christian
/
punchd
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

fix firewall logic

This commit is contained in:
Christian Ulrich 2020-08-18 00:34:21 +02:00
parent a1fbc27c54
commit f5d36f82d5
No known key found for this signature in database
GPG Key ID: 8241BE099775A097
2 changed files with 23 additions and 16 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
punchd.nim
View File

@ -61,11 +61,9 @@ proc handleRequest(line: string, unixSock: AsyncSocket) {.async.} =
let unixFd = unixSock.getFd.AsyncFD let unixFd = unixSock.getFd.AsyncFD
await unixFd.asyncSendMsg(&"ok|{id}\n", @[fromFd(sock.getFd.AsyncFD)]) await unixFd.asyncSendMsg(&"ok|{id}\n", @[fromFd(sock.getFd.AsyncFD)])
await puncher.cleanup
except PunchHoleError as e: except PunchHoleError as e:
await unixSock.send(&"error|{id}|{e.msg}\n") await unixSock.send(&"error|{id}|{e.msg}\n")
await puncher.cleanup
except ValueError: except ValueError:
unixSock.close unixSock.close

33
tcp_syni.nim
View File

@ -35,10 +35,7 @@ proc addFirewallRule(srcIp: IpAddress, srcPort: Port,
--ctorigdst {dstIp} \ --ctorigdst {dstIp} \
--ctorigdstport {dstPort.int} \ --ctorigdstport {dstPort.int} \
-j DROP""" -j DROP"""
try:
discard await asyncExecCmd(firewall_cmd) discard await asyncExecCmd(firewall_cmd)
except OSError:
raise newException(PunchHoleError, "cannot add firewall rule")
proc delFirewallRule(srcIp: IpAddress, srcPort: Port, proc delFirewallRule(srcIp: IpAddress, srcPort: Port,
dstIp: IpAddress, dstPort: Port) {.async.} = dstIp: IpAddress, dstPort: Port) {.async.} =
@ -54,10 +51,7 @@ proc delFirewallRule(srcIp: IpAddress, srcPort: Port,
--ctorigdst {dstIp} \ --ctorigdst {dstIp} \
--ctorigdstport {dstPort.int} \ --ctorigdstport {dstPort.int} \
-j DROP""" -j DROP"""
try:
discard await asyncExecCmd(firewall_cmd) discard await asyncExecCmd(firewall_cmd)
except OSError:
raise newException(PunchHoleError, "cannot delete firewall rule")
proc captureSeqNumbers(puncher: TcpSyniPuncher, rawFd: AsyncFD, proc captureSeqNumbers(puncher: TcpSyniPuncher, rawFd: AsyncFD,
cb: PunchProgressCb) {.async.} = cb: PunchProgressCb) {.async.} =
@ -114,12 +108,6 @@ proc initPuncher*(srcPort: Port, dstIp: IpAddress, dstPorts: array[3, Port],
predictedDstPorts[i] = Port(basePort + i.uint16) predictedDstPorts[i] = Port(basePort + i.uint16)
result = TcpSyniPuncher(srcIp: localIp, srcPort: srcPort, dstIp: dstIp, result = TcpSyniPuncher(srcIp: localIp, srcPort: srcPort, dstIp: dstIp,
dstPorts: predictedDstPorts, seqNums: seqNums) dstPorts: predictedDstPorts, seqNums: seqNums)
for dstPort in result.dstPorts:
await addFirewallRule(result.srcIp, result.srcPort, result.dstIp, dstPort)
proc cleanup*(puncher: TcpSyniPuncher) {.async.} =
for dstPort in puncher.dstPorts:
await delFirewallRule(puncher.srcIp, puncher.srcPort, puncher.dstIp, dstPort)
proc doConnect(srcIp: IpAddress, srcPort: Port, dstIp: IpAddress, proc doConnect(srcIp: IpAddress, srcPort: Port, dstIp: IpAddress,
dstPort: Port, future: Future[AsyncSocket]) {.async.} = dstPort: Port, future: Future[AsyncSocket]) {.async.} =
@ -127,12 +115,21 @@ proc doConnect(srcIp: IpAddress, srcPort: Port, dstIp: IpAddress,
sock.setSockOpt(OptReuseAddr, true) sock.setSockOpt(OptReuseAddr, true)
sock.getFd.setSockOptInt(IPPROTO_IP, IP_TTL, 2) sock.getFd.setSockOptInt(IPPROTO_IP, IP_TTL, 2)
sock.bindAddr(srcPort, $srcIp) sock.bindAddr(srcPort, $srcIp)
try:
await addFirewallRule(srcIp, srcPort, dstIp, dstPort)
except OSError as e:
echo "cannot add firewall rule: ", e.msg
return
try: try:
await sock.connect($dstIp, dstPort) await sock.connect($dstIp, dstPort)
future.complete(sock) future.complete(sock)
except OSError as e: except OSError as e:
echo &"connection {srcIP}:{srcPort.int} -> {dstIp}:{dstPort.int} failed: ", e.msg echo &"connection {srcIP}:{srcPort.int} -> {dstIp}:{dstPort.int} failed: ", e.msg
discard discard
try:
await delFirewallRule(srcIp, srcPort, dstIp, dstPort)
except OSError as e:
echo "cannot delete firewall rule: ", e.msg
proc doAccept(puncher: TcpSyniPuncher, future: Future[AsyncSocket]) {.async.} = proc doAccept(puncher: TcpSyniPuncher, future: Future[AsyncSocket]) {.async.} =
for dstPort in puncher.dstPorts: for dstPort in puncher.dstPorts:
@ -147,6 +144,12 @@ proc doAccept(puncher: TcpSyniPuncher, future: Future[AsyncSocket]) {.async.} =
sock.close() sock.close()
except OSError: except OSError:
discard discard
try:
await addFirewallRule(puncher.srcIp, puncher.srcPort, puncher.dstIp,
dstPort)
except OSError as e:
echo "cannot add firewall rule: ", e.msg
return
try: try:
# FIXME: timeout # FIXME: timeout
let rawFd = setupTcpInjectingSocket() let rawFd = setupTcpInjectingSocket()
@ -163,6 +166,12 @@ proc doAccept(puncher: TcpSyniPuncher, future: Future[AsyncSocket]) {.async.} =
except OSError as e: except OSError as e:
echo &"accepting connections from {puncher.dstIP}:{puncher.dstPorts[0].int} failed: ", e.msg echo &"accepting connections from {puncher.dstIP}:{puncher.dstPorts[0].int} failed: ", e.msg
discard discard
for dstPort in puncher.dstPorts:
try:
await delFirewallRule(puncher.srcIp, puncher.srcPort, puncher.dstIp,
dstPort)
except OSError as e:
echo "cannot delete firewall rule: ", e.msg
proc connect*(puncher: TcpSyniPuncher, proc connect*(puncher: TcpSyniPuncher,
progressCb: PunchProgressCb): Future[AsyncSocket] = progressCb: PunchProgressCb): Future[AsyncSocket] =