package netfilterHelper
import (
"fmt"
"github.com/coreos/go-iptables/iptables"
"github.com/rs/zerolog/log"
"github.com/vishvananda/netlink"
"github.com/vishvananda/netlink/nl"
"net"
"strconv"
)
type IfaceToIPSet struct {
IPTables *iptables.IPTables
ChainName string
IfaceName string
IPSetName string
SoftwareMode bool
Enabled bool
mark uint32
table int
ipRule *netlink.Rule
ipRoute *netlink.Route
}
func (r *IfaceToIPSet) PutIPTable(table string) error {
var err error
if !r.SoftwareMode {
if table == "all" || table == "mangle" {
err = r.IPTables.ClearChain("mangle", r.ChainName)
if err != nil {
return fmt.Errorf("failed to clear chain: %w", err)
}
for _, iptablesArgs := range [][]string{
// Source: https://github.com/qzeleza/kvas/blob/3fdbbd1ace7b57b11bf88d8db3882d94a1d6e01c/opt/etc/ndm/ndm#L194-L206
{"-m", "set", "!", "--match-set", r.IPSetName, "dst", "-j", "RETURN"},
{"-j", "CONNMARK", "--restore-mark"},
{"-m", "mark", "--mark", strconv.Itoa(int(r.mark)), "-j", "RETURN"},
// This command not working
// {"--syn", "-j", "MARK", "--set-mark", strconv.Itoa(int(mark))},
{"-m", "conntrack", "--ctstate", "NEW", "-j", "MARK", "--set-mark", strconv.Itoa(int(r.mark))},
{"-j", "CONNMARK", "--save-mark"},
} {
err = r.IPTables.AppendUnique("mangle", r.ChainName, iptablesArgs...)
if err != nil {
return fmt.Errorf("failed to append rule: %w", err)
}
}
err = r.IPTables.AppendUnique("mangle", "PREROUTING", "-m", "set", "--match-set", r.IPSetName, "dst", "-j", r.ChainName)
if err != nil {
return fmt.Errorf("failed to append rule to PREROUTING: %w", err)
}
err = r.IPTables.AppendUnique("mangle", "OUTPUT", "-m", "set", "--match-set", r.IPSetName, "dst", "-j", r.ChainName)
if err != nil {
return fmt.Errorf("failed to append rule to OUTPUT: %w", err)
}
}
} else {
if table == "all" || table == "mangle" {
preroutingChainName := fmt.Sprintf("%s_PRR", r.ChainName)
err = r.IPTables.ClearChain("mangle", preroutingChainName)
if err != nil {
return fmt.Errorf("failed to clear chain: %w", err)
}
err = r.IPTables.AppendUnique("mangle", preroutingChainName, "-m", "set", "--match-set", r.IPSetName, "dst", "-j", "MARK", "--set-mark", strconv.Itoa(int(r.mark)))
if err != nil {
return fmt.Errorf("failed to create rule: %w", err)
}
err = r.IPTables.AppendUnique("mangle", "PREROUTING", "-j", preroutingChainName)
if err != nil {
return fmt.Errorf("failed to append rule to PREROUTING: %w", err)
}
}
}
if table == "all" || table == "nat" {
postroutingChainName := fmt.Sprintf("%s_POR", r.ChainName)
err = r.IPTables.ClearChain("nat", postroutingChainName)
if err != nil {
return fmt.Errorf("failed to clear chain: %w", err)
}
err = r.IPTables.AppendUnique("nat", postroutingChainName, "-o", r.IfaceName, "-j", "MASQUERADE")
if err != nil {
return fmt.Errorf("failed to create rule: %w", err)
}
err = r.IPTables.AppendUnique("nat", "POSTROUTING", "-j", postroutingChainName)
if err != nil {
return fmt.Errorf("failed to append rule to POSTROUTING: %w", err)
}
}
return nil
}
func (r *IfaceToIPSet) IfaceHandle() error {
// Find interface
iface, err := netlink.LinkByName(r.IfaceName)
if err != nil {
log.Warn().Str("interface", r.IfaceName).Err(err).Msg("error while getting interface")
}
// Mapping iface with table
if iface != nil {
route := &netlink.Route{
LinkIndex: iface.Attrs().Index,
Table: r.table,
Dst: &net.IPNet{IP: []byte{0, 0, 0, 0}, Mask: []byte{0, 0, 0, 0}},
}
// Delete rule if exists
err = netlink.RouteDel(route)
if err != nil {
log.Warn().Str("interface", r.IfaceName).Err(err).Msg("error while deleting route")
}
err = netlink.RouteAdd(route)
if err != nil {
return fmt.Errorf("error while mapping iface with table: %w", err)
}
r.ipRoute = route
}
return nil
}
func (r *IfaceToIPSet) ForceEnable() error {
// Release used mark and table
r.Disable()
r.mark = 0
r.table = 0
// Find unused mark and table
markMap := make(map[uint32]struct{})
tableMap := map[int]struct{}{0: {}, 253: {}, 254: {}, 255: {}}
rules, err := netlink.RuleList(nl.FAMILY_ALL)
if err != nil {
return fmt.Errorf("error while getting rules: %w", err)
}
for _, rule := range rules {
markMap[rule.Mark] = struct{}{}
tableMap[rule.Table] = struct{}{}
}
routes, err := netlink.RouteListFiltered(nl.FAMILY_ALL, &netlink.Route{}, netlink.RT_FILTER_TABLE)
if err != nil {
return fmt.Errorf("error while getting routes: %w", err)
}
for _, route := range routes {
tableMap[route.Table] = struct{}{}
}
for {
if _, exists := tableMap[r.table]; exists {
r.table++
continue
}
break
}
for {
if _, exists := markMap[r.mark]; exists {
r.mark++
continue
}
break
}
// IPTables rules
err = r.PutIPTable("all")
if err != nil {
return nil
}
// Mapping mark with table
rule := netlink.NewRule()
rule.Mark = r.mark
rule.Table = r.table
err = netlink.RuleAdd(rule)
if err != nil {
return fmt.Errorf("error while mapping mark with table: %w", err)
}
r.ipRule = rule
err = r.IfaceHandle()
if err != nil {
return nil
}
r.Enabled = true
return nil
}
func (r *IfaceToIPSet) Disable() []error {
var errs []error
var err error
if !r.SoftwareMode {
err = r.IPTables.DeleteIfExists("mangle", "PREROUTING", "-m", "set", "--match-set", r.IPSetName, "dst", "-j", r.ChainName)
if err != nil {
errs = append(errs, fmt.Errorf("failed to delete rule from PREROUTING: %w", err))
}
err = r.IPTables.DeleteIfExists("mangle", "OUTPUT", "-m", "set", "--match-set", r.IPSetName, "dst", "-j", r.ChainName)
if err != nil {
errs = append(errs, fmt.Errorf("failed to delete rule from OUTPUT: %w", err))
}
err = r.IPTables.ClearAndDeleteChain("mangle", r.ChainName)
if err != nil {
errs = append(errs, fmt.Errorf("failed to delete chain: %w", err))
}
} else {
preroutingChainName := fmt.Sprintf("%s_PRR", r.ChainName)
err = r.IPTables.DeleteIfExists("mangle", "PREROUTING", "-j", preroutingChainName)
if err != nil {
errs = append(errs, fmt.Errorf("failed to delete rule from PREROUTING: %w", err))
}
err = r.IPTables.ClearAndDeleteChain("mangle", preroutingChainName)
if err != nil {
errs = append(errs, fmt.Errorf("failed to delete chain: %w", err))
}
}
postroutingChainName := fmt.Sprintf("%s_POR", r.ChainName)
err = r.IPTables.DeleteIfExists("nat", "POSTROUTING", "-j", postroutingChainName)
if err != nil {
errs = append(errs, fmt.Errorf("failed to unlinking chain: %w", err))
}
err = r.IPTables.ClearAndDeleteChain("nat", postroutingChainName)
if err != nil {
errs = append(errs, fmt.Errorf("failed to delete chain: %w", err))
}
if r.ipRule != nil {
err = netlink.RuleDel(r.ipRule)
if err != nil {
errs = append(errs, fmt.Errorf("error while deleting rule: %w", err))
}
r.ipRule = nil
}
if r.ipRoute != nil {
err = netlink.RouteDel(r.ipRoute)
if err != nil {
errs = append(errs, fmt.Errorf("error while deleting route: %w", err))
}
r.ipRule = nil
}
r.Enabled = false
return errs
}
func (r *IfaceToIPSet) Enable() error {
if r.Enabled {
return nil
}
err := r.ForceEnable()
if err != nil {
r.Disable()
return err
}
return nil
}
func (nh *NetfilterHelper) IfaceToIPSet(name string, ifaceName, ipsetName string, softwareMode bool) *IfaceToIPSet {
return &IfaceToIPSet{
IPTables: nh.IPTables,
ChainName: name,
IfaceName: ifaceName,
IPSetName: ipsetName,
}
}