ooni-probe-cli/internal/engine/cmd/jafar/iptables/iptables.go

// Package iptables contains code for managing firewall rules. This package
// really only works reliably on Linux. In all other systems the functionality
// in here is just a set of stubs returning errors.
package iptables

import (
	"github.com/ooni/probe-cli/v3/internal/engine/internal/runtimex"
)

type shell interface {
	createChains() error
	dropIfDestinationEquals(ip string) error
	rstIfDestinationEqualsAndIsTCP(ip string) error
	dropIfContainsKeywordHex(keyword string) error
	dropIfContainsKeyword(keyword string) error
	rstIfContainsKeywordHexAndIsTCP(keyword string) error
	rstIfContainsKeywordAndIsTCP(keyword string) error
	hijackDNS(address string) error
	hijackHTTPS(address string) error
	hijackHTTP(address string) error
	waive() error
}

// CensoringPolicy implements a censoring policy.
type CensoringPolicy struct {
	DropIPs            []string // drop IP traffic to these IPs
	DropKeywordsHex    []string // drop IP packets with these hex keywords
	DropKeywords       []string // drop IP packets with these keywords
	HijackDNSAddress   string   // where to hijack DNS to
	HijackHTTPSAddress string   // where to hijack HTTPS to
	HijackHTTPAddress  string   // where to hijack HTTP to
	ResetIPs           []string // RST TCP/IP traffic to these IPs
	ResetKeywordsHex   []string // RST TCP/IP flows with these hex keywords
	ResetKeywords      []string // RST TCP/IP flows with these keywords
	sh                 shell
}

// NewCensoringPolicy returns a new censoring policy.
func NewCensoringPolicy() *CensoringPolicy {
	return &CensoringPolicy{
		sh: newShell(),
	}
}

// Apply applies the censorship policy
func (c *CensoringPolicy) Apply() (err error) {
	defer func() {
		if recover() != nil {
			// JUST KNOW WE'VE BEEN HERE
		}
	}()
	err = c.sh.createChains()
	runtimex.PanicOnError(err, "c.sh.createChains failed")
	// Implementation note: we want the RST rules to be first such
	// that we end up enforcing them before the drop rules.
	for _, keyword := range c.ResetKeywordsHex {
		err = c.sh.rstIfContainsKeywordHexAndIsTCP(keyword)
		runtimex.PanicOnError(err, "c.sh.rstIfContainsKeywordHexAndIsTCP failed")
	}
	for _, keyword := range c.ResetKeywords {
		err = c.sh.rstIfContainsKeywordAndIsTCP(keyword)
		runtimex.PanicOnError(err, "c.sh.rstIfContainsKeywordAndIsTCP failed")
	}
	for _, ip := range c.ResetIPs {
		err = c.sh.rstIfDestinationEqualsAndIsTCP(ip)
		runtimex.PanicOnError(err, "c.sh.rstIfDestinationEqualsAndIsTCP failed")
	}
	for _, keyword := range c.DropKeywordsHex {
		err = c.sh.dropIfContainsKeywordHex(keyword)
		runtimex.PanicOnError(err, "c.sh.dropIfContainsKeywordHex failed")
	}
	for _, keyword := range c.DropKeywords {
		err = c.sh.dropIfContainsKeyword(keyword)
		runtimex.PanicOnError(err, "c.sh.dropIfContainsKeyword failed")
	}
	for _, ip := range c.DropIPs {
		err = c.sh.dropIfDestinationEquals(ip)
		runtimex.PanicOnError(err, "c.sh.dropIfDestinationEquals failed")
	}
	if c.HijackDNSAddress != "" {
		err = c.sh.hijackDNS(c.HijackDNSAddress)
		runtimex.PanicOnError(err, "c.sh.hijackDNS failed")
	}
	if c.HijackHTTPSAddress != "" {
		err = c.sh.hijackHTTPS(c.HijackHTTPSAddress)
		runtimex.PanicOnError(err, "c.sh.hijackHTTPS failed")
	}
	if c.HijackHTTPAddress != "" {
		err = c.sh.hijackHTTP(c.HijackHTTPAddress)
		runtimex.PanicOnError(err, "c.sh.hijackHTTP failed")
	}
	return
}

// Waive removes any censorship policy
func (c *CensoringPolicy) Waive() error {
	return c.sh.waive()
}
chore: merge probe-engine into probe-cli (#201) This is how I did it: 1. `git clone https://github.com/ooni/probe-engine internal/engine` 2. ``` (cd internal/engine && git describe --tags) v0.23.0 ``` 3. `nvim go.mod` (merging `go.mod` with `internal/engine/go.mod` 4. `rm -rf internal/.git internal/engine/go.{mod,sum}` 5. `git add internal/engine` 6. `find . -type f -name \*.go -exec sed -i 's@/ooni/probe-engine@/ooni/probe-cli/v3/internal/engine@g' {} \;` 7. `go build ./...` (passes) 8. `go test -race ./...` (temporary failure on RiseupVPN) 9. `go mod tidy` 10. this commit message Once this piece of work is done, we can build a new version of `ooniprobe` that is using `internal/engine` directly. We need to do more work to ensure all the other functionality in `probe-engine` (e.g. making mobile packages) are still WAI. Part of https://github.com/ooni/probe/issues/1335 2021-02-02 12:05:47 +01:00			`// Package iptables contains code for managing firewall rules. This package`
			`// really only works reliably on Linux. In all other systems the functionality`
			`// in here is just a set of stubs returning errors.`
			`package iptables`

			`import (`
			`"github.com/ooni/probe-cli/v3/internal/engine/internal/runtimex"`
			`)`

			`type shell interface {`
			`createChains() error`
			`dropIfDestinationEquals(ip string) error`
			`rstIfDestinationEqualsAndIsTCP(ip string) error`
			`dropIfContainsKeywordHex(keyword string) error`
			`dropIfContainsKeyword(keyword string) error`
			`rstIfContainsKeywordHexAndIsTCP(keyword string) error`
			`rstIfContainsKeywordAndIsTCP(keyword string) error`
			`hijackDNS(address string) error`
			`hijackHTTPS(address string) error`
			`hijackHTTP(address string) error`
			`waive() error`
			`}`

			`// CensoringPolicy implements a censoring policy.`
			`type CensoringPolicy struct {`
			`DropIPs []string // drop IP traffic to these IPs`
			`DropKeywordsHex []string // drop IP packets with these hex keywords`
			`DropKeywords []string // drop IP packets with these keywords`
			`HijackDNSAddress string // where to hijack DNS to`
			`HijackHTTPSAddress string // where to hijack HTTPS to`
			`HijackHTTPAddress string // where to hijack HTTP to`
			`ResetIPs []string // RST TCP/IP traffic to these IPs`
			`ResetKeywordsHex []string // RST TCP/IP flows with these hex keywords`
			`ResetKeywords []string // RST TCP/IP flows with these keywords`
			`sh shell`
			`}`

			`// NewCensoringPolicy returns a new censoring policy.`
			`func NewCensoringPolicy() *CensoringPolicy {`
			`return &CensoringPolicy{`
			`sh: newShell(),`
			`}`
			`}`

			`// Apply applies the censorship policy`
			`func (c *CensoringPolicy) Apply() (err error) {`
			`defer func() {`
			`if recover() != nil {`
			`// JUST KNOW WE'VE BEEN HERE`
			`}`
			`}()`
			`err = c.sh.createChains()`
			`runtimex.PanicOnError(err, "c.sh.createChains failed")`
			`// Implementation note: we want the RST rules to be first such`
			`// that we end up enforcing them before the drop rules.`
			`for _, keyword := range c.ResetKeywordsHex {`
			`err = c.sh.rstIfContainsKeywordHexAndIsTCP(keyword)`
			`runtimex.PanicOnError(err, "c.sh.rstIfContainsKeywordHexAndIsTCP failed")`
			`}`
			`for _, keyword := range c.ResetKeywords {`
			`err = c.sh.rstIfContainsKeywordAndIsTCP(keyword)`
			`runtimex.PanicOnError(err, "c.sh.rstIfContainsKeywordAndIsTCP failed")`
			`}`
			`for _, ip := range c.ResetIPs {`
			`err = c.sh.rstIfDestinationEqualsAndIsTCP(ip)`
			`runtimex.PanicOnError(err, "c.sh.rstIfDestinationEqualsAndIsTCP failed")`
			`}`
			`for _, keyword := range c.DropKeywordsHex {`
			`err = c.sh.dropIfContainsKeywordHex(keyword)`
			`runtimex.PanicOnError(err, "c.sh.dropIfContainsKeywordHex failed")`
			`}`
			`for _, keyword := range c.DropKeywords {`
			`err = c.sh.dropIfContainsKeyword(keyword)`
			`runtimex.PanicOnError(err, "c.sh.dropIfContainsKeyword failed")`
			`}`
			`for _, ip := range c.DropIPs {`
			`err = c.sh.dropIfDestinationEquals(ip)`
			`runtimex.PanicOnError(err, "c.sh.dropIfDestinationEquals failed")`
			`}`
			`if c.HijackDNSAddress != "" {`
			`err = c.sh.hijackDNS(c.HijackDNSAddress)`
			`runtimex.PanicOnError(err, "c.sh.hijackDNS failed")`
			`}`
			`if c.HijackHTTPSAddress != "" {`
			`err = c.sh.hijackHTTPS(c.HijackHTTPSAddress)`
			`runtimex.PanicOnError(err, "c.sh.hijackHTTPS failed")`
			`}`
			`if c.HijackHTTPAddress != "" {`
			`err = c.sh.hijackHTTP(c.HijackHTTPAddress)`
			`runtimex.PanicOnError(err, "c.sh.hijackHTTP failed")`
			`}`
			`return`
			`}`

			`// Waive removes any censorship policy`
			`func (c *CensoringPolicy) Waive() error {`
			`return c.sh.waive()`
			`}`