deletions.
95 changes: 15 additions & 80 deletions src/openvpn.rs
Expand Up @@ -195,7 +195,7 @@ impl Drop for OpenVpn {

pub fn killswitch(
netns: &NetworkNamespace,
dns: &[IpAddr],
_dns: &[IpAddr],
remotes: &[Remote],
firewall: Firewall,
disable_ipv6: bool,
Expand Down Expand Up @@ -229,45 +229,14 @@ pub fn killswitch(
netns.exec(&[ipcmd, "-A", "INPUT", "-i", "lo", "-j", "ACCEPT"])?;
netns.exec(&[ipcmd, "-A", "INPUT", "-i", "tun+", "-j", "ACCEPT"])?;
netns.exec(&[ipcmd, "-A", "OUTPUT", "-o", "lo", "-j", "ACCEPT"])?;
for dnsa in dns.iter() {
match dnsa {
// TODO: Tidy this up
IpAddr::V4(addr) => {
if ipcmd == "iptables" {
netns.exec(&[
ipcmd,
"-A",
"OUTPUT",
"-d",
&addr.to_string(),
"-j",
"ACCEPT",
])?;
}
}
IpAddr::V6(addr) => {
if ipcmd == "ip6tables" && !disable_ipv6 {
netns.exec(&[
ipcmd,
"-A",
"OUTPUT",
"-d",
&addr.to_string(),
"-j",
"ACCEPT",
])?;
}
}
}
}

// TODO: Tidy this up - remote can be IPv4 or IPv6 address or hostname
for remote in remotes {
let port_str = format!("{}", remote.port);
match &remote.host {
// TODO: Fix this to specify destination address - but need hostname
// resolution working
Host::IPv4(_ip) => {
Host::IPv4(ip) => {
if ipcmd == "iptables" {
netns.exec(&[
ipcmd,
Expand All @@ -277,16 +246,16 @@ pub fn killswitch(
&remote.protocol.to_string(),
"-m",
&remote.protocol.to_string(),
// "-d",
// &ip.to_string(),
"-d",
&ip.to_string(),
"--dport",
port_str.as_str(),
"-j",
"ACCEPT",
])?;
}
}
Host::IPv6(_ip) => {
Host::IPv6(ip) => {
if ipcmd == "ip6tables" {
netns.exec(&[
ipcmd,
Expand All @@ -296,8 +265,8 @@ pub fn killswitch(
&remote.protocol.to_string(),
"-m",
&remote.protocol.to_string(),
// "-d",
// &ip.to_string(),
"-d",
&ip.to_string(),
"--dport",
port_str.as_str(),
"-j",
Expand Down Expand Up @@ -419,75 +388,41 @@ pub fn killswitch(
"counter",
"accept",
])?;
for dnsa in dns.iter() {
match dnsa {
IpAddr::V4(addr) => {
netns.exec(&[
"nft",
"add",
"rule",
"inet",
&netns.name,
"output",
"ip",
"daddr",
&addr.to_string(),
"counter",
"accept",
])?;
}
IpAddr::V6(addr) => {
netns.exec(&[
"nft",
"add",
"rule",
"inet",
&netns.name,
"output",
"ip6",
"daddr",
&addr.to_string(),
"counter",
"accept",
])?;
}
};
}

for remote in remotes {
let port_str = format!("{}", remote.port);
match &remote.host {
// TODO: Fix this to specify destination address - but need hostname
// resolution working
Host::IPv4(_ip) => {
Host::IPv4(ip) => {
netns.exec(&[
"nft",
"add",
"rule",
"inet",
&netns.name,
"output",
// "ip",
// "daddr",
// &ip.to_string(),
"ip",
"daddr",
&ip.to_string(),
&remote.protocol.to_string(),
"dport",
port_str.as_str(),
"counter",
"accept",
])?;
}
Host::IPv6(_ip) => {
Host::IPv6(ip) => {
netns.exec(&[
"nft",
"add",
"rule",
"inet",
&netns.name,
"output",
// "ip6",
// "daddr",
// &ip.to_string(),
"ip6",
"daddr",
&ip.to_string(),
&remote.protocol.to_string(),
"dport",
port_str.as_str(),
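Review bot: The comment kept above each remote arm, `// TODO: Fix this to specify destination address - but need hostname resolution working`, is now stale for the IPv4 and IPv6 arms, because the added `"-d", &ip.to_string()` and `"ip", "daddr", &ip.to_string()` lines do exactly that; it should be deleted there or moved to the hostname arm, which lies outside the hunk. Dropping the per-address DNS accept rules tightens the kill switch (only the configured remotes stay reachable outside the tunnel), but it also means a remote given as a hostname can no longer be resolved from inside the namespace unless the hostname arm, not visible here, still opens something — worth confirming before merge. The now-unused `_dns` parameter is kept only for signature compatibility and nothing says so; a doc comment on `killswitch` such as `/// _dns is unused: DNS is no longer exempted from the kill switch and is presumably expected to go through the tunnel` would save the next reader a search. The enclosing `killswitch` function starts before the first hunk and ends after the last one.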
