Add option for firewall rules

doc/ss-server.asciidoc

@@ -13,8 +13,9 @@ SYNOPSIS
  [-k <password>] [-m <encrypt_method>] [-f <pid_file>]
  [-t <timeout>] [-c <config_file>] [-i <interface>]
  [-a <user_name>] [-d <addr>] [-n <nofile>]
- [-b <local_address] [--fast-open] [--acl <acl_config>]
- [--mtu <MTU>] [--manager-address <path_to_unix_domain>]
+ [-b <local_address] [--fast-open] [--mptcp]
+ [--firewall] [--acl <acl_config>] [--mtu <MTU>]
+ [--manager-address <path_to_unix_domain>]
 
 DESCRIPTION
 -----------
@@ -105,6 +106,14 @@ Enable TCP fast open.
 +
 Only available with Linux kernel > 3.7.0.
 
+--mptcp::
+Enable Multipath TCP.
++
+Only available with MPTCP enabled Linux kernel.
+
+--firewall::
+Setup firewall rules for auto blocking.
+
 --acl <acl_config>::
 Enable ACL (Access Control List) and specify config file.
 

src/acl.c

@@ -236,11 +236,14 @@ free_firewall_rule(void *key, void *element)
 #endif
 
 void
-init_block_list()
+init_block_list(int firewall)
 {
     // Initialize cache
 #ifdef __linux__
-    init_firewall();
+    if (firewall)
+        init_firewall();
+    else
+        mode = NO_FIREWALL_MODE;
     cache_create(&block_list, 256, free_firewall_rule);
 #else
     cache_create(&block_list, 256, NULL);
@@ -251,7 +254,8 @@ void
 free_block_list()
 {
 #ifdef __linux__
-    reset_firewall();
+    if (mode != NO_FIREWALL_MODE)
+        reset_firewall();
 #endif
     cache_clear(block_list, 0); // Remove all items
 }
@@ -303,7 +307,8 @@ update_block_list(char *addr, int err_level)
         *count = 1;
         cache_insert(block_list, addr, addr_len, count);
 #ifdef __linux__
-        set_firewall_rule(addr, 1);
+        if (mode != NO_FIREWALL_MODE)
+            set_firewall_rule(addr, 1);
 #endif
     }
 

src/acl.h

@@ -42,7 +42,7 @@ int acl_remove_ip(const char *ip);
 
 int get_acl_mode(void);
 
-void init_block_list();
+void init_block_list(int firewall);
 void free_block_list();
 int check_block_list(char *addr);
 int update_block_list(char *addr, int err_level);

src/local.c

@@ -1446,7 +1446,7 @@ main(int argc, char **argv)
 
 #ifndef __MINGW32__
     if (geteuid() == 0){
-        LOGI("You are running this process as the root user!");
+        LOGI("running from root user");
     }
 #endif
 

src/manager.c

@@ -851,7 +851,7 @@ main(int argc, char **argv)
 
 #ifndef __MINGW32__
     if (geteuid() == 0){
-        LOGI("You are running this process as the root user!");
+        LOGI("running from root user");
     }
 #endif
 

src/redir.c

@@ -1026,7 +1026,7 @@ main(int argc, char **argv)
     }
 
     if (geteuid() == 0){
-        LOGI("You are running this process as the root user!");
+        LOGI("running from root user");
     }
 
     ev_run(loop, 0);

src/server.c

@@ -1538,6 +1538,7 @@ main(int argc, char **argv)
     int i, c;
     int pid_flags   = 0;
     int mptcp       = 0;
+    int firewall    = 0;
     int mtu         = 0;
     char *user      = NULL;
     char *password  = NULL;
@@ -1559,8 +1560,11 @@ main(int argc, char **argv)
         { "acl",             required_argument, 0, 0 },
         { "manager-address", required_argument, 0, 0 },
         { "mtu",             required_argument, 0, 0 },
-        { "mptcp",           no_argument,       0, 0 },
         { "help",            no_argument,       0, 0 },
+#ifdef __linux__
+        { "mptcp",           no_argument,       0, 0 },
+        { "firewall",        no_argument,       0, 0 },
+#endif
         {                 0,                 0, 0, 0 }
     };
 
@@ -1583,11 +1587,14 @@ main(int argc, char **argv)
                 mtu = atoi(optarg);
                 LOGI("set MTU to %d", mtu);
             } else if (option_index == 4) {
-                mptcp = 1;
-                LOGI("enable multipath TCP");
-            } else if (option_index == 5) {
                 usage();
                 exit(EXIT_SUCCESS);
+            } else if (option_index == 5) {
+                mptcp = 1;
+                LOGI("enable multipath TCP");
+            } else if (option_index == 6) {
+                firewall = 1;
+                LOGI("enable firewall rules");
             }
             break;
         case 's':
@@ -1876,12 +1883,15 @@ main(int argc, char **argv)
 
 #ifndef __MINGW32__
     if (geteuid() == 0){
-        LOGI("You are running this process as the root user!");
+        LOGI("running from root user");
+    } else if (firewall) {
+        LOGE("firewall setup requires running from root user");
+        exit(-1);
     }
 #endif
 
     // init block list
-    init_block_list();
+    init_block_list(firewall);
 
     // Init connections
     cork_dllist_init(&connections);

src/tunnel.c

@@ -1034,7 +1034,7 @@ main(int argc, char **argv)
 
 #ifndef __MINGW32__
     if (geteuid() == 0){
-        LOGI("You are running this process as the root user!");
+        LOGI("running from root user");
     }
 #endif
 

src/utils.c

@@ -341,8 +341,14 @@ usage()
 #endif
     printf(
         "       [--mtu <MTU>]              MTU of your network interface.\n");
+#ifdef __linux__
     printf(
         "       [--mptcp]                  Enable Multipath TCP on MPTCP Kernel.\n");
+#ifdef MODULE_REMOTE
+    printf(
+        "       [--firewall]               Setup firewall rules for auto blocking.\n");
+#endif
+#endif
     printf("\n");
     printf(
         "       [-v]                       Verbose mode.\n");