authorRuben Pollan <meskio@sindominio.net>2018-07-09 14:52:03 +0200
committerRuben Pollan <meskio@sindominio.net>2018-07-09 14:52:03 +0200
commitad175ba3a88b0add9688f402beefd6fdb9d7edde (patch)
treea9527e1b83a2f140a0b8abe207a5e0467cec960f
parenteb9fd2fda54a17ddcabc596b0b6555ab4e1df205 (diff)
[feat] provide gateways to the firewall
- Resolves: #10
-rw-r--r--helper/darwin.go82
-rw-r--r--helper/helper.go30
-rw-r--r--helper/linux.go9
-rw-r--r--helper/windows.go9
4 files changed, 74 insertions, 56 deletions
diff --git a/helper/darwin.go b/helper/darwin.go
index 74fe73b..48caaa4 100644
--- a/helper/darwin.go
+++ b/helper/darwin.go
@@ -27,11 +27,12 @@ To inspect the rules in the firewall manually, use the bitmask anchor:
package main
import (
+ "errors"
"fmt"
"log"
- "net/http"
"os"
"os/exec"
+ "path"
"strings"
)
@@ -39,7 +40,7 @@ const (
logPath = "/Applications/RiseupVPN.app/Contents/helper/helper.log"
openvpnPath = "/Applications/RiseupVPN.app/Contents/Resources/openvpn.leap"
- rulefile = "/Applications/RiseupVPN.app/Contents/helper/bitmask.pf.conf"
+ rulefilePath = "/Applications/RiseupVPN.app/Contents/helper/bitmask.pf.conf"
bitmask_anchor = "com.apple/250.BitmaskFirewall"
gateways_table = "bitmask_gateways"
nameserver = "10.42.0.1"
@@ -57,22 +58,18 @@ func kill(cmd *exec.Cmd) error {
return cmd.Process.Signal(os.Interrupt)
}
-type firewallT struct{}
-
-func (firewall *firewallT) start(w http.ResponseWriter, r *http.Request) {
+func firewallStart(gateways []string) error {
enablePf()
+ err := resetGatewaysTable(gateways)
+ if err != nil {
+ return err
+ }
- // TODO pass gateways
- //resetGatewaysTable(gateways)
- resetGatewaysTable()
-
- loadBitmaskAnchor()
- log.Println("Start firewall: firewall started")
+ return loadBitmaskAnchor()
}
-func (firewall *firewallT) stop(w http.ResponseWriter, r *http.Request) {
- flushBitmaskAnchor()
- log.Println("Stop firewall: firewall stopped")
+func firewallStop() error {
+ return exec.Command(pfctl, "-a", bitmask_anchor, "-F", "all").Run()
}
func enablePf() {
@@ -80,13 +77,13 @@ func enablePf() {
cmd.Run()
}
-func resetGatewaysTable() {
- // TODO pass gateways as parameter instead
- gateways := [2]string{"199.58.81.145", "5.79.86.180"}
-
+func resetGatewaysTable(gateways []string) error {
log.Println("Resetting gateways")
cmd := exec.Command(pfctl, "-a", bitmask_anchor, "-t", gateways_table, "-T", "delete")
err := cmd.Run()
+ if err != nil {
+ return err
+ }
for _, gateway := range gateways {
log.Println("Adding Gateway:", gateway)
@@ -98,10 +95,7 @@ func resetGatewaysTable() {
}
cmd = exec.Command(pfctl, "-a", bitmask_anchor, "-t", gateways_table, "-T", "add", nameserver)
- err = cmd.Run()
- if err != nil {
- log.Printf("Error adding nameserver: %v", err)
- }
+ return cmd.Run()
}
@@ -113,35 +107,37 @@ func getDefaultDevice() string {
return strings.TrimSpace(bytesToString(out))
}
-func loadBitmaskAnchor() {
- // TODO check that rulefile exists
-
+func loadBitmaskAnchor() error {
dev := getDefaultDevice()
- cmdline := fmt.Sprintf("%s -D default_device=%s -a %s -f %s", pfctl, dev, bitmask_anchor, rulefile)
+ rulePath, err := getRulefilePath()
+ if err != nil {
+ return err
+ }
+ cmdline := fmt.Sprintf("%s -D default_device=%s -a %s -f %s", pfctl, dev, bitmask_anchor, rulePath)
log.Println("Loading Bitmask Anchor:", cmdline)
- _, err := exec.Command("/bin/sh", "-c", cmdline).Output()
- if err != nil {
- log.Printf("Error loading Bitmask anchor: %v\n", err)
- }
+ _, err = exec.Command("/bin/sh", "-c", cmdline).Output()
+ return err
}
-func flushBitmaskAnchor() {
- exec.Command(pfctl, "-a", bitmask_anchor, "-F", "all").Run()
+func getRulefilePath() (string, error) {
+ if _, err := os.Stat(rulefilePath); !os.IsNotExist(err) {
+ return rulefilePath, nil
+ }
+
+ gopath := os.Getenv("GOPATH")
+ if gopath == "" {
+ gopath = path.Join(os.Getenv("HOME"), "go")
+ }
+ rulefile := path.Join(gopath, "0xacab.org", "leap", "riseup_vpn", "osx", "bitmask.pf.conf")
+
+ if _, err := os.Stat(rulefile); !os.IsNotExist(err) {
+ return rulefile, nil
+ }
+ return "", errors.New("Can't find rule file for the firewall")
}
func bytesToString(data []byte) string {
return string(data[:])
}
-
-// for testing
-
-/*
-func main() {
- enablePf()
- flushBitmaskAnchor()
- resetGatewaysTable()
- loadBitmaskAnchor()
-}
-*/
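Review bot: loadBitmaskAnchor still assembles the pfctl invocation as a string and runs it through `/bin/sh -c`, now splicing in `dev` (the output of getDefaultDevice) and `rulePath` (which getRulefilePath can derive from `GOPATH`/`HOME`); a privileged helper should not route values it did not produce itself through a shell when pfctl can be invoked directly, `_, err = exec.Command(pfctl, "-D", "default_device="+dev, "-a", bitmask_anchor, "-f", rulePath).Output()`, logging the argument slice instead of the cmdline string. The fallback in getRulefilePath also means that when the installed rule file is missing, the helper will load firewall rules from a location resolved from environment variables rather than from the helper directory; if that is intended only for development, gate it behind a build tag or an explicit flag instead of leaving it in the default lookup order. Minor: `!os.IsNotExist(err)` treats any Stat error other than not-exist (a permission error, say) as "found", so the path is returned and the failure only surfaces later from pfctl; `err == nil` is the clearer condition. Per Go convention the error string should also be lowercase, `errors.New("can't find rule file for the firewall")`.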
diff --git a/helper/helper.go b/helper/helper.go
index 04eafc7..4671868 100644
--- a/helper/helper.go
+++ b/helper/helper.go
@@ -74,11 +74,10 @@ func daemonize() {
func serveHTTP() {
openvpn := openvpnT{nil}
- firewall := firewallT{}
http.HandleFunc("/openvpn/start", openvpn.start)
http.HandleFunc("/openvpn/stop", openvpn.stop)
- http.HandleFunc("/firewall/start", firewall.start)
- http.HandleFunc("/firewall/stop", firewall.stop)
+ http.HandleFunc("/firewall/start", firewallStartHandler)
+ http.HandleFunc("/firewall/stop", firewallStopHandler)
log.Fatal(http.ListenAndServe(bindAddr, nil))
}
@@ -139,6 +138,31 @@ func (openvpn *openvpnT) kill() error {
return nil
}
+func firewallStartHandler(w http.ResponseWriter, r *http.Request) {
+ gateways, err := getArgs(r)
+ if err != nil {
+ log.Printf("An error has occurred processing gateways: %v", err)
+ w.Write([]byte(err.Error()))
+ return
+ }
+
+ err = firewallStart(gateways)
+ if err != nil {
+ log.Printf("Error starting firewall: %v", err)
+ w.Write([]byte(err.Error()))
+ }
+ log.Println("Start firewall: firewall started")
+}
+
+func firewallStopHandler(w http.ResponseWriter, r *http.Request) {
+ err := firewallStop()
+ if err != nil {
+ log.Printf("Error stoping firewall: %v", err)
+ w.Write([]byte(err.Error()))
+ }
+ log.Println("Stop firewall: firewall stopped")
+}
+
func getArgs(r *http.Request) ([]string, error) {
args := []string{}
decoder := json.NewDecoder(r.Body)
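Review bot: firewallStartHandler does not return after `firewallStart(gateways)` fails, so the handler still logs "Start firewall: firewall started" on the failure path, and on both error paths it writes the error text with `w.Write` before any status has been set, which answers 200 OK; firewallStopHandler has the same pattern. Replace each `w.Write([]byte(err.Error()))` with `http.Error(w, err.Error(), http.StatusInternalServerError)` and add `return` after the one in the firewallStart branch. Since the gateways arrive from the request body via getArgs and are handed straight to pfctl on darwin, it would also be worth rejecting entries that `net.ParseIP` does not accept before calling firewallStart, assuming the table is meant to hold plain addresses. getArgs continues outside the hunk.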
diff --git a/helper/linux.go b/helper/linux.go
index 5b167fb..ba43d82 100644
--- a/helper/linux.go
+++ b/helper/linux.go
@@ -18,7 +18,6 @@ package main
import (
"log"
- "net/http"
"os"
"os/exec"
)
@@ -40,12 +39,12 @@ func kill(cmd *exec.Cmd) error {
return cmd.Process.Signal(os.Interrupt)
}
-type firewallT struct{}
-
-func (firewall *firewallT) start(w http.ResponseWriter, r *http.Request) {
+func firewallStart(gateways []string) error {
log.Println("Start firewall: do nothing, not implemented")
+ return nil
}
-func (firewall *firewallT) stop(w http.ResponseWriter, r *http.Request) {
+func firewallStop() error {
log.Println("Stop firewall: do nothing, not implemented")
+ return nil
}
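Review bot: The linux firewallStart stub ignores `gateways` and returns nil, so firewallStartHandler will log "firewall started" and answer with success on a platform where no firewall rule is installed; the windows.go hunk is identical. If the client treats a successful /firewall/start as confirmation that traffic is restricted, consider returning an explicit error such as `errors.New("firewall not implemented on this platform")`, or at least add a doc comment on both stubs stating that they are no-ops that always return nil.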
diff --git a/helper/windows.go b/helper/windows.go
index a2e538f..47f53ff 100644
--- a/helper/windows.go
+++ b/helper/windows.go
@@ -18,7 +18,6 @@ package main
import (
"log"
- "net/http"
"os"
"os/exec"
)
@@ -42,12 +41,12 @@ func kill(cmd *exec.Cmd) error {
return cmd.Process.Kill()
}
-type firewallT struct{}
-
-func (firewall *firewallT) start(w http.ResponseWriter, r *http.Request) {
+func firewallStart(gateways []string) error {
log.Println("Start firewall: do nothing, not implemented")
+ return nil
}
-func (firewall *firewallT) stop(w http.ResponseWriter, r *http.Request) {
+func firewallStop() error {
log.Println("Stop firewall: do nothing, not implemented")
+ return nil
}