feat: support to auto config firewall (firewalld)

daeuniverse · Jan 8, 2024 · e24c368 · e24c368
1 parent 35094f3
commit e24c368
Show file tree

Hide file tree

Showing 5 changed files with 35 additions and 3 deletions.
diff --git a/common/consts/ebpf.go b/common/consts/ebpf.go
@@ -157,9 +157,10 @@ var (
 )
 
 const (
-	TproxyMark      uint32 = 0x8000000
-	Recognize       uint16 = 0x2017
-	LoopbackIfIndex        = 1
+	TproxyMark       uint32 = 0x08000000
+	TproxyMarkString string = "0x08000000" // Should be aligned with nftables
+	Recognize        uint16 = 0x2017
+	LoopbackIfIndex         = 1
 )
 
 type LanWanFlag uint8

diff --git a/config/config.go b/config/config.go
@@ -35,6 +35,7 @@ type Global struct {
 	DialMode                  string        `mapstructure:"dial_mode" default:"domain"`
 	DisableWaitingNetwork     bool          `mapstructure:"disable_waiting_network" default:"false"`
 	AutoConfigKernelParameter bool          `mapstructure:"auto_config_kernel_parameter" default:"false"`
+	AutoConfigFirewallRule    bool          `mapstructure:"auto_config_firewall_rule" default:"false"`
 	SniffingTimeout           time.Duration `mapstructure:"sniffing_timeout" default:"100ms"`
 	TlsImplementation         string        `mapstructure:"tls_implementation" default:"tls"`
 	UtlsImitate               string        `mapstructure:"utls_imitate" default:"chrome_auto"`

diff --git a/control/control_plane.go b/control/control_plane.go
@@ -198,6 +198,9 @@ func NewControlPlane(
 		if err = core.setupRoutingPolicy(); err != nil {
 			return nil, err
 		}
+		if err = core.addAcceptInputMark(); err == nil {
+			core.deferFuncs = append(core.deferFuncs, core.delAcceptInputMark)
+		}
 	}
 
 	/// Bind to links. Binding should be advance of dialerGroups to avoid un-routable old connection.

diff --git a/control/control_plane_core.go b/control/control_plane_core.go
@@ -12,7 +12,9 @@ import (
 	"net"
 	"net/netip"
 	"os"
+	"os/exec"
 	"regexp"
+	"strings"
 	"sync"
 
 	"github.com/cilium/ebpf"
@@ -192,6 +194,28 @@ func (c *controlPlaneCore) delQdisc(ifname string) error {
 	return nil
 }
 
+func (c *controlPlaneCore) addAcceptInputMark() error {
+	// TODO: Support more than firewalld.
+	return exec.Command("sh", "-c", "nft list table inet firewalld && nft 'insert rule inet firewalld filter_INPUT mark "+consts.TproxyMarkString+" accept'").Run()
+}
+
+func (c *controlPlaneCore) delAcceptInputMark() error {
+	output, err := exec.Command("sh", "-c", "nft --handle --numeric list chain inet firewalld filter_INPUT").Output()
+	if err != nil {
+		// No firewalld.
+		return nil
+	}
+	lines := strings.Split(string(output), "\n")
+	regex := regexp.MustCompile("meta mark " + consts.TproxyMarkString + " accept # handle ([0-9]+)")
+	for _, line := range lines {
+		matches := regex.FindStringSubmatch(line)
+		if len(matches) > 0 {
+			return exec.Command("sh", "-c", "nft 'delete rule inet firewalld filter_INPUT handle "+matches[1]+"'").Run()
+		}
+	}
+	return fmt.Errorf("no such rule")
+}
+
 func (c *controlPlaneCore) setupRoutingPolicy() (err error) {
 	/// Insert ip rule / ip route.
 	var table = 2023 + c.flip

diff --git a/example.dae b/example.dae
@@ -34,6 +34,9 @@ global {
     # https://github.com/daeuniverse/dae/blob/main/docs/en/user-guide/kernel-parameters.md to see what will dae do.
     auto_config_kernel_parameter: true
 
+    # Automatically configure firewall rules like firewalld.
+    # For example: nft list table inet firewalld && nft 'insert rule inet firewalld filter_INPUT mark 0x8000000 accept'
+    auto_config_firewall_rule: true
 
     ##### Node connectivity check.