You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
fw-daemon/socks_server_chain.go

194 lines
4.6 KiB

package main
import (
"fmt"
"io"
"net"
"os"
"sync"
"github.com/subgraph/fw-daemon/socks5"
"github.com/subgraph/go-procsnitch"
)
type socksChainConfig struct {
TargetSocksNet string
TargetSocksAddr string
ListenSocksNet string
ListenSocksAddr string
}
type socksChain struct {
cfg *socksChainConfig
dbus *dbusServer
listener net.Listener
wg *sync.WaitGroup
procInfo procsnitch.ProcInfo
lock sync.Mutex
policyMap map[string]*Policy
policies []*Policy
}
type socksChainSession struct {
cfg *socksChainConfig
clientConn net.Conn
upstreamConn net.Conn
req *socks5.Request
bndAddr *socks5.Address
optData []byte
procInfo procsnitch.ProcInfo
server *socksChain
}
func NewSocksChain(cfg *socksChainConfig, wg *sync.WaitGroup, dbus *dbusServer) *socksChain {
chain := socksChain{
cfg: cfg,
dbus: dbus,
wg: wg,
procInfo: procsnitch.SystemProcInfo{},
policyMap: make(map[string]*Policy),
}
return &chain
}
// Start initializes the SOCKS 5 server and starts
// accepting connections.
func (s *socksChain) start() {
var err error
s.listener, err = net.Listen(s.cfg.ListenSocksNet, s.cfg.ListenSocksAddr)
if err != nil {
log.Error("ERR/socks: Failed to listen on the socks address: %v", err)
os.Exit(1)
}
s.wg.Add(1)
go s.socksAcceptLoop()
}
func (s *socksChain) socksAcceptLoop() error {
defer s.wg.Done()
defer s.listener.Close()
for {
conn, err := s.listener.Accept()
if err != nil {
if e, ok := err.(net.Error); ok && !e.Temporary() {
log.Info("ERR/socks: Failed to Accept(): %v", err)
return err
}
continue
}
session := &socksChainSession{cfg: s.cfg, clientConn: conn, procInfo: s.procInfo, server: s}
go session.sessionWorker()
}
}
func (c *socksChainSession) sessionWorker() {
defer c.clientConn.Close()
clientAddr := c.clientConn.RemoteAddr()
log.Info("INFO/socks: New connection from: %v", clientAddr)
// Do the SOCKS handshake with the client, and read the command.
var err error
if c.req, err = socks5.Handshake(c.clientConn); err != nil {
log.Info("ERR/socks: Failed SOCKS5 handshake: %v", err)
return
}
pinfo := procsnitch.FindProcessForConnection(c.clientConn, c.procInfo)
if pinfo == nil {
log.Warning("No proc found for connection from: %s", c.clientConn.RemoteAddr())
return
}
// XXX work-in-progress
// Determine policy for the connection
// if destination not specified in existing policy
// then prompt user for policy ALLOW/DENY for that destination
c.server.lock.Lock()
policy := c.policyForPath(pinfo.ExePath)
c.server.lock.Unlock()
fmt.Printf("policyForPath %s is %s\n", pinfo.ExePath, policy)
switch c.req.Cmd {
case socks5.CommandTorResolve, socks5.CommandTorResolvePTR:
err = c.dispatchTorSOCKS()
// If we reach here, the request has been dispatched and completed.
if err == nil {
// Successfully even, send the response back with the addresc.
c.req.ReplyAddr(socks5.ReplySucceeded, c.bndAddr)
}
return
case socks5.CommandConnect:
default:
// Should *NEVER* happen, validated as part of handshake.
log.Info("BUG/socks: Unsupported SOCKS command: 0x%02x", c.req.Cmd)
c.req.Reply(socks5.ReplyCommandNotSupported)
return
}
err = c.dispatchTorSOCKS()
if err != nil {
return
}
c.req.Reply(socks5.ReplySucceeded)
defer c.upstreamConn.Close()
if c.optData != nil {
if _, err = c.upstreamConn.Write(c.optData); err != nil {
log.Info("ERR/socks: Failed writing OptData: %v", err)
return
}
c.optData = nil
}
// A upstream connection has been established, push data back and forth
// till the session is done.
var wg sync.WaitGroup
wg.Add(2)
copyLoop := func(dst, src net.Conn) {
defer wg.Done()
defer dst.Close()
io.Copy(dst, src)
}
go copyLoop(c.upstreamConn, c.clientConn)
go copyLoop(c.clientConn, c.upstreamConn)
wg.Wait()
log.Info("INFO/socks: Closed SOCKS connection from: %v", clientAddr)
}
func (c *socksChainSession) dispatchTorSOCKS() (err error) {
c.upstreamConn, c.bndAddr, err = socks5.Redispatch(c.cfg.TargetSocksNet, c.cfg.TargetSocksAddr, c.req)
if err != nil {
c.req.Reply(socks5.ErrorToReplyCode(err))
}
return
}
func (s *socksChainSession) policyForPath(path string) *Policy {
s.server.lock.Lock()
defer s.server.lock.Unlock()
if _, ok := s.server.policyMap[path]; !ok {
p := new(Policy)
// XXX is fw needed?
// p.fw = fw
p.path = path
p.application = path
entry := entryForPath(path)
if entry != nil {
p.application = entry.name
p.icon = entry.icon
}
s.server.policyMap[path] = p
s.server.policies = append(s.server.policies, p)
}
return s.server.policyMap[path]
}