119 lines
3.3 KiB
Go
119 lines
3.3 KiB
Go
package app
|
|
|
|
import (
|
|
"os"
|
|
trafficappmarkspkg "selective-vpn-api/app/trafficappmarks"
|
|
"strings"
|
|
)
|
|
|
|
func ensureAppMarksNft() error {
|
|
_ = trafficappmarkspkg.EnsureBase(appMarksNFTConfig(), runCommandTimeout)
|
|
|
|
// Remove legacy rules that relied on `meta cgroup @svpn_cg_*` (broken on some kernels).
|
|
_ = cleanupLegacyAppMarksRules()
|
|
return nil
|
|
}
|
|
|
|
func cleanupLegacyAppMarksRules() error {
|
|
return trafficappmarkspkg.CleanupLegacyRules(appMarksNFTConfig(), runCommandTimeout)
|
|
}
|
|
|
|
func appMarkComment(target string, id uint64) string {
|
|
return trafficappmarkspkg.AppMarkComment(appMarkCommentPrefix, target, id)
|
|
}
|
|
|
|
func appGuardComment(target string, id uint64) string {
|
|
return trafficappmarkspkg.AppGuardComment(appGuardCommentPrefix, target, id)
|
|
}
|
|
|
|
func appGuardEnabled() bool {
|
|
v := strings.ToLower(strings.TrimSpace(os.Getenv("SVPN_APP_GUARD")))
|
|
return v == "1" || v == "true" || v == "yes" || v == "on"
|
|
}
|
|
|
|
func appMarksNFTConfig() trafficappmarkspkg.NFTConfig {
|
|
return trafficappmarkspkg.NFTConfig{
|
|
Table: appMarksTable,
|
|
Chain: appMarksChain,
|
|
GuardChain: appMarksGuardChain,
|
|
LocalBypassSet: appMarksLocalBypassSet,
|
|
MarkApp: MARK_APP,
|
|
MarkDirect: MARK_DIRECT,
|
|
MarkCommentPrefix: appMarkCommentPrefix,
|
|
GuardCommentPrefix: appGuardCommentPrefix,
|
|
GuardEnabled: appGuardEnabled(),
|
|
}
|
|
}
|
|
|
|
func appMarkAutoBypassCIDRs(vpnIface string) []string {
|
|
routes := detectAutoLocalBypassRoutes(vpnIface)
|
|
out := make([]string, 0, len(routes))
|
|
for _, rt := range routes {
|
|
dst := strings.TrimSpace(rt.Dst)
|
|
if dst == "" || dst == "default" {
|
|
continue
|
|
}
|
|
out = append(out, dst)
|
|
}
|
|
return out
|
|
}
|
|
|
|
func updateAppMarkLocalBypassSet(vpnIface string) error {
|
|
_ = ensureAppMarksNft()
|
|
return trafficappmarkspkg.UpdateLocalBypassSet(
|
|
appMarksNFTConfig(),
|
|
strings.TrimSpace(vpnIface),
|
|
appMarkAutoBypassCIDRs(vpnIface),
|
|
runCommandTimeout,
|
|
)
|
|
}
|
|
|
|
func nftInsertAppMarkRule(target string, rel string, level int, id uint64, vpnIface string) error {
|
|
return trafficappmarkspkg.InsertAppMarkRule(
|
|
appMarksNFTConfig(),
|
|
target,
|
|
rel,
|
|
level,
|
|
id,
|
|
strings.TrimSpace(vpnIface),
|
|
appMarkAutoBypassCIDRs(vpnIface),
|
|
runCommandTimeout,
|
|
)
|
|
}
|
|
|
|
func nftDeleteAppMarkRule(target string, id uint64) error {
|
|
return trafficappmarkspkg.DeleteAppMarkRule(appMarksNFTConfig(), target, id, runCommandTimeout)
|
|
}
|
|
|
|
func nftHasAppMarkRule(target string, id uint64) bool {
|
|
return trafficappmarkspkg.HasAppMarkRule(appMarksNFTConfig(), target, id, runCommandTimeout)
|
|
}
|
|
|
|
func parseNftHandle(line string) int {
|
|
return trafficappmarkspkg.ParseNftHandle(line)
|
|
}
|
|
|
|
func resolveCgroupV2PathForNft(input string) (rel string, level int, inodeID uint64, abs string, err error) {
|
|
return trafficappmarkspkg.ResolveCgroupV2PathForNft(input, cgroupRootPath)
|
|
}
|
|
|
|
func normalizeCgroupRelOnly(raw string) string {
|
|
return trafficappmarkspkg.NormalizeCgroupRelOnly(raw)
|
|
}
|
|
|
|
func cgroupDirInode(rel string) (uint64, error) {
|
|
return trafficappmarkspkg.CgroupDirInode(cgroupRootPath, rel)
|
|
}
|
|
|
|
func upsertAppMarkItem(items []appMarkItem, next appMarkItem) []appMarkItem {
|
|
return trafficappmarkspkg.UpsertItem(items, next)
|
|
}
|
|
|
|
func clearManagedAppMarkRules(chain string) {
|
|
trafficappmarkspkg.ClearManagedRules(appMarksNFTConfig(), chain, runCommandTimeout)
|
|
}
|
|
|
|
func isAllDigits(s string) bool {
|
|
return trafficappmarkspkg.IsAllDigits(s)
|
|
}
|