diff --git a/logic/gateway.go b/logic/gateway.go
index 96ddbef4..a9e56dff 100644
--- a/logic/gateway.go
+++ b/logic/gateway.go
@@ -56,6 +56,7 @@ func CreateEgressGateway(gateway models.EgressGatewayRequest) (models.Node, erro
 }
 }
 if node.OS == "freebsd" {
+ // spacing around ; is important for later parsing of postup/postdown in wireguard/common.go
 postUpCmd = "kldload ipfw ipfw_nat ; "
 postUpCmd += "ipfw disable one_pass ; "
 postUpCmd += "ipfw nat 1 config if " + gateway.Interface + " same_ports unreg_only reset ; "
@@ -285,6 +286,7 @@ func DeleteGatewayExtClients(gatewayID string, networkName string) error {
 // firewallNFTCommandsCreateIngress - used to centralize firewall command maintenance for creating an ingress gateway using the nftables firewall.
 func firewallNFTCommandsCreateIngress(networkInterface string) (string, string) {
+ // spacing around ; is important for later parsing of postup/postdown in wireguard/common.go
 postUp := "nft add table ip filter ; "
 postUp += "nft add chain ip filter FORWARD ; "
 postUp += "nft add rule ip filter FORWARD iifname " + networkInterface + " counter accept ; "
@@ -302,6 +304,7 @@ func firewallNFTCommandsCreateIngress(networkInterface string) (string, string)
 // firewallNFTCommandsCreateEgress - used to centralize firewall command maintenance for creating an egress gateway using the nftables firewall.
 func firewallNFTCommandsCreateEgress(networkInterface string, gatewayInterface string, egressNatEnabled string) (string, string) {
+ // spacing around ; is important for later parsing of postup/postdown in wireguard/common.go
 postUp := "nft add table ip filter ; "
 postUp += "nft add chain ip filter FORWARD ; "
 postUp += "nft add rule ip filter FORWARD iifname " + networkInterface + " counter accept ; "
@@ -322,6 +325,7 @@ func firewallNFTCommandsCreateEgress(networkInterface string, gatewayInterface s
 // firewallIPTablesCommandsCreateIngress - used to centralize firewall command maintenance for creating an ingress gateway using the iptables firewall.
 func firewallIPTablesCommandsCreateIngress(networkInterface string) (string, string) {
+ // spacing around ; is important for later parsing of postup/postdown in wireguard/common.go
 postUp := "iptables -A FORWARD -i " + networkInterface + " -j ACCEPT ; "
 postUp += "iptables -A FORWARD -o " + networkInterface + " -j ACCEPT ; "
 postUp += "iptables -t nat -A POSTROUTING -o " + networkInterface + " -j MASQUERADE"
@@ -336,7 +340,7 @@ func firewallIPTablesCommandsCreateIngress(networkInterface string) (string, str
 // firewallIPTablesCommandsCreateEgress - used to centralize firewall command maintenance for creating an egress gateway using the iptables firewall.
 func firewallIPTablesCommandsCreateEgress(networkInterface string, gatewayInterface string, egressNatEnabled string) (string, string) {
-
+ // spacing around ; is important for later parsing of postup/postdown in wireguard/common.go
 postUp := "iptables -A FORWARD -i " + networkInterface + " -j ACCEPT; "
 postUp += "iptables -A FORWARD -o " + networkInterface + " -j ACCEPT"
 postDown := "iptables -D FORWARD -i " + networkInterface + " -j ACCEPT; "
diff --git a/netclient/wireguard/common.go b/netclient/wireguard/common.go
index 438a19cd..41c6c236 100644
--- a/netclient/wireguard/common.go
+++ b/netclient/wireguard/common.go
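Review bot: `firewallIPTablesCommandsCreateEgress` joins its commands with `"; "` (no space before the semicolon) while the comment this hunk adds says the spacing matters and the other four builders in this file use `" ; "`; `WriteWgConfig` in netclient/wireguard/common.go splits on `" ; "`, so this egress PostUp/PostDown stays one unsplit value and is written back as a single line. The two visible `-j ACCEPT; ` pieces should read `-j ACCEPT ; `. A single exported separator constant shared by the server-side builders and the client-side splitter would keep both in lockstep instead of relying on a comment in each function. The function body continues past the hunk, so any further postUp/postDown lines need the same check.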
@@ -341,11 +341,24 @@ func WriteWgConfig(node *models.Node, privateKey string, peers []wgtypes.PeerCon
 //if node.DNSOn == "yes" {
 // wireguard.Section(section_interface).Key("DNS").SetValue(cfg.Server.CoreDNSAddr)
 //}
+ //need to split postup/postdown because ini lib adds a ` and the ` breaks freebsd
 if node.PostUp != "" {
- wireguard.Section(section_interface).Key("PostUp").SetValue(node.PostUp)
+ parts := strings.Split(node.PostUp, " ; ")
+ for i, part := range parts {
+ if i == 0 {
+ wireguard.Section(section_interface).Key("PostUp").SetValue(part)
+ }
+ wireguard.Section(section_interface).Key("PostUp").AddShadow(part)
+ }
 }
 if node.PostDown != "" {
- wireguard.Section(section_interface).Key("PostDown").SetValue(node.PostDown)
+ parts := strings.Split(node.PostDown, " ; ")
+ for i, part := range parts {
+ if i == 0 {
+ wireguard.Section(section_interface).Key("PostDown").SetValue(part)
+ }
+ wireguard.Section(section_interface).Key("PostDown").AddShadow(part)
+ }
 }
 if node.MTU != 0 {
 wireguard.Section(section_interface).Key("MTU").SetValue(strconv.FormatInt(int64(node.MTU), 10))
@@ -427,6 +440,7 @@ func UpdateWgPeers(file string, peers []wgtypes.PeerConfig) (*net.UDPAddr, error
 // UpdateWgInterface - updates the interface section of a wireguard config file
 func UpdateWgInterface(file, privateKey, nameserver string, node models.Node) error {
+ log.Println("updating conf file ", file, nameserver, node.Name)
 options := ini.LoadOptions{
 AllowNonUniqueSections: true,
 AllowShadows: true,
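Review bot: The return value of `AddShadow` is discarded in both loops; go-ini returns an error when the file was not loaded with `AllowShadows` (this function's `ini.LoadOptions` are outside the hunk — only `UpdateWgInterface` visibly sets it), and in that case every command after the first is silently dropped, so on a gateway node the FORWARD/NAT rules built in logic/gateway.go are never installed on PostUp and, worse, never removed on PostDown. The `i == 0` branch also calls `SetValue(part)` and then `AddShadow(part)` on the same part, which only works because go-ini, as far as I recall, ignores a shadow equal to an existing value — that same dedup would also drop a repeated command in the list. The identical loop appears four times across this hunk and `UpdateWgInterface`; a helper that trims parts, skips empty ones and returns the `AddShadow` error removes the duplication (the call site below assumes WriteWgConfig returns an error like UpdateWgInterface does; its signature is cut off in the hunk header).
```go
// setShadowedKey writes a " ; "-style command list as one key plus shadow
// values so wg-quick sees one PostUp/PostDown line per command. Parts are
// trimmed, empty parts skipped, and the AddShadow error is returned.
func setShadowedKey(key *ini.Key, cmds, sep string) error {
	first := true
	for _, part := range strings.Split(cmds, sep) {
		part = strings.TrimSpace(part)
		if part == "" {
			continue
		}
		if first {
			key.SetValue(part)
			first = false
			continue
		}
		if err := key.AddShadow(part); err != nil {
			return fmt.Errorf("adding %s shadow value: %w", key.Name(), err)
		}
	}
	return nil
}

	// … unchanged: DNS comment block …
	if node.PostUp != "" {
		if err := setShadowedKey(wireguard.Section(section_interface).Key("PostUp"), node.PostUp, " ; "); err != nil {
			return err
		}
	}
	if node.PostDown != "" {
		if err := setShadowedKey(wireguard.Section(section_interface).Key("PostDown"), node.PostDown, " ; "); err != nil {
			return err
		}
	}
	// … unchanged: MTU handling …
```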
@@ -451,11 +465,25 @@ func UpdateWgInterface(file, privateKey, nameserver string, node models.Node) er
 //if node.DNSOn == "yes" {
 // wireguard.Section(section_interface).Key("DNS").SetValue(nameserver)
 //}
+ //need to split postup/postdown because ini lib adds a quotes which breaks freebsd
 if node.PostUp != "" {
- wireguard.Section(section_interface).Key("PostUp").SetValue(node.PostUp)
+ log.Println("updating PostUp")
+ parts := strings.Split(node.PostUp, " ; ")
+ for i, part := range parts {
+ if i == 0 {
+ wireguard.Section(section_interface).Key("PostUp").SetValue(part)
+ }
+ wireguard.Section(section_interface).Key("PostUp").AddShadow(part)
+ }
 }
 if node.PostDown != "" {
- wireguard.Section(section_interface).Key("PostDown").SetValue(node.PostDown)
+ parts := strings.Split(node.PostDown, ";")
+ for i, part := range parts {
+ if i == 0 {
+ wireguard.Section(section_interface).Key("PostDown").SetValue(part)
+ }
+ wireguard.Section(section_interface).Key("PostDown").AddShadow(part)
+ }
 }
 if node.MTU != 0 {
 wireguard.Section(section_interface).Key("MTU").SetValue(strconv.FormatInt(int64(node.MTU), 10))
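Review bot: `strings.Split(node.PostDown, ";")` uses a different separator from the `" ; "` used for PostUp a few lines above and from both loops in `WriteWgConfig`; with `" ; "`-joined input every part keeps a leading or trailing space, and a `;` inside a quoted command argument is cut into a bogus command that wg-quick then executes. Change it to `parts := strings.Split(node.PostDown, " ; ")` so all four loops agree, or better, route all of them through one helper with one separator constant. `log.Println("updating PostUp")` here and `log.Println("updating conf file ", file, nameserver, node.Name)` in the hunk above read like leftover debug output and fire on every interface update; if they are meant to stay they belong behind the client's verbose log level. The `AddShadow` error is discarded here too, as in WriteWgConfig; UpdateWgInterface continues outside the hunk.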