mirrors/opensnitch
1
0
Fork 0
mirror of https://github.com/evilsocket/opensnitch.git synced 2025-03-04 08:34:40 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions 1
opensnitch/daemon/firewall/rules.go

159 lines
4.1 KiB
Go
Raw Normal View History

misc: small fix or general refactoring i did not bother commenting
2018-04-02 05:25:32 +02:00
package firewall
import (
Allow to configure firewall rules from the GUI (#660) * Allow to configure firewall rules from the GUI (WIP) New features: - Configure and list system firewall rules from the GUI (nftables). - Configure chains' policies. - Add simple rules to allow incoming ports. - Add simple rules to exclude apps (ports) from being intercepted. This feature is only available for nftables. iptables is still supported, you can add rules to the configuration file and they'll be loaded, but you can't configure them from the GUI. More information: #592
2022-05-03 22:05:12 +02:00
"fmt"
fw: minor changes for better code reading
2023-01-30 13:43:44 +01:00
"github.com/evilsocket/opensnitch/daemon/firewall/common"
fw: allow to configure interception queue number - Added new configuration field to allow configure fw interception number queue (default to 0): "FwOptions": { "QueueNum": 0 } (we still need to reconfigure nfqueue queues in order for this to take effect). - If the fw configuration path is not supplied, default to /etc/opensnitchd/system-fw.json
2024-05-14 23:41:25 +02:00
"github.com/evilsocket/opensnitch/daemon/firewall/config"
added nftables support Added basic nftables support, which adds the needed rules to intercept outgoing network traffic and DNS responses. System rules will be added soon. What netfilter subsystem to use is determined based on the following: - nftables: if the _iptables_ binary is not present in the system, or if the iptables version (iptables -V) is "iptables vX.Y.Z (nf_tables)". - iptables: in the rest of the cases.
2021-06-07 01:32:05 +02:00
"github.com/evilsocket/opensnitch/daemon/firewall/iptables"
"github.com/evilsocket/opensnitch/daemon/firewall/nftables"
updated import paths
2020-12-09 18:18:42 +01:00
"github.com/evilsocket/opensnitch/daemon/log"
Allow to configure firewall rules from the GUI (#660) * Allow to configure firewall rules from the GUI (WIP) New features: - Configure and list system firewall rules from the GUI (nftables). - Configure chains' policies. - Add simple rules to allow incoming ports. - Add simple rules to exclude apps (ports) from being intercepted. This feature is only available for nftables. iptables is still supported, you can add rules to the configuration file and they'll be loaded, but you can't configure them from the GUI. More information: #592
2022-05-03 22:05:12 +02:00
"github.com/evilsocket/opensnitch/daemon/ui/protocol"
firewall: check rules every 5s Every 5s check if our rules are loaded, and if they aren't, add them again.
2020-02-22 00:27:35 +01:00
)
misc: small fix or general refactoring i did not bother commenting
2018-04-02 05:25:32 +02:00
added nftables support Added basic nftables support, which adds the needed rules to intercept outgoing network traffic and DNS responses. System rules will be added soon. What netfilter subsystem to use is determined based on the following: - nftables: if the _iptables_ binary is not present in the system, or if the iptables version (iptables -V) is "iptables vX.Y.Z (nf_tables)". - iptables: in the rest of the cases.
2021-06-07 01:32:05 +02:00
// Firewall is the interface that all firewalls (iptables, nftables) must implement.
type Firewall interface {
allow to configure nfqueue bypass flag Nfqueue bypass option skips the enqueue of packets to userspace if no application is listening to the queue. https://wiki.nftables.org/wiki-nftables/index.php/Queueing_to_userspace If this flag is not specified, and for example the daemon dies unexpectedly, all the outbound traffic will be blocked. Up until now we've been using this flag by default not to block network traffic if the daemon dies or is killed for some reason. But some users want to use precisely this behaviour (#884, #1183, #1201). Now you can configure it, to block connections if the daemon unexpectedly dies. The option is on by default in the configuration (QueueBypass: true). If this item is not present in the daemon config file, then it'll be false.
2024-10-19 10:51:40 +02:00
Init(uint16, string, string, bool)
added nftables support Added basic nftables support, which adds the needed rules to intercept outgoing network traffic and DNS responses. System rules will be added soon. What netfilter subsystem to use is determined based on the following: - nftables: if the _iptables_ binary is not present in the system, or if the iptables version (iptables -V) is "iptables vX.Y.Z (nf_tables)". - iptables: in the rest of the cases.
2021-06-07 01:32:05 +02:00
Stop()
Name() string
IsRunning() bool
fw: allow to configure interception queue number - Added new configuration field to allow configure fw interception number queue (default to 0): "FwOptions": { "QueueNum": 0 } (we still need to reconfigure nfqueue queues in order for this to take effect). - If the fw configuration path is not supplied, default to /etc/opensnitchd/system-fw.json
2024-05-14 23:41:25 +02:00
SetQueueNum(num uint16)
added nftables support Added basic nftables support, which adds the needed rules to intercept outgoing network traffic and DNS responses. System rules will be added soon. What netfilter subsystem to use is determined based on the following: - nftables: if the _iptables_ binary is not present in the system, or if the iptables version (iptables -V) is "iptables vX.Y.Z (nf_tables)". - iptables: in the rest of the cases.
2021-06-07 01:32:05 +02:00
Allow to configure firewall rules from the GUI (#660) * Allow to configure firewall rules from the GUI (WIP) New features: - Configure and list system firewall rules from the GUI (nftables). - Configure chains' policies. - Add simple rules to allow incoming ports. - Add simple rules to exclude apps (ports) from being intercepted. This feature is only available for nftables. iptables is still supported, you can add rules to the configuration file and they'll be loaded, but you can't configure them from the GUI. More information: #592
2022-05-03 22:05:12 +02:00
SaveConfiguration(rawConfig string) error
EnableInterception()
DisableInterception(bool)
added nftables support Added basic nftables support, which adds the needed rules to intercept outgoing network traffic and DNS responses. System rules will be added soon. What netfilter subsystem to use is determined based on the following: - nftables: if the _iptables_ binary is not present in the system, or if the iptables version (iptables -V) is "iptables vX.Y.Z (nf_tables)". - iptables: in the rest of the cases.
2021-06-07 01:32:05 +02:00
QueueDNSResponses(bool, bool) (error, error)
QueueConnections(bool, bool) (error, error)
CleanRules(bool)
sys fw: improved chains creation This is part of latest commit ced9a249338a33f131bb1b72f747135985ab8608 - When reusing a chain, configure the new policy. - Don't backup existing rules when reloading the configuration.
2022-12-23 00:50:22 +01:00
AddSystemRules(bool, bool)
DeleteSystemRules(bool, bool, bool)
Allow to change settings from the UI (1/2) We start receiving notifications from the UI, which allow us to change configurations and perform actions on the daemon. The concept of Node has also been introduced, which identifies every daemon (client) connected to the UI (server). These options has been added: - Enable/Disable firewall interception (for all nodes) - Change daemons (clients) configuration. globally or per node. - Change prompt dialog options. We have fixed some bugs along the way: - Close audit client connection gracefully. - Exclude our own connections from being intercepted. - Better handling of client connection status with the UI. We probably has also introduced some other bugs (not listed here).
2020-04-19 20:13:31 +02:00
Allow to configure firewall rules from the GUI (#660) * Allow to configure firewall rules from the GUI (WIP) New features: - Configure and list system firewall rules from the GUI (nftables). - Configure chains' policies. - Add simple rules to allow incoming ports. - Add simple rules to exclude apps (ports) from being intercepted. This feature is only available for nftables. iptables is still supported, you can add rules to the configuration file and they'll be loaded, but you can't configure them from the GUI. More information: #592
2022-05-03 22:05:12 +02:00
Serialize() (*protocol.SysFirewall, error)
Deserialize(sysfw *protocol.SysFirewall) ([]byte, error)
sys fw: report errors to the GUI after reloading - Send errors to the server (GUI) if there's any error when reloading the system fw rules (far from being perfect/optimal, needs a rewrite). - Don't load the configuration after saving it, let the watcher reload it on write change to avoid double reload/duplicated errors.
2023-07-15 20:32:42 +02:00
ErrorsChan() <-chan string
ErrChanEmpty() bool
added priority rules to bypass/extend interception In some scenarios (#47) may be useful to have a set of rules handled from OpenSnitch, although you can accomplish it with other software (ufw,...). This rules will sit just above default intercetion, so if you want to allow or deny something, just place it here. These priority rules are defined in /etc/opensnitchd/fw.json, with the following format (example): { "PriorityRules": { "out": { "allow": [ ], "deny": [ "-m conntrack --ctstate INVALID", "-p tcp ! --syn -m conntrack --ctstate NEW" ] } } } The structure must exist even if you haven't defined any rule, for example: { "PriorityRules": { "out": { "allow": [ ], "deny": [ ] } } }
2020-07-25 21:23:53 +02:00
}
Allow to configure firewall rules from the GUI (#660) * Allow to configure firewall rules from the GUI (WIP) New features: - Configure and list system firewall rules from the GUI (nftables). - Configure chains' policies. - Add simple rules to allow incoming ports. - Add simple rules to exclude apps (ports) from being intercepted. This feature is only available for nftables. iptables is still supported, you can add rules to the configuration file and they'll be loaded, but you can't configure them from the GUI. More information: #592
2022-05-03 22:05:12 +02:00
var (
fw: allow to configure interception queue number - Added new configuration field to allow configure fw interception number queue (default to 0): "FwOptions": { "QueueNum": 0 } (we still need to reconfigure nfqueue queues in order for this to take effect). - If the fw configuration path is not supplied, default to /etc/opensnitchd/system-fw.json
2024-05-14 23:41:25 +02:00
fw Firewall
queueNum = uint16(0)
Allow to configure firewall rules from the GUI (#660) * Allow to configure firewall rules from the GUI (WIP) New features: - Configure and list system firewall rules from the GUI (nftables). - Configure chains' policies. - Add simple rules to allow incoming ports. - Add simple rules to exclude apps (ports) from being intercepted. This feature is only available for nftables. iptables is still supported, you can add rules to the configuration file and they'll be loaded, but you can't configure them from the GUI. More information: #592
2022-05-03 22:05:12 +02:00
)
Allow to change settings from the UI (1/2) We start receiving notifications from the UI, which allow us to change configurations and perform actions on the daemon. The concept of Node has also been introduced, which identifies every daemon (client) connected to the UI (server). These options has been added: - Enable/Disable firewall interception (for all nodes) - Change daemons (clients) configuration. globally or per node. - Change prompt dialog options. We have fixed some bugs along the way: - Close audit client connection gracefully. - Exclude our own connections from being intercepted. - Better handling of client connection status with the UI. We probably has also introduced some other bugs (not listed here).
2020-04-19 20:13:31 +02:00
added nftables support Added basic nftables support, which adds the needed rules to intercept outgoing network traffic and DNS responses. System rules will be added soon. What netfilter subsystem to use is determined based on the following: - nftables: if the _iptables_ binary is not present in the system, or if the iptables version (iptables -V) is "iptables vX.Y.Z (nf_tables)". - iptables: in the rest of the cases.
2021-06-07 01:32:05 +02:00
// Init initializes the firewall and loads firewall rules.
Allow to configure firewall rules from the GUI (#660) * Allow to configure firewall rules from the GUI (WIP) New features: - Configure and list system firewall rules from the GUI (nftables). - Configure chains' policies. - Add simple rules to allow incoming ports. - Add simple rules to exclude apps (ports) from being intercepted. This feature is only available for nftables. iptables is still supported, you can add rules to the configuration file and they'll be loaded, but you can't configure them from the GUI. More information: #592
2022-05-03 22:05:12 +02:00
// We'll try to use the firewall configured in the configuration (iptables/nftables).
// If iptables is not installed, we can add nftables rules directly to the kernel,
// without relying on any binaries.
allow to configure nfqueue bypass flag Nfqueue bypass option skips the enqueue of packets to userspace if no application is listening to the queue. https://wiki.nftables.org/wiki-nftables/index.php/Queueing_to_userspace If this flag is not specified, and for example the daemon dies unexpectedly, all the outbound traffic will be blocked. Up until now we've been using this flag by default not to block network traffic if the daemon dies or is killed for some reason. But some users want to use precisely this behaviour (#884, #1183, #1201). Now you can configure it, to block connections if the daemon unexpectedly dies. The option is on by default in the configuration (QueueBypass: true). If this item is not present in the daemon config file, then it'll be false.
2024-10-19 10:51:40 +02:00
func Init(fwType, configPath, monitorInterval string, bypassQueue bool, qNum uint16) (err error) {
allow to configure what firewall to use Before this change, we tried to determine what firewall to use based on the version of iptables (if -V legacy -> nftables, otherwise iptables). This caused problems (#455), and as there's no support yet for nftables system firewall rules, it can't be configured to workaround these errors. Now the default firewall to use will be iptables. If it's not available (installed), can't be used or the configuration option is empty/missing, we'll use nftables.
2021-08-09 00:21:43 +02:00
if fwType == iptables.Name {
fw, err = iptables.Fw()
if err != nil {
log.Warning("iptables not available: %s", err)
}
}
if fwType == nftables.Name || err != nil {
fw, err = nftables.Fw()
if err != nil {
log.Warning("nftables not available: %s", err)
}
}
if err != nil {
improved errors printing
2022-12-11 11:41:47 +01:00
return fmt.Errorf("firewall error: %s, not iptables nor nftables are available or are usable. Please, report it on github", err)
allow to configure what firewall to use Before this change, we tried to determine what firewall to use based on the version of iptables (if -V legacy -> nftables, otherwise iptables). This caused problems (#455), and as there's no support yet for nftables system firewall rules, it can't be configured to workaround these errors. Now the default firewall to use will be iptables. If it's not available (installed), can't be used or the configuration option is empty/missing, we'll use nftables.
2021-08-09 00:21:43 +02:00
}
added nftables support Added basic nftables support, which adds the needed rules to intercept outgoing network traffic and DNS responses. System rules will be added soon. What netfilter subsystem to use is determined based on the following: - nftables: if the _iptables_ binary is not present in the system, or if the iptables version (iptables -V) is "iptables vX.Y.Z (nf_tables)". - iptables: in the rest of the cases.
2021-06-07 01:32:05 +02:00
if fw == nil {
fw: report initialization errors Allow send fw initialization errors to the server (UI).
2022-10-13 00:08:52 +02:00
return fmt.Errorf("Firewall not initialized")
Allow to change settings from the UI (1/2) We start receiving notifications from the UI, which allow us to change configurations and perform actions on the daemon. The concept of Node has also been introduced, which identifies every daemon (client) connected to the UI (server). These options has been added: - Enable/Disable firewall interception (for all nodes) - Change daemons (clients) configuration. globally or per node. - Change prompt dialog options. We have fixed some bugs along the way: - Close audit client connection gracefully. - Exclude our own connections from being intercepted. - Better handling of client connection status with the UI. We probably has also introduced some other bugs (not listed here).
2020-04-19 20:13:31 +02:00
}
fw: allow to configure interception queue number - Added new configuration field to allow configure fw interception number queue (default to 0): "FwOptions": { "QueueNum": 0 } (we still need to reconfigure nfqueue queues in order for this to take effect). - If the fw configuration path is not supplied, default to /etc/opensnitchd/system-fw.json
2024-05-14 23:41:25 +02:00
if configPath == "" {
configPath = config.DefaultConfigFile
}
allow to configure what firewall to use Before this change, we tried to determine what firewall to use based on the version of iptables (if -V legacy -> nftables, otherwise iptables). This caused problems (#455), and as there's no support yet for nftables system firewall rules, it can't be configured to workaround these errors. Now the default firewall to use will be iptables. If it's not available (installed), can't be used or the configuration option is empty/missing, we'll use nftables.
2021-08-09 00:21:43 +02:00
fw.Stop()
allow to configure nfqueue bypass flag Nfqueue bypass option skips the enqueue of packets to userspace if no application is listening to the queue. https://wiki.nftables.org/wiki-nftables/index.php/Queueing_to_userspace If this flag is not specified, and for example the daemon dies unexpectedly, all the outbound traffic will be blocked. Up until now we've been using this flag by default not to block network traffic if the daemon dies or is killed for some reason. But some users want to use precisely this behaviour (#884, #1183, #1201). Now you can configure it, to block connections if the daemon unexpectedly dies. The option is on by default in the configuration (QueueBypass: true). If this item is not present in the daemon config file, then it'll be false.
2024-10-19 10:51:40 +02:00
fw.Init(qNum, configPath, monitorInterval, bypassQueue)
fw: allow to configure interception queue number - Added new configuration field to allow configure fw interception number queue (default to 0): "FwOptions": { "QueueNum": 0 } (we still need to reconfigure nfqueue queues in order for this to take effect). - If the fw configuration path is not supplied, default to /etc/opensnitchd/system-fw.json
2024-05-14 23:41:25 +02:00
queueNum = qNum
Allow to change settings from the UI (1/2) We start receiving notifications from the UI, which allow us to change configurations and perform actions on the daemon. The concept of Node has also been introduced, which identifies every daemon (client) connected to the UI (server). These options has been added: - Enable/Disable firewall interception (for all nodes) - Change daemons (clients) configuration. globally or per node. - Change prompt dialog options. We have fixed some bugs along the way: - Close audit client connection gracefully. - Exclude our own connections from being intercepted. - Better handling of client connection status with the UI. We probably has also introduced some other bugs (not listed here).
2020-04-19 20:13:31 +02:00
added nftables support Added basic nftables support, which adds the needed rules to intercept outgoing network traffic and DNS responses. System rules will be added soon. What netfilter subsystem to use is determined based on the following: - nftables: if the _iptables_ binary is not present in the system, or if the iptables version (iptables -V) is "iptables vX.Y.Z (nf_tables)". - iptables: in the rest of the cases.
2021-06-07 01:32:05 +02:00
log.Info("Using %s firewall", fw.Name())
fw: report initialization errors Allow send fw initialization errors to the server (UI).
2022-10-13 00:08:52 +02:00
return
Allow to change settings from the UI (1/2) We start receiving notifications from the UI, which allow us to change configurations and perform actions on the daemon. The concept of Node has also been introduced, which identifies every daemon (client) connected to the UI (server). These options has been added: - Enable/Disable firewall interception (for all nodes) - Change daemons (clients) configuration. globally or per node. - Change prompt dialog options. We have fixed some bugs along the way: - Close audit client connection gracefully. - Exclude our own connections from being intercepted. - Better handling of client connection status with the UI. We probably has also introduced some other bugs (not listed here).
2020-04-19 20:13:31 +02:00
}
Allow to configure firewall rules from the GUI (#660) * Allow to configure firewall rules from the GUI (WIP) New features: - Configure and list system firewall rules from the GUI (nftables). - Configure chains' policies. - Add simple rules to allow incoming ports. - Add simple rules to exclude apps (ports) from being intercepted. This feature is only available for nftables. iptables is still supported, you can add rules to the configuration file and they'll be loaded, but you can't configure them from the GUI. More information: #592
2022-05-03 22:05:12 +02:00
// IsRunning returns if the firewall is running or not.
func IsRunning() bool {
return fw != nil && fw.IsRunning()
}
sys fw: report errors to the GUI after reloading - Send errors to the server (GUI) if there's any error when reloading the system fw rules (far from being perfect/optimal, needs a rewrite). - Don't load the configuration after saving it, let the watcher reload it on write change to avoid double reload/duplicated errors.
2023-07-15 20:32:42 +02:00
// ErrorsChan returns the channel where the errors are sent to.
func ErrorsChan() <-chan string {
return fw.ErrorsChan()
}
// ErrChanEmpty checks if the errors channel is empty.
func ErrChanEmpty() bool {
return fw.ErrChanEmpty()
}
Allow to configure firewall rules from the GUI (#660) * Allow to configure firewall rules from the GUI (WIP) New features: - Configure and list system firewall rules from the GUI (nftables). - Configure chains' policies. - Add simple rules to allow incoming ports. - Add simple rules to exclude apps (ports) from being intercepted. This feature is only available for nftables. iptables is still supported, you can add rules to the configuration file and they'll be loaded, but you can't configure them from the GUI. More information: #592
2022-05-03 22:05:12 +02:00
// CleanRules deletes the rules we added.
func CleanRules(logErrors bool) {
if fw == nil {
return
}
fw.CleanRules(logErrors)
}
fw: allow to configure config file/ check interval - Allow to configure system firewall configuration file path: * via cli (-fw-config-file). * via global configuration file. - Allow to configure fw rules check interval. The system fw config file contains regular iptables/nftables rules. Previously it was hardcoded to /etc/opensnitchd/system-fw.json The interval to check if the interception rules were added was also hardcoded to 10 seconds. Now it's possible to configure it. A value of "0s" disables the interval, while "" defaults to 10 seconds.
2023-12-20 21:32:45 +01:00
// Reload stops current firewall and initializes a new one.
allow to configure nfqueue bypass flag Nfqueue bypass option skips the enqueue of packets to userspace if no application is listening to the queue. https://wiki.nftables.org/wiki-nftables/index.php/Queueing_to_userspace If this flag is not specified, and for example the daemon dies unexpectedly, all the outbound traffic will be blocked. Up until now we've been using this flag by default not to block network traffic if the daemon dies or is killed for some reason. But some users want to use precisely this behaviour (#884, #1183, #1201). Now you can configure it, to block connections if the daemon unexpectedly dies. The option is on by default in the configuration (QueueBypass: true). If this item is not present in the daemon config file, then it'll be false.
2024-10-19 10:51:40 +02:00
func Reload(fwtype, configPath, monitorInterval string, bypassQueue bool, queueNum uint16) (err error) {
sys fw: allow to change fw type from the GUI - Configuration of system firewall rules from the GUI is not supported for iptables. Up until now only a warning was displayed, encouring to change fw type manually. Now if configured fw type is iptables (default-config.json, Firewall:), and the user opens the fw dialog, we'll ask the user to change it from the GUI. - Add fw rules before connecting to the GUI. Otherwise we send to the GUI an invalid fw state.
2022-12-16 17:03:36 +01:00
Stop()
allow to configure nfqueue bypass flag Nfqueue bypass option skips the enqueue of packets to userspace if no application is listening to the queue. https://wiki.nftables.org/wiki-nftables/index.php/Queueing_to_userspace If this flag is not specified, and for example the daemon dies unexpectedly, all the outbound traffic will be blocked. Up until now we've been using this flag by default not to block network traffic if the daemon dies or is killed for some reason. But some users want to use precisely this behaviour (#884, #1183, #1201). Now you can configure it, to block connections if the daemon unexpectedly dies. The option is on by default in the configuration (QueueBypass: true). If this item is not present in the daemon config file, then it'll be false.
2024-10-19 10:51:40 +02:00
err = Init(fwtype, configPath, monitorInterval, bypassQueue, queueNum)
sys fw: allow to change fw type from the GUI - Configuration of system firewall rules from the GUI is not supported for iptables. Up until now only a warning was displayed, encouring to change fw type manually. Now if configured fw type is iptables (default-config.json, Firewall:), and the user opens the fw dialog, we'll ask the user to change it from the GUI. - Add fw rules before connecting to the GUI. Otherwise we send to the GUI an invalid fw state.
2022-12-16 17:03:36 +01:00
return
}
Allow to configure firewall rules from the GUI (#660) * Allow to configure firewall rules from the GUI (WIP) New features: - Configure and list system firewall rules from the GUI (nftables). - Configure chains' policies. - Add simple rules to allow incoming ports. - Add simple rules to exclude apps (ports) from being intercepted. This feature is only available for nftables. iptables is still supported, you can add rules to the configuration file and they'll be loaded, but you can't configure them from the GUI. More information: #592
2022-05-03 22:05:12 +02:00
// ReloadSystemRules deletes existing rules, and add them again
func ReloadSystemRules() {
fw: minor changes for better code reading
2023-01-30 13:43:44 +01:00
fw.DeleteSystemRules(!common.ForcedDelRules, common.RestoreChains, true)
fw.AddSystemRules(common.ReloadRules, common.BackupChains)
Allow to configure firewall rules from the GUI (#660) * Allow to configure firewall rules from the GUI (WIP) New features: - Configure and list system firewall rules from the GUI (nftables). - Configure chains' policies. - Add simple rules to allow incoming ports. - Add simple rules to exclude apps (ports) from being intercepted. This feature is only available for nftables. iptables is still supported, you can add rules to the configuration file and they'll be loaded, but you can't configure them from the GUI. More information: #592
2022-05-03 22:05:12 +02:00
}
// EnableInterception removes the rules to intercept outbound connections.
func EnableInterception() error {
if fw == nil {
return fmt.Errorf("firewall not initialized when trying to enable interception, report please")
}
fw.EnableInterception()
return nil
}
// DisableInterception removes the rules to intercept outbound connections.
func DisableInterception() error {
if fw == nil {
return fmt.Errorf("firewall not initialized when trying to disable interception, report please")
}
fw.DisableInterception(true)
return nil
}
// Stop deletes the firewall rules, allowing network traffic.
func Stop() {
if fw == nil {
return
}
fw.Stop()
}
// SaveConfiguration saves configuration string to disk
func SaveConfiguration(rawConfig []byte) error {
return fw.SaveConfiguration(string(rawConfig))
}
// Serialize transforms firewall json configuration to protobuf
func Serialize() (*protocol.SysFirewall, error) {
return fw.Serialize()
}
// Deserialize transforms firewall json configuration to protobuf
func Deserialize(sysfw *protocol.SysFirewall) ([]byte, error) {
return fw.Deserialize(sysfw)
}
Reference in a new issue Copy permalink