package main
// IPTables interface for interacting with an iptables library. Declare it this
// way so that it is easy to dependency inject a mock.
//
// Argument conventions, as used by Setup and UpdatePeers in this file: the
// first string is the table ("filter"), the second is the chain name, and the
// variadic strings are an iptables rule specification passed through as
// separate arguments (e.g. "-i", iface, "-j", "DROP"). The method set is
// shaped like a typical Go iptables wrapper; confirm the exact error semantics
// against the concrete implementation — in particular the text returned when
// a chain already exists, which Setup compares against literally.
type IPTables interface {
	// ClearChain is expected to flush every rule from the named chain in the
	// given table (UpdatePeers relies on this before re-adding peers).
	ClearChain(string, string) error
	// Append is expected to add the rule at the end of the chain
	// unconditionally (UpdatePeers uses it on a freshly cleared chain).
	Append(string, string, ...string) error
	// AppendUnique is expected to add the rule at the end of the chain only if
	// an identical rule is not already present (Setup uses it so re-running
	// does not duplicate INPUT rules).
	AppendUnique(string, string, ...string) error
	// NewChain is expected to create the named chain in the given table.
	NewChain(string, string) error
}
// Setup creates a new iptables chain for holding peers and adds the chain and
// deny rules to the specified interface.
//
// ipFace is the interface whose INPUT traffic is filtered, chain is the name
// of the peers chain. Returns the first error from the IPTables implementation;
// on error no further rules are added. Re-running Setup is expected: an
// existing chain is tolerated and AppendUnique avoids duplicate INPUT rules.
func Setup(ipt IPTables, ipFace, chain string) error {
	// Create the peers chain in the filter table before touching INPUT. A
	// "chain already exists" result is treated as success; anything else
	// aborts.
	if err := ipt.NewChain("filter", chain); err != nil {
		// NOTE(review): this matches the wrapper's exact error text, trailing
		// newline included. That is brittle across iptables versions and
		// backends, but a mismatch makes Setup return the error (fail closed)
		// rather than skip the check, so it is an availability concern, not
		// a bypass.
		if err.Error() != "exit status 1: iptables: Chain already exists.\n" {
			return err
		}
	}

	// INPUT rules for the interface, appended in this order:
	//   1. jump to the peers chain (ACCEPT for listed peers),
	//   2. keep already-established and related flows alive so that a peers
	//      chain rebuild in UpdatePeers does not cut existing connections,
	//   3. drop everything else arriving on the interface.
	// AppendUnique skips a rule that is already present but does not move it,
	// so the relative order is only guaranteed when the rules are first
	// installed by this function; a pre-existing DROP ahead of the jump would
	// shadow the peers chain.
	rules := [][]string{
		{"-i", ipFace, "-j", chain},
		{"-i", ipFace, "-m", "conntrack", "--ctstate", "ESTABLISHED,RELATED", "-j", "ACCEPT"},
		{"-i", ipFace, "-j", "DROP"},
	}
	for _, spec := range rules {
		if err := ipt.AppendUnique("filter", "INPUT", spec...); err != nil {
			return err
		}
	}
	return nil
}
// UpdatePeers updates the droplan-peers chain in iptables with the specified
// peers.
//
// The chain is flushed and then one "-s <peer> -j ACCEPT" rule is appended per
// entry, in slice order. Returns the first error from the IPTables
// implementation; a failure part-way leaves the chain partially populated.
//
// Security notes:
//   - The rebuild is not atomic: between ClearChain and the last Append the
//     chain accepts nothing, so new connections from peers are refused for
//     that window. Existing flows survive only because Setup installs an
//     ESTABLISHED,RELATED ACCEPT ahead of the DROP in INPUT.
//   - An empty peers slice leaves the chain empty, i.e. no new connection is
//     accepted on the interface (fail closed).
//   - Peer strings are passed through unvalidated as the -s match. Nothing
//     here checks that each is an IP or CIDR; a value like 0.0.0.0/0 would
//     accept everyone. Validate peers before calling.
func UpdatePeers(ipt IPTables, peers []string, chain string) error {
	if err := ipt.ClearChain("filter", chain); err != nil {
		return err
	}
	for i := range peers {
		rule := []string{"-s", peers[i], "-j", "ACCEPT"}
		if err := ipt.Append("filter", chain, rule...); err != nil {
			return err
		}
	}
	return nil
}