From ad175ba3a88b0add9688f402beefd6fdb9d7edde Mon Sep 17 00:00:00 2001 From: Ruben Pollan Date: Mon, 9 Jul 2018 14:52:03 +0200 Subject: [feat] provide gateways to the firewall - Resolves: #10 --- helper/darwin.go | 82 ++++++++++++++++++++++++++----------------------------- helper/helper.go | 30 ++++++++++++++++++-- helper/linux.go | 9 +++--- helper/windows.go | 9 +++--- 4 files changed, 74 insertions(+), 56 deletions(-) diff --git a/helper/darwin.go b/helper/darwin.go index 74fe73b..48caaa4 100644 --- a/helper/darwin.go +++ b/helper/darwin.go @@ -27,11 +27,12 @@ To inspect the rules in the firewall manually, use the bitmask anchor: package main import ( + "errors" "fmt" "log" - "net/http" "os" "os/exec" + "path" "strings" ) @@ -39,7 +40,7 @@ const ( logPath = "/Applications/RiseupVPN.app/Contents/helper/helper.log" openvpnPath = "/Applications/RiseupVPN.app/Contents/Resources/openvpn.leap" - rulefile = "/Applications/RiseupVPN.app/Contents/helper/bitmask.pf.conf" + rulefilePath = "/Applications/RiseupVPN.app/Contents/helper/bitmask.pf.conf" bitmask_anchor = "com.apple/250.BitmaskFirewall" gateways_table = "bitmask_gateways" nameserver = "10.42.0.1" @@ -57,22 +58,18 @@ func kill(cmd *exec.Cmd) error { return cmd.Process.Signal(os.Interrupt) } -type firewallT struct{} - -func (firewall *firewallT) start(w http.ResponseWriter, r *http.Request) { +func firewallStart(gateways []string) error { enablePf() + err := resetGatewaysTable(gateways) + if err != nil { + return err + } - // TODO pass gateways - //resetGatewaysTable(gateways) - resetGatewaysTable() - - loadBitmaskAnchor() - log.Println("Start firewall: firewall started") + return loadBitmaskAnchor() } -func (firewall *firewallT) stop(w http.ResponseWriter, r *http.Request) { - flushBitmaskAnchor() - log.Println("Stop firewall: firewall stopped") +func firewallStop() error { + return exec.Command(pfctl, "-a", bitmask_anchor, "-F", "all").Run() } func enablePf() { 
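Review bot: firewallStart in helper/darwin.go hands the gateways slice straight to resetGatewaysTable without checking that each entry is an IP address, and that slice comes from the HTTP request body via getArgs (see the firewallStartHandler hunk in helper/helper.go). pfctl's `-T add` accepts hostnames and network prefixes as well as single addresses, so an unvalidated entry could widen the gateways table well beyond the intended hosts, and since the helper is the privileged side of the split this check belongs here rather than in the client. A guard at the top of firewallStart is enough: `for _, g := range gateways { if net.ParseIP(g) == nil { return fmt.Errorf("invalid gateway address %q", g) } }` (with "net" added to the import hunk above). Note also that enablePf() still returns nothing, so a failure to enable pf is not surfaced even though the function now reports errors from the other two steps; enablePf's body lies outside this hunk.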
@@ -80,13 +77,13 @@ func enablePf() { cmd.Run() } -func resetGatewaysTable() { - // TODO pass gateways as parameter instead - gateways := [2]string{"199.58.81.145", "5.79.86.180"} - +func resetGatewaysTable(gateways []string) error { log.Println("Resetting gateways") cmd := exec.Command(pfctl, "-a", bitmask_anchor, "-t", gateways_table, "-T", "delete") err := cmd.Run() + if err != nil { + return err + } for _, gateway := range gateways { log.Println("Adding Gateway:", gateway) @@ -98,10 +95,7 @@ func resetGatewaysTable() { } cmd = exec.Command(pfctl, "-a", bitmask_anchor, "-t", gateways_table, "-T", "add", nameserver) - err = cmd.Run() - if err != nil { - log.Printf("Error adding nameserver: %v", err) - } + return cmd.Run() } 
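Review bot: The bare `return err` after the `-T delete` in resetGatewaysTable drops the context the old log line carried, and an exec error from pfctl is typically just "exit status N" because Run() discards stderr; the same applies to `return cmd.Run()` for the nameserver add in the next hunk and to firewallStop earlier in the file. Wrapping at each site keeps the failing step identifiable once the error reaches the handler, e.g. `return fmt.Errorf("deleting %s entries: %v", gateways_table, err)`, or use CombinedOutput() and include pfctl's own message. Separately, the function now aborts on any delete failure where it previously carried on; if the table does not yet exist on the first start (presumably it is defined by the rule file that loadBitmaskAnchor loads afterwards) and pfctl reports that as an error, the firewall will never come up, so it is worth confirming that a missing table is tolerated here. The loop body that runs the add command continues past the end of the hunk.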
@@ -113,35 +107,37 @@ func getDefaultDevice() string { return strings.TrimSpace(bytesToString(out)) } -func loadBitmaskAnchor() { - // TODO check that rulefile exists - +func loadBitmaskAnchor() error { dev := getDefaultDevice() - cmdline := fmt.Sprintf("%s -D default_device=%s -a %s -f %s", pfctl, dev, bitmask_anchor, rulefile) + rulePath, err := getRulefilePath() + if err != nil { + return err + } + cmdline := fmt.Sprintf("%s -D default_device=%s -a %s -f %s", pfctl, dev, bitmask_anchor, rulePath) log.Println("Loading Bitmask Anchor:", cmdline) - _, err := exec.Command("/bin/sh", "-c", cmdline).Output() - if err != nil { - log.Printf("Error loading Bitmask anchor: %v\n", err) - } + _, err = exec.Command("/bin/sh", "-c", cmdline).Output() + return err } -func flushBitmaskAnchor() { - exec.Command(pfctl, "-a", bitmask_anchor, "-F", "all").Run() +func getRulefilePath() (string, error) { + if _, err := os.Stat(rulefilePath); !os.IsNotExist(err) { + return rulefilePath, nil + } + + gopath := os.Getenv("GOPATH") + if gopath == "" { + gopath = path.Join(os.Getenv("HOME"), "go") + } + rulefile := path.Join(gopath, "0xacab.org", "leap", "riseup_vpn", "osx", "bitmask.pf.conf") + + if _, err := os.Stat(rulefile); !os.IsNotExist(err) { + return rulefile, nil + } + return "", errors.New("Can't find rule file for the firewall") } func bytesToString(data []byte) string { return string(data[:]) } - -// for testing - -/* -func main() { - enablePf() - flushBitmaskAnchor() - resetGatewaysTable() - loadBitmaskAnchor() -} -*/ diff --git a/helper/helper.go b/helper/helper.go index 04eafc7..4671868 100644 --- a/helper/helper.go +++ b/helper/helper.go 
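Review bot: loadBitmaskAnchor still assembles a command line with fmt.Sprintf and runs it through `/bin/sh -c`, and the new rulePath argument can now come from getRulefilePath's $GOPATH/$HOME fallback, so the string is subject to shell word splitting and expansion; invoking pfctl directly removes that whole class of problems: `err = exec.Command(pfctl, "-D", "default_device="+dev, "-a", bitmask_anchor, "-f", rulePath).Run()`. In getRulefilePath, `!os.IsNotExist(err)` accepts any other Stat error (permission denied, for instance) and only fails later inside pfctl; `err == nil` is the check intended. The fallback itself means a helper running with the privileges pf requires will load its firewall policy from a directory under the user's HOME whenever the installed file is absent; that is a development convenience that should not be reachable in the shipped binary, so consider putting it behind a build tag or an explicit flag and stating that in a comment on the function. Minor: path.Join is meant for slash-separated URL paths and filepath.Join is the filesystem form, and the error string should start lowercase.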
@@ -74,11 +74,10 @@ func daemonize() { func serveHTTP() { openvpn := openvpnT{nil} - firewall := firewallT{} http.HandleFunc("/openvpn/start", openvpn.start) http.HandleFunc("/openvpn/stop", openvpn.stop) - http.HandleFunc("/firewall/start", firewall.start) - http.HandleFunc("/firewall/stop", firewall.stop) + http.HandleFunc("/firewall/start", firewallStartHandler) + http.HandleFunc("/firewall/stop", firewallStopHandler) log.Fatal(http.ListenAndServe(bindAddr, nil)) } @@ -139,6 +138,31 @@ func (openvpn *openvpnT) kill() error { return nil } +func firewallStartHandler(w http.ResponseWriter, r *http.Request) { + gateways, err := getArgs(r) + if err != nil { + log.Printf("An error has occurred processing gateways: %v", err) + w.Write([]byte(err.Error())) + return + } + + err = firewallStart(gateways) + if err != nil { + log.Printf("Error starting firewall: %v", err) + w.Write([]byte(err.Error())) + } + log.Println("Start firewall: firewall started") +} + +func firewallStopHandler(w http.ResponseWriter, r *http.Request) { + err := firewallStop() + if err != nil { + log.Printf("Error stoping firewall: %v", err) + w.Write([]byte(err.Error())) + } + log.Println("Stop firewall: firewall stopped") +} + func getArgs(r *http.Request) ([]string, error) { args := []string{} decoder := json.NewDecoder(r.Body) diff --git a/helper/linux.go b/helper/linux.go index 5b167fb..ba43d82 100644 --- a/helper/linux.go +++ b/helper/linux.go @@ -18,7 +18,6 @@ package main import ( "log" - "net/http" "os" "os/exec" ) 
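Review bot: In firewallStartHandler the error branch after firewallStart lacks a `return`, so the handler writes the error text and then logs "Start firewall: firewall started" anyway, and both handlers answer with status 200 whether or not pfctl succeeded, leaving the client no way to tell a failed start from a working firewall. The getArgs failure is a malformed request and belongs with a 400, the firewall failures with a 500; http.Error sets the status and writes the message in one call and also replaces the unchecked w.Write results. The log message in firewallStopHandler reads "stoping". Both handlers lie fully inside the hunk; the rewritten versions follow.
```go
func firewallStartHandler(w http.ResponseWriter, r *http.Request) {
	gateways, err := getArgs(r)
	if err != nil {
		log.Printf("An error has occurred processing gateways: %v", err)
		http.Error(w, err.Error(), http.StatusBadRequest)
		return
	}

	if err = firewallStart(gateways); err != nil {
		log.Printf("Error starting firewall: %v", err)
		http.Error(w, err.Error(), http.StatusInternalServerError)
		return
	}
	log.Println("Start firewall: firewall started")
}

func firewallStopHandler(w http.ResponseWriter, r *http.Request) {
	if err := firewallStop(); err != nil {
		log.Printf("Error stopping firewall: %v", err)
		http.Error(w, err.Error(), http.StatusInternalServerError)
		return
	}
	log.Println("Stop firewall: firewall stopped")
}
```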
@@ -40,12 +39,12 @@ func kill(cmd *exec.Cmd) error { return cmd.Process.Signal(os.Interrupt) } -type firewallT struct{} - -func (firewall *firewallT) start(w http.ResponseWriter, r *http.Request) { +func firewallStart(gateways []string) error { log.Println("Start firewall: do nothing, not implemented") + return nil } -func (firewall *firewallT) stop(w http.ResponseWriter, r *http.Request) { +func firewallStop() error { log.Println("Stop firewall: do nothing, not implemented") + return nil } diff --git a/helper/windows.go b/helper/windows.go index a2e538f..47f53ff 100644 --- a/helper/windows.go +++ b/helper/windows.go @@ -18,7 +18,6 @@ package main import ( "log" - "net/http" "os" "os/exec" ) @@ -42,12 +41,12 @@ func kill(cmd *exec.Cmd) error { return cmd.Process.Kill() } -type firewallT struct{} - -func (firewall *firewallT) start(w http.ResponseWriter, r *http.Request) { +func firewallStart(gateways []string) error { log.Println("Start firewall: do nothing, not implemented") + return nil } -func (firewall *firewallT) stop(w http.ResponseWriter, r *http.Request) { +func firewallStop() error { log.Println("Stop firewall: do nothing, not implemented") + return nil } -- cgit v1.2.3
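Review bot: The Linux firewallStart stub returns nil, so on this platform /firewall/start answers exactly as a successful pf load does and the handler logs "firewall started" while nothing restricts traffic; the Windows stub in the last hunk behaves the same. If the client treats that success as confirmation that leak protection is in place, the safer choice is to make the gap explicit, `return errors.New("firewall not implemented on this platform")` (adding "errors" to the import hunk), or at least to document the contract on each stub with a comment such as `// firewallStart is a no-op on Linux: no rules are installed and traffic is not restricted.`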