fix: check for Linux firewall install before use it (#1328)

* bugfix: check for Linux firewall install before use it * XRay Linux firewall rules
amnezia-vpn · Dec 31, 2024 · 86f0855 · 86f0855
1 parent a741186
commit 86f0855
Show file tree

Hide file tree

Showing 2 changed files with 5 additions and 0 deletions.
diff --git a/client/platforms/linux/daemon/linuxfirewall.cpp b/client/platforms/linux/daemon/linuxfirewall.cpp
@@ -196,6 +196,8 @@ QStringList LinuxFirewall::getDNSRules(const QStringList& servers)
         result << QStringLiteral("-o amn0+ -d %1 -p tcp --dport 53 -j ACCEPT").arg(server);
         result << QStringLiteral("-o tun0+ -d %1 -p udp --dport 53 -j ACCEPT").arg(server);
         result << QStringLiteral("-o tun0+ -d %1 -p tcp --dport 53 -j ACCEPT").arg(server);
+        result << QStringLiteral("-o tun2+ -d %1 -p udp --dport 53 -j ACCEPT").arg(server);
+        result << QStringLiteral("-o tun2+ -d %1 -p tcp --dport 53 -j ACCEPT").arg(server);
     }
     return result;
 }
@@ -277,6 +279,7 @@ void LinuxFirewall::install()
     installAnchor(Both, QStringLiteral("200.allowVPN"), {
                                                             QStringLiteral("-o amn0+ -j ACCEPT"),
                                                             QStringLiteral("-o tun0+ -j ACCEPT"),
+                                                            QStringLiteral("-o tun2+ -j ACCEPT"),
                                                         });
 
     installAnchor(IPv4, QStringLiteral("120.blockNets"), {});

diff --git a/ipc/ipcserver.cpp b/ipc/ipcserver.cpp
@@ -228,6 +228,8 @@ bool IpcServer::enableKillSwitch(const QJsonObject &configStr, int vpnAdapterInd
 
 #ifdef Q_OS_LINUX
     // double-check + ensure our firewall is installed and enabled
+    if (!LinuxFirewall::isInstalled())
+        LinuxFirewall::install();
     LinuxFirewall::setAnchorEnabled(LinuxFirewall::Both, QStringLiteral("000.allowLoopback"), true);
     LinuxFirewall::setAnchorEnabled(LinuxFirewall::Both, QStringLiteral("100.blockAll"), blockAll);
     LinuxFirewall::setAnchorEnabled(LinuxFirewall::IPv4, QStringLiteral("110.allowNets"), allowNets);