iptables rules to ipset

This commit is contained in:
Vladimir Avtsenov 2024-09-05 05:42:10 +03:00
parent d79a7d43d4
commit 0b43814c07
3 changed files with 65 additions and 6 deletions


@ -9,7 +9,7 @@ Realized features:
- [x] IPTables rules for rebind DNS server port [1] - [x] IPTables rules for rebind DNS server port [1]
- [X] IPSet integration - [X] IPSet integration
- [X] IP integration - [X] IP integration
- [ ] IPTables rules to IPSet [2] - [X] IPTables rules to IPSet [2]
- [ ] Rule composer (CRUD) - [ ] Rule composer (CRUD)
- [ ] GORM integration - [ ] GORM integration
- [X] Listing of interfaces - [X] Listing of interfaces


@ -4,6 +4,7 @@ import (
"fmt" "fmt"
"net" "net"
"os" "os"
"strconv"
"time" "time"
"kvas2-go/models" "kvas2-go/models"
@ -55,7 +56,7 @@ DomainSearch:
return nil return nil
} }
func (g *Group) Enable() error { func (g *Group) Enable(a *App) error {
if g.options.Enabled { if g.options.Enabled {
return nil return nil
} }
@ -150,18 +151,76 @@ func (g *Group) Enable() error {
return fmt.Errorf("failed to create ipset: %w", err) return fmt.Errorf("failed to create ipset: %w", err)
} }
preroutingChainName := fmt.Sprintf("%sROUTING_%d_PREROUTING", a.Config.ChainPostfix, g.ID)
err = a.IPTables.ClearChain("mangle", preroutingChainName)
if err != nil {
return fmt.Errorf("failed to clear chain: %w", err)
}
err = a.IPTables.AppendUnique("mangle", preroutingChainName, "-m", "set", "--match-set", g.ipsetName, "dst", "-j", "MARK", "--set-mark", strconv.Itoa(int(mark)))
if err != nil {
return fmt.Errorf("failed to create rule: %w", err)
}
err = a.IPTables.AppendUnique("mangle", "PREROUTING", "-j", preroutingChainName)
if err != nil {
return fmt.Errorf("failed to linking chain: %w", err)
}
postroutingChainName := fmt.Sprintf("%sROUTING_%d_POSTROUTING", a.Config.ChainPostfix, g.ID)
err = a.IPTables.ClearChain("nat", postroutingChainName)
if err != nil {
return fmt.Errorf("failed to clear chain: %w", err)
}
err = a.IPTables.AppendUnique("nat", postroutingChainName, "-o", g.Interface, "-j", "MASQUERADE")
if err != nil {
return fmt.Errorf("failed to create rule: %w", err)
}
err = a.IPTables.AppendUnique("nat", "POSTROUTING", "-j", postroutingChainName)
if err != nil {
return fmt.Errorf("failed to linking chain: %w", err)
}
g.options.Enabled = true g.options.Enabled = true
return nil return nil
} }
func (g *Group) Disable() error { func (g *Group) Disable(a *App) error {
if !g.options.Enabled { if !g.options.Enabled {
return nil return nil
} }
var err error var err error
preroutingChainName := fmt.Sprintf("%sROUTING_%d_PREROUTING", a.Config.ChainPostfix, g.ID)
err = a.IPTables.DeleteIfExists("mangle", "PREROUTING", "-j", preroutingChainName)
if err != nil {
return fmt.Errorf("failed to unlinking chain: %w", err)
}
err = a.IPTables.ClearAndDeleteChain("mangle", preroutingChainName)
if err != nil {
return fmt.Errorf("failed to delete chain: %w", err)
}
postroutingChainName := fmt.Sprintf("%sROUTING_%d_POSTROUTING", a.Config.ChainPostfix, g.ID)
err = a.IPTables.DeleteIfExists("nat", "POSTROUTING", "-j", postroutingChainName)
if err != nil {
return fmt.Errorf("failed to unlinking chain: %w", err)
}
err = a.IPTables.ClearAndDeleteChain("nat", postroutingChainName)
if err != nil {
return fmt.Errorf("failed to delete chain: %w", err)
}
if g.options.ipRule != nil { if g.options.ipRule != nil {
err = netlink.RuleDel(g.options.ipRule) err = netlink.RuleDel(g.options.ipRule)
if err != nil { if err != nil {
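Review bot: A failure in Enable after the first `ClearChain` (any of the `failed to create rule` / `failed to linking chain` returns) leaves the new mangle and nat chains, and possibly the jump already appended to `PREROUTING`, installed while `g.options.Enabled` stays false, so Disable's early return means they are never removed and a later Enable only re-flushes them. A deferred best-effort rollback keyed on `err` (sketched below) closes that gap; `err` is declared earlier in Enable, and both the start of Enable and the rest of Disable lie outside the hunk. The messages `failed to linking chain` and `failed to unlinking chain` should read `failed to link chain` and `failed to unlink chain` to match the file's other errors. Two things worth confirming: iptables rejects chain names longer than 28 characters and `ROUTING_%d_POSTROUTING` already takes 20 characters plus the group ID before `a.Config.ChainPostfix` is prepended, and `strconv.Itoa(int(mark))` renders a negative number on 32-bit targets if `mark` is unsigned and ≥ 2^31, where `strconv.FormatUint(uint64(mark), 10)` would be safe. The nat rule `-o g.Interface -j MASQUERADE` masquerades every flow leaving that interface rather than only the ipset-marked ones; if that is intended, a one-line comment saying so would save the next reader from treating it as a scoping bug.
```go
preroutingChainName := fmt.Sprintf("%sROUTING_%d_PREROUTING", a.Config.ChainPostfix, g.ID)
postroutingChainName := fmt.Sprintf("%sROUTING_%d_POSTROUTING", a.Config.ChainPostfix, g.ID)
// Roll back the chains on any failure below: otherwise they stay installed
// while g.options.Enabled is still false and Disable never removes them.
defer func() {
	if err == nil {
		return
	}
	_ = a.IPTables.DeleteIfExists("mangle", "PREROUTING", "-j", preroutingChainName)
	_ = a.IPTables.ClearAndDeleteChain("mangle", preroutingChainName)
	_ = a.IPTables.DeleteIfExists("nat", "POSTROUTING", "-j", postroutingChainName)
	_ = a.IPTables.ClearAndDeleteChain("nat", postroutingChainName)
}()
// … unchanged: mangle ClearChain / AppendUnique sequence …
if err != nil {
	return fmt.Errorf("failed to link chain: %w", err)
}
// … unchanged: nat ClearChain / MASQUERADE rule …
if err != nil {
	return fmt.Errorf("failed to link chain: %w", err)
}
```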


@ -94,7 +94,7 @@ func (a *App) Listen(ctx context.Context) []error {
} }
for idx, _ := range a.Groups { for idx, _ := range a.Groups {
err = a.Groups[idx].Enable() err = a.Groups[idx].Enable(a)
if err != nil { if err != nil {
handleError(fmt.Errorf("failed to enable group: %w", err)) handleError(fmt.Errorf("failed to enable group: %w", err))
return errs return errs
@ -113,7 +113,7 @@ func (a *App) Listen(ctx context.Context) []error {
} }
for idx, _ := range a.Groups { for idx, _ := range a.Groups {
err = a.Groups[idx].Disable() err = a.Groups[idx].Disable(a)
if err != nil { if err != nil {
handleError(fmt.Errorf("failed to disable group: %w", err)) handleError(fmt.Errorf("failed to disable group: %w", err))
return errs return errs
@ -146,7 +146,7 @@ func (a *App) AppendGroup(group *models.Group) error {
} }
if a.isRunning { if a.isRunning {
err := a.Groups[group.ID].Enable() err := a.Groups[group.ID].Enable(a)
if err != nil { if err != nil {
return fmt.Errorf("failed to enable appended group: %w", err) return fmt.Errorf("failed to enable appended group: %w", err)
} }