firewall: open ports in ipv6 as well as ipv4 (using ip6tables)

2023-04-04 13:33:54 +02:00 · 2023-04-04 13:33:54 +02:00 · 846c4344aa
commit 846c4344aa
parent eba95c9b28
1 changed files with 28 additions and 23 deletions
--- a/src/fw_actor.rs
+++ b/src/fw_actor.rs
@ -12,7 +12,8 @@ use tokio::{
 use crate::{fw, messages};

 pub struct FirewallActor {
-  pub ipt: iptables::IPTables,
+  pub ipt_v4: iptables::IPTables,
+  pub ipt_v6: iptables::IPTables,
  rx_ports: watch::Receiver<messages::PublicExposedPorts>,
  last_ports: messages::PublicExposedPorts,
  refresh: Duration,
@ -20,17 +21,19 @@ pub struct FirewallActor {

 impl FirewallActor {
  pub async fn new(
-    _refresh: Duration,
+    refresh: Duration,
    rxp: &watch::Receiver<messages::PublicExposedPorts>,
  ) -> Result<Self> {
    let ctx = Self {
-      ipt: iptables::new(false)?,
+      ipt_v4: iptables::new(false)?,
+      ipt_v6: iptables::new(true)?,
      rx_ports: rxp.clone(),
      last_ports: messages::PublicExposedPorts::new(),
-      refresh: _refresh,
+      refresh,
    };

-    fw::setup(&ctx.ipt)?;
+    fw::setup(&ctx.ipt_v4)?;
+    fw::setup(&ctx.ipt_v6)?;

    return Ok(ctx);
  }
@ -59,27 +62,29 @@ impl FirewallActor {
  }

  pub async fn do_fw_update(&self) -> Result<()> {
-    let curr_opened_ports = fw::get_opened_ports(&self.ipt)?;
+    for ipt in [&self.ipt_v4, &self.ipt_v6] {
+      let curr_opened_ports = fw::get_opened_ports(ipt)?;

-    let diff_tcp = self
-      .last_ports
-      .tcp_ports
-      .difference(&curr_opened_ports.tcp_ports)
-      .copied()
-      .collect::<HashSet<u16>>();
-    let diff_udp = self
-      .last_ports
-      .udp_ports
-      .difference(&curr_opened_ports.udp_ports)
-      .copied()
-      .collect::<HashSet<u16>>();
+      let diff_tcp = self
+        .last_ports
+        .tcp_ports
+        .difference(&curr_opened_ports.tcp_ports)
+        .copied()
+        .collect::<HashSet<u16>>();
+      let diff_udp = self
+        .last_ports
+        .udp_ports
+        .difference(&curr_opened_ports.udp_ports)
+        .copied()
+        .collect::<HashSet<u16>>();

-    let ports_to_open = messages::PublicExposedPorts {
-      tcp_ports: diff_tcp,
-      udp_ports: diff_udp,
-    };
+      let ports_to_open = messages::PublicExposedPorts {
+        tcp_ports: diff_tcp,
+        udp_ports: diff_udp,
+      };

-    fw::open_ports(&self.ipt, ports_to_open)?;
+      fw::open_ports(ipt, ports_to_open)?;
+    }

    return Ok(());
  }