MagiTrickle/netfilter-helper/port-remap.go

package netfilterHelper

import (
	"fmt"
	"net"
	"strconv"

	"github.com/coreos/go-iptables/iptables"
	"github.com/vishvananda/netlink"
)

type PortRemap struct {
	IPTables  *iptables.IPTables
	ChainName string
	Addresses []netlink.Addr
	From      uint16
	To        uint16

	enabled bool
}

func (r *PortRemap) insertIPTablesRules(table string) error {
	if table == "" || table == "nat" {
		preroutingChain := r.ChainName + "_PRR"
		err := r.IPTables.NewChain("nat", preroutingChain)
		if err != nil {
			// If not "AlreadyExists"
			if eerr, eok := err.(*iptables.Error); !(eok && eerr.ExitStatus() == 1) {
				return fmt.Errorf("failed to create chain: %w", err)
			}
		}

		for _, addr := range r.Addresses {
			if !((r.IPTables.Proto() == iptables.ProtocolIPv4 && len(addr.IP) == net.IPv4len) || (r.IPTables.Proto() == iptables.ProtocolIPv6 && len(addr.IP) == net.IPv6len)) {
				continue
			}

			if r.IPTables.Proto() != iptables.ProtocolIPv6 {
				for _, iptablesArgs := range [][]string{
					{"-p", "tcp", "-d", addr.IP.String(), "--dport", fmt.Sprintf("%d", r.From), "-j", "REDIRECT", "--to-port", fmt.Sprintf("%d", r.To)},
					{"-p", "udp", "-d", addr.IP.String(), "--dport", fmt.Sprintf("%d", r.From), "-j", "REDIRECT", "--to-port", fmt.Sprintf("%d", r.To)},
				} {
					err = r.IPTables.AppendUnique("nat", preroutingChain, iptablesArgs...)
					if err != nil {
						return fmt.Errorf("failed to append rule: %w", err)
					}
				}
			} else {
				for _, iptablesArgs := range [][]string{
					{"-p", "tcp", "-d", addr.IP.String(), "--dport", strconv.Itoa(int(r.From)), "-j", "DNAT", "--to-destination", fmt.Sprintf(":%d", r.To)},
					{"-p", "udp", "-d", addr.IP.String(), "--dport", strconv.Itoa(int(r.From)), "-j", "DNAT", "--to-destination", fmt.Sprintf(":%d", r.To)},
				} {
					err = r.IPTables.AppendUnique("nat", preroutingChain, iptablesArgs...)
					if err != nil {
						return fmt.Errorf("failed to append rule: %w", err)
					}
				}
			}
		}

		err = r.IPTables.InsertUnique("nat", "PREROUTING", 1, "-j", preroutingChain)
		if err != nil {
			return fmt.Errorf("failed to linking chain: %w", err)
		}

		postroutingChain := r.ChainName + "_POR"
		err = r.IPTables.NewChain("nat", postroutingChain)
		if err != nil {
			// If not "AlreadyExists"
			if eerr, eok := err.(*iptables.Error); !(eok && eerr.ExitStatus() == 1) {
				return fmt.Errorf("failed to create chain: %w", err)
			}
		}

		for _, addr := range r.Addresses {
			if !((r.IPTables.Proto() == iptables.ProtocolIPv4 && len(addr.IP) == net.IPv4len) || (r.IPTables.Proto() == iptables.ProtocolIPv6 && len(addr.IP) == net.IPv6len)) {
				continue
			}

			if r.IPTables.Proto() == iptables.ProtocolIPv4 {
				for _, iptablesArgs := range [][]string{
					{"-p", "tcp", "-d", addr.IP.String(), "--sport", strconv.Itoa(int(r.To)), "-j", "SNAT", "--to-source", addr.IP.String()},
					{"-p", "udp", "-d", addr.IP.String(), "--sport", strconv.Itoa(int(r.To)), "-j", "SNAT", "--to-source", addr.IP.String()},
				} {
					err = r.IPTables.AppendUnique("nat", postroutingChain, iptablesArgs...)
					if err != nil {
						return fmt.Errorf("failed to append rule: %w", err)
					}
				}
			}
		}

		err = r.IPTables.InsertUnique("nat", "POSTROUTING", 1, "-j", postroutingChain)
		if err != nil {
			return fmt.Errorf("failed to linking chain: %w", err)
		}
	}

	return nil
}

func (r *PortRemap) deleteIPTablesRules() []error {
	var errs []error

	preroutingChain := r.ChainName + "_PRR"
	err := r.IPTables.DeleteIfExists("nat", "PREROUTING", "-j", preroutingChain)
	if err != nil {
		errs = append(errs, fmt.Errorf("failed to unlinking chain: %w", err))
	}

	postroutingChain := r.ChainName + "_POR"
	err = r.IPTables.DeleteIfExists("nat", "POSTROUTING", "-j", postroutingChain)
	if err != nil {
		errs = append(errs, fmt.Errorf("failed to unlinking chain: %w", err))
	}

	err = r.IPTables.ClearAndDeleteChain("nat", r.ChainName)
	if err != nil {
		errs = append(errs, fmt.Errorf("failed to delete chain: %w", err))
	}

	return errs
}

func (r *PortRemap) enable() error {
	err := r.insertIPTablesRules("")
	if err != nil {
		return err
	}

	r.enabled = true
	return nil
}

func (r *PortRemap) Enable() error {
	if r.enabled {
		return nil
	}

	err := r.IPTables.ClearChain("nat", r.ChainName)
	if err != nil {
		return fmt.Errorf("failed to clear chain: %w", err)
	}

	err = r.enable()
	if err != nil {
		r.Disable()
		return err
	}

	return nil
}

func (r *PortRemap) Disable() []error {
	errs := r.deleteIPTablesRules()
	r.enabled = false
	return errs
}

func (r *PortRemap) NetfilterDHook(table string) error {
	if !r.enabled {
		return nil
	}
	return r.insertIPTablesRules(table)
}

func (nh *NetfilterHelper) PortRemap(name string, from, to uint16, addr []netlink.Addr) *PortRemap {
	return &PortRemap{
		IPTables:  nh.IPTables,
		ChainName: name,
		Addresses: addr,
		From:      from,
		To:        to,
	}
}
refactoring 2024-09-06 14:24:55 +03:00			`package netfilterHelper`

			`import (`
			`"fmt"`
fix foreign dns blocking 2024-10-22 23:23:07 +03:00			`"net"`
refactoring 2024-09-06 14:24:55 +03:00			`"strconv"`
fix foreign dns blocking 2024-10-22 23:23:07 +03:00
			`"github.com/coreos/go-iptables/iptables"`
			`"github.com/vishvananda/netlink"`
refactoring 2024-09-06 14:24:55 +03:00			`)`

			`type PortRemap struct {`
			`IPTables *iptables.IPTables`
			`ChainName string`
fix foreign dns blocking 2024-10-22 23:23:07 +03:00			`Addresses []netlink.Addr`
refactoring 2024-09-06 14:24:55 +03:00			`From uint16`
			`To uint16`

refactor PortRemap 2025-02-11 15:53:58 +03:00			`enabled bool`
refactoring 2024-09-06 14:24:55 +03:00			`}`

refactor PortRemap 2025-02-11 15:53:58 +03:00			`func (r *PortRemap) insertIPTablesRules(table string) error {`
			`if table == "" \|\| table == "nat" {`
fix dns routing 2025-02-14 20:55:37 +03:00			`preroutingChain := r.ChainName + "_PRR"`
			`err := r.IPTables.NewChain("nat", preroutingChain)`
catch netfilter.d event 2024-09-06 16:50:56 +03:00			`if err != nil {`
refactor PortRemap 2025-02-11 15:53:58 +03:00			`// If not "AlreadyExists"`
			`if eerr, eok := err.(*iptables.Error); !(eok && eerr.ExitStatus() == 1) {`
			`return fmt.Errorf("failed to create chain: %w", err)`
			`}`
catch netfilter.d event 2024-09-06 16:50:56 +03:00			`}`
refactoring 2024-09-06 14:24:55 +03:00
fix foreign dns blocking 2024-10-22 23:23:07 +03:00			`for _, addr := range r.Addresses {`
refactor PortRemap 2025-02-11 15:53:58 +03:00			`if !((r.IPTables.Proto() == iptables.ProtocolIPv4 && len(addr.IP) == net.IPv4len) \|\| (r.IPTables.Proto() == iptables.ProtocolIPv6 && len(addr.IP) == net.IPv6len)) {`
fix foreign dns blocking 2024-10-22 23:23:07 +03:00			`continue`
			`}`

fix dns routing 2025-02-14 20:55:37 +03:00			`if r.IPTables.Proto() != iptables.ProtocolIPv6 {`
			`for _, iptablesArgs := range [][]string{`
			`{"-p", "tcp", "-d", addr.IP.String(), "--dport", fmt.Sprintf("%d", r.From), "-j", "REDIRECT", "--to-port", fmt.Sprintf("%d", r.To)},`
			`{"-p", "udp", "-d", addr.IP.String(), "--dport", fmt.Sprintf("%d", r.From), "-j", "REDIRECT", "--to-port", fmt.Sprintf("%d", r.To)},`
			`} {`
			`err = r.IPTables.AppendUnique("nat", preroutingChain, iptablesArgs...)`
			`if err != nil {`
			`return fmt.Errorf("failed to append rule: %w", err)`
			`}`
			`}`
			`} else {`
			`for _, iptablesArgs := range [][]string{`
			`{"-p", "tcp", "-d", addr.IP.String(), "--dport", strconv.Itoa(int(r.From)), "-j", "DNAT", "--to-destination", fmt.Sprintf(":%d", r.To)},`
			`{"-p", "udp", "-d", addr.IP.String(), "--dport", strconv.Itoa(int(r.From)), "-j", "DNAT", "--to-destination", fmt.Sprintf(":%d", r.To)},`
			`} {`
			`err = r.IPTables.AppendUnique("nat", preroutingChain, iptablesArgs...)`
			`if err != nil {`
			`return fmt.Errorf("failed to append rule: %w", err)`
			`}`
refactor PortRemap 2025-02-11 15:53:58 +03:00			`}`
refactoring, dns over tcp support, moving to uuid 2025-02-08 06:23:36 +03:00			`}`
catch netfilter.d event 2024-09-06 16:50:56 +03:00			`}`

fix dns routing 2025-02-14 20:55:37 +03:00			`err = r.IPTables.InsertUnique("nat", "PREROUTING", 1, "-j", preroutingChain)`
			`if err != nil {`
			`return fmt.Errorf("failed to linking chain: %w", err)`
			`}`

			`postroutingChain := r.ChainName + "_POR"`
			`err = r.IPTables.NewChain("nat", postroutingChain)`
			`if err != nil {`
			`// If not "AlreadyExists"`
			`if eerr, eok := err.(*iptables.Error); !(eok && eerr.ExitStatus() == 1) {`
			`return fmt.Errorf("failed to create chain: %w", err)`
			`}`
			`}`

			`for _, addr := range r.Addresses {`
			`if !((r.IPTables.Proto() == iptables.ProtocolIPv4 && len(addr.IP) == net.IPv4len) \|\| (r.IPTables.Proto() == iptables.ProtocolIPv6 && len(addr.IP) == net.IPv6len)) {`
			`continue`
			`}`

			`if r.IPTables.Proto() == iptables.ProtocolIPv4 {`
			`for _, iptablesArgs := range [][]string{`
			`{"-p", "tcp", "-d", addr.IP.String(), "--sport", strconv.Itoa(int(r.To)), "-j", "SNAT", "--to-source", addr.IP.String()},`
			`{"-p", "udp", "-d", addr.IP.String(), "--sport", strconv.Itoa(int(r.To)), "-j", "SNAT", "--to-source", addr.IP.String()},`
			`} {`
			`err = r.IPTables.AppendUnique("nat", postroutingChain, iptablesArgs...)`
			`if err != nil {`
			`return fmt.Errorf("failed to append rule: %w", err)`
			`}`
			`}`
			`}`
			`}`

			`err = r.IPTables.InsertUnique("nat", "POSTROUTING", 1, "-j", postroutingChain)`
catch netfilter.d event 2024-09-06 16:50:56 +03:00			`if err != nil {`
			`return fmt.Errorf("failed to linking chain: %w", err)`
			`}`
refactoring 2024-09-06 14:24:55 +03:00			`}`

catch netfilter.d event 2024-09-06 16:50:56 +03:00			`return nil`
			`}`

refactor PortRemap 2025-02-11 15:53:58 +03:00			`func (r *PortRemap) deleteIPTablesRules() []error {`
refactoring 2024-09-06 14:24:55 +03:00			`var errs []error`

fix dns routing 2025-02-14 20:55:37 +03:00			`preroutingChain := r.ChainName + "_PRR"`
			`err := r.IPTables.DeleteIfExists("nat", "PREROUTING", "-j", preroutingChain)`
			`if err != nil {`
			`errs = append(errs, fmt.Errorf("failed to unlinking chain: %w", err))`
			`}`

			`postroutingChain := r.ChainName + "_POR"`
			`err = r.IPTables.DeleteIfExists("nat", "POSTROUTING", "-j", postroutingChain)`
refactoring 2024-09-06 14:24:55 +03:00			`if err != nil {`
			`errs = append(errs, fmt.Errorf("failed to unlinking chain: %w", err))`
			`}`

			`err = r.IPTables.ClearAndDeleteChain("nat", r.ChainName)`
			`if err != nil {`
			`errs = append(errs, fmt.Errorf("failed to delete chain: %w", err))`
			`}`

			`return errs`
			`}`

refactor PortRemap 2025-02-11 15:53:58 +03:00			`func (r *PortRemap) enable() error {`
			`err := r.insertIPTablesRules("")`
			`if err != nil {`
			`return err`
			`}`

			`r.enabled = true`
			`return nil`
			`}`

refactoring 2024-09-06 14:24:55 +03:00			`func (r *PortRemap) Enable() error {`
refactor PortRemap 2025-02-11 15:53:58 +03:00			`if r.enabled {`
refactoring 2024-09-06 14:24:55 +03:00			`return nil`
			`}`

refactor PortRemap 2025-02-11 15:53:58 +03:00			`err := r.IPTables.ClearChain("nat", r.ChainName)`
			`if err != nil {`
			`return fmt.Errorf("failed to clear chain: %w", err)`
			`}`

			`err = r.enable()`
refactoring 2024-09-06 14:24:55 +03:00			`if err != nil {`
			`r.Disable()`
			`return err`
			`}`

			`return nil`
			`}`

refactor PortRemap 2025-02-11 15:53:58 +03:00			`func (r *PortRemap) Disable() []error {`
			`errs := r.deleteIPTablesRules()`
			`r.enabled = false`
			`return errs`
			`}`

group refactoring 2025-02-11 22:42:08 +03:00			`func (r *PortRemap) NetfilterDHook(table string) error {`
refactor PortRemap 2025-02-11 15:53:58 +03:00			`if !r.enabled {`
			`return nil`
			`}`
			`return r.insertIPTablesRules(table)`
			`}`

fix foreign dns blocking 2024-10-22 23:23:07 +03:00			`func (nh NetfilterHelper) PortRemap(name string, from, to uint16, addr []netlink.Addr) PortRemap {`
refactoring 2024-09-06 14:24:55 +03:00			`return &PortRemap{`
			`IPTables: nh.IPTables,`
			`ChainName: name,`
fix foreign dns blocking 2024-10-22 23:23:07 +03:00			`Addresses: addr,`
refactoring 2024-09-06 14:24:55 +03:00			`From: from,`
			`To: to,`
			`}`
			`}`