Automated forwarding reset (#27)

* automated forwarding reset

* newline added

---------

Co-authored-by: pseusys <aleksandr.sergeev.ad@gmail.com>

Author: pseusys

caerulean/whirlpool/README.md

@@ -92,8 +92,6 @@ Before whirlpool node can be run, the following configuration steps have to be m
 
 - Disable IPv6 router solicitation (for tunnel interface):
   `echo 0 > /proc/sys/net/ipv6/conf/default/accept_ra`
-- Enable IP packet forwarding:
-  `echo 1 > /proc/sys/net/ipv4/ip_forward`
 
 ### Local whirlpool execution
 

caerulean/whirlpool/tunnel/structure.go

@@ -4,6 +4,9 @@ import (
 	"fmt"
 	"main/utils"
 	"net"
+	"os"
+	"strconv"
+	"strings"
 	"sync"
 
 	"github.com/google/nftables"
@@ -26,6 +29,10 @@ const (
 	DEFAULT_TYPHOON_PORT = 29384
 
 	REQUIRED_TUNNEL_NETWORK_BITS = 16
+
+	FORWARDING_ENABLED_VALUE = 1
+	DEFAULT_FILE_PERMISSIONS = 0644
+	IPV4_FORWARDING_FILE     = "/proc/sys/net/ipv4/ip_forward"
 )
 
 // Tunnel config object, represents tunnel interface and forwarding setup.
@@ -54,6 +61,34 @@ type TunnelConfig struct {
 
 	// Tunnel name.
 	name string
+
+	// Forwarding value.
+	forwardingIPv4 uint8
+}
+
+func readSysctlInt(path string) (uint8, error) {
+	data, err := os.ReadFile(path)
+	if err != nil {
+		return 0, fmt.Errorf("failed to read file at %s: %v", path, err)
+	}
+
+	valueStr := strings.TrimSpace(string(data))
+	value, err := strconv.Atoi(valueStr)
+	if err != nil {
+		return 0, fmt.Errorf("failed to parse %s from %s: %v", valueStr, path, err)
+	}
+
+	return uint8(value), nil
+}
+
+func writeSysctlInt(path string, value uint8) error {
+	data := []byte(fmt.Sprintf("%d\n", value))
+	err := os.WriteFile(path, data, DEFAULT_FILE_PERMISSIONS)
+	if err != nil {
+		return fmt.Errorf("failed to write to file at %s: %v", path, err)
+	}
+
+	return nil
 }
 
 // Preserve current iptables configuration in a TunnelConfig object.
@@ -66,10 +101,16 @@ func Preserve() (*TunnelConfig, error) {
 	mtu := int32(utils.GetIntEnv("SEASIDE_TUNNEL_MTU", DEFAULT_TUNNEL_MTU, 32))
 	name := utils.GetEnv("SEASIDE_TUNNEL_NAME", DEFAULT_TUNNEL_NAME)
 
+	forwardingIPv4, err := readSysctlInt(IPV4_FORWARDING_FILE)
+	if err != nil {
+		return nil, fmt.Errorf("error reading system IPv4 forwarding property: %v", err)
+	}
+
 	conf := TunnelConfig{
-		Default: defaultNet,
-		mtu:     mtu,
-		name:    name,
+		Default:        defaultNet,
+		mtu:            mtu,
+		name:           name,
+		forwardingIPv4: forwardingIPv4,
 	}
 
 	return &conf, nil
@@ -83,6 +124,12 @@ func (conf *TunnelConfig) Open() (err error) {
 	conf.mutex.Lock()
 	defer conf.mutex.Unlock()
 
+	// Enable IPv4 packet forwarding
+	err = writeSysctlInt(IPV4_FORWARDING_FILE, FORWARDING_ENABLED_VALUE)
+	if err != nil {
+		return fmt.Errorf("error enabling IPv4 forwarding: %v", err)
+	}
+
 	// Parse IPs and control port number from environment variables
 	intIP := utils.GetEnv("SEASIDE_ADDRESS", conf.Default.IP.String())
 	extIP := utils.GetEnv("SEASIDE_EXTERNAL", intIP)
@@ -148,4 +195,9 @@ func (conf *TunnelConfig) Close() {
 	if err != nil {
 		logrus.Errorf("Error removing tunnel: %v", err)
 	}
+
+	err = writeSysctlInt(IPV4_FORWARDING_FILE, conf.forwardingIPv4)
+	if err != nil {
+		logrus.Errorf("error restoring IPv4 forwarding: %v", err)
+	}
 }

viridian/algae/setup/whirlpool.py

@@ -58,7 +58,6 @@
 _GO_DISTRIBUTION = "https://go.dev/dl/go{ver}.linux-{arch}.tar.gz"
 
 _ACCEPT_IPV6_CONF = Path("/proc/sys/net/ipv6/conf/default/accept_ra")
-_PACKET_FORWARDING_CONF = Path("/proc/sys/net/ipv4/ip_forward")
 
 _SHELL_LOGIN = Path("/etc/profile")
 _GO_ROOT = Path("/usr/local/go")
@@ -163,12 +162,6 @@ def _configure_server(self) -> None:
             self._logger.info("IPv6 support disabled!")
         else:
             self._logger.debug("IPv6 already disabled!")
-        if int(_PACKET_FORWARDING_CONF.read_text()) != 1:
-            self._logger.info("Enabling packet forwarding for the server...")
-            _PACKET_FORWARDING_CONF.write_text("1")
-            self._logger.info("Packet forwarding enabled!")
-        else:
-            self._logger.debug("Packet forwarding already disabled!")
 
     def _install_go(self) -> Path:
         arch = "arm64" if get_arch() == "arm" else "amd64"