/*
 * Copyright (C) 2019 The "MysteriumNetwork/node" Authors.
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation, either version 3 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program. If not, see <http://www.gnu.org/licenses/>.
 */

package firewall

// Scope type represents scope of blocking consumer traffic.
type Scope string

// OutgoingRuleRemove type defines function for removal of created rule.
// Calling it undoes the block or exception that produced it.
type OutgoingRuleRemove func()

// Scope values understood by OutgoingTrafficFirewall.BlockOutgoingTraffic.
const (
	// Global scope overrides session scope and is not affected by session scope calls.
	Global Scope = "global"
	// Session scope block is applied before connection session begins and is removed when session ends.
	Session Scope = "session"
	// none is the internal state marking that no blocks are in effect.
	none Scope = ""
)

// OutgoingTrafficFirewall defines consumer side firewall a.k.a. kill switch.
// Purpose is to detect traffic which leaves machine and reject it,
// because during established VPN connection it is expected to leave through tunnel device only.
type OutgoingTrafficFirewall interface {
	// Setup initialises the implementation; a non-nil error means the
	// kill switch cannot be relied on and callers should not assume traffic is blocked.
	Setup() error
	// Teardown releases whatever state the implementation holds.
	Teardown()
	// BlockOutgoingTraffic installs a block for the given scope. The
	// returned OutgoingRuleRemove lifts it again. What outboundIP is used
	// for is implementation-defined (presumably the interface/address the
	// block is bound to — confirm against the platform implementations).
	BlockOutgoingTraffic(scope Scope, outboundIP string) (OutgoingRuleRemove, error)
	// AllowIPAccess punches an exception for a single IP through an active block.
	AllowIPAccess(ip string) (OutgoingRuleRemove, error)
	// AllowURLAccess punches exceptions for the hosts named by rawURLs.
	AllowURLAccess(rawURLs ...string) (OutgoingRuleRemove, error)
}

// DefaultOutgoingFirewall outgoing traffic firewall bootstrapped for global calls.
//
// NOTE(review): the bootstrap value is the noop implementation declared
// elsewhere in this package, which by its name presumably blocks nothing.
// That makes the package-level helpers below fail-open until a platform
// backend is assigned here — confirm that assignment happens before any
// caller relies on the kill switch.
var DefaultOutgoingFirewall OutgoingTrafficFirewall = &outgoingFirewallNoop{}

// BlockNonTunnelTraffic effectively disallows any outgoing traffic from consumer node with specified scope.
// It delegates to DefaultOutgoingFirewall; the returned OutgoingRuleRemove lifts the block,
// and a non-nil error means no block was installed.
func BlockNonTunnelTraffic(scope Scope, outboundIP string) (OutgoingRuleRemove, error) {
	fw := DefaultOutgoingFirewall
	return fw.BlockOutgoingTraffic(scope, outboundIP)
}

// AllowURLAccess adds exception to blocked traffic for specified URL (host part is usually taken).
// It delegates to DefaultOutgoingFirewall.
func AllowURLAccess(urls ...string) (OutgoingRuleRemove, error) {
	fw := DefaultOutgoingFirewall
	return fw.AllowURLAccess(urls...)
}

// AllowIPAccess adds IP based exception.
// It delegates to DefaultOutgoingFirewall.
func AllowIPAccess(ip string) (OutgoingRuleRemove, error) {
	fw := DefaultOutgoingFirewall
	return fw.AllowIPAccess(ip)
}

// Reset firewall state - usually called when cleanup is needed (during shutdown).
// It calls Teardown on DefaultOutgoingFirewall; which rules are removed is
// up to the implementation.
func Reset() {
	fw := DefaultOutgoingFirewall
	fw.Teardown()
}