From 9e61609312e6f8f7104ebcd7dab42069d7cff3c0 Mon Sep 17 00:00:00 2001
From: Patrick Pacher
Date: Thu, 16 Jul 2020 16:02:32 +0200
Subject: [PATCH] Add recover-iptables sub-comment.

Fixes #6

---
 cmds/portmaster-start/recover_linux.go | 21 +++++++++++++++++++++
 firewall/interception/nfqueue_linux.go | 17 +++++++++--------
 2 files changed, 30 insertions(+), 8 deletions(-)
 create mode 100644 cmds/portmaster-start/recover_linux.go

diff --git a/cmds/portmaster-start/recover_linux.go b/cmds/portmaster-start/recover_linux.go
new file mode 100644
index 000000000..b87723b08
--- /dev/null
+++ b/cmds/portmaster-start/recover_linux.go
@@ -0,0 +1,21 @@
+package main
+
+import (
+ "github.com/safing/portmaster/firewall/interception"
+ "github.com/spf13/cobra"
+)
+
+var recoverForceFlag bool
+var recoverIPTablesCmd = &cobra.Command{
+ Use: "recover-iptables",
+ Short: "Removes obsolete IP tables rules in case of an unclean shutdown",
+ RunE: func(*cobra.Command, []string) error {
+ return interception.DeactivateNfqueueFirewall(recoverForceFlag)
+ },
+ SilenceUsage: true,
+}
+
+func init() {
+ recoverIPTablesCmd.Flags().BoolVarP(&recoverForceFlag, "force", "f", false, "Force removal ignoring errors")
+ rootCmd.AddCommand(recoverIPTablesCmd)
+}
diff --git a/firewall/interception/nfqueue_linux.go b/firewall/interception/nfqueue_linux.go
index 312478cbd..27b81976f 100644
--- a/firewall/interception/nfqueue_linux.go
+++ b/firewall/interception/nfqueue_linux.go
@@ -179,7 +179,8 @@ func activateNfqueueFirewall() error {
 return nil
 }
 
-func deactivateNfqueueFirewall() error {
+// DeactivateNfqueueFirewall drops portmaster related IP tables rules.
+func DeactivateNfqueueFirewall(force bool) error {
 // IPv4
 ip4tables, err := iptables.NewWithProtocol(iptables.ProtocolIPv4)
 if err != nil {
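Review bot: With `--force`, `recover-iptables` exits 0 even when rules or chains could not be removed, and the command prints nothing itself, so an operator cannot tell a clean recovery from one that left NFQUEUE rules behind; stale rules that still steer traffic into a queue nobody reads would presumably keep blocking connections, which is the very condition this command exists to repair. At minimum the flag text on the `BoolVarP` line should say what is being traded away: `"Continue past rule/chain removal errors instead of aborting (skipped errors are not reported)"`. `recoverIPTablesCmd` also has no comment; something like `// recoverIPTablesCmd removes the nfqueue iptables rules and chains left behind by an unclean shutdown; it needs the same privileges as the firewall itself.` would tell the next maintainer why this lives in portmaster-start.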
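Review bot: The new doc comment on `DeactivateNfqueueFirewall` does not describe the `force` parameter, although it changes what the return value means: with `force` set, the per-rule and per-chain errors later in the function are skipped, so a nil result no longer implies that every rule is gone. Suggest `// DeactivateNfqueueFirewall removes the iptables rules and chains installed by activateNfqueueFirewall. If force is set, errors from individual rule and chain removals are skipped instead of returned, so a nil result does not guarantee that all rules were removed.` Note that the `iptables.NewWithProtocol` failure checked on the hunk's last line is still returned regardless of `force` (its `return err` sits just outside the hunk), so a missing or broken `iptables`/`ip6tables` binary presumably still aborts the recovery; that limitation belongs in the comment too. The function body continues beyond the hunk.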
@@ -194,7 +195,7 @@ func deactivateNfqueueFirewall() error {
 return err
 }
 if ok {
- if err = ip4tables.Delete(splittedRule[0], splittedRule[1], splittedRule[2:]...); err != nil {
+ if err = ip4tables.Delete(splittedRule[0], splittedRule[1], splittedRule[2:]...); err != nil && !force {
 return err
 }
 }
@@ -202,10 +203,10 @@ func deactivateNfqueueFirewall() error {
 for _, chain := range v4chains {
 splittedRule := strings.Split(chain, " ")
 
- if err = ip4tables.ClearChain(splittedRule[0], splittedRule[1]); err != nil {
+ if err = ip4tables.ClearChain(splittedRule[0], splittedRule[1]); err != nil && !force {
 return err
 }
- if err = ip4tables.DeleteChain(splittedRule[0], splittedRule[1]); err != nil {
+ if err = ip4tables.DeleteChain(splittedRule[0], splittedRule[1]); err != nil && !force {
 return err
 }
 }
@@ -223,7 +224,7 @@ func deactivateNfqueueFirewall() error {
 return err
 }
 if ok {
- if err = ip6tables.Delete(splittedRule[0], splittedRule[1], splittedRule[2:]...); err != nil {
+ if err = ip6tables.Delete(splittedRule[0], splittedRule[1], splittedRule[2:]...); err != nil && !force {
 return err
 }
 }
@@ -231,10 +232,10 @@ func deactivateNfqueueFirewall() error {
 for _, chain := range v6chains {
 splittedRule := strings.Split(chain, " ")
 
- if err := ip6tables.ClearChain(splittedRule[0], splittedRule[1]); err != nil {
+ if err := ip6tables.ClearChain(splittedRule[0], splittedRule[1]); err != nil && !force {
 return err
 }
- if err := ip6tables.DeleteChain(splittedRule[0], splittedRule[1]); err != nil {
+ if err := ip6tables.DeleteChain(splittedRule[0], splittedRule[1]); err != nil && !force {
 return err
 }
 }
@@ -293,7 +294,7 @@ func StopNfqueueInterception() error {
 in6Queue.Destroy()
 }
 
- err := deactivateNfqueueFirewall()
+ err := DeactivateNfqueueFirewall(false)
 if err != nil {
 return fmt.Errorf("interception: error while deactivating nfqueue: %s", err)
 }
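Review bot: When `force` is set, the error from `ip4tables.Delete` on the added line is dropped without any trace: nothing is logged, the loop moves on, and the caller learns nothing about which rules survived, which for a recovery command is exactly the information the operator needs. Keep the early return for the non-force case and report the skipped error instead of hiding it. The logger call below assumes the file already has a `log` package in scope; adjust it to whatever this file uses. The enclosing loop and the variable holding the rule start above the hunk.
```go
if err = ip4tables.Delete(splittedRule[0], splittedRule[1], splittedRule[2:]...); err != nil {
	if !force {
		return err
	}
	// force: keep going, but do not hide what was left behind.
	log.Warningf("interception: failed to remove iptables rule %v: %s", splittedRule, err)
}
```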
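Review bot: The two changed lines in the `v4chains` loop assign into the function-scoped `err` (`err = ip4tables.ClearChain(...)`, `err = ip4tables.DeleteChain(...)`), so after a forced run `err` still carries the last swallowed failure; whether that leaks into the function's return value depends on how the function ends, which is outside the hunk. The IPv6 chain loop further down already scopes the error with `:=`, so for consistency and to remove the question entirely use `if err := ip4tables.ClearChain(splittedRule[0], splittedRule[1]); err != nil && !force {` and likewise `if err := ip4tables.DeleteChain(splittedRule[0], splittedRule[1]); err != nil && !force {`. As in the rule loop, the skipped error is not reported anywhere when `force` is set.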
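Review bot: `StopNfqueueInterception` destroys the queues (`in6Queue.Destroy()` is visible just above the changed line) before `DeactivateNfqueueFirewall(false)` removes the NFQUEUE rules, so there is a window in which the rules still steer packets into a queue with no listener. Unless the rules are created with `--queue-bypass` (not visible here), the kernel drops such packets during that window, and if rule removal then fails the rules stay in place permanently; that is presumably the state `recover-iptables` is meant to clean up. Removing the rules first and destroying the queues afterwards would close the window if the shutdown ordering allows it; otherwise a comment explaining why the queues must go first would help. The function starts outside the hunk.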