vanja/gluetun
1
0
Fork 0
mirror of https://github.com/qdm12/gluetun.git synced 2026-05-06 20:10:11 +02:00
Code Issues Packages Projects Releases Wiki Activity

Flush conntrack on every firewall enabling

Browse Source
This commit is contained in:
Quentin McGaw
2026-02-25 22:08:23 +00:00
parent 6467f3b4ad
commit dfac2b2f1a
4 changed files with 14 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files
cmd/gluetun/main.go
+1 -5
View File
@@ -227,7 +227,7 @@ func _main(ctx context.Context, buildInfo models.BuildInformation,
firewallLogger.Patch(log.SetLevel(log.LevelDebug))
}
firewallConf, err := firewall.NewConfig(ctx, firewallLogger, cmder,
defaultRoutes, localNetworks)
netLinker, defaultRoutes, localNetworks)
if err != nil {
return err
}
@@ -237,10 +237,6 @@ func _main(ctx context.Context, buildInfo models.BuildInformation,
if err != nil {
return err
}
err = netLinker.FlushConntrack()
if err != nil {
logger.Warnf("flushing conntrack failed: %s", err)
}
}
// TODO run this in a loop or in openvpn to reload from file without restarting
internal/firewall/enable.go
+5
View File
@@ -121,6 +121,11 @@ func (c *Config) enable(ctx context.Context) (err error) {
return fmt.Errorf("running user defined post firewall rules: %w", err)
}
err = c.netlinker.FlushConntrack()
if err != nil {
c.logger.Warn("flushing conntrack failed: " + err.Error())
}
return nil
}
internal/firewall/firewall.go
+4 -2
View File
@@ -13,6 +13,7 @@ import (
type Config struct {
runner CmdRunner
netlinker Netlinker
logger Logger
defaultRoutes []routing.DefaultRoute
localNetworks []routing.LocalNetwork
@@ -35,8 +36,8 @@ type Config struct {
// NewConfig creates a new Config instance and returns an error
// if no iptables implementation is available.
func NewConfig(ctx context.Context, logger Logger,
runner CmdRunner, defaultRoutes []routing.DefaultRoute,
localNetworks []routing.LocalNetwork,
runner CmdRunner, netlinker Netlinker,
defaultRoutes []routing.DefaultRoute, localNetworks []routing.LocalNetwork,
) (config *Config, err error) {
impl, err := iptables.New(ctx, runner, logger)
if err != nil {
@@ -45,6 +46,7 @@ func NewConfig(ctx context.Context, logger Logger,
return &Config{
runner: runner,
netlinker: netlinker,
logger: logger,
allowedInputPorts: make(map[uint16]map[string]struct{}),
// Obtained from routing
internal/firewall/interfaces.go
+4
View File
@@ -19,6 +19,10 @@ type Logger interface {
Error(s string)
}
type Netlinker interface {
FlushConntrack() error
}
type firewallImpl interface { //nolint:interfacebloat
SaveAndRestore(ctx context.Context) (restore func(context.Context), err error)
AcceptEstablishedRelatedTraffic(ctx context.Context) error