[orbot/master] rewrote transproxy rules to use user-defined Orbot chain

26 Oct 2012

commit b4d815f2cb8498681ffd43cbdb3d221189a89d2a
Author: n8fr8 <nathan@freitas.net>
Date:   Thu Oct 25 15:29:55 2012 +0530

    rewrote transproxy rules to use user-defined Orbot chain
---
 .../torproject/android/service/TorTransProxy.java  |  215 +++++++++++++-------
 1 files changed, 138 insertions(+), 77 deletions(-)

diff --git a/src/org/torproject/android/service/TorTransProxy.java b/src/org/torproject/android/service/TorTransProxy.java
index 78094c3..9be6cc2 100644
--- a/src/org/torproject/android/service/TorTransProxy.java
+++ b/src/org/torproject/android/service/TorTransProxy.java
@@ -13,14 +13,29 @@ import android.util.Log;
 
 public class TorTransProxy implements TorServiceConstants {
 	
+	private boolean useSystemIpTables = false;
+	private boolean mBundledFailed = false;
+	private String mSysIptables = null;
+	private TorService mTorService = null;
+	
+	public TorTransProxy (TorService torService)
+	{
+		mTorService = torService;
+	}
+	
+	public TorTransProxy ()
+	{
+	}
+	
 	public String getIpTablesPath (Context context)
 	{
+
 		String ipTablesPath = null;
 		
 		SharedPreferences prefs = PreferenceManager.getDefaultSharedPreferences(context);
-		boolean useSystemIpTables = prefs.getBoolean(TorConstants.PREF_USE_SYSTEM_IPTABLES, false);
+		useSystemIpTables = prefs.getBoolean(TorConstants.PREF_USE_SYSTEM_IPTABLES, false);
 		
-		if (useSystemIpTables)
+		if (useSystemIpTables || mBundledFailed)
 		{
 			ipTablesPath = findSystemIPTables();
 		}
@@ -33,11 +48,15 @@ public class TorTransProxy implements TorServiceConstants {
 			try
 			{
 				if (testOwnerModule(context,ipTablesPath) != 0)
+				{
+					mBundledFailed = true;
 					ipTablesPath = findSystemIPTables();
+				}
 			}
 			catch (Exception e)
 			{
 				ipTablesPath = findSystemIPTables();
+				mBundledFailed = true;
 			}
 		}
 			
@@ -46,23 +65,29 @@ public class TorTransProxy implements TorServiceConstants {
 
 	private String findSystemIPTables ()
 	{
-		String path = null;
-		
-		//if the user wants us to use the built-in iptables, then we have to find it
-		File fileIpt = new File("/system/bin/iptables");
-		
-		if (fileIpt.exists())
-			 path = fileIpt.getAbsolutePath();
+		if (mSysIptables != null)
+		{
+			return mSysIptables;
+		}
 		else
 		{
 		
-			fileIpt = new File("/system/xbin/iptables");
+			//if the user wants us to use the built-in iptables, then we have to find it
+			File fileIpt = new File("/system/bin/iptables");
 			
 			if (fileIpt.exists())
-				path = fileIpt.getAbsolutePath();
+				mSysIptables = fileIpt.getAbsolutePath();
+			else
+			{
+			
+				fileIpt = new File("/system/xbin/iptables");
+				
+				if (fileIpt.exists())
+					mSysIptables = fileIpt.getAbsolutePath();
+			}
 		}
 		
-		return path;
+		return mSysIptables;
 	}
 	
 	/*
@@ -213,7 +238,9 @@ public class TorTransProxy implements TorServiceConstants {
     	
 		code = TorServiceUtils.doShellCommand(cmdAdd, res, runRoot, waitFor);
 		String msg = res.toString();
-		TorService.logMessage(cmdAdd[0] + ";errCode=" + code + ";resp=" + msg);
+		
+		if (mTorService != null)
+		logMessage(cmdAdd[0] + ";errCode=" + code + ";resp=" + msg);
 		
 		
 		return code;
@@ -244,12 +271,23 @@ public class TorTransProxy implements TorServiceConstants {
     	StringBuilder res = new StringBuilder();
     	int code = -1;
     	
-    	String modCmd = " -" + cmd + " OUTPUT";
-    	
-    //	flushIptables(context);
-				
-    	int torUid = context.getApplicationInfo().uid;
+    	String chainName = "ORBOT";
+		String jumpChainName = "OUTPUT";
+		
+    	if (cmd.equals("A")) //only if we are adding rules
+    	{
+    		script.append(ipTablesPath);
+    		script.append(" -N ").append(chainName); //create user-defined chain
+    		script.append(" || exit\n");
 
+    		script.append(ipTablesPath);
+        	script.append(" -A ").append(jumpChainName);
+        	script.append(" -j ").append(chainName);
+        	script.append(" || exit\n");
+    	}
+    	
+    	String modCmd = " -" + cmd + " " + chainName;
+    				
 		//build up array of shell cmds to execute under one root context
 		for (TorifiedApp tApp:apps)
 		{
@@ -260,11 +298,11 @@ public class TorTransProxy implements TorServiceConstants {
 					) //if app is set to true
 			{
 				
-				TorService.logMessage("enabling transproxy for app: " + tApp.getUsername() + "(" + tApp.getUid() + ")");
+				logMessage("enabling transproxy for app: " + tApp.getUsername() + "(" + tApp.getUid() + ")");
 			 
 				// Set up port redirection
 		    	script.append(ipTablesPath);
-				script.append(modCmd);
+		    	script.append(" -" + cmd + " ").append(jumpChainName);
 				script.append(" -t nat");
 				script.append(" -p tcp");
 				script.append(" ! -d 127.0.0.1"); //allow access to localhost
@@ -277,7 +315,7 @@ public class TorTransProxy implements TorServiceConstants {
 				
 				// Same for DNS
 				script.append(ipTablesPath);
-				script.append(modCmd);
+		    	script.append(" -" + cmd + " ").append(jumpChainName);
 				script.append(" -t nat");
 				script.append(" -p udp -m owner --uid-owner ");
 				script.append(tApp.getUid());
@@ -316,20 +354,6 @@ public class TorTransProxy implements TorServiceConstants {
 				script.append(" -j ACCEPT");
 				script.append(" || exit\n");
 				
-				// Reject DNS that is not from Tor (order is important - first matched rule counts!)
-				/*
-				script.append(ipTablesPath);
-				script.append(modCmd);
-				script.append(" -t filter");
-				script.append(" -m owner --uid-owner ");
-				script.append(tApp.getUid());
-				script.append(" -p udp");
-				script.append(" --dport ");
-				script.append(STANDARD_DNS_PORT);
-				script.append(" -j REJECT");
-				script.append(" || exit\n");
-				*/
-				
 				// Reject all other outbound TCP packets
 				script.append(ipTablesPath);
 				script.append(modCmd);
@@ -353,24 +377,32 @@ public class TorTransProxy implements TorServiceConstants {
 				script.append(" || exit\n");
 				
 			}		
-		}			
+		}		
 		
-		/*
-		// Allow everything for Tor
-		script.append(ipTablesPath);
-		script.append(modCmd);
-		script.append(" -t filter");
-		script.append(" -m owner --uid-owner ");
-		script.append(torUid);
-		script.append(" -j ACCEPT");
-		script.append(" || exit\n");
-		*/
+		if (cmd.equals("D"))
+    	{
+
+			script.append(ipTablesPath);
+        	script.append(" --flush ").append(chainName); //delete previous user-defined chain
+        	script.append(" || exit\n");
+        	
+    		script.append(ipTablesPath);
+        	script.append(" -D ").append(jumpChainName);
+        	script.append(" -j ").append(chainName);
+        	script.append(" || exit\n");
+        	
+        	script.append(ipTablesPath);
+        	script.append(" -X ").append(chainName); //delete previous user-defined chain
+        	script.append(" || exit\n");
+        	
+    	}
 		
 		String[] cmdAdd = {script.toString()};    	
     		
 		code = TorServiceUtils.doShellCommand(cmdAdd, res, runRoot, waitFor);
 		String msg = res.toString();
-		TorService.logMessage(cmdAdd[0] + ";errCode=" + code + ";resp=" + msg);
+		
+		logMessage(cmdAdd[0] + ";errCode=" + code + ";resp=" + msg);
 		
 		return code;
     }	
@@ -471,12 +503,20 @@ public class TorTransProxy implements TorServiceConstants {
     	
 		code = TorServiceUtils.doShellCommand(cmdAdd, res, runRoot, waitFor);
 		String msg = res.toString();
-		TorService.logMessage(cmdAdd[0] + ";errCode=" + code + ";resp=" + msg);
+		logMessage(cmdAdd[0] + ";errCode=" + code + ";resp=" + msg);
 		
 		
 		return code;
 	}
 	
+	private void logMessage (String msg)
+	{
+		if (mTorService != null)
+			mTorService.logMessage(msg);
+		else
+			Log.w(TorConstants.TAG,msg);
+	}
+	
 	public int setTransparentProxyingAll(Context context) throws Exception 
 	{
 		return modifyTransparentProxyingAll(context, "A");
@@ -490,6 +530,7 @@ public class TorTransProxy implements TorServiceConstants {
 	
 	public int modifyTransparentProxyingAll(Context context, String cmd) throws Exception 
 	{
+		
 		boolean runRoot = true;
     	boolean waitFor = true;
     	
@@ -502,13 +543,26 @@ public class TorTransProxy implements TorServiceConstants {
     	StringBuilder res = new StringBuilder();
     	int code = -1;
     	
-    	//flushIptables(context);
-    	
     	int torUid = context.getApplicationInfo().uid;
 
+    	String chainName = "ORBOT";
+		String jumpChainName = "OUTPUT";
+		
+    	if (cmd.equals("A")) //only if we are adding rules
+    	{
+    		script.append(ipTablesPath);
+    		script.append(" -N ").append(chainName); //create user-defined chain
+    		script.append(" || exit\n");
+
+    		script.append(ipTablesPath);
+        	script.append(" -A ").append(jumpChainName);
+        	script.append(" -j ").append(chainName);
+        	script.append(" || exit\n");
+    	}
+    	
 		// Allow everything for Tor
 		script.append(ipTablesPath);
-    	script.append(" -" + cmd + " OUTPUT");
+    	script.append(" -" + cmd + " ").append(chainName);
 		script.append(" -t filter");
 		script.append(" -m owner --uid-owner ");
 		script.append(torUid);
@@ -517,7 +571,7 @@ public class TorTransProxy implements TorServiceConstants {
 		
     	// Set up port redirection
     	script.append(ipTablesPath);
-    	script.append(" -" + cmd + " OUTPUT");
+    	script.append(" -" + cmd + " ").append(jumpChainName);
 		script.append(" -t nat");
 		script.append(" -p tcp");
 		script.append(" ! -d 127.0.0.1"); //allow access to localhost
@@ -530,7 +584,7 @@ public class TorTransProxy implements TorServiceConstants {
 		
 		// Same for DNS
 		script.append(ipTablesPath);
-    	script.append(" -" + cmd + " OUTPUT");
+    	script.append(" -" + cmd + " ").append(jumpChainName);
 		script.append(" -t nat");
 		script.append(" -p udp -m owner ! --uid-owner ");
 		script.append(torUid);
@@ -546,7 +600,7 @@ public class TorTransProxy implements TorServiceConstants {
 		{
 			// Allow packets to localhost (contains all the port-redirected ones)
 			script.append(ipTablesPath);
-	    	script.append(" -" + cmd + " OUTPUT");
+	    	script.append(" -" + cmd + " ").append(chainName);
 			script.append(" -t filter");
 			script.append(" -m owner ! --uid-owner ");
 			script.append(torUid);
@@ -561,7 +615,7 @@ public class TorTransProxy implements TorServiceConstants {
 		
 		// Allow loopback
 		script.append(ipTablesPath);
-    	script.append(" -" + cmd + " OUTPUT");
+    	script.append(" -" + cmd + " ").append(chainName);
 		script.append(" -t filter");
 		script.append(" -p tcp");
 		script.append(" -o lo");
@@ -573,7 +627,7 @@ public class TorTransProxy implements TorServiceConstants {
 		{
 			//XXX: Comment the following rules for non-debug builds
 			script.append(ipTablesPath);
-	    	script.append(" -" + cmd + " OUTPUT");
+	    	script.append(" -" + cmd + " ").append(chainName);
 			script.append(" -t filter");
 			script.append(" -p udp");
 			script.append(" --dport ");
@@ -582,33 +636,21 @@ public class TorTransProxy implements TorServiceConstants {
 			script.append(" --log-prefix='ORBOT_DNSLEAK_PROTECTION'");
 			script.append(" --log-uid");
 			script.append(" || exit\n");
+			
 			script.append(ipTablesPath);
-			script.append(" -t filter");
-			script.append(" -A OUTPUT");
-			script.append(" -p tcp");
+	    	script.append(" -" + cmd + " ").append(chainName);
+	    	script.append(" -t filter");
+	    	script.append(" -p tcp");
 			script.append(" -j LOG");
 			script.append(" --log-prefix='ORBOT_TCPLEAK_PROTECTION'");
 			script.append(" --log-uid");
 			script.append(" || exit\n");
 		}
 		
-		// Reject DNS that is not from Tor (order is important - first matched rule counts!)
-		/*
-		script.append(ipTablesPath);
-    	script.append(" -" + cmd + " OUTPUT");
-		script.append(" -t filter");
-		script.append(" -m owner ! --uid-owner ");
-		script.append(torUid);
-		script.append(" -p udp");
-		script.append(" --dport ");
-		script.append(STANDARD_DNS_PORT);
-		script.append(" -j REJECT");
-		script.append(" || exit\n");
-		*/
 		
 		// Reject all other outbound TCP packets
 		script.append(ipTablesPath);
-    	script.append(" -" + cmd + " OUTPUT");
+    	script.append(" -" + cmd + " ").append(chainName);
 		script.append(" -t filter");
 		script.append(" -m owner ! --uid-owner ");
 		script.append(torUid);
@@ -619,7 +661,7 @@ public class TorTransProxy implements TorServiceConstants {
 
 		// Reject all other outbound UDP packets
 		script.append(ipTablesPath);
-    	script.append(" -" + cmd + " OUTPUT");
+    	script.append(" -" + cmd + " ").append(chainName);
 		script.append(" -t filter");
 		script.append(" -m owner ! --uid-owner ");
 		script.append(torUid);
@@ -628,11 +670,30 @@ public class TorTransProxy implements TorServiceConstants {
 		script.append(" -j REJECT");
 		script.append(" || exit\n");
 
-		String[] cmdAdd = {script.toString()};    	
+		if (cmd.equals("D"))
+    	{
+
+			script.append(ipTablesPath);
+        	script.append(" --flush ").append(chainName); //delete previous user-defined chain
+        	script.append(" || exit\n");
+        	
+    		script.append(ipTablesPath);
+        	script.append(" -D ").append(jumpChainName);
+        	script.append(" -j ").append(chainName);
+        	script.append(" || exit\n");
+        	
+        	script.append(ipTablesPath);
+        	script.append(" -X ").append(chainName); //delete previous user-defined chain
+        	script.append(" || exit\n");
+        	
+    	}
+		
+		String[] cmdExec = {script.toString()};    	
     	
-		code = TorServiceUtils.doShellCommand(cmdAdd, res, runRoot, waitFor);
+		code = TorServiceUtils.doShellCommand(cmdExec, res, runRoot, waitFor);
 		String msg = res.toString();
-		TorService.logMessage(cmdAdd[0] + ";errCode=" + code + ";resp=" + msg);
+	
+		logMessage("Exec resp: errCode=" + code + ";resp=" + msg);
 		
     	return code;
 	}

    

n8fr8＠torproject.org

tags

participants (1)