33de701263
* refactor(atomicx): move outside the engine package
After merging probe-engine into probe-cli, my impression is that we have
too much unnecessary nesting of packages in this repository.
The idea of this commit and of a bunch of following commits will instead
be to reduce the nesting and simplify the structure.
While there, improve the documentation.
* fix: always use the atomicx package
For consistency, never use sync/atomic and always use ./internal/atomicx
so we can just grep and make sure we're not risking to crash if we make
a subtle mistake on a 32 bit platform.
While there, mention in the contributing guidelines that we want to
always prefer the ./internal/atomicx package over sync/atomic.
* fix(atomicx): remove unnecessary constructor
We don't need a constructor here. The default constructed `&Int64{}`
instance is already usable and the constructor does not add anything to
what we are doing, rather it just creates extra confusion.
* cleanup(atomicx): we are not using Float64
Because atomicx.Float64 is unused, we can safely zap it.
* cleanup(atomicx): simplify impl and improve tests
We can simplify the implementation by using defer and by letting
the Load() method call Add(0).
We can improve tests by making many goroutines updated the
atomic int64 value concurrently.
* refactor(fsx): can live in the ./internal pkg
Let us reduce the amount of nesting. While there, ensure that the
package only exports the bare minimum, and improve the documentation
of the tests, to ease reading the code.
* refactor: move runtimex to ./internal
* refactor: move shellx into the ./internal package
While there, remove unnecessary dependency between packages.
While there, specify in the contributing guidelines that
one should use x/sys/execabs instead of os/exec.
* refactor: move ooapi into the ./internal pkg
* refactor(humanize): move to ./internal and better docs
* refactor: move platform to ./internal
* refactor(randx): move to ./internal
* refactor(multierror): move into the ./internal pkg
* refactor(kvstore): all kvstores in ./internal
Rather than having part of the kvstore inside ./internal/engine/kvstore
and part in ./internal/engine/kvstore.go, let us put every piece of code
that is kvstore related into the ./internal/kvstore package.
* fix(kvstore): always return ErrNoSuchKey on Get() error
It should help to use the kvstore everywhere removing all the
copies that are lingering around the tree.
* sessionresolver: make KVStore mandatory
Simplifies implementation. While there, use the ./internal/kvstore
package rather than having our private implementation.
* fix(ooapi): use the ./internal/kvstore package
* fix(platform): better documentation
99 lines
3.4 KiB
Go
99 lines
3.4 KiB
Go
// Package iptables contains code for managing firewall rules. This package
|
|
// really only works reliably on Linux. In all other systems the functionality
|
|
// in here is just a set of stubs returning errors.
|
|
package iptables
|
|
|
|
import (
|
|
"github.com/ooni/probe-cli/v3/internal/runtimex"
|
|
)
|
|
|
|
type shell interface {
|
|
createChains() error
|
|
dropIfDestinationEquals(ip string) error
|
|
rstIfDestinationEqualsAndIsTCP(ip string) error
|
|
dropIfContainsKeywordHex(keyword string) error
|
|
dropIfContainsKeyword(keyword string) error
|
|
rstIfContainsKeywordHexAndIsTCP(keyword string) error
|
|
rstIfContainsKeywordAndIsTCP(keyword string) error
|
|
hijackDNS(address string) error
|
|
hijackHTTPS(address string) error
|
|
hijackHTTP(address string) error
|
|
waive() error
|
|
}
|
|
|
|
// CensoringPolicy implements a censoring policy.
|
|
type CensoringPolicy struct {
|
|
DropIPs []string // drop IP traffic to these IPs
|
|
DropKeywordsHex []string // drop IP packets with these hex keywords
|
|
DropKeywords []string // drop IP packets with these keywords
|
|
HijackDNSAddress string // where to hijack DNS to
|
|
HijackHTTPSAddress string // where to hijack HTTPS to
|
|
HijackHTTPAddress string // where to hijack HTTP to
|
|
ResetIPs []string // RST TCP/IP traffic to these IPs
|
|
ResetKeywordsHex []string // RST TCP/IP flows with these hex keywords
|
|
ResetKeywords []string // RST TCP/IP flows with these keywords
|
|
sh shell
|
|
}
|
|
|
|
// NewCensoringPolicy returns a new censoring policy.
|
|
func NewCensoringPolicy() *CensoringPolicy {
|
|
return &CensoringPolicy{
|
|
sh: newShell(),
|
|
}
|
|
}
|
|
|
|
// Apply applies the censorship policy
|
|
func (c *CensoringPolicy) Apply() (err error) {
|
|
defer func() {
|
|
if recover() != nil {
|
|
// JUST KNOW WE'VE BEEN HERE
|
|
}
|
|
}()
|
|
err = c.sh.createChains()
|
|
runtimex.PanicOnError(err, "c.sh.createChains failed")
|
|
// Implementation note: we want the RST rules to be first such
|
|
// that we end up enforcing them before the drop rules.
|
|
for _, keyword := range c.ResetKeywordsHex {
|
|
err = c.sh.rstIfContainsKeywordHexAndIsTCP(keyword)
|
|
runtimex.PanicOnError(err, "c.sh.rstIfContainsKeywordHexAndIsTCP failed")
|
|
}
|
|
for _, keyword := range c.ResetKeywords {
|
|
err = c.sh.rstIfContainsKeywordAndIsTCP(keyword)
|
|
runtimex.PanicOnError(err, "c.sh.rstIfContainsKeywordAndIsTCP failed")
|
|
}
|
|
for _, ip := range c.ResetIPs {
|
|
err = c.sh.rstIfDestinationEqualsAndIsTCP(ip)
|
|
runtimex.PanicOnError(err, "c.sh.rstIfDestinationEqualsAndIsTCP failed")
|
|
}
|
|
for _, keyword := range c.DropKeywordsHex {
|
|
err = c.sh.dropIfContainsKeywordHex(keyword)
|
|
runtimex.PanicOnError(err, "c.sh.dropIfContainsKeywordHex failed")
|
|
}
|
|
for _, keyword := range c.DropKeywords {
|
|
err = c.sh.dropIfContainsKeyword(keyword)
|
|
runtimex.PanicOnError(err, "c.sh.dropIfContainsKeyword failed")
|
|
}
|
|
for _, ip := range c.DropIPs {
|
|
err = c.sh.dropIfDestinationEquals(ip)
|
|
runtimex.PanicOnError(err, "c.sh.dropIfDestinationEquals failed")
|
|
}
|
|
if c.HijackDNSAddress != "" {
|
|
err = c.sh.hijackDNS(c.HijackDNSAddress)
|
|
runtimex.PanicOnError(err, "c.sh.hijackDNS failed")
|
|
}
|
|
if c.HijackHTTPSAddress != "" {
|
|
err = c.sh.hijackHTTPS(c.HijackHTTPSAddress)
|
|
runtimex.PanicOnError(err, "c.sh.hijackHTTPS failed")
|
|
}
|
|
if c.HijackHTTPAddress != "" {
|
|
err = c.sh.hijackHTTP(c.HijackHTTPAddress)
|
|
runtimex.PanicOnError(err, "c.sh.hijackHTTP failed")
|
|
}
|
|
return
|
|
}
|
|
|
|
// Waive removes any censorship policy
|
|
func (c *CensoringPolicy) Waive() error {
|
|
return c.sh.waive()
|
|
}
|