Automatically manage firewall rules (iptables) for services #1
6 changed files with 12 additions and 19 deletions
Cargo.lock
generated
|
@ -1210,9 +1210,9 @@ dependencies = [
|
|||
|
||||
[[package]]
|
||||
name = "tokio"
|
||||
version = "0.2.11"
|
||||
version = "0.2.21"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "8fdd17989496f49cdc57978c96f0c9fe5e4a58a8bddc6813c449a4624f6a030b"
|
||||
checksum = "d099fa27b9702bed751524694adbe393e18b36b204da91eb1cbbbbb4a5ee2d58"
|
||||
dependencies = [
|
||||
"bytes 0.5.4",
|
||||
"fnv",
|
||||
|
|
|
@ -11,7 +11,7 @@ reqwest = { version = "0.10", features = ["json"] }
|
|||
igd = { version = "0.10.0", features = ["aio"] }
|
||||
log = "0.4"
|
||||
pretty_env_logger = "0.4"
|
||||
tokio = "0.2.11"
|
||||
tokio = "0.2"
|
||||
futures = "0.3.5"
|
||||
serde = { version = "1.0.107", features = ["derive"] }
|
||||
serde_json = "1.0.53"
|
||||
|
|
|
@ -1,5 +1,4 @@
|
|||
use anyhow::Result;
|
||||
use log::*;
|
||||
use tokio::try_join;
|
||||
use crate::consul_actor::ConsulActor;
|
||||
use crate::igd_actor::IgdActor;
|
||||
|
|
|
@ -1,7 +1,6 @@
|
|||
use iptables;
|
||||
use regex::Regex;
|
||||
use std::collections::HashSet;
|
||||
use std::io;
|
||||
use crate::messages;
|
||||
|
||||
|
||||
#[derive(Debug)]
|
||||
|
@ -15,14 +14,16 @@ impl From<iptables::error::IPTError> for FirewallError {
|
|||
|
||||
pub fn setup(ipt: &iptables::IPTables) -> Result<(), FirewallError> {
|
||||
quentin
commented
anyhow will override your Result<> object, taking only a return value, error will be generic then.
This tip applies for the whole document, and in any case build will fail as soon as you will have added the anyhow use statement. anyhow will override your Result<> object, taking only a return value, error will be generic then.
eg:
```rust
pub fn setup(ipt: &iptables::IPTables) -> Result<()> {
```
This tip applies for the whole document, and in any case build will fail as soon as you will have added the anyhow use statement.
|
||||
|
||||
if !ipt.chain_exists("filter", "DIPLONAT")? {
|
||||
quentin
commented
It's very clever to put the rules in a separate chain, well done ;)
|
||||
ipt.new_chain("filter", "DIPLONAT")?;
|
||||
ipt.insert("filter", "INPUT", "-j DIPLONAT", 1)?;
|
||||
}
|
||||
|
||||
ipt.insert_unique("filter", "INPUT", "-j DIPLONAT", 1)?;
|
||||
|
||||
Ok(())
|
||||
}
|
||||
|
||||
pub fn open_ports(ipt: &iptables::IPTables, ports: messages::PublicExposedPorts) -> Result<(), FirewallError> {
|
||||
quentin
commented
Same as before, you can just use `Result<()>`
|
||||
|
||||
for p in ports.tcp_ports {
|
||||
ipt.append("filter", "DIPLONAT", &format!("-p tcp --dport {} -j ACCEPT", p))?;
|
||||
}
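Review bot: `ipt.insert("filter", "INPUT", "-j DIPLONAT", 1)` and `ipt.insert_unique("filter", "INPUT", "-j DIPLONAT", 1)` both put the jump at the head of INPUT, so every `-p tcp --dport N -j ACCEPT` appended to DIPLONAT is evaluated before any rule the administrator already keeps in INPUT (conntrack INVALID drops, source-based blocks, rate limits), and the accept rules carry no interface or source restriction, so exposing a port overrides the host's existing policy on all interfaces rather than fitting into it. If that precedence is intended, say so next to the insert, e.g. `// Position 1: exposed ports are accepted before any pre-existing INPUT rule`; otherwise appending the jump (`ipt.append_unique("filter", "INPUT", "-j DIPLONAT")`) lets the existing policy run first. The `p` values come from a `HashSet<u16>` per `do_fw_update`, so the `format!` interpolation itself is not an injection risk, which is worth a one-line comment on the `append` call. `open_ports` continues past the end of this hunk.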
|
||||
|
|
|
@ -1,8 +1,4 @@
|
|||
use igd::aio::*;
|
||||
use igd::PortMappingProtocol;
|
||||
use std::net::SocketAddrV4;
|
||||
use log::*;
|
||||
use anyhow::{Result, Context};
|
||||
use anyhow::Result;
|
||||
use tokio::{
|
||||
select,
|
||||
sync::watch,
|
||||
|
@ -10,6 +6,7 @@ use tokio::{
|
|||
self,
|
||||
Duration
|
||||
}};
|
||||
use log::*;
|
||||
|
||||
use iptables;
|
||||
use crate::messages;
|
||||
|
@ -17,7 +14,7 @@ use crate::fw;
|
|||
use std::collections::HashSet;
|
||||
|
||||
pub struct FirewallActor {
|
||||
ipt: iptables::IPTables,
|
||||
pub ipt: iptables::IPTables,
|
||||
rx_ports: watch::Receiver<messages::PublicExposedPorts>,
|
||||
last_ports: messages::PublicExposedPorts,
|
||||
refresh: Duration
|
||||
|
@ -25,8 +22,6 @@ pub struct FirewallActor {
|
|||
|
||||
impl FirewallActor {
|
||||
pub async fn new(_refresh: Duration, rxp: &watch::Receiver<messages::PublicExposedPorts>) -> Result<Self> {
|
||||
|
||||
|
||||
let ctx = Self {
|
||||
ipt: iptables::new(false).unwrap(),
|
||||
quentin
commented
Replace with `?`
|
||||
rx_ports: rxp.clone(),
|
||||
|
@ -61,7 +56,6 @@ impl FirewallActor {
|
|||
}
|
||||
|
||||
pub async fn do_fw_update(&self) -> Result<()> {
|
||||
|
||||
let curr_opened_ports = fw::get_opened_ports(&self.ipt).unwrap();
|
||||
quentin
commented
You should replace `unwrap` ;)
|
||||
|
||||
let diff_tcp = self.last_ports.tcp_ports.difference(&curr_opened_ports.tcp_ports).copied().collect::<HashSet<u16>>();
|
||||
quentin marked this conversation as resolved
quentin
commented
Nice idea the set difference ;)
darkgallium
commented
Thanks a lot :)
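Review bot: `iptables::new(false)` in `FirewallActor::new` opens only the IPv4 tables (the boolean is the crate's `is_ipv6` selector), so a service that is also reachable over IPv6 gets no ip6tables counterpart and the exposure managed by `do_fw_update` is asymmetric. Either document the scope on the field, e.g. `// IPv4 only: exposed ports are not mirrored into ip6tables`, or hold a second handle from `iptables::new(true)` and run `fw::setup`/`fw::open_ports` against both. Separately, if `pub ipt: iptables::IPTables` is the new side of the struct hunk, any holder of the actor can mutate the firewall outside `do_fw_update`, after which `last_ports` no longer reflects what is actually open; a `pub fn ipt(&self) -> &iptables::IPTables` accessor or a method wrapping `fw::setup(&self.ipt)` would keep the handle private. Both `new` and `do_fw_update` continue outside their hunks.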
|
||||
|
|
|
@ -7,7 +7,6 @@ mod diplonat;
|
|||
mod fw;
|
||||
mod fw_actor;
|
||||
|
||||
use iptables;
|
||||
use log::*;
|
||||
use diplonat::Diplonat;
|
||||
|
||||
|
|
Could you add the anyhow crate to handle errors please: