From 6aabef278beeff0142dbc3b854f7a8a572c0a5cd Mon Sep 17 00:00:00 2001 From: garywill Date: Sun, 25 Feb 2024 10:00:00 +0800 Subject: [PATCH] Detect firewalld and make sure it won't interfere --- README.md | 6 +----- lnxrouter | 52 +++++++++++++++++++++++++++++++++++++--------------- 2 files changed, 38 insertions(+), 20 deletions(-) diff --git a/README.md b/README.md index ea55ebb..dd3797c 100644 --- a/README.md +++ b/README.md @@ -25,6 +25,7 @@ Basic features: - Transparent proxy (redsocks) - Transparent DNS proxy (hijack port 53 packets) - Detect NetworkManager and make sure it won't interfere (handle interface (un)managed status) +- Detect firewalld and make sure it won't interfere our (by using `trusted` zone) - You can run many instances, to create many different networks. Has instances managing feature. **For many other features, see below [CLI usage](#cli-usage-and-other-features)** @@ -450,11 +451,6 @@ Visit [**my homepage** 🏡](https://garywill.github.io) to see **more tools and - 🙋‍♂️ Contributions are not limited to coding. There're [some posts and questions](https://github.com/garywill/linux-router/issues) that need more people to answer ## TODO - -Sooner is better: -- Detect firewalld and make sure it won't interfere our interface - -Future: - WPA3 - Global IPv6 - Explictly ban forwarding if not needed diff --git a/lnxrouter b/lnxrouter index 46ef050..19e2133 100644 --- a/lnxrouter +++ b/lnxrouter @@ -229,6 +229,8 @@ define_global_variables(){ IP_VERs= NM_UNM_LIST= # it's called "list" but for now one interface NM_PID= + FIREWALLD_PID= + TMP_FIREWALLD_ZONE= } parse_user_options(){ @@ -872,8 +874,6 @@ is_same_netns() { [[ "$(readlink /proc/$$/ns/net)" == "$(readlink /proc/$pid2/ns/net)" ]] && return 0 return 1 } - - #----------------- # only support NetworkManager >= 0.9.9 is_nm_running() { 
@@ -925,22 +925,37 @@ nm_restore_manage() { fi } #------- - -#========= -check_iptables() -{ - echo - iptables --version +is_firewalld_running() { + FIREWALLD_PID="$(get_pid_by_dbus_name "org.fedoraproject.FirewallD1")" - if which firewall-cmd > /dev/null 2>&1; then - if [[ "$(firewall-cmd --state 2>&1)" == "running" ]]; then + [[ ! -n "$FIREWALLD_PID" ]] && return 1 # not running + + if (which firewall-cmd >/dev/null 2>&1 ) && [[ "$(firewall-cmd --state 2>&1)" == "running" ]] ; then + if is_same_netns "$FIREWALLD_PID"; then echo "firewalld is running ($(firewall-cmd --version))" - echo -e "\nWARN: We haven't completed the compatibility with firewalld.\nWARN: If you see any trouble, try:\nWARN: 1) 'firewall-cmd --zone=trusted --add-interface='\nWARN: 2) disable firewalld\n" >&2 - # TODO + return 0 fi fi + + FIREWALLD_PID= # cancel value if treat as not running + return 1 # not running +} +firewalld_add_tmpzone() { +# TMP_FIREWALLD_ZONE="lrt${$}${SUBNET_IFACE}" + TMP_FIREWALLD_ZONE="trusted" +# firewall-cmd --new-zone=$TMP_FIREWALLD_ZONE || die "Failed creating temporary firewalld zone" + echo "Adding $SUBNET_IFACE to firewalld '$TMP_FIREWALLD_ZONE' zone" + firewall-cmd --zone=$TMP_FIREWALLD_ZONE --add-interface=$SUBNET_IFACE >/dev/null || die "Failed adding interface to firewalld temporary zone" +} +firewalld_del_tmpzone() { + if [[ -n "$TMP_FIREWALLD_ZONE" ]];then + echo "Removing $SUBNET_IFACE from firewalld '$TMP_FIREWALLD_ZONE' zone" + firewall-cmd --zone=$TMP_FIREWALLD_ZONE --remove-interface=$SUBNET_IFACE >/dev/null +# firewall-cmd --delete-zone=$TMP_FIREWALLD_ZONE + fi } +#========= CUSTOM_CHAINS_4_filter= CUSTOM_CHAINS_4_nat= CUSTOM_CHAINS_6_filter= @@ -1313,6 +1328,8 @@ _cleanup() { ip link set down dev "${SUBNET_IFACE}" + firewalld_del_tmpzone + if [[ $VWIFI_IFACE ]]; then # the subnet interface (virtual wifi interface) will be removed iw dev "${VWIFI_IFACE}" del dealloc_vface_name "$VWIFI_IFACE" 
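Review bot: `firewalld_add_tmpzone` binds the hotspot interface to firewalld's built-in `trusted` zone, which accepts all incoming traffic, so every service the router host listens on becomes reachable from any client on `$SUBNET_IFACE` regardless of firewalld policy; that trade-off deserves a comment above `TMP_FIREWALLD_ZONE="trusted"`, e.g. `# 'trusted' accepts everything arriving on this interface: firewalld no longer filters hotspot clients' traffic to this host, only our own iptables rules do`. The commented-out `--new-zone`/`--delete-zone` lines suggest a dedicated zone was intended; if that is revived, note that `--new-zone` is (as far as I know) a `--permanent`-only option, so the runtime binding would need a `--reload` or a `--permanent` pairing. `TMP_FIREWALLD_ZONE` is also assigned before `--add-interface` runs, so when that call fails and `die` leads into `_cleanup` (the second hunk here), `firewalld_del_tmpzone` tries to remove an interface that was never added; clearing the variable on failure, or setting it only after success, avoids the spurious error. Minor style: `[[ ! -n "$FIREWALLD_PID" ]]` reads better as `[[ -z "$FIREWALLD_PID" ]]`, and the `$TMP_FIREWALLD_ZONE`/`$SUBNET_IFACE` expansions in both `firewall-cmd` calls should be double-quoted as `"${SUBNET_IFACE}"` is elsewhere in the file. The leading context lines close `nm_restore_manage`, which starts outside the hunk.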
@@ -2226,9 +2243,9 @@ dealwith_mac # setting MAC should be after setting NM unmanaged [[ $WIFI_IFACE ]] && check_rfkill_unblock_wifi -check_iptables - -echo "NOTICE: Not showing all operations done to iptables rules" +echo +iptables --version +echo "Notice: Not showing all operations done to iptables rules" if [[ "$IPV6" -eq 0 ]]; then IP_VERs=("4") @@ -2303,6 +2320,11 @@ fi [[ $NO_DNSMASQ -eq 0 ]] && ( allow_dhcp ; start_dnsmasq ) + +echo "" +is_firewalld_running && firewalld_add_tmpzone + + echo echo "== Setting up completed, now linux-router should be working =="
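Review bot: The binding at `is_firewalld_running && firewalld_add_tmpzone` in the last hunk runs only after `allow_dhcp` and `start_dnsmasq`, so until this point `$SUBNET_IFACE` presumably sits in firewalld's default zone and early DHCP/DNS requests from clients may be dropped by firewalld before dnsmasq sees them; consider invoking it right after the interface is brought up and before the services start. The outcome of `is_firewalld_running` is also not reported, so the setup log says nothing when firewalld is absent or lives in another netns; an `|| echo "firewalld not detected"` on that line would make the log self-explanatory. `echo ""` plus the two added blank lines and the existing `echo` print several empty lines in a row; one `echo` suffices. The enclosing top-level script run continues outside the hunk.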