Commit Graph

119 Commits

Author SHA1 Message Date
Quentin McGaw 27b8e83aa5 Use ErrKernelModuleMissing when missing kernel module string is detected 2026-03-11 13:35:56 +00:00
Quentin McGaw a62220d7b6 give up on kernel modules checks 2026-03-02 23:17:08 +00:00
Quentin McGaw 594b1db98b Require xt_CONNMARK and define its kernel config values 2026-02-28 15:13:23 +00:00
Quentin McGaw bfc8136bc9 Fourth fallback, use DROP temporarily instead of REJECT 2026-02-27 12:17:12 +00:00
Quentin McGaw 1fd4cc511a Fix kernel module names 2026-02-27 12:16:54 +00:00
Quentin McGaw af0bc3e224 allow custom chain name targets 2026-02-26 23:18:44 +00:00
Quentin McGaw 302f1f11f7 only use kernel modules error as context to an actual error, not as a requirement since some systems don't show what they support reliably 2026-02-26 23:14:40 +00:00
Quentin McGaw f654dece66 Reject output public ip traffic for 1s as another fallback 2026-02-26 23:10:37 +00:00
Quentin McGaw a37354426b Fallback to accepting only NEW output public traffic if conntrack netlink isn't supported 2026-02-26 23:08:32 +00:00
Quentin McGaw dfac2b2f1a Flush conntrack on every firewall enabling 2026-02-26 23:01:27 +00:00
Quentin McGaw 2bb4deccd5 feat(firewall): atomic iptables operations
- all operations rollback on failure
- disabling the firewall means rolling back to its state before enabling it
- aligns with nftables atomicity feature
2026-02-26 22:58:52 +00:00
Quentin McGaw d21953f62e chore(firewall): split apart iptables specific code in internal/firewall/iptables 2026-02-25 04:23:53 +00:00
Quentin McGaw bc79901f1e chore(pmtud/tcp): restrict temp firewall rules to source ip and source port 2026-02-19 13:20:58 +00:00
Quentin McGaw 04d7cef294 hotfix(pmtud/tcp): block kernel from racing to send RST packets
- this makes PMTUD TCP reliable
- this only works on kernels with the mark module
- on kernels without the mark module, the icmp pmtud mtu found is used
2026-02-17 21:46:24 +00:00
Quentin McGaw d43eb1658f chore(firewall): support TCP flags for future changes 2026-02-17 19:38:20 +00:00
Quentin McGaw be92aa2ac4 Path MTU discovery fixes and improvements (#3109)
- Existing option `WIREGUARD_MTU`, if set, disables PMTUD and is used
- New option `PMTUD_ICMP_ADDRESSES=1.1.1.1,8.8.8.8` and `PMTUD_TCP_ADDRESSES=1.1.1.1:443,8.8.8.8:443`
- ICMP PMTUD now targets external-by-default IP addresses
- New TCP PMTUD (binary search only) as a second MTU confirmation and fallback mechanism.
- Force set TCP MSS to MTU - IP header - TCP base header - "magic 20 bytes" 🎆
- Fix #3108
2026-02-14 19:40:34 -05:00
Quentin McGaw 6712adfe6b hotfix(firewall): handle textual values for protocols
- Alpine / iptables-legacy bug introduced in Alpine 3.22
- Alpine: what the hell? Stop introducing breaking changes in iptables on every god damn release!
2025-11-04 14:16:11 +00:00
Quentin McGaw 2e2e5f9df5 fix(firewall): parse "all" protocol from iptables chains 2025-11-03 16:09:24 +00:00
Quentin McGaw b0c4a28be6 chore(lint): upgrade linter to v2.4.0
- migrate configuration file
- fix existing code issues
- add exclusion rules
- update linter names
2025-08-16 20:10:19 +00:00
Quentin McGaw e890c50da6 feat(firewall): support icmp rules 2024-12-25 20:05:55 +00:00
Quentin McGaw 37900341cf hotfix(firewall): fix unit test for previous PR 2024-11-15 17:46:10 +00:00
Jean-François Roy 36bb368cad fix(firewall): iptables list uses -n flag for testing iptables path (#2574)
Signed-off-by: Jean-Francois Roy <jf@devklog.net>
2024-11-15 16:47:08 +01:00
Quentin McGaw 76a4bb5dc3 chore: use gofumpt for code formatting 2024-10-11 19:27:29 +00:00
Quentin McGaw abe9dcbe33 chore(lint): add new linters and update codebase
- add canonicalheader
- add copyloopvar
- add fatcontext
- add intrange
2024-10-11 18:28:00 +00:00
Quentin McGaw 3c8e80a1a4 chore(lint): upgrade linter from v1.56.2 to v1.61.0
- Remove no longer needed exclude rules
- Add new exclude rules for printf govet errors
- Remove deprecated linters `execinquery` and `exportloopref`
- Rename linter `goerr113` to `err113`
- Rename linter `gomnd` to `mnd`
2024-10-11 18:05:54 +00:00
Quentin McGaw 99e9bc87cf fix(firewall): deduplicate VPN address accept rule for multiple default routes with the same network interface 2024-10-06 09:48:07 +00:00
Quentin McGaw 9ef14ee070 fix(firewall): deduplicate ipv6 multicast output accept rules 2024-10-06 09:46:47 +00:00
Quentin McGaw 7842ff4cdc fix(firewall): ipv6 multicast output address value 2024-10-06 09:28:39 +00:00
Quentin McGaw 3d6d03b327 fix(firewall): log warning if ipv6 nat filter not supported instead of returning an error
- Allow port forwarding redirection for IPv4 and not IPv6 if IPv6 NAT is not supported
- Fix #2503
2024-10-05 07:52:30 +00:00
Quentin McGaw a2b3d7e30c chore(deps): implement github.com/qdm12/golibs/command locally (#2418) 2024-08-21 15:21:31 +02:00
Quentin McGaw 3f130931d2 hotfix(firewall): fix ip prefix parsing for ipv6 (again) 2024-08-19 17:06:45 +00:00
Quentin McGaw 946f055fed hotfix(firewall): handle iptables CIDR ranges with 3 digits for IPv6 2024-08-19 14:02:53 +00:00
Quentin McGaw bc55c25e73 fix(firewall): delete chain rules by line number (#2411)
- Fix #2334 
- Parsing of iptables chains, contributing to progress for #1856
2024-08-17 20:12:22 +02:00
Quentin McGaw 74ea1a0f5a hotfix(firewall): prefer ip6tables (nft) instead of ip6tables-legacy 2024-08-05 14:01:27 +00:00
Quentin McGaw 2a9ab29e7d fix(firewall): VPN_PORT_FORWARDING_LISTENING_PORT behavior fixed again
- allow redirection destination port in INPUT table
2024-08-05 13:57:30 +00:00
Quentin McGaw f6165d206a fix(firewall): VPN_PORT_FORWARDING_LISTENING_PORT behavior fixed
by not restricting the destination address to 127.0.0.1
2024-08-05 13:37:49 +00:00
Quentin McGaw 26705f5a23 hotfix(firewall): re-add iptables-legacy for setups with nft kernel support 2024-07-29 05:43:34 +00:00
Quentin McGaw ddbfdc9f14 feat(firewall): prefer using iptables nft instead of legacy 2024-07-28 14:29:00 +00:00
Quentin McGaw 73832d8b49 hotfix(firewall): add iptables -m flag for input port instructions 2024-07-26 11:40:12 +00:00
Quentin McGaw 06c9bc55d3 hotfix(firewall): prefer using ip6tables-legacy
- Fixes issue #2334
2024-07-08 08:57:57 +00:00
Quentin McGaw ce642a6d8b hotfix(firewall): prefer using iptables-legacy over nf_tables
- due to nf_tables bugs I discovered and reported
2024-05-09 14:33:34 +00:00
Quentin McGaw ef6874fe57 fix(firewall): query iptables version for iptables found 2024-05-04 16:19:30 +00:00
Quentin McGaw fb145d68a0 hotfix(firewall): support iptables-legacy for older kernels 2024-05-02 16:54:29 +00:00
Quentin McGaw c0621bf381 chore(lint): upgrade linter to v1.56.2 2024-03-21 17:02:11 +00:00
Quentin McGaw 75fd869625 fix(firewall): handle OpenVPN tcp-client as tcp 2023-12-14 15:10:33 +00:00
Quentin McGaw 4105f74ce1 feat(portforward): port redirection with VPN_PORT_FORWARDING_LISTENING_PORT 2023-11-23 08:37:43 +00:00
Quentin McGaw 4ea474b896 fix(routing): change firewall only for matching ip families 2023-09-20 10:45:13 +00:00
Quentin McGaw 0a29337c3b chore(all): replace net.IP with netip.Addr 2023-05-20 20:06:12 +00:00
Quentin McGaw d21a943779 chore(all): use netip.Prefix for ip networks
- remove usage of `net.IPNet`
- remove usage of `netaddr.IPPrefix`
2023-04-27 13:42:50 +00:00
Quentin McGaw 723d0f5e12 chore(lint): upgrade from v1.51.2 to v1.52.2 2023-04-12 09:40:00 +00:00