2e0118d1a6
## Description This PR continues the refactoring of `netx` under the following principles: 1. do not break the rest of the tree and do not engage in extensive tree-wide refactoring yet 2. move under `netxlite` clearly related subpackages (e.g., `iox`, `netxmocks`) 3. move into `internal/netxlite/internal` stuff that is clearly private of `netxlite` 4. hide implementation details in `netxlite` pending new factories 5. refactor `tls` code in `netxlite` to clearly separate `crypto/tls` code from `utls` code After each commit, I run `go test -short -race ./...` locally. Each individual commit explains what it does. I will squash, but this operation will preserve the original commit titles, so this will give further insight on each step. ## Commits * refactor: rename netxmocks -> netxlite/mocks Part of https://github.com/ooni/probe/issues/1591 * refactor: rename quicx -> netxlite/quicx See https://github.com/ooni/probe/issues/1591 * refactor: rename iox -> netxlite/iox Regenerate sources and make sure the tests pass. See https://github.com/ooni/probe/issues/1591. * refactor(iox): move MockableReader to netxlite/mocks See https://github.com/ooni/probe/issues/1591 * refactor(netxlite): generator is an implementation detail See https://github.com/ooni/probe/issues/1591 * refactor(netxlite): separate tls and utls code See https://github.com/ooni/probe/issues/1591 * refactor(netxlite): hide most types but keep old names as legacy With this change we avoid breaking the rest of the tree, but we start hiding some implementation details a bit. Factories will follow. See https://github.com/ooni/probe/issues/1591
121 lines
4.4 KiB
Go
121 lines
4.4 KiB
Go
//go:build linux
|
|
// +build linux
|
|
|
|
package iptables
|
|
|
|
import (
|
|
"github.com/apex/log"
|
|
"github.com/ooni/probe-cli/v3/internal/runtimex"
|
|
"github.com/ooni/probe-cli/v3/internal/shellx"
|
|
)
|
|
|
|
type linuxShell struct{}
|
|
|
|
func (s *linuxShell) createChains() (err error) {
|
|
defer func() {
|
|
if recover() != nil {
|
|
// JUST KNOW WE'VE BEEN HERE
|
|
}
|
|
}()
|
|
err = shellx.Run(log.Log, "sudo", "iptables", "-N", "JAFAR_INPUT")
|
|
runtimex.PanicOnError(err, "cannot create JAFAR_INPUT chain")
|
|
err = shellx.Run(log.Log, "sudo", "iptables", "-N", "JAFAR_OUTPUT")
|
|
runtimex.PanicOnError(err, "cannot create JAFAR_OUTPUT chain")
|
|
err = shellx.Run(log.Log, "sudo", "iptables", "-t", "nat", "-N", "JAFAR_NAT_OUTPUT")
|
|
runtimex.PanicOnError(err, "cannot create JAFAR_NAT_OUTPUT chain")
|
|
err = shellx.Run(log.Log, "sudo", "iptables", "-I", "OUTPUT", "-j", "JAFAR_OUTPUT")
|
|
runtimex.PanicOnError(err, "cannot insert jump to JAFAR_OUTPUT")
|
|
err = shellx.Run(log.Log, "sudo", "iptables", "-I", "INPUT", "-j", "JAFAR_INPUT")
|
|
runtimex.PanicOnError(err, "cannot insert jump to JAFAR_INPUT")
|
|
err = shellx.Run(log.Log, "sudo", "iptables", "-t", "nat", "-I", "OUTPUT", "-j", "JAFAR_NAT_OUTPUT")
|
|
runtimex.PanicOnError(err, "cannot insert jump to JAFAR_NAT_OUTPUT")
|
|
return nil
|
|
}
|
|
|
|
func (s *linuxShell) dropIfDestinationEquals(ip string) error {
|
|
return shellx.Run(log.Log,
|
|
"sudo", "iptables", "-A", "JAFAR_OUTPUT", "-d", ip, "-j", "DROP")
|
|
}
|
|
|
|
func (s *linuxShell) rstIfDestinationEqualsAndIsTCP(ip string) error {
|
|
return shellx.Run(log.Log,
|
|
"sudo", "iptables", "-A", "JAFAR_OUTPUT", "--proto", "tcp", "-d", ip,
|
|
"-j", "REJECT", "--reject-with", "tcp-reset",
|
|
)
|
|
}
|
|
|
|
func (s *linuxShell) dropIfContainsKeywordHex(keyword string) error {
|
|
return shellx.Run(log.Log,
|
|
"sudo", "iptables", "-A", "JAFAR_OUTPUT", "-m", "string", "--algo", "kmp",
|
|
"--hex-string", keyword, "-j", "DROP",
|
|
)
|
|
}
|
|
|
|
func (s *linuxShell) dropIfContainsKeyword(keyword string) error {
|
|
return shellx.Run(log.Log,
|
|
"sudo", "iptables", "-A", "JAFAR_OUTPUT", "-m", "string", "--algo", "kmp",
|
|
"--string", keyword, "-j", "DROP",
|
|
)
|
|
}
|
|
|
|
func (s *linuxShell) rstIfContainsKeywordHexAndIsTCP(keyword string) error {
|
|
return shellx.Run(log.Log,
|
|
"sudo", "iptables", "-A", "JAFAR_OUTPUT", "-m", "string", "--proto", "tcp", "--algo",
|
|
"kmp", "--hex-string", keyword, "-j", "REJECT", "--reject-with", "tcp-reset",
|
|
)
|
|
}
|
|
|
|
func (s *linuxShell) rstIfContainsKeywordAndIsTCP(keyword string) error {
|
|
return shellx.Run(log.Log,
|
|
"sudo", "iptables", "-A", "JAFAR_OUTPUT", "-m", "string", "--proto", "tcp", "--algo",
|
|
"kmp", "--string", keyword, "-j", "REJECT", "--reject-with", "tcp-reset",
|
|
)
|
|
}
|
|
|
|
func (s *linuxShell) hijackDNS(address string) error {
|
|
// Hijack any DNS query, like the Vodafone station does when using the
|
|
// secure network feature. Our transparent proxies will use DoT, in order
|
|
// to bypass this restriction and avoid routing loop.
|
|
return shellx.Run(log.Log,
|
|
"sudo", "iptables", "-t", "nat", "-A", "JAFAR_NAT_OUTPUT", "-p", "udp",
|
|
"--dport", "53", "-j", "DNAT", "--to", address,
|
|
)
|
|
}
|
|
|
|
func (s *linuxShell) hijackHTTPS(address string) error {
|
|
// We need to whitelist root otherwise the traffic sent by Jafar
|
|
// itself will match the rule and loop.
|
|
return shellx.Run(log.Log,
|
|
"sudo", "iptables", "-t", "nat", "-A", "JAFAR_NAT_OUTPUT", "-p", "tcp",
|
|
"--dport", "443", "-m", "owner", "!", "--uid-owner", "0",
|
|
"-j", "DNAT", "--to", address,
|
|
)
|
|
}
|
|
|
|
func (s *linuxShell) hijackHTTP(address string) error {
|
|
// We need to whitelist root otherwise the traffic sent by Jafar
|
|
// itself will match the rule and loop.
|
|
return shellx.Run(log.Log,
|
|
"sudo", "iptables", "-t", "nat", "-A", "JAFAR_NAT_OUTPUT", "-p", "tcp",
|
|
"--dport", "80", "-m", "owner", "!", "--uid-owner", "0",
|
|
"-j", "DNAT", "--to", address,
|
|
)
|
|
}
|
|
|
|
func (s *linuxShell) waive() error {
|
|
shellx.RunQuiet("sudo", "iptables", "-D", "OUTPUT", "-j", "JAFAR_OUTPUT")
|
|
shellx.RunQuiet("sudo", "iptables", "-D", "INPUT", "-j", "JAFAR_INPUT")
|
|
shellx.RunQuiet("sudo", "iptables", "-t", "nat", "-D", "OUTPUT", "-j", "JAFAR_NAT_OUTPUT")
|
|
shellx.RunQuiet("sudo", "iptables", "-F", "JAFAR_INPUT")
|
|
shellx.RunQuiet("sudo", "iptables", "-X", "JAFAR_INPUT")
|
|
shellx.RunQuiet("sudo", "iptables", "-F", "JAFAR_OUTPUT")
|
|
shellx.RunQuiet("sudo", "iptables", "-X", "JAFAR_OUTPUT")
|
|
shellx.RunQuiet("sudo", "iptables", "-t", "nat", "-F", "JAFAR_NAT_OUTPUT")
|
|
shellx.RunQuiet("sudo", "iptables", "-t", "nat", "-X", "JAFAR_NAT_OUTPUT")
|
|
return nil
|
|
}
|
|
|
|
func newShell() *linuxShell {
|
|
return &linuxShell{}
|
|
}
|