From 47ec0ee6b0c885a951a141710b1d4dddd3dfd035 Mon Sep 17 00:00:00 2001
From: midefos
Date: Wed, 14 Aug 2024 22:25:23 +0200
Subject: [PATCH] cleaning shit

---
 src/iptables_wrapper.rs | 64 ++++++-----------------------------------
 1 file changed, 8 insertions(+), 56 deletions(-)

diff --git a/src/iptables_wrapper.rs b/src/iptables_wrapper.rs
index d7ffa7f..ac48a0c 100644
--- a/src/iptables_wrapper.rs
+++ b/src/iptables_wrapper.rs
@@ -86,25 +86,8 @@ pub fn map_secured_ports_allowed_ips(docker: bool) -> HashMap>
     result
 }
 
-fn secure_port_rule(iptables: &IPTables, port: u16, docker: bool) -> Option {
-    if docker {
-        let internal_ip = get_internal_ip_for_docker_port(iptables, port)?;
-        Some(format!(
-            "-d {} -p tcp --dport {} -j DROP",
-            internal_ip, port
-        ))
-    } else {
-        Some(format!("-p tcp --dport {} -j DROP", port))
-    }
-}
-
-fn get_internal_ip_for_docker_port(iptables: &IPTables, port: u16) -> Option {
-    let rules = iptables.list("filter", "DOCKER").unwrap();
-    let rule = rules
-        .iter()
-        .find(|r| r.contains(&format!("-p tcp -m tcp --dport {} -j ACCEPT", port)));
-
-    rule.map(|r| extract_ip(&get_regex_for_ip(), r).unwrap())
+fn secure_port_rule(port: u16) -> String {
+    format!("-p tcp --dport {} -j DROP", port)
 }
 
 pub fn secure_port(
@@ -116,10 +99,7 @@ pub fn secure_port(
     let table = "filter";
     let chain = get_chain(docker);
 
-    let rule = secure_port_rule(&iptables, port, docker);
-    if rule.is_none() {
-        return Err("Err gathering secure port rule".into());
-    }
+    let rule = secure_port_rule(port);
 
     let position = if docker && position.is_none() {
         let all_docker_rules = iptables.list("filter", &chain).unwrap();
@@ -128,7 +108,6 @@ pub fn secure_port(
         position
     };
 
-    let rule = rule.unwrap();
     if let Some(position) = position {
         insert_unique(&iptables, table, &chain, &rule, position)
     } else {
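Review bot: The docker branch of secure_port_rule removed in the first hunk pinned the DROP to one container with `-d <internal_ip>`, while the new one-liner carries no destination match yet secure_port still installs it in whichever chain `get_chain(docker)` selects, so in docker mode the rule presumably now drops forwarded TCP to that dport for every container rather than the one resolved from the DOCKER chain. That is fail-closed here, but the same reduction is applied to allow_ip_for_port_rule in a later hunk, where it turns an ACCEPT that was scoped to one container into an ACCEPT for the source IP toward any container listening on that port; worth confirming that widening is intended. Either way the helper deserves a doc comment making the contract explicit, e.g. `/// Builds the DROP rule for `port` with no source or destination match; unsecure_port deletes by this exact string, so any change here must keep already-installed rules deletable.` The body of secure_port continues past the end of the last hunk on this line.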
@@ -139,30 +118,12 @@ pub fn secure_port(
 
 pub fn unsecure_port(port: u16, docker: bool) -> Result<(), Box> {
     let iptables = iptables::new(false).unwrap();
-    let rule = secure_port_rule(&iptables, port, docker);
-    if rule.is_none() {
-        return Err("Err gathering secure port rule".into());
-    }
-
-    let rule = rule.unwrap();
+    let rule = secure_port_rule(port);
     iptables.delete("filter", &get_chain(docker), &rule)
 }
 
-fn allow_ip_for_port_rule(
-    iptables: &IPTables,
-    port: u16,
-    ip: &str,
-    docker: bool,
-) -> Option {
-    if docker {
-        let internal_ip = get_internal_ip_for_docker_port(iptables, port)?;
-        Some(format!(
-            "-p tcp --dport {} -s {} -d {} -j ACCEPT",
-            port, ip, internal_ip
-        ))
-    } else {
-        Some(format!("-p tcp --dport {} -s {} -j ACCEPT", port, ip))
-    }
+fn allow_ip_for_port_rule(port: u16, ip: &str) -> String {
+    format!("-p tcp --dport {} -s {} -j ACCEPT", port, ip)
 }
 
 pub fn allow_ip_for_port(
@@ -175,12 +136,8 @@ pub fn allow_ip_for_port(
     let table = "filter";
     let chain = get_chain(docker);
 
-    let rule = allow_ip_for_port_rule(&iptables, port, ip, docker);
-    if rule.is_none() {
-        return Err("Err gathering allow ip for port rule".into());
-    }
+    let rule = allow_ip_for_port_rule(port, ip);
 
-    let rule = rule.unwrap();
     if let Some(position) = position {
         insert_unique(&iptables, table, &chain, &rule, position)
     } else {
@@ -194,12 +151,7 @@ pub fn remove_allow_ip_for_port(
     docker: bool,
 ) -> Result<(), Box> {
     let iptables = iptables::new(false).unwrap();
-    let rule = allow_ip_for_port_rule(&iptables, port, ip, docker);
-    if rule.is_none() {
-        return Err("Err gathering allow ip for port rule".into());
-    }
-
-    let rule = rule.unwrap();
+    let rule = allow_ip_for_port_rule(port, ip);
     iptables.delete("filter", &get_chain(docker), &rule)
 }
 
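Review bot: unsecure_port in the first hunk here deletes by exact rule text, and the text it builds for docker mode changed in this commit, so a DROP that the previous build installed with a `-d <internal_ip>` match will no longer be found by `iptables.delete` after an upgrade and stays in the chain; the remove_allow_ip_for_port hunk has the same problem for the old `-s IP -d <internal_ip>` ACCEPT, which is the more concerning leftover since it keeps a permission open that this API can no longer revoke. Whether rules from the old build are expected to survive a restart is not visible here, so this may be moot, but it should be stated. A short comment on unsecure_port, `// Deletes by exact rule text: only rules produced by this build's secure_port_rule are matched.`, would make the limitation visible, and a documented one-off cleanup of the old-format rules could sit next to it. Since `docker` now only selects the chain through get_chain, a note at the `let rule = secure_port_rule(port);` line saying so would save the next reader from looking for the dropped branch.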