* refactor: start building an Android package Part of https://github.com/ooni/probe/issues/1335. This seems also a good moment to move some packages out of the engine, e.g., oonimkall. This package, for example, is a consumer of the engine, so it makes sense it's not _inside_ it. * fix: committed some stuff I didn't need to commit * fix: oonimkall needs to be public to build The side effect is that we will probably need to bump the major version number every time we change one of these APIs. (We can also of course choose to violate the basic guidelines of Go software, but I believe this is bad form.) I have no problem in bumping the major quite frequently and in any case this monorepo solution is convincing me more than continuing to keep a split between engine and cli. The need to embed assets to make the probe more reliable trumps the negative effects of having to ~frequently bump major because we expose a public API. * fix: let's not forget about libooniffi Honestly, I don't know what to do with this library. I added it to provide a drop in replacement for MK but I have no idea whether it's used and useful. I would not feel comfortable exposing it, unlike oonimkall, since we're not using it. It may be that the right thing to do here is just to delete the package and reduce the amount of code we're maintaining? * woops, we're still missing the publish android script * fix(publish-android.bash): add proper API key * ouch fix another place where the name changed
// Package iptables contains code for managing firewall rules. This package
// really only works reliably on Linux. In all other systems the functionality
// in here is just a set of stubs returning errors.
package iptables
import (
"github.com/ooni/probe-cli/v3/internal/engine/runtimex"
)
// shell is the set of primitive firewall operations behind CensoringPolicy:
// Apply drives every method except waive, and Waive drives waive. The concrete
// implementation is obtained from newShell (defined elsewhere in this package);
// per the package comment, outside Linux it is a set of stubs returning errors.
type shell interface {
	// createChains performs the setup that Apply runs before adding any rule.
	createChains() error

	// dropIfDestinationEquals adds a drop rule for traffic to ip; Apply calls
	// it once per entry of CensoringPolicy.DropIPs.
	dropIfDestinationEquals(ip string) error

	// rstIfDestinationEqualsAndIsTCP adds a TCP-reset rule for traffic to ip;
	// Apply calls it once per entry of CensoringPolicy.ResetIPs.
	rstIfDestinationEqualsAndIsTCP(ip string) error

	// dropIfContainsKeywordHex adds a drop rule for packets containing keyword
	// (presumably hex encoded, as the name and DropKeywordsHex suggest — confirm
	// against the implementation); Apply calls it once per entry of
	// CensoringPolicy.DropKeywordsHex.
	dropIfContainsKeywordHex(keyword string) error

	// dropIfContainsKeyword adds a drop rule for packets containing keyword;
	// Apply calls it once per entry of CensoringPolicy.DropKeywords.
	dropIfContainsKeyword(keyword string) error

	// rstIfContainsKeywordHexAndIsTCP adds a TCP-reset rule for packets
	// containing the (hex) keyword; Apply calls it once per entry of
	// CensoringPolicy.ResetKeywordsHex, before any drop rule is added.
	rstIfContainsKeywordHexAndIsTCP(keyword string) error

	// rstIfContainsKeywordAndIsTCP adds a TCP-reset rule for packets containing
	// keyword; Apply calls it once per entry of CensoringPolicy.ResetKeywords,
	// before any drop rule is added.
	rstIfContainsKeywordAndIsTCP(keyword string) error

	// hijackDNS redirects DNS traffic to address; Apply calls it only when
	// CensoringPolicy.HijackDNSAddress is non-empty.
	hijackDNS(address string) error

	// hijackHTTPS redirects HTTPS traffic to address; Apply calls it only when
	// CensoringPolicy.HijackHTTPSAddress is non-empty.
	hijackHTTPS(address string) error

	// hijackHTTP redirects HTTP traffic to address; Apply calls it only when
	// CensoringPolicy.HijackHTTPAddress is non-empty.
	hijackHTTP(address string) error

	// waive removes what the methods above installed; it backs
	// CensoringPolicy.Waive.
	waive() error
}
// CensoringPolicy describes the firewall rules that Apply installs through the
// shell and that Waive removes: drop rules, TCP reset (RST) rules and
// DNS/HTTPS/HTTP hijack rules. An empty slice or an empty address string simply
// produces no rule. Apply installs the RST rules before the drop rules so that
// the resets are enforced first.
//
// Construct it with NewCensoringPolicy: the zero value has a nil sh, and
// neither Apply nor Waive checks for that before using it.
type CensoringPolicy struct {
	DropIPs []string // drop IP traffic to these IPs
	DropKeywordsHex []string // drop IP packets with these hex keywords
	DropKeywords []string // drop IP packets with these keywords
	HijackDNSAddress string // where to hijack DNS to
	HijackHTTPSAddress string // where to hijack HTTPS to
	HijackHTTPAddress string // where to hijack HTTP to
	ResetIPs []string // RST TCP/IP traffic to these IPs
	ResetKeywordsHex []string // RST TCP/IP flows with these hex keywords
	ResetKeywords []string // RST TCP/IP flows with these keywords
	sh shell // set by NewCensoringPolicy; every Apply/Waive operation goes through it
}
// NewCensoringPolicy returns a CensoringPolicy whose shell comes from newShell
// and whose rule lists and hijack addresses are all empty, so that Apply on it
// does nothing beyond createChains until the caller fills in the fields.
func NewCensoringPolicy() *CensoringPolicy {
	policy := new(CensoringPolicy)
	policy.sh = newShell()
	return policy
}
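// Apply installs the censoring policy through c.sh, in this order: the chains
// (createChains), the RST rules (ResetKeywordsHex, ResetKeywords, ResetIPs),
// the drop rules (DropKeywordsHex, DropKeywords, DropIPs) and finally the DNS,
// HTTPS and HTTP hijack rules for the addresses that are non-empty. It stops at
// the first failing shell call and returns its error; rules installed before
// the failure are left in place (Waive removes them).
//
// Error flow uses runtimex.PanicOnError plus a deferred recover: every shell
// error is stored in the named result before PanicOnError fires, so the
// recover turns the panic back into a plain error return. A panic that
// arrives while err is still nil cannot have come from PanicOnError (for
// example c.sh being nil on a zero-value CensoringPolicy), so it is re-raised
// rather than being reported as a successful Apply.
func (c *CensoringPolicy) Apply() (err error) {
	defer func() {
		r := recover()
		if r == nil {
			return
		}
		if err == nil {
			// Not one of our PanicOnError panics: surface it instead of
			// returning nil with the policy only partially applied.
			panic(r)
		}
		// Otherwise err already holds the failing call's error and the
		// function returns it.
	}()
	err = c.sh.createChains()
	runtimex.PanicOnError(err, "c.sh.createChains failed")
	// Implementation note: we want the RST rules to be first such
	// that we end up enforcing them before the drop rules.
	err = applyRuleToEach(c.ResetKeywordsHex, c.sh.rstIfContainsKeywordHexAndIsTCP)
	runtimex.PanicOnError(err, "c.sh.rstIfContainsKeywordHexAndIsTCP failed")
	err = applyRuleToEach(c.ResetKeywords, c.sh.rstIfContainsKeywordAndIsTCP)
	runtimex.PanicOnError(err, "c.sh.rstIfContainsKeywordAndIsTCP failed")
	err = applyRuleToEach(c.ResetIPs, c.sh.rstIfDestinationEqualsAndIsTCP)
	runtimex.PanicOnError(err, "c.sh.rstIfDestinationEqualsAndIsTCP failed")
	err = applyRuleToEach(c.DropKeywordsHex, c.sh.dropIfContainsKeywordHex)
	runtimex.PanicOnError(err, "c.sh.dropIfContainsKeywordHex failed")
	err = applyRuleToEach(c.DropKeywords, c.sh.dropIfContainsKeyword)
	runtimex.PanicOnError(err, "c.sh.dropIfContainsKeyword failed")
	err = applyRuleToEach(c.DropIPs, c.sh.dropIfDestinationEquals)
	runtimex.PanicOnError(err, "c.sh.dropIfDestinationEquals failed")
	if c.HijackDNSAddress != "" {
		err = c.sh.hijackDNS(c.HijackDNSAddress)
		runtimex.PanicOnError(err, "c.sh.hijackDNS failed")
	}
	if c.HijackHTTPSAddress != "" {
		err = c.sh.hijackHTTPS(c.HijackHTTPSAddress)
		runtimex.PanicOnError(err, "c.sh.hijackHTTPS failed")
	}
	if c.HijackHTTPAddress != "" {
		err = c.sh.hijackHTTP(c.HijackHTTPAddress)
		runtimex.PanicOnError(err, "c.sh.hijackHTTP failed")
	}
	return err
}

// applyRuleToEach calls rule once per value, in order, and returns the first
// error it gets; values after the failing one are not attempted. It returns
// nil when values is empty or every call succeeds.
func applyRuleToEach(values []string, rule func(string) error) error {
	for _, v := range values {
		if err := rule(v); err != nil {
			return err
		}
	}
	return nil
}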
// Waive delegates to the shell's waive, which removes the censorship policy,
// and returns whatever error the shell reports. The policy's fields are left
// untouched, so the same CensoringPolicy can be applied again.
func (c *CensoringPolicy) Waive() error {
	err := c.sh.waive()
	return err
}