From 86f08554cd46c66d3f21ef7693b7e2217dc0d200 Mon Sep 17 00:00:00 2001
From: Mykola Baibuz
Date: Mon, 30 Dec 2024 19:23:53 -0800
Subject: [PATCH] fix: check for Linux firewall install before use it (#1328)
* bugfix: check for Linux firewall install before use it
* XRay Linux firewall rules
---
 client/platforms/linux/daemon/linuxfirewall.cpp | 3 +++
 ipc/ipcserver.cpp | 2 ++
 2 files changed, 5 insertions(+)
diff --git a/client/platforms/linux/daemon/linuxfirewall.cpp b/client/platforms/linux/daemon/linuxfirewall.cpp
index 393c24f26..96194bc77 100644
--- a/client/platforms/linux/daemon/linuxfirewall.cpp
+++ b/client/platforms/linux/daemon/linuxfirewall.cpp
@@ -196,6 +196,8 @@ QStringList LinuxFirewall::getDNSRules(const QStringList& servers)
 result << QStringLiteral("-o amn0+ -d %1 -p tcp --dport 53 -j ACCEPT").arg(server);
 result << QStringLiteral("-o tun0+ -d %1 -p udp --dport 53 -j ACCEPT").arg(server);
 result << QStringLiteral("-o tun0+ -d %1 -p tcp --dport 53 -j ACCEPT").arg(server);
+ result << QStringLiteral("-o tun2+ -d %1 -p udp --dport 53 -j ACCEPT").arg(server);
+ result << QStringLiteral("-o tun2+ -d %1 -p tcp --dport 53 -j ACCEPT").arg(server);
 }
 return result;
 }
@@ -277,6 +279,7 @@ void LinuxFirewall::install()
 installAnchor(Both, QStringLiteral("200.allowVPN"), {
 QStringLiteral("-o amn0+ -j ACCEPT"),
 QStringLiteral("-o tun0+ -j ACCEPT"),
+ QStringLiteral("-o tun2+ -j ACCEPT"),
 });
 installAnchor(IPv4, QStringLiteral("120.blockNets"), {});
diff --git a/ipc/ipcserver.cpp b/ipc/ipcserver.cpp
index bb8a41826..6dd0071e1 100644
--- a/ipc/ipcserver.cpp
+++ b/ipc/ipcserver.cpp
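Review bot: The new `tun2+` patterns in `LinuxFirewall::getDNSRules()` and in the `200.allowVPN` anchor of `LinuxFirewall::install()` end in the iptables `+` wildcard, so they accept traffic on every interface whose name starts with `tun2` (tun2, tun20, tun2x), not only on the XRay tunnel the commit message refers to. For a kill switch that widens the allow-list to any similarly named device; if the XRay interface name is fixed, an exact match such as `QStringLiteral("-o tun2 -j ACCEPT")` would be tighter, though this is inferred because the code that creates the interface is not visible here. At minimum I would add a comment above the new rules, `// tun2: XRay tunnel interface; trailing '+' is an iptables name-prefix wildcard`, and keep the interface names in one shared constant so the DNS rules and the allowVPN anchor cannot drift apart. Both function bodies continue outside their hunks.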
@@ -228,6 +228,8 @@ bool IpcServer::enableKillSwitch(const QJsonObject &configStr, int vpnAdapterInd
 #ifdef Q_OS_LINUX
 // double-check + ensure our firewall is installed and enabled
+ if (!LinuxFirewall::isInstalled())
+ LinuxFirewall::install();
 LinuxFirewall::setAnchorEnabled(LinuxFirewall::Both, QStringLiteral("000.allowLoopback"), true);
 LinuxFirewall::setAnchorEnabled(LinuxFirewall::Both, QStringLiteral("100.blockAll"), blockAll);
 LinuxFirewall::setAnchorEnabled(LinuxFirewall::IPv4, QStringLiteral("110.allowNets"), allowNets);
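Review bot: The outcome of the added `LinuxFirewall::install()` call is never checked, and the `setAnchorEnabled` calls below it run whether or not the chains now exist. `install()` is declared `void` in linuxfirewall.cpp, so if it fails (iptables missing, insufficient privilege) the kill switch may report success while nothing is enforced; the return path is outside the hunk, so this fail-open reading is inferred. I would re-test and bail out, `if (!LinuxFirewall::isInstalled()) { LinuxFirewall::install(); if (!LinuxFirewall::isInstalled()) return false; }`, with a log line on the failure branch. The braces also remove the unbraced two-line `if`. `enableKillSwitch` starts and ends outside this hunk.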