
feat: support to auto config firewall (firewalld) #420

Merged
merged 8 commits into from
Jan 11, 2024

Conversation

mzz2017 (Contributor) commented Jan 8, 2024

Background

global {
  auto_config_firewall_rule: true
}

It performs:

nft list table inet firewalld && nft 'insert rule inet firewalld filter_INPUT mark & 0x08000000 == 0x08000000 accept'

Checklist

Full Changelogs

  • [Implement ...]

Issue Reference

Closes #419

Test Result

@mzz2017 mzz2017 requested a review from a team as a code owner January 8, 2024 16:48
Basstorm commented Jan 8, 2024


root@R66S:~# nft list table inet firewalld && nft 'insert rule inet firewalld filter_INPUT mark & 0x08000000 == 0x08000000 accept'
Error: No such file or directory
list table inet firewalld
                ^^^^^^^^^

For immortalwrt 23.05 or maybe mainstream openwrt the command should be

nft 'insert rule inet fw4 input mark 0x8000000 accept'

Is there a more compatible implementation?
nevermind. I didn't see the todo line..
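As an added example (not dae's own code) covering both the firewalld rule in the description and the fw4 variant above: POSIX shell helpers that detect the front-end from `nft list tables` output, build the matching insert statement, and check whether the rule is already present so repeated reloads do not stack duplicates. `DAE_MARK`, the function names and the sample nft output are assumptions; the bitmask form `mark & 0x08000000 == 0x08000000` is used for fw4 as well, because the exact-match form `mark 0x8000000` would not match a packet whose mark also carries other bits.

```shell
#!/bin/sh
# Added example, not dae's own code: choose and check the nft rule that
# auto_config_firewall_rule would insert, for both firewalld and OpenWrt fw4.
# Every function takes nft output as text, so this runs without nft or root.

DAE_MARK=0x08000000   # fwmark dae sets on its own traffic (value from the PR)

# detect_firewall <output of `nft list tables`> -> firewalld | fw4 | none
# firewalld is checked first, mirroring the order the PR uses.
detect_firewall() {
  if printf '%s\n' "$1" | grep -qx 'table inet firewalld'; then
    echo firewalld
  elif printf '%s\n' "$1" | grep -qx 'table inet fw4'; then
    echo fw4
  else
    echo none
  fi
}

# firewall_rule <front-end> -> the nft statement to pass to `nft '...'`
# (exit status 1 when no supported front-end was detected).
# Chain names come from the PR thread: filter_INPUT (firewalld), input (fw4).
# The bitmask test accepts any packet with the dae bit set, even if other
# mark bits are set too; an exact match on the mark value would not.
firewall_rule() {
  case "$1" in
    firewalld) echo "insert rule inet firewalld filter_INPUT mark & $DAE_MARK == $DAE_MARK accept" ;;
    fw4)       echo "insert rule inet fw4 input mark & $DAE_MARK == $DAE_MARK accept" ;;
    *)         return 1 ;;
  esac
}

# rule_present <output of `nft list chain inet <table> <chain>`> -> 0 if the
# accept rule is already installed, so a reload does not insert a duplicate.
rule_present() {
  printf '%s\n' "$1" | grep -q "mark & $DAE_MARK == $DAE_MARK accept"
}
```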

mzz2017 (Contributor, Author) commented Jan 8, 2024

@Basstorm Thanks for testing. It doesn't matter. I'll try it with fw4 again.

mzz2017 (Contributor, Author) commented Jan 10, 2024

@Basstorm I've added fw4 support. Could you please try it?

Basstorm commented

@mzz2017 No problems.

nobody116 commented

Environment: openSUSE + local proxy (WAN)
After a reboot, proxied websites cannot be accessed; after running sudo systemctl restart/reload dae.service the proxy works normally again, i.e. curl 1.1.1.1 -v only works after a reload/restart.

> sudo /usr/local/bin/dae -v
dae version unstable-20240110.pr-420.r8.9f4776
go runtime go1.21.5 linux/amd64
Copyright (c) 2022-2024 dae
License GNU AGPLv3 <https://github.com/daeuniverse/dae/blob/main/LICENSE>

mzz2017 (Contributor, Author) commented Jan 10, 2024

Environment: openSUSE + local proxy (WAN)
After a reboot, proxied websites cannot be accessed; after running sudo systemctl restart/reload dae.service the proxy works normally again, i.e. curl 1.1.1.1 -v only works after a reload/restart.

> sudo /usr/local/bin/dae -v
dae version unstable-20240110.pr-420.r8.9f4776
go runtime go1.21.5 linux/amd64
Copyright (c) 2022-2024 dae
License GNU AGPLv3 <https://github.com/daeuniverse/dae/blob/main/LICENSE>

This problem may be related to #418. Set log level: trace and check the log to see whether the first connectivity check fails and the second succeeds.

nobody116 commented

Environment: openSUSE + local proxy (WAN)
After a reboot, proxied websites cannot be accessed; after running sudo systemctl restart/reload dae.service the proxy works normally again, i.e. curl 1.1.1.1 -v only works after a reload/restart.

> sudo /usr/local/bin/dae -v
dae version unstable-20240110.pr-420.r8.9f4776
go runtime go1.21.5 linux/amd64
Copyright (c) 2022-2024 dae
License GNU AGPLv3 <https://github.com/daeuniverse/dae/blob/main/LICENSE>

This problem may be related to #418. Set log level: trace and check the log to see whether the first connectivity check fails and the second succeeds.

Yes, the first Connectivity Check fails and the second Connectivity Check succeeds.

level=debug msg="Connectivity Check Failed" err="rpc error: code = Unavailable desc = connection error: desc = "transport: Error while dialing: dial tcp <nil>->ip:port: connect: network is unreachable"" network="udp4(DNS)" node=SJC

Is this log absent by default with policy fixed(0)? I found it after changing the policy to min_moving_avg.

mzz2017 (Contributor, Author) commented Jan 11, 2024

@nobody116 Check whether networking works normally after the second success.

nobody116 commented

@nobody116 Check whether networking works normally after the second success.

After the second success, the proxy works normally.

dae-prow bot (Contributor) left a comment

🧪 Since the PR has been fully tested, please consider merging it.

sumire88 (Contributor) left a comment

Good job. Thanks!

@mzz2017 mzz2017 merged commit f9bba24 into main Jan 11, 2024
30 checks passed
@mzz2017 mzz2017 deleted the mzz/auto_add_firewalld_rule branch January 11, 2024 12:25
Successfully merging this pull request may close these issues.

[Bug Report] dae is stuck in CheckNetwork when reloading