From 846c4344aa10a8610c1de859bac51e71d86855d5 Mon Sep 17 00:00:00 2001
From: Alex Auvolat
Date: Tue, 4 Apr 2023 13:33:54 +0200
Subject: firewall: open ports in ipv6 as well as ipv4 (using ip6tables)
---
 src/fw_actor.rs | 51 ++++++++++++++++++++++++++++-----------------------
 1 file changed, 28 insertions(+), 23 deletions(-)
diff --git a/src/fw_actor.rs b/src/fw_actor.rs
index ac553b1..518c1b8 100644
--- a/src/fw_actor.rs
+++ b/src/fw_actor.rs
@@ -12,7 +12,8 @@ use tokio::{
 use crate::{fw, messages};
 pub struct FirewallActor {
- pub ipt: iptables::IPTables,
+ pub ipt_v4: iptables::IPTables,
+ pub ipt_v6: iptables::IPTables,
 rx_ports: watch::Receiver,
 last_ports: messages::PublicExposedPorts,
 refresh: Duration,
@@ -20,17 +21,19 @@ pub struct FirewallActor {
 impl FirewallActor {
 pub async fn new(
- _refresh: Duration,
+ refresh: Duration,
 rxp: &watch::Receiver,
 ) -> Result {
 let ctx = Self {
- ipt: iptables::new(false)?,
+ ipt_v4: iptables::new(false)?,
+ ipt_v6: iptables::new(true)?,
 rx_ports: rxp.clone(),
 last_ports: messages::PublicExposedPorts::new(),
- refresh: _refresh,
+ refresh,
 };
- fw::setup(&ctx.ipt)?;
+ fw::setup(&ctx.ipt_v4)?;
+ fw::setup(&ctx.ipt_v6)?;
 return Ok(ctx);
 }
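Review bot: The two new `pub` fields in the `FirewallActor` hunk have no doc comment, and since they are public a reader cannot tell from the type alone that both handles are driven with the same port set. Suggested comments: `/// Handle on the IPv4 (iptables) ruleset.` and `/// Handle on the IPv6 (ip6tables) ruleset; do_fw_update applies the same exposed-port set to both families.` The struct definition continues outside the hunk.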
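Review bot: In `new`, `iptables::new(true)?` followed by `fw::setup(&ctx.ipt_v6)?` turns any IPv6-side failure into a failure of the whole constructor, so a host that previously ran IPv4-only (ip6tables binary missing, IPv6 disabled in the kernel) now gets no firewall management at all rather than the v4 behaviour it had before this commit. If that is not the intended failure mode, the v6 handle could be made optional and its setup failure logged instead of propagated; if it is intended, a comment stating it would help, e.g. `// Both families must be manageable; refusing to start is preferable to silently exposing only one stack.` Either way the error that escapes here does not say which family failed, which is worth adding context for at this boundary if the `Result` alias in use supports it (not visible in the hunk).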
@@ -59,27 +62,29 @@ impl FirewallActor {
 }
 pub async fn do_fw_update(&self) -> Result<()> {
- let curr_opened_ports = fw::get_opened_ports(&self.ipt)?;
+ for ipt in [&self.ipt_v4, &self.ipt_v6] {
+ let curr_opened_ports = fw::get_opened_ports(ipt)?;
- let diff_tcp = self
- .last_ports
- .tcp_ports
- .difference(&curr_opened_ports.tcp_ports)
- .copied()
- .collect::>();
- let diff_udp = self
- .last_ports
- .udp_ports
- .difference(&curr_opened_ports.udp_ports)
- .copied()
- .collect::>();
+ let diff_tcp = self
+ .last_ports
+ .tcp_ports
+ .difference(&curr_opened_ports.tcp_ports)
+ .copied()
+ .collect::>();
+ let diff_udp = self
+ .last_ports
+ .udp_ports
+ .difference(&curr_opened_ports.udp_ports)
+ .copied()
+ .collect::>();
- let ports_to_open = messages::PublicExposedPorts {
- tcp_ports: diff_tcp,
- udp_ports: diff_udp,
- };
+ let ports_to_open = messages::PublicExposedPorts {
+ tcp_ports: diff_tcp,
+ udp_ports: diff_udp,
+ };
- fw::open_ports(&self.ipt, ports_to_open)?;
+ fw::open_ports(ipt, ports_to_open)?;
+ }
 return Ok(());
 }
-- cgit v1.2.3
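Review bot: The loop body in `do_fw_update` is the previous body re-indented verbatim, which makes the hunk hard to review and leaves the per-family work inline; extracting it into a private helper such as `fn open_missing_ports(&self, ipt: &iptables::IPTables) -> Result<()>` would reduce the loop to `for ipt in [&self.ipt_v4, &self.ipt_v6] { self.open_missing_ports(ipt)?; }` and make the next diff against this function legible. With `?` inside the loop, a failure on the ip6tables pass returns after the IPv4 rules have already been applied, so the caller sees an error with no indication of which family failed or that the host is now in a half-updated state; attaching the family to the error at this point (or at least documenting that the update is not atomic across families) would make that visible. Replacing the trailing `return Ok(());` with `Ok(())` is the idiomatic form. `do_fw_update` starts and ends inside this hunk.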