Bump actions/checkout from 6.0.1 to 6.0.2

Bumps [actions/checkout](https://github.com/actions/checkout) from 6.0.1 to 6.0.2. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](8e8c483db8...de0fac2e45) --- updated-dependencies: - dependency-name: actions/checkout dependency-version: 6.0.2 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>
2026-02-08 14:06:41 +00:00 · 2026-01-26 22:34:44 +00:00
4 changed files with 3 additions and 114 deletions
--- a/.github/workflows/cicd.yml
+++ b/.github/workflows/cicd.yml
@@ -36,7 +36,7 @@ jobs:

    steps:
      - name: Checkout code
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

      - name: Set up QEMU
        uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -14,7 +14,7 @@ jobs:
    runs-on: amd64-runner

    steps:
-      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

      - name: Set up Go
        uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
--- a/main.go
+++ b/main.go
@@ -555,10 +555,6 @@ func ensureWireguardInterface(wgconfig WgConfig) error {
 		logger.Warn("Failed to ensure MSS clamping: %v", err)
 	}

-	if err := ensureWireguardFirewall(); err != nil {
-		logger.Warn("Failed to ensure WireGuard firewall rules: %v", err)
-	}
-
 	logger.Info("WireGuard interface %s created and configured", interfaceName)

 	return nil
@@ -727,113 +723,6 @@ func ensureMSSClamping() error {
 	return nil
 }

-func ensureWireguardFirewall() error {
-	// Rules to enforce:
-	// 1. Allow established/related connections (responses to our outbound traffic)
-	// 2. Allow ICMP ping packets
-	// 3. Drop all other inbound traffic from peers
-
-	// Define the rules we want to ensure exist
-	rules := [][]string{
-		// Allow established and related connections (responses to outbound traffic)
-		{
-			"-A", "INPUT",
-			"-i", interfaceName,
-			"-m", "conntrack",
-			"--ctstate", "ESTABLISHED,RELATED",
-			"-j", "ACCEPT",
-		},
-		// Allow ICMP ping requests
-		{
-			"-A", "INPUT",
-			"-i", interfaceName,
-			"-p", "icmp",
-			"--icmp-type", "8",
-			"-j", "ACCEPT",
-		},
-		// Drop all other inbound traffic from WireGuard interface
-		{
-			"-A", "INPUT",
-			"-i", interfaceName,
-			"-j", "DROP",
-		},
-	}
-
-	// First, try to delete any existing rules for this interface
-	for _, rule := range rules {
-		deleteArgs := make([]string, len(rule))
-		copy(deleteArgs, rule)
-		// Change -A to -D for deletion
-		for i, arg := range deleteArgs {
-			if arg == "-A" {
-				deleteArgs[i] = "-D"
-				break
-			}
-		}
-
-		deleteCmd := exec.Command("/usr/sbin/iptables", deleteArgs...)
-		logger.Debug("Attempting to delete existing firewall rule: %v", deleteArgs)
-
-		// Try deletion multiple times to handle multiple existing rules
-		for i := 0; i < 5; i++ {
-			out, err := deleteCmd.CombinedOutput()
-			if err != nil {
-				if exitErr, ok := err.(*exec.ExitError); ok {
-					logger.Debug("Deletion stopped: %v (output: %s)", exitErr.String(), string(out))
-				}
-				break // No more rules to delete
-			}
-			logger.Info("Deleted existing firewall rule (attempt %d)", i+1)
-		}
-	}
-
-	// Now add the rules
-	var errors []error
-	for i, rule := range rules {
-		addCmd := exec.Command("/usr/sbin/iptables", rule...)
-		logger.Info("Adding WireGuard firewall rule %d: %v", i+1, rule)
-
-		if out, err := addCmd.CombinedOutput(); err != nil {
-			errMsg := fmt.Sprintf("Failed to add firewall rule %d: %v (output: %s)", i+1, err, string(out))
-			logger.Error("%s", errMsg)
-			errors = append(errors, fmt.Errorf("%s", errMsg))
-			continue
-		}
-
-		// Verify the rule was added by checking
-		checkArgs := make([]string, len(rule))
-		copy(checkArgs, rule)
-		// Change -A to -C for check
-		for j, arg := range checkArgs {
-			if arg == "-A" {
-				checkArgs[j] = "-C"
-				break
-			}
-		}
-
-		checkCmd := exec.Command("/usr/sbin/iptables", checkArgs...)
-		if out, err := checkCmd.CombinedOutput(); err != nil {
-			errMsg := fmt.Sprintf("Rule verification failed for rule %d: %v (output: %s)", i+1, err, string(out))
-			logger.Error("%s", errMsg)
-			errors = append(errors, fmt.Errorf("%s", errMsg))
-			continue
-		}
-
-		logger.Info("Successfully added and verified WireGuard firewall rule %d", i+1)
-	}
-
-	if len(errors) > 0 {
-		var errMsgs []string
-		for _, err := range errors {
-			errMsgs = append(errMsgs, err.Error())
-		}
-		return fmt.Errorf("WireGuard firewall setup encountered errors:\n%s", strings.Join(errMsgs, "\n"))
-	}
-
-	logger.Info("WireGuard firewall rules successfully configured for interface %s", interfaceName)
-	return nil
-}
-
 func handlePeer(w http.ResponseWriter, r *http.Request) {
 	switch r.Method {
 	case http.MethodPost:
--- a/relay/relay.go
+++ b/relay/relay.go
@@ -839,7 +839,7 @@ func (s *UDPProxyServer) clearSessionsForIP(ip string) {
 		s.wgSessions.Delete(key)
 	}

-	logger.Debug("Cleared %d sessions for WG IP: %s", len(keysToDelete), ip)
+	logger.Info("Cleared %d sessions for WG IP: %s", len(keysToDelete), ip)
 }

 // // clearProxyMappingsForWGIP removes all proxy mappings that have destinations pointing to a specific WireGuard IP