124 lines
3.6 KiB
Go
124 lines
3.6 KiB
Go
package nat
|
|
|
|
import (
|
|
"encoding/json"
|
|
"fmt"
|
|
"os"
|
|
"os/exec"
|
|
"path/filepath"
|
|
"strings"
|
|
)
|
|
|
|
const tableName = "alpine-router-nat"
|
|
|
|
// Config holds NAT masquerade settings per interface.
|
|
type Config struct {
|
|
// Interfaces is the list of LAN interface names for which masquerade is enabled.
|
|
// Traffic arriving on these interfaces will be NATted to the outgoing WAN interface.
|
|
Interfaces []string `json:"interfaces"`
|
|
}
|
|
|
|
// configPath returns the path to nat.json next to the running binary.
|
|
func configPath() string {
|
|
exe, err := os.Executable()
|
|
if err != nil {
|
|
return filepath.Join("configs", "nat.json")
|
|
}
|
|
return filepath.Join(filepath.Dir(exe), "configs", "nat.json")
|
|
}
|
|
|
|
// IsInstalled reports whether the nft (nftables) binary is available.
|
|
func IsInstalled() bool {
|
|
_, err := exec.LookPath("nft")
|
|
return err == nil
|
|
}
|
|
|
|
// Load reads the NAT config from disk.
|
|
// Returns an empty config if the file does not exist yet.
|
|
func Load() (*Config, error) {
|
|
data, err := os.ReadFile(configPath())
|
|
if err != nil {
|
|
if os.IsNotExist(err) {
|
|
return &Config{Interfaces: []string{}}, nil
|
|
}
|
|
return nil, fmt.Errorf("read nat config: %w", err)
|
|
}
|
|
var cfg Config
|
|
if err := json.Unmarshal(data, &cfg); err != nil {
|
|
return nil, fmt.Errorf("parse nat config: %w", err)
|
|
}
|
|
if cfg.Interfaces == nil {
|
|
cfg.Interfaces = []string{}
|
|
}
|
|
return &cfg, nil
|
|
}
|
|
|
|
// Save writes the NAT config to the configs/ directory next to the binary.
|
|
func Save(cfg *Config) error {
|
|
p := configPath()
|
|
if err := os.MkdirAll(filepath.Dir(p), 0755); err != nil {
|
|
return fmt.Errorf("mkdir configs: %w", err)
|
|
}
|
|
data, err := json.MarshalIndent(cfg, "", " ")
|
|
if err != nil {
|
|
return err
|
|
}
|
|
return os.WriteFile(p, data, 0644)
|
|
}
|
|
|
|
// ApplyRules flushes the existing alpine-router NAT table and recreates it
|
|
// from the provided config. Called on every daemon startup and on config save.
|
|
//
|
|
// nftables is used instead of iptables because it applies all rules atomically
|
|
// in a single kernel call, which is faster and avoids partial-state issues.
|
|
func ApplyRules(cfg *Config) error {
|
|
return ApplyRulesWithBlocked(cfg, nil)
|
|
}
|
|
|
|
// ApplyRulesWithBlocked is like ApplyRules but also installs drop rules for
|
|
// the given list of blocked client IPs.
|
|
func ApplyRulesWithBlocked(cfg *Config, blockedIPs []string) error {
|
|
if err := os.WriteFile("/proc/sys/net/ipv4/ip_forward", []byte("1"), 0644); err != nil {
|
|
return fmt.Errorf("enable ip_forward: %w", err)
|
|
}
|
|
|
|
exec.Command("nft", "delete", "table", "ip", tableName).Run()
|
|
|
|
if len(cfg.Interfaces) == 0 && len(blockedIPs) == 0 {
|
|
return nil
|
|
}
|
|
|
|
var sb strings.Builder
|
|
fmt.Fprintf(&sb, "table ip %s {\n", tableName)
|
|
|
|
sb.WriteString(" chain forward {\n")
|
|
sb.WriteString(" type filter hook forward priority filter; policy drop;\n")
|
|
sb.WriteString(" ct state established,related accept\n")
|
|
|
|
for _, ip := range blockedIPs {
|
|
fmt.Fprintf(&sb, " ip saddr %s drop\n", ip)
|
|
fmt.Fprintf(&sb, " ip daddr %s drop\n", ip)
|
|
}
|
|
|
|
for _, iface := range cfg.Interfaces {
|
|
fmt.Fprintf(&sb, " iifname \"%s\" accept\n", iface)
|
|
}
|
|
sb.WriteString(" }\n")
|
|
|
|
sb.WriteString(" chain postrouting {\n")
|
|
sb.WriteString(" type nat hook postrouting priority srcnat; policy accept;\n")
|
|
for _, iface := range cfg.Interfaces {
|
|
fmt.Fprintf(&sb, " iifname \"%s\" masquerade\n", iface)
|
|
}
|
|
sb.WriteString(" }\n")
|
|
sb.WriteString("}\n")
|
|
|
|
cmd := exec.Command("nft", "-f", "-")
|
|
cmd.Stdin = strings.NewReader(sb.String())
|
|
out, err := cmd.CombinedOutput()
|
|
if err != nil {
|
|
return fmt.Errorf("nft apply: %s: %w", strings.TrimSpace(string(out)), err)
|
|
}
|
|
return nil
|
|
}
|