Flush conntrack every time the firewall is enabled

Quentin McGaw
2026-02-25 22:08:23 +00:00
parent 6467f3b4ad
commit dfac2b2f1a
4 changed files with 14 additions and 7 deletions
+1 -5
@@ -227,7 +227,7 @@ func _main(ctx context.Context, buildInfo models.BuildInformation,
firewallLogger.Patch(log.SetLevel(log.LevelDebug)) firewallLogger.Patch(log.SetLevel(log.LevelDebug))
} }
firewallConf, err := firewall.NewConfig(ctx, firewallLogger, cmder, firewallConf, err := firewall.NewConfig(ctx, firewallLogger, cmder,
defaultRoutes, localNetworks) netLinker, defaultRoutes, localNetworks)
if err != nil { if err != nil {
return err return err
} }
@@ -237,10 +237,6 @@ func _main(ctx context.Context, buildInfo models.BuildInformation,
if err != nil { if err != nil {
return err return err
} }
err = netLinker.FlushConntrack()
if err != nil {
logger.Warnf("flushing conntrack failed: %s", err)
}
} }
// TODO run this in a loop or in openvpn to reload from file without restarting // TODO run this in a loop or in openvpn to reload from file without restarting
+5
@@ -121,6 +121,11 @@ func (c *Config) enable(ctx context.Context) (err error) {
return fmt.Errorf("running user defined post firewall rules: %w", err) return fmt.Errorf("running user defined post firewall rules: %w", err)
} }
err = c.netlinker.FlushConntrack()
if err != nil {
c.logger.Warn("flushing conntrack failed: " + err.Error())
}
return nil return nil
} }
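Review bot: A failed FlushConntrack on the added lines is only logged at Warn, yet that flush is what prevents flows established before the rules were applied from continuing to match the ESTABLISHED,RELATED accept rule; after the warning the firewall is still reported as enabled while such flows may persist. Either return the error, `return fmt.Errorf("flushing conntrack: %w", err)`, in the same wrapping style as the post-rules error just above, or, if best effort is intentional, say so next to the call with `// Best effort: a failed flush leaves pre-existing conntrack entries that the ESTABLISHED,RELATED rule still accepts.` The body of enable starts outside the hunk, so whether c.netlinker is guaranteed non-nil at this point cannot be checked here.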
+4 -2
@@ -13,6 +13,7 @@ import (
type Config struct { type Config struct {
runner CmdRunner runner CmdRunner
netlinker Netlinker
logger Logger logger Logger
defaultRoutes []routing.DefaultRoute defaultRoutes []routing.DefaultRoute
localNetworks []routing.LocalNetwork localNetworks []routing.LocalNetwork
@@ -35,8 +36,8 @@ type Config struct {
// NewConfig creates a new Config instance and returns an error // NewConfig creates a new Config instance and returns an error
// if no iptables implementation is available. // if no iptables implementation is available.
func NewConfig(ctx context.Context, logger Logger, func NewConfig(ctx context.Context, logger Logger,
runner CmdRunner, defaultRoutes []routing.DefaultRoute, runner CmdRunner, netlinker Netlinker,
localNetworks []routing.LocalNetwork, defaultRoutes []routing.DefaultRoute, localNetworks []routing.LocalNetwork,
) (config *Config, err error) { ) (config *Config, err error) {
impl, err := iptables.New(ctx, runner, logger) impl, err := iptables.New(ctx, runner, logger)
if err != nil { if err != nil {
@@ -45,6 +46,7 @@ func NewConfig(ctx context.Context, logger Logger,
return &Config{ return &Config{
runner: runner, runner: runner,
netlinker: netlinker,
logger: logger, logger: logger,
allowedInputPorts: make(map[uint16]map[string]struct{}), allowedInputPorts: make(map[uint16]map[string]struct{}),
// Obtained from routing // Obtained from routing
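Review bot: NewConfig stores the new netlinker parameter without checking it for nil, and its doc comment (which still only mentions the iptables implementation) was not extended to cover it; a nil interface would only surface later as a panic when enable calls FlushConntrack. Add a guard before the struct literal, e.g. `if netlinker == nil { return nil, fmt.Errorf("netlinker must not be nil") }` (using whichever error package this file already imports), and add to the comment `// netlinker is used to flush the conntrack table after the rules are applied.` The import block and the end of NewConfig lie outside the hunks.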
+4
@@ -19,6 +19,10 @@ type Logger interface {
Error(s string) Error(s string)
} }
type Netlinker interface {
FlushConntrack() error
}
type firewallImpl interface { //nolint:interfacebloat type firewallImpl interface { //nolint:interfacebloat
SaveAndRestore(ctx context.Context) (restore func(context.Context), err error) SaveAndRestore(ctx context.Context) (restore func(context.Context), err error)
AcceptEstablishedRelatedTraffic(ctx context.Context) error AcceptEstablishedRelatedTraffic(ctx context.Context) error
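Review bot: The new Netlinker interface on the added lines has no doc comment, and since flushing conntrack is the step that stops pre-existing flows from riding on the rule installed by AcceptEstablishedRelatedTraffic below, its contract is worth stating. Suggest `// Netlinker flushes the kernel connection-tracking table; it is called after the firewall rules are (re)applied so that flows established before the rules are not kept accepted via the ESTABLISHED,RELATED rule.` Because the flush now runs on every enable rather than once at startup, the comment could also note that FlushConntrack must be safe to call repeatedly, if that holds for the implementation. The firewallImpl interface continues past the end of the hunk.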