|
|
@ -60,6 +60,9 @@ type Firewall struct {
|
|
|
|
ruleLock sync.Mutex
|
|
|
|
ruleLock sync.Mutex
|
|
|
|
rulesById map[uint]*Rule
|
|
|
|
rulesById map[uint]*Rule
|
|
|
|
nextRuleId uint
|
|
|
|
nextRuleId uint
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
reloadRulesChan chan bool
|
|
|
|
|
|
|
|
stopChan chan bool
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
func (fw *Firewall) setEnabled(flag bool) {
|
|
|
|
func (fw *Firewall) setEnabled(flag bool) {
|
|
|
@ -103,6 +106,14 @@ func (fw *Firewall) getRuleById(id uint) *Rule {
|
|
|
|
return fw.rulesById[id]
|
|
|
|
return fw.rulesById[id]
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
func (fw *Firewall) stop() {
|
|
|
|
|
|
|
|
fw.stopChan <- true
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
func (fw *Firewall) reloadRules() {
|
|
|
|
|
|
|
|
fw.reloadRulesChan <- true
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
func (fw *Firewall) runFilter() {
|
|
|
|
func (fw *Firewall) runFilter() {
|
|
|
|
q := nfqueue.NewNFQueue(0)
|
|
|
|
q := nfqueue.NewNFQueue(0)
|
|
|
|
defer q.Destroy()
|
|
|
|
defer q.Destroy()
|
|
|
@ -111,12 +122,6 @@ func (fw *Firewall) runFilter() {
|
|
|
|
q.Timeout = 5 * time.Minute
|
|
|
|
q.Timeout = 5 * time.Minute
|
|
|
|
packets := q.Process()
|
|
|
|
packets := q.Process()
|
|
|
|
|
|
|
|
|
|
|
|
sigKillChan := make(chan os.Signal, 1)
|
|
|
|
|
|
|
|
signal.Notify(sigKillChan, os.Interrupt, os.Kill)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
sigHupChan := make(chan os.Signal, 1)
|
|
|
|
|
|
|
|
signal.Notify(sigHupChan, syscall.SIGHUP)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
for {
|
|
|
|
for {
|
|
|
|
select {
|
|
|
|
select {
|
|
|
|
case pkt := <-packets:
|
|
|
|
case pkt := <-packets:
|
|
|
@ -125,9 +130,9 @@ func (fw *Firewall) runFilter() {
|
|
|
|
} else {
|
|
|
|
} else {
|
|
|
|
pkt.Accept()
|
|
|
|
pkt.Accept()
|
|
|
|
}
|
|
|
|
}
|
|
|
|
case <-sigHupChan:
|
|
|
|
case <-fw.reloadRulesChan:
|
|
|
|
fw.loadRules()
|
|
|
|
fw.loadRules()
|
|
|
|
case <-sigKillChan:
|
|
|
|
case <-fw.stopChan:
|
|
|
|
return
|
|
|
|
return
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
@ -157,6 +162,8 @@ func main() {
|
|
|
|
enabled: true,
|
|
|
|
enabled: true,
|
|
|
|
logBackend: logBackend,
|
|
|
|
logBackend: logBackend,
|
|
|
|
policyMap: make(map[string]*Policy),
|
|
|
|
policyMap: make(map[string]*Policy),
|
|
|
|
|
|
|
|
reloadRulesChan: make(chan bool, 0),
|
|
|
|
|
|
|
|
stopChan: make(chan bool, 0),
|
|
|
|
}
|
|
|
|
}
|
|
|
|
ds.fw = fw
|
|
|
|
ds.fw = fw
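Review bot: `reloadRulesChan: make(chan bool, 0)` and `stopChan: make(chan bool, 0)` spell out the default zero capacity and carry a bool whose value is never read (the runFilter cases are `<-fw.reloadRulesChan` and `<-fw.stopChan`), so the idiomatic form is a signal channel: `reloadRulesChan: make(chan struct{})` and `stopChan: make(chan struct{})`, with the struct fields in the hunk at -60 changed to `chan struct{}` and the sends in stop()/reloadRules() to `<- struct{}{}`. A `chan struct{}` also allows stop() to `close(fw.stopChan)` instead of sending, so a stop issued after the filter has already exited cannot block forever. The Firewall literal this hunk edits begins outside the hunk.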
|
|
|
|
|
|
|
|
|
|
|
@ -176,6 +183,24 @@ func main() {
|
|
|
|
}
|
|
|
|
}
|
|
|
|
wg := sync.WaitGroup{}
|
|
|
|
wg := sync.WaitGroup{}
|
|
|
|
InitSocksListener(&socksConfig, &wg)
|
|
|
|
InitSocksListener(&socksConfig, &wg)
|
|
|
|
|
|
|
|
|
|
|
|
fw.runFilter()
|
|
|
|
fw.runFilter()
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
// observe process signals and either
|
|
|
|
|
|
|
|
// reload rules or shutdown firewall service
|
|
|
|
|
|
|
|
sigKillChan := make(chan os.Signal, 1)
|
|
|
|
|
|
|
|
signal.Notify(sigKillChan, os.Interrupt, os.Kill)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
sigHupChan := make(chan os.Signal, 1)
|
|
|
|
|
|
|
|
signal.Notify(sigHupChan, syscall.SIGHUP)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
for {
|
|
|
|
|
|
|
|
select {
|
|
|
|
|
|
|
|
case <-sigHupChan:
|
|
|
|
|
|
|
|
fw.reloadRules()
|
|
|
|
|
|
|
|
// XXX perhaps restart SOCKS proxy chain service?
|
|
|
|
|
|
|
|
case <-sigKillChan:
|
|
|
|
|
|
|
|
fw.stop()
|
|
|
|
|
|
|
|
return
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
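Review bot: The new signal loop at the end of main is unreachable while `fw.runFilter()` (the unchanged context line above it) still runs synchronously: runFilter only returns on `<-fw.stopChan`, and its only sender, `fw.stop()`, lives in the loop that never starts, so after this change SIGINT and SIGHUP fall back to their default process-terminating actions and the deferred `q.Destroy()` in runFilter never executes. Unless runFilter is started in a goroutine somewhere outside these hunks, the call should become `go fw.runFilter()`; because stopChan is unbuffered, `fw.stop()` then also waits for the filter to take the signal, though a done channel closed after runFilter's deferred Destroy would be needed to guarantee the queue is torn down before main returns. Separately, `signal.Notify(sigKillChan, os.Interrupt, os.Kill)` cannot deliver SIGKILL (it is not catchable, and go vet flags it), so `os.Kill` should be dropped or replaced by `syscall.SIGTERM` if the intent is graceful shutdown under a service manager.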
|
|
|
|