Added option to let the users define iptables rules.
The system rules are added in the file /etc/opensnitchd/system-fw.json
with this format:
```
{
"SystemRules": [
{
"Rule": {
"Description": "Allow pptp VPN",
"Table": "mangle",
"Chain": "OUTPUT",
"Parameters": "-p gre",
"Target": "ACCEPT",
"TargetParameters": ""
}
}
]
}
```
On the mangle table, OUTPUT chain, these rules are added before
the NFQUEUE interception rule, so any rule you add there bypasses the
interception. Useful to allow traffic you don't want to intercept.
This feature solves in some way the issue some users have connecting to
VPNs when the Default Action configured in the daemon is Deny.
For example:
- OpenVPN when keepalive is configured and ICMP is used.
- PPTP because the GRE routing protocol is blocked.
- probably others like IPSEC.
(regarding WireGuard, as far as I can tell it works just fine, see #61).
closes#47
In some scenarios (#47) may be useful to have a set of rules handled from
OpenSnitch, although you can accomplish it with other software (ufw,...).
This rules will sit just above default intercetion, so if you want to
allow or deny something, just place it here.
These priority rules are defined in /etc/opensnitchd/fw.json, with the
following format (example):
{
"PriorityRules": {
"out": {
"allow": [
],
"deny": [
"-m conntrack --ctstate INVALID",
"-p tcp ! --syn -m conntrack --ctstate NEW"
]
}
}
}
The structure must exist even if you haven't defined any rule, for
example:
{
"PriorityRules": {
"out": {
"allow": [
],
"deny": [
]
}
}
}
