XRay Linux firewall rules

client/platforms/linux/daemon/linuxfirewall.cpp

@@ -196,6 +196,8 @@ QStringList LinuxFirewall::getDNSRules(const QStringList& servers)
         result << QStringLiteral("-o amn0+ -d %1 -p tcp --dport 53 -j ACCEPT").arg(server);
         result << QStringLiteral("-o tun0+ -d %1 -p udp --dport 53 -j ACCEPT").arg(server);
         result << QStringLiteral("-o tun0+ -d %1 -p tcp --dport 53 -j ACCEPT").arg(server);
+        result << QStringLiteral("-o tun2+ -d %1 -p udp --dport 53 -j ACCEPT").arg(server);
+        result << QStringLiteral("-o tun2+ -d %1 -p tcp --dport 53 -j ACCEPT").arg(server);
     }
     return result;
 }
@@ -277,6 +279,7 @@ void LinuxFirewall::install()
     installAnchor(Both, QStringLiteral("200.allowVPN"), {
                                                             QStringLiteral("-o amn0+ -j ACCEPT"),
                                                             QStringLiteral("-o tun0+ -j ACCEPT"),
+                                                            QStringLiteral("-o tun2+ -j ACCEPT"),
                                                         });
 
     installAnchor(IPv4, QStringLiteral("120.blockNets"), {});

ipc/ipcserver.cpp

@@ -228,6 +228,8 @@ bool IpcServer::enableKillSwitch(const QJsonObject &configStr, int vpnAdapterInd
 
 #ifdef Q_OS_LINUX
     // double-check + ensure our firewall is installed and enabled
+    if (!LinuxFirewall::isInstalled())
+        LinuxFirewall::install();
     LinuxFirewall::setAnchorEnabled(LinuxFirewall::Both, QStringLiteral("000.allowLoopback"), true);
     LinuxFirewall::setAnchorEnabled(LinuxFirewall::Both, QStringLiteral("100.blockAll"), blockAll);
     LinuxFirewall::setAnchorEnabled(LinuxFirewall::IPv4, QStringLiteral("110.allowNets"), allowNets);