import asyncdispatch, asyncnet, strformat
from net import IpAddress, Port, `$`, `==`, getPrimaryIPAddr
from nativesockets import setSockOptInt
import asyncutils
import ip_packet
import network_interface
import raw_socket
# C-level constants for setsockopt(IPPROTO_IP, IP_TTL, ...), used by the
# connect/accept probes below to give their SYNs a short TTL. Declared as
# `var` because the values are imported from the C header, not defined here.
var IPPROTO_IP {.importc: "IPPROTO_IP", header: "<netinet/in.h>".}: cint
var IP_TTL {.importc: "IP_TTL", header: "<netinet/in.h>".}: cint
type
  TcpSyniPuncher* = object
    ## State for one TCP hole-punching attempt towards a single peer.
    ## Built by initPuncher, torn down by cleanup.
    srcIp: IpAddress          ## local address that routes to dstIp (getPrimaryIPAddr)
    srcPort: Port             ## local port every probe binds to (SO_REUSEADDR)
    dstIp: IpAddress          ## the peer's address
    dstPorts: array[10, Port] ## predicted peer ports, consecutive from a base (initPuncher)
    seqNums: seq[uint32]      ## sequence numbers handed to initPuncher; the accepting
                              ## side injects one SYN per entry (injectSyns). How they
                              ## travel from the peer is outside this module.
  # Invoked by captureSeqNumbers with the sequence numbers of our own outgoing SYNs.
  PunchProgressCb* = proc (seqNums: seq[uint32]) {.async.}
  # Raised when an iptables rule cannot be added or removed.
  PunchHoleError* = object of ValueError
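proc firewallRuleCmd(action: string, srcIp: IpAddress, srcPort: Port,
                     dstIp: IpAddress, dstPort: Port): string =
  ## Builds the iptables command shared by add ("-A") and delete ("-D").
  ## The rule drops the ICMP time-exceeded errors that conntrack relates to
  ## the TCP flow srcIp:srcPort -> dstIp:dstPort, so a low-TTL SYN expiring
  ## in transit does not abort the local connection attempt.
  ##
  ## The command is assembled on a single line so it does not depend on the
  ## executor honouring backslash-newline continuations. The interpolated
  ## values are an IpAddress rendered with `$` and port integers, so no shell
  ## metacharacters can reach the command line — keep it that way if these
  ## inputs ever become plain strings.
  result = "iptables " & action & " INPUT"
  result.add " -d " & $srcIp
  result.add " -p icmp --icmp-type time-exceeded"
  result.add " -m conntrack --ctstate RELATED --ctproto tcp"
  result.add " --ctorigsrc " & $srcIp
  result.add " --ctorigsrcport " & $srcPort.int
  result.add " --ctorigdst " & $dstIp
  result.add " --ctorigdstport " & $dstPort.int
  result.add " -j DROP"

proc addFirewallRule(srcIp: IpAddress, srcPort: Port,
                     dstIp: IpAddress, dstPort: Port) {.async.} =
  ## Installs the DROP rule for one flow (see firewallRuleCmd).
  ## Raises PunchHoleError when iptables exits non-zero (e.g. missing
  ## privileges — this needs root / CAP_NET_ADMIN — or no iptables binary).
  # NOTE(review): "-A" appends to INPUT. If an earlier rule already accepts
  # RELATED traffic the DROP never matches; "-I" would make it take
  # precedence. Confirm against the target hosts' rulesets before changing.
  let cmd = firewallRuleCmd("-A", srcIp, srcPort, dstIp, dstPort)
  let exitcode = await asyncExecCmd(cmd)
  if exitcode != 0:
    raise newException(PunchHoleError, "cannot add firewall rule")

proc delFirewallRule(srcIp: IpAddress, srcPort: Port,
                     dstIp: IpAddress, dstPort: Port) {.async.} =
  ## Removes the rule installed by addFirewallRule for the same flow.
  ## Raises PunchHoleError when iptables exits non-zero (including when the
  ## rule is already gone — iptables -D fails on a missing rule).
  let cmd = firewallRuleCmd("-D", srcIp, srcPort, dstIp, dstPort)
  let exitcode = await asyncExecCmd(cmd)
  if exitcode != 0:
    raise newException(PunchHoleError, "cannot delete firewall rule")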
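proc captureSeqNumbers(puncher: TcpSyniPuncher, rawFd: AsyncFD,
                       cb: PunchProgressCb) {.async.} =
  ## Reads frames from the capture socket `rawFd` until one outgoing SYN
  ## has been seen for every entry of puncher.dstPorts, then hands the
  ## collected sequence numbers to `cb` (in order of observation).
  ##
  ## Only frames whose TCP 4-tuple is srcIp:srcPort -> dstIp:<a dstPort>
  ## are considered; everything else on the wire is ignored. Each
  ## destination port contributes at most one sequence number, so a
  ## retransmitted SYN cannot fill the list on behalf of a port whose SYN
  ## was never observed (the previous code counted duplicates).
  ##
  ## `cb` is also invoked, possibly with fewer entries than ports, when
  ## recv returns "" (socket closed).
  # FIXME: no timeout — if a SYN never shows up this loops until the socket
  # is closed.
  # NOTE(review): the capture socket sees arbitrary traffic, so
  # parseEthernetPacket must tolerate malformed/truncated frames without
  # raising; not verifiable from here.
  var seqNums = newSeq[uint32]()
  var seen = newSeq[bool](puncher.dstPorts.len)
  while seqNums.len < puncher.dstPorts.len:
    let packet = await rawFd.recv(4000)
    if packet == "":
      break
    echo "packet len: ", packet.len
    let parsed = parseEthernetPacket(packet)
    if parsed.protocol == tcp and
       parsed.tcpIpSrc == puncher.srcIp and
       parsed.tcpPortSrc.int == puncher.srcPort.int and
       parsed.tcpIpDst == puncher.dstIp:
      for i, port in puncher.dstPorts.pairs:
        if parsed.tcpPortDst.int == port.int:
          if not seen[i]:
            seen[i] = true
            seqNums.add(parsed.tcpSeqNumber)
          break
  await cb(seqNums)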
proc injectSyns(rawFd: AsyncFD, srcIp: IpAddress, srcPort: Port,
                dstIp: IpAddress, dstPort: Port,
                seqNums: seq[uint32]) {.async.} =
  ## Writes one raw TCP SYN per entry of `seqNums` to `rawFd`.
  ##
  ## Every packet carries IP src/dst `srcIp`/`dstIp` but TCP source port
  ## `dstPort` and TCP destination port `srcPort` — the ports are crossed
  ## relative to the addresses. Presumably that is what the injecting
  ## socket expects; verify against setupTcpInjectingSocket before touching.
  ## Sends are fire-and-forget (asyncCheck): a failed send is reported only
  ## through asyncCheck's error path, never to the caller.
  for num in seqNums:
    let syn = IpPacket(protocol: tcp,
                       tcpSeqNumber: num,
                       tcpPortSrc: dstPort,
                       tcpPortDst: srcPort,
                       tcpIpSrc: srcIp,
                       tcpIpDst: dstIp)
    let wire = serialize(syn)
    asyncCheck rawFd.send(wire)
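proc initPuncher*(srcPort: Port, dstIp: IpAddress, dstPorts: array[3, Port],
                  seqNums: seq[uint32] = @[]): Future[TcpSyniPuncher] {.async.} =
  ## Builds a puncher for the peer at `dstIp`: picks the local address that
  ## routes to it, predicts ten candidate peer ports and installs one DROP
  ## rule per candidate (addFirewallRule, needs root / CAP_NET_ADMIN).
  ##
  ## If a rule cannot be installed, the rules already added are removed
  ## (best effort) before the error propagates, so a failed call does not
  ## leave a half-configured firewall behind. Raises PunchHoleError.
  let localIp = getPrimaryIPAddr(dstIp)
  # TODO: do real port prediction. For now the ten ports starting at the
  # middle observed port are assumed (dstPorts[0] and [2] are unused), with
  # the base clamped so basePort + 9 cannot overflow uint16.
  var predictedDstPorts: array[10, Port]
  let basePort = min(dstPorts[1].uint16, uint16.high - 9)
  for i in 0.uint16 .. 9.uint16:
    predictedDstPorts[i] = Port(basePort + i)
  result = TcpSyniPuncher(srcIp: localIp, srcPort: srcPort, dstIp: dstIp,
                          dstPorts: predictedDstPorts, seqNums: seqNums)
  # Install rules one by one; remember how many succeeded so they can be
  # rolled back. The failure is stored rather than re-raised inside the
  # except branch to keep every await out of except blocks.
  var installed = 0
  var failure: ref PunchHoleError = nil
  for dstPort in result.dstPorts:
    try:
      await addFirewallRule(result.srcIp, result.srcPort, result.dstIp, dstPort)
      inc installed
    except PunchHoleError as e:
      failure = e
      break
  if not failure.isNil:
    for i in 0 ..< installed:
      try:
        await delFirewallRule(result.srcIp, result.srcPort, result.dstIp,
                              result.dstPorts[i])
      except PunchHoleError:
        discard  # best effort; the original failure is what the caller sees
    raise failure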
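proc cleanup*(puncher: TcpSyniPuncher) {.async.} =
  ## Removes every DROP rule installed by initPuncher.
  ##
  ## Every rule is attempted even if an earlier deletion fails, so one
  ## stale or already-removed rule does not leave the others behind. If any
  ## deletion failed, PunchHoleError is raised afterwards naming the
  ## affected peer ports.
  var failedPorts = ""
  for dstPort in puncher.dstPorts:
    try:
      await delFirewallRule(puncher.srcIp, puncher.srcPort, puncher.dstIp, dstPort)
    except PunchHoleError:
      if failedPorts.len > 0:
        failedPorts.add ", "
      failedPorts.add $dstPort.int
  if failedPorts.len > 0:
    raise newException(PunchHoleError,
                       "cannot delete firewall rule for ports " & failedPorts)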
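proc doConnect(srcIp: IpAddress, srcPort: Port, dstIp: IpAddress,
               dstPort: Port, future: Future[AsyncSocket]) {.async.} =
  ## One probe of the connecting side: binds srcIp:srcPort (SO_REUSEADDR so
  ## all probes can share the port), sets IP_TTL to 2 and tries to connect
  ## to dstIp:dstPort. The first probe that connects completes `future`;
  ## a probe that connects after the future is already completed closes
  ## its socket instead of completing twice (which would raise). Failures
  ## are printed to stdout and swallowed — best effort by design — and
  ## the socket is closed so nothing leaks.
  let sock = newAsyncSocket()
  sock.setSockOpt(OptReuseAddr, true)
  # TTL 2: the SYN is meant to expire a couple of hops out (presumably past
  # our NAT) rather than reach the peer; the ICMP time-exceeded it triggers
  # is what addFirewallRule's DROP rule suppresses, so the kernel keeps the
  # attempt alive instead of failing it.
  sock.getFd.setSockOptInt(IPPROTO_IP, IP_TTL, 2)
  sock.bindAddr(srcPort, $srcIp)
  try:
    await sock.connect($dstIp, dstPort)
    if future.finished:
      sock.close()
    else:
      future.complete(sock)
  except OSError as e:
    echo &"connection {srcIp}:{srcPort.int} -> {dstIp}:{dstPort.int} failed: ", e.msg
    sock.close()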
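proc doAccept(srcIp: IpAddress, srcPort: Port, dstIp: IpAddress, dstPort: Port,
              future: Future[AsyncSocket]) {.async.} =
  ## One probe of the accepting side. Like doConnect it binds srcIp:srcPort
  ## with a TTL of 2 and sends a SYN towards dstIp:dstPort; a connect that
  ## actually succeeds here is unexpected and the socket is closed. It then
  ## waits in accept() and completes `future` with the first connection;
  ## a probe that loses the race to an earlier one closes its connection
  ## rather than completing the future twice. Sockets of failed probes are
  ## closed (once — never after the success branch already closed them).
  # NOTE(review): accept() is called on a socket that never had listen()
  # called on it, and that was already closed when the connect succeeded;
  # as written this appears to always end in the failure branch below.
  # Verify the intended connect/listen/accept sequence before relying on
  # accept*.
  let sock = newAsyncSocket()
  sock.setSockOpt(OptReuseAddr, true)
  sock.getFd.setSockOptInt(IPPROTO_IP, IP_TTL, 2)
  sock.bindAddr(srcPort, $srcIp)
  var open = true
  try:
    await sock.connect($dstIp, dstPort)
    echo "connected during accept phase"
    sock.close()
    open = false
  except OSError:
    discard
  try:
    let connectedSock = await sock.accept()
    if future.finished:
      connectedSock.close()
    else:
      future.complete(connectedSock)
  except OSError as e:
    echo &"connection {srcIp}:{srcPort.int} -> {dstIp}:{dstPort.int} failed: ", e.msg
    if open:
      sock.close()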
proc connect*(puncher: TcpSyniPuncher,
              progressCb: PunchProgressCb): Future[AsyncSocket] =
  ## Connecting side of the punch. Opens an Ethernet-level capture socket on
  ## the interface that owns puncher.srcIp, starts sniffing our own outgoing
  ## SYNs (captureSeqNumbers reports their sequence numbers via
  ## `progressCb`) and fires one low-TTL connect probe per predicted peer
  ## port. The returned future is completed by whichever probe connects
  ## first. Nothing here fails the future or closes the capture socket, so
  ## a caller wanting a bound on the wait must add its own timeout.
  ## Requires raw-socket privileges (CAP_NET_RAW) for the capture.
  let connected = newFuture[AsyncSocket]("tcp_syni.connect")
  let iface = fromIpAddress($puncher.srcIp)
  let captureFd = setupEthernetCapturingSocket(iface)
  # the sniffer is started before any SYN goes out, presumably so none is missed
  asyncCheck captureSeqNumbers(puncher, captureFd, progressCb)
  for port in puncher.dstPorts:
    asyncCheck doConnect(puncher.srcIp, puncher.srcPort, puncher.dstIp, port,
                         connected)
  connected
proc accept*(puncher: TcpSyniPuncher): Future[AsyncSocket] =
  ## Accepting side of the punch. For each predicted peer port it starts an
  ## accept probe (doAccept) and, on a raw TCP-injecting socket, writes one
  ## SYN per entry of puncher.seqNums (injectSyns) — so the injection runs
  ## once per port, inside the loop. The future completes with the first
  ## probe that yields a connection; as with connect* there is no timeout
  ## and the raw socket is never closed here. Requires raw-socket
  ## privileges (CAP_NET_RAW).
  let accepted = newFuture[AsyncSocket]("tcp_syni.accept")
  let injectFd = setupTcpInjectingSocket()
  for port in puncher.dstPorts:
    asyncCheck doAccept(puncher.srcIp, puncher.srcPort, puncher.dstIp, port,
                        accepted)
    asyncCheck injectSyns(injectFd, puncher.srcIp, puncher.srcPort,
                          puncher.dstIp, port, puncher.seqNums)
  accepted