From a7e0c89afc03fc4754bda781b4bc401cd50924ea Mon Sep 17 00:00:00 2001
From: keliramu
Date: Thu, 1 Aug 2024 19:09:01 +0300
Subject: [PATCH] Rearrange order of FW rules
Signed-off-by: keliramu
---
daemon/rpc_set_lan_discovery.go | 1 +
networker/networker.go | 28 +++++++++++++---------------
test/qa/lib/firewall.py | 1 -
3 files changed, 14 insertions(+), 16 deletions(-)
diff --git a/daemon/rpc_set_lan_discovery.go b/daemon/rpc_set_lan_discovery.go
index 9a72e276..be167d5c 100644
--- a/daemon/rpc_set_lan_discovery.go
+++ b/daemon/rpc_set_lan_discovery.go
@@ -48,6 +48,7 @@ func (r *RPC) SetLANDiscovery(ctx context.Context, in *pb.SetLANDiscoveryRequest
}
cfg.AutoConnectData.Allowlist.Subnets = subnets
+ allowlist = cfg.AutoConnectData.Allowlist
}
if err := r.netw.SetAllowlist(allowlist); err != nil {
diff --git a/networker/networker.go b/networker/networker.go
index a0e9f5ed..42eeb10c 100644
--- a/networker/networker.go
+++ b/networker/networker.go
@@ -899,6 +899,7 @@ func (netw *Combined) setAllowlist(allowlist config.Allowlist) error {
allowlist = addLANPermissions(allowlist)
}
+ // start adding set of rules
rules := []firewall.Rule{}
var subnets []netip.Prefix
@@ -924,12 +925,6 @@ func (netw *Combined) setAllowlist(allowlist config.Allowlist) error {
Direction: firewall.TwoWay,
Allow: true,
})
- rules = append(rules, firewall.Rule{
- Name: "allowlist_forward_related",
- Direction: firewall.Forward,
- Allow: true,
- ConnectionStates: firewall.ConnectionStates{States: []firewall.ConnectionState{firewall.Established, firewall.Related}},
- })
rules = append(rules, firewall.Rule{
Name: "allowlist_subnets_forward",
Interfaces: ifaces,
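Review bot: The new `allowlist = cfg.AutoConnectData.Allowlist` line needs a comment, because a reader cannot tell why `allowlist` is reassigned immediately after `Subnets` was written into `cfg`; the intent appears to be that SetAllowlist must receive the subnets just stored in the config rather than whatever `allowlist` held before this branch. Suggested: `// hand the networker the allowlist that now carries the freshly computed subnets`. The assignment copies the struct, and if `Allowlist` holds maps (the `Ports.TCP[53]` indexing elsewhere in this patch suggests it does) those maps stay shared with `cfg`, which is worth noting if either side is mutated afterwards. SetLANDiscovery starts and ends outside this hunk, so the other branch's value of `allowlist` is not visible here.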
@@ -967,15 +962,17 @@ func (netw *Combined) setAllowlist(allowlist config.Allowlist) error {
}
}
}
-
if err := netw.fw.Add(rules); err != nil {
return err
}
- // disable DNS traffic to private LAN ranges - to prevent DNS leaks
- // when /etc/resolv.conf has nameserver default gateway
- if err := netw.denyDNS(); err != nil {
- return err
+ // if port 53 is whitelisted - do not add drop-dns rules
+ if !allowlist.Ports.TCP[53] && !allowlist.Ports.UDP[53] {
+ // disable DNS traffic to private LAN ranges - to prevent DNS leaks
+ // when /etc/resolv.conf has nameserver default gateway
+ if err := netw.denyDNS(); err != nil {
+ return err
+ }
}
netw.allowlist = allowlist
@@ -1005,13 +1002,12 @@ func (netw *Combined) unsetAllowlist() error {
for _, rule := range []string{
"allowlist_subnets",
"allowlist_subnets_forward",
- "allowlist_forward_related",
"allowlist_ports_tcp",
"allowlist_ports_udp",
} {
err := netw.fw.Delete([]string{rule})
if err != nil && !errors.Is(err, firewall.ErrRuleNotFound) {
- return err
+ return fmt.Errorf("disabling allowlist firewall rules: %w", err)
}
}
@@ -1019,8 +1015,10 @@ func (netw *Combined) unsetAllowlist() error {
return fmt.Errorf("disabling allowlist routing: %w", err)
}
- if err := netw.undenyDNS(); err != nil {
- return fmt.Errorf("unsetting deny dns: %w", err)
+ if !netw.allowlist.Ports.TCP[53] && !netw.allowlist.Ports.UDP[53] {
+ if err := netw.undenyDNS(); err != nil {
+ return fmt.Errorf("unsetting deny dns: %w", err)
+ }
}
return nil
diff --git a/test/qa/lib/firewall.py b/test/qa/lib/firewall.py
index 9bc3daf2..34bdb1f9 100644
--- a/test/qa/lib/firewall.py
+++ b/test/qa/lib/firewall.py
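Review bot: The guard `if !allowlist.Ports.TCP[53] && !allowlist.Ports.UDP[53]` turns off denyDNS for both protocols as soon as either protocol's port 53 is allowlisted, so allowlisting TCP 53 alone also stops UDP 53 towards the LAN gateway from being dropped, which is exactly the leak the retained comment describes. Unless denyDNS only ever covers one protocol (its body is not in the hunk), the decision should be made per protocol, for example by telling denyDNS which of TCP/UDP to deny, or the comment should state plainly that allowlisting port 53 on either protocol disables DNS-leak protection on both. The added comment also says "whitelisted" where the surrounding code says allowlist and does not give the reason; `// port 53 is allowlisted on either protocol: skip the DNS-deny rules so they do not override the allow` would, assuming rule ordering is the motivation as the commit title suggests. setAllowlist starts before this hunk.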
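Review bot: The wrapped error `fmt.Errorf("disabling allowlist firewall rules: %w", err)` drops which of the five rules failed to delete, which is the one piece of context this loop has and the caller cannot recover; `return fmt.Errorf("disabling allowlist firewall rule %q: %w", rule, err)` keeps it at no cost. unsetAllowlist starts before and ends after this hunk.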
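Review bot: Tearing down the DNS-deny rules only when the stored `netw.allowlist` lacks port 53 ties cleanup to state that setAllowlist assigns last; setAllowlist returns early from `netw.fw.Add` or `denyDNS` without updating `netw.allowlist`, so after such a failure the stored list may no longer describe which rules are installed and this branch can leave deny rules behind or try to remove rules that were never added. The Delete loop above already tolerates `firewall.ErrRuleNotFound`; if undenyDNS can be given the same tolerance, calling it unconditionally is simpler and does not depend on the stored allowlist being accurate. If the conditional stays, it should say why it exists: `// mirrors setAllowlist: the deny-DNS rules are only installed when port 53 is not allowlisted`. unsetAllowlist starts before this hunk.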
@@ -103,7 +103,6 @@
"-A FORWARD -d 192.168.0.0/16 -o eth0 -m comment --comment nordvpn -j ACCEPT",
"-A FORWARD -d 172.16.0.0/12 -o eth0 -m comment --comment nordvpn -j ACCEPT",
"-A FORWARD -d 10.0.0.0/8 -o eth0 -m comment --comment nordvpn -j ACCEPT",
- "-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment nordvpn -j ACCEPT",
]
OUTPUT_LAN_DISCOVERY_RULES = [