Detect firewalld and make sure it won't interfere

This commit is contained in:
garywill 2024-02-25 10:00:00 +08:00
parent 8b57dcef1a
commit 6aabef278b
2 changed files with 38 additions and 20 deletions


@ -25,6 +25,7 @@ Basic features:
- Transparent proxy (redsocks) - Transparent proxy (redsocks)
- Transparent DNS proxy (hijack port 53 packets) - Transparent DNS proxy (hijack port 53 packets)
- Detect NetworkManager and make sure it won't interfere (handle interface (un)managed status) - Detect NetworkManager and make sure it won't interfere (handle interface (un)managed status)
- Detect firewalld and make sure it won't interfere our (by using `trusted` zone)
- You can run many instances, to create many different networks. Has instances managing feature. - You can run many instances, to create many different networks. Has instances managing feature.
**For many other features, see below [CLI usage](#cli-usage-and-other-features)** **For many other features, see below [CLI usage](#cli-usage-and-other-features)**
@ -450,11 +451,6 @@ Visit [**my homepage** 🏡](https://garywill.github.io) to see **more tools and
- 🙋‍♂️ Contributions are not limited to coding. There're [some posts and questions](https://github.com/garywill/linux-router/issues) that need more people to answer - 🙋‍♂️ Contributions are not limited to coding. There're [some posts and questions](https://github.com/garywill/linux-router/issues) that need more people to answer
## TODO ## TODO
Sooner is better:
- Detect firewalld and make sure it won't interfere our interface
Future:
- WPA3 - WPA3
- Global IPv6 - Global IPv6
- Explictly ban forwarding if not needed - Explictly ban forwarding if not needed


@ -229,6 +229,8 @@ define_global_variables(){
IP_VERs= IP_VERs=
NM_UNM_LIST= # it's called "list" but for now one interface NM_UNM_LIST= # it's called "list" but for now one interface
NM_PID= NM_PID=
FIREWALLD_PID=
TMP_FIREWALLD_ZONE=
} }
parse_user_options(){ parse_user_options(){
@ -872,8 +874,6 @@ is_same_netns() {
[[ "$(readlink /proc/$$/ns/net)" == "$(readlink /proc/$pid2/ns/net)" ]] && return 0 [[ "$(readlink /proc/$$/ns/net)" == "$(readlink /proc/$pid2/ns/net)" ]] && return 0
return 1 return 1
} }
#----------------- #-----------------
# only support NetworkManager >= 0.9.9 # only support NetworkManager >= 0.9.9
is_nm_running() { is_nm_running() {
@ -925,22 +925,37 @@ nm_restore_manage() {
fi fi
} }
#------- #-------
is_firewalld_running() {
FIREWALLD_PID="$(get_pid_by_dbus_name "org.fedoraproject.FirewallD1")"
#========= [[ ! -n "$FIREWALLD_PID" ]] && return 1 # not running
check_iptables()
{
echo
iptables --version
if which firewall-cmd > /dev/null 2>&1; then if (which firewall-cmd >/dev/null 2>&1 ) && [[ "$(firewall-cmd --state 2>&1)" == "running" ]] ; then
if [[ "$(firewall-cmd --state 2>&1)" == "running" ]]; then if is_same_netns "$FIREWALLD_PID"; then
echo "firewalld is running ($(firewall-cmd --version))" echo "firewalld is running ($(firewall-cmd --version))"
echo -e "\nWARN: We haven't completed the compatibility with firewalld.\nWARN: If you see any trouble, try:\nWARN: 1) 'firewall-cmd --zone=trusted --add-interface=<SUBN_IFACE>'\nWARN: 2) disable firewalld\n" >&2 return 0
# TODO
fi fi
fi fi
FIREWALLD_PID= # cancel value if treat as not running
return 1 # not running
}
firewalld_add_tmpzone() {
# TMP_FIREWALLD_ZONE="lrt${$}${SUBNET_IFACE}"
TMP_FIREWALLD_ZONE="trusted"
# firewall-cmd --new-zone=$TMP_FIREWALLD_ZONE || die "Failed creating temporary firewalld zone"
echo "Adding $SUBNET_IFACE to firewalld '$TMP_FIREWALLD_ZONE' zone"
firewall-cmd --zone=$TMP_FIREWALLD_ZONE --add-interface=$SUBNET_IFACE >/dev/null || die "Failed adding interface to firewalld temporary zone"
}
firewalld_del_tmpzone() {
if [[ -n "$TMP_FIREWALLD_ZONE" ]];then
echo "Removing $SUBNET_IFACE from firewalld '$TMP_FIREWALLD_ZONE' zone"
firewall-cmd --zone=$TMP_FIREWALLD_ZONE --remove-interface=$SUBNET_IFACE >/dev/null
# firewall-cmd --delete-zone=$TMP_FIREWALLD_ZONE
fi
} }
#=========
CUSTOM_CHAINS_4_filter= CUSTOM_CHAINS_4_filter=
CUSTOM_CHAINS_4_nat= CUSTOM_CHAINS_4_nat=
CUSTOM_CHAINS_6_filter= CUSTOM_CHAINS_6_filter=
@ -1313,6 +1328,8 @@ _cleanup() {
ip link set down dev "${SUBNET_IFACE}" ip link set down dev "${SUBNET_IFACE}"
firewalld_del_tmpzone
if [[ $VWIFI_IFACE ]]; then # the subnet interface (virtual wifi interface) will be removed if [[ $VWIFI_IFACE ]]; then # the subnet interface (virtual wifi interface) will be removed
iw dev "${VWIFI_IFACE}" del iw dev "${VWIFI_IFACE}" del
dealloc_vface_name "$VWIFI_IFACE" dealloc_vface_name "$VWIFI_IFACE"
@ -2226,9 +2243,9 @@ dealwith_mac # setting MAC should be after setting NM unmanaged
[[ $WIFI_IFACE ]] && check_rfkill_unblock_wifi [[ $WIFI_IFACE ]] && check_rfkill_unblock_wifi
check_iptables echo
iptables --version
echo "NOTICE: Not showing all operations done to iptables rules" echo "Notice: Not showing all operations done to iptables rules"
if [[ "$IPV6" -eq 0 ]]; then if [[ "$IPV6" -eq 0 ]]; then
IP_VERs=("4") IP_VERs=("4")
@ -2303,6 +2320,11 @@ fi
[[ $NO_DNSMASQ -eq 0 ]] && ( allow_dhcp ; start_dnsmasq ) [[ $NO_DNSMASQ -eq 0 ]] && ( allow_dhcp ; start_dnsmasq )
echo ""
is_firewalld_running && firewalld_add_tmpzone
echo echo
echo "== Setting up completed, now linux-router should be working ==" echo "== Setting up completed, now linux-router should be working =="
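Review bot: `firewalld_add_tmpzone` binds the client-facing `$SUBNET_IFACE` to the built-in `trusted` zone, which accepts all inbound traffic, so every service listening on the host becomes reachable from hotspot clients rather than only the DHCP/DNS the router itself serves; the commented-out per-instance zone (`lrt${$}${SUBNET_IFACE}`) is the least-privilege direction and is worth finishing before this is advertised as "won't interfere". Until then the trade-off should be stated in the function, e.g. `# 'trusted' accepts everything from clients to this host; a dedicated zone opening only dhcp/dns (and forwarding) would be tighter — TODO`. `--add-interface` also reports a zone conflict instead of moving the interface if it is already bound to a different zone (a NetworkManager connection profile can do that), so `firewall-cmd --zone="$TMP_FIREWALLD_ZONE" --change-interface="$SUBNET_IFACE"` is the more robust call and quotes the expansions. The runtime binding is only undone by `firewalld_del_tmpzone` in `_cleanup`; if the script dies without reaching cleanup, the interface presumably stays in `trusted` until firewalld is reloaded, which deserves a line in the README caveats. The bodies of `_cleanup` and the main script run continue outside the hunks shown.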