[tor-commits] [orbot/master] updated transproxy iptables rules to ensure clear/flush

n8fr8 at torproject.org n8fr8 at torproject.org
Fri Aug 23 20:59:49 UTC 2013


commit 9dacb5be7317154d13812df9f3c75f7b7ec97ca5
Author: Nathan Freitas <nathan at freitas.net>
Date:   Fri Aug 23 12:46:54 2013 -0400

    updated transproxy iptables rules to ensure clear/flush
---
 .../torproject/android/service/TorTransProxy.java  |  244 ++++++++++++--------
 1 file changed, 148 insertions(+), 96 deletions(-)

diff --git a/src/org/torproject/android/service/TorTransProxy.java b/src/org/torproject/android/service/TorTransProxy.java
index 1528f9a..3798710 100644
--- a/src/org/torproject/android/service/TorTransProxy.java
+++ b/src/org/torproject/android/service/TorTransProxy.java
@@ -233,24 +233,51 @@ public class TorTransProxy implements TorServiceConstants {
     }	
 	*/
 	
-	public int setTransparentProxyingByApp (Context context, ArrayList<TorifiedApp> apps) throws Exception
-	{
-		return modifyTransparentProxyingByApp(context, "A", apps);
-	}
 	
 	public int clearTransparentProxyingByApp (Context context, ArrayList<TorifiedApp> apps) throws Exception
 	{
-		return modifyTransparentProxyingByApp(context, "D", apps);
+		boolean runRoot = true;
+    	boolean waitFor = true;
+    	
+		String ipTablesPath = getIpTablesPath(context);
+		
+    	StringBuilder script = new StringBuilder();
+    	
+    	StringBuilder res = new StringBuilder();
+    	int code = -1;
+    	
+    	String chainName = "ORBOT";
+		String jumpChainName = "OUTPUT";
+		
+		script.append(ipTablesPath);
+    	script.append(" --flush ").append(chainName); //delete previous user-defined chain
+    	script.append(" || exit\n");
+    	
+		script.append(ipTablesPath);
+    	script.append(" -D ").append(jumpChainName);
+    	script.append(" -j ").append(chainName);
+    	script.append(" || exit\n");
+    	
+    	script.append(ipTablesPath);
+    	script.append(" -X ").append(chainName); //delete previous user-defined chain
+    	script.append(" || exit\n");
+
+		String[] cmdAdd = {script.toString()};    	
+    		
+		code = TorServiceUtils.doShellCommand(cmdAdd, res, runRoot, waitFor);
+		String msg = res.toString();
+		
+		logMessage(cmdAdd[0] + ";errCode=" + code + ";resp=" + msg);
+		
+		return code;
 	}
 	
-	public int modifyTransparentProxyingByApp(Context context, String cmd, ArrayList<TorifiedApp> apps) throws Exception
+	public int setTransparentProxyingByApp(Context context, ArrayList<TorifiedApp> apps) throws Exception
 	{
 
 		boolean runRoot = true;
     	boolean waitFor = true;
     	
-		//redirectDNSResolvConf(); //not working yet
-		
 		String ipTablesPath = getIpTablesPath(context);
 		
     	StringBuilder script = new StringBuilder();
@@ -261,20 +288,35 @@ public class TorTransProxy implements TorServiceConstants {
     	String chainName = "ORBOT";
 		String jumpChainName = "OUTPUT";
 		
-    	if (cmd.equals("A")) //only if we are adding rules
-    	{
-    		script.append(ipTablesPath);
-    		script.append(" -N ").append(chainName); //create user-defined chain
-    		script.append(" || exit\n");
-
-    		script.append(ipTablesPath);
-        	script.append(" -A ").append(jumpChainName);
-        	script.append(" -j ").append(chainName);
-        	script.append(" || exit\n");
-    	}
+		script.append(ipTablesPath);
+    	script.append(" --flush ").append(chainName); //delete previous user-defined chain
+    	script.append(" || exit\n");
+    	
+		script.append(ipTablesPath);
+    	script.append(" -D ").append(jumpChainName);
+    	script.append(" -j ").append(chainName);
+    	script.append(" || exit\n");
     	
-    	String modCmd = " -" + cmd + " " + chainName;
-    				
+    	script.append(ipTablesPath);
+    	script.append(" -X ").append(chainName); //delete previous user-defined chain
+    	script.append(" || exit\n");
+    	
+    	//run the delete commands in a separate process as it might error out
+    	String[] cmdExecClear = {script.toString()};    	    	
+		code = TorServiceUtils.doShellCommand(cmdExecClear, res, runRoot, waitFor);
+		
+		//reset script
+		script = new StringBuilder();    	
+		 
+		script.append(ipTablesPath);
+    	script.append(" -N ").append(chainName); //create user-defined chain
+    	script.append(" || exit\n");
+
+    	script.append(ipTablesPath);
+        script.append(" -A ").append(jumpChainName);
+        script.append(" -j ").append(chainName);
+        script.append(" || exit\n");
+    	    	
 		//build up array of shell cmds to execute under one root context
 		for (TorifiedApp tApp:apps)
 		{
@@ -289,8 +331,8 @@ public class TorTransProxy implements TorServiceConstants {
 			 
 				// Set up port redirection
 		    	script.append(ipTablesPath);
-		    	script.append(" -" + cmd + " ").append(jumpChainName);
-				script.append(" -t nat");
+		    	script.append(" -t nat");
+		    	script.append(" -A ").append(jumpChainName);				
 				script.append(" -p tcp");
 				script.append(" ! -d 127.0.0.1"); //allow access to localhost
 				script.append(" -m owner --uid-owner ");
@@ -302,8 +344,8 @@ public class TorTransProxy implements TorServiceConstants {
 				
 				// Same for DNS
 				script.append(ipTablesPath);
-		    	script.append(" -" + cmd + " ").append(jumpChainName);
-				script.append(" -t nat");
+				script.append(" -t nat");				
+				script.append(" -A ").append(jumpChainName);				
 				script.append(" -p udp -m owner --uid-owner ");
 				script.append(tApp.getUid());
 				script.append(" -m udp --dport "); 
@@ -318,8 +360,8 @@ public class TorTransProxy implements TorServiceConstants {
 				{
 					// Allow packets to localhost (contains all the port-redirected ones)
 					script.append(ipTablesPath);
-					script.append(modCmd);
 					script.append(" -t filter");
+			        script.append(" -A ").append(jumpChainName);
 					script.append(" -m owner --uid-owner ");
 					script.append(tApp.getUid());
 					script.append(" -p tcp");
@@ -332,19 +374,19 @@ public class TorTransProxy implements TorServiceConstants {
 				
 				// Allow loopback
 				script.append(ipTablesPath);
-				script.append(modCmd);
 				script.append(" -t filter");
+		        script.append(" -A ").append(jumpChainName);
 				script.append(" -m owner --uid-owner ");
 				script.append(tApp.getUid());
 				script.append(" -p tcp");
 				script.append(" -o lo");
 				script.append(" -j ACCEPT");
 				script.append(" || exit\n");
-				
+
 				// Reject all other outbound TCP packets
 				script.append(ipTablesPath);
-				script.append(modCmd);
 				script.append(" -t filter");
+		        script.append(" -A ").append(jumpChainName);
 				script.append(" -m owner --uid-owner ");
 				script.append(tApp.getUid());
 				script.append(" -p tcp");
@@ -354,8 +396,8 @@ public class TorTransProxy implements TorServiceConstants {
 				
 				// Reject all other outbound UDP packets
 				script.append(ipTablesPath);
-				script.append(modCmd);
 				script.append(" -t filter");
+		        script.append(" -A ").append(jumpChainName);
 				script.append(" -m owner --uid-owner ");
 				script.append(tApp.getUid());
 				script.append(" -p udp");
@@ -366,24 +408,6 @@ public class TorTransProxy implements TorServiceConstants {
 			}		
 		}		
 		
-		if (cmd.equals("D"))
-    	{
-
-			script.append(ipTablesPath);
-        	script.append(" --flush ").append(chainName); //delete previous user-defined chain
-        	script.append(" || exit\n");
-        	
-    		script.append(ipTablesPath);
-        	script.append(" -D ").append(jumpChainName);
-        	script.append(" -j ").append(chainName);
-        	script.append(" || exit\n");
-        	
-        	script.append(ipTablesPath);
-        	script.append(" -X ").append(chainName); //delete previous user-defined chain
-        	script.append(" || exit\n");
-        	
-    	}
-		
 		String[] cmdAdd = {script.toString()};    	
     		
 		code = TorServiceUtils.doShellCommand(cmdAdd, res, runRoot, waitFor);
@@ -394,7 +418,6 @@ public class TorTransProxy implements TorServiceConstants {
 		return code;
     }	
 	
-		
 	
 	public int enableTetheringRules (Context context) throws Exception
 	{
@@ -446,18 +469,48 @@ public class TorTransProxy implements TorServiceConstants {
 			Log.w(TorConstants.TAG,msg);
 	}
 	
-	public int setTransparentProxyingAll(Context context) throws Exception 
-	{
-		return modifyTransparentProxyingAll(context, "A");
-	}
-	
 	public int clearTransparentProxyingAll(Context context) throws Exception 
 	{
-		return modifyTransparentProxyingAll(context, "D");
 
+		boolean runRoot = true;
+    	boolean waitFor = true;
+    	
+		//redirectDNSResolvConf(); //not working yet
+		
+		String ipTablesPath = getIpTablesPath(context);
+		
+    	StringBuilder script = new StringBuilder();
+    	
+    	StringBuilder res = new StringBuilder();
+    	int code = -1;
+
+    	String chainName = "ORBOT";
+		String jumpChainName = "OUTPUT";
+
+		script.append(ipTablesPath);
+    	script.append(" --flush ").append(chainName); //delete previous user-defined chain
+    	script.append(" || exit\n");
+    	
+		script.append(ipTablesPath);
+    	script.append(" -D ").append(jumpChainName);
+    	script.append(" -j ").append(chainName);
+    	script.append(" || exit\n");
+    	
+    	script.append(ipTablesPath);
+    	script.append(" -X ").append(chainName); //delete previous user-defined chain
+    	script.append(" || exit\n");
+		
+		String[] cmdExec = {script.toString()};    	
+    	
+		code = TorServiceUtils.doShellCommand(cmdExec, res, runRoot, waitFor);
+		String msg = res.toString();
+	
+		logMessage("Exec resp: errCode=" + code + ";resp=" + msg);
+		
+    	return code;
 	}
 	
-	public int modifyTransparentProxyingAll(Context context, String cmd) throws Exception 
+	public int setTransparentProxyingAll(Context context) throws Exception 
 	{
 		
 		boolean runRoot = true;
@@ -476,32 +529,49 @@ public class TorTransProxy implements TorServiceConstants {
 
     	String chainName = "ORBOT";
 		String jumpChainName = "OUTPUT";
+
+		script.append(ipTablesPath);
+    	script.append(" --flush ").append(chainName); //delete previous user-defined chain
+    	script.append(" || exit\n");
+    	
+		script.append(ipTablesPath);
+    	script.append(" -D ").append(jumpChainName);
+    	script.append(" -j ").append(chainName);
+    	script.append(" || exit\n");
+    	
+    	script.append(ipTablesPath);
+    	script.append(" -X ").append(chainName); //delete previous user-defined chain
+    	script.append(" || exit\n");
 		
-    	if (cmd.equals("A")) //only if we are adding rules
-    	{
-    		script.append(ipTablesPath);
-    		script.append(" -N ").append(chainName); //create user-defined chain
-    		script.append(" || exit\n");
+	  	//run the delete commands in a separate process as it might error out
+    	String[] cmdExecClear = {script.toString()};    	    	
+		code = TorServiceUtils.doShellCommand(cmdExecClear, res, runRoot, waitFor);
+		
+		//reset script
+		script = new StringBuilder(); 
+		
+		script.append(ipTablesPath);
+		script.append(" -N ").append(chainName); //create user-defined chain
+		script.append(" || exit\n");
 
-    		script.append(ipTablesPath);
-        	script.append(" -A ").append(jumpChainName);
-        	script.append(" -j ").append(chainName);
-        	script.append(" || exit\n");
-    	}
+		script.append(ipTablesPath);
+    	script.append(" -A ").append(jumpChainName);
+    	script.append(" -j ").append(chainName);
+    	script.append(" || exit\n");
     	
 		// Allow everything for Tor
 		script.append(ipTablesPath);
-    	script.append(" -" + cmd + " ").append(chainName);
 		script.append(" -t filter");
+    	script.append(" -A ").append(chainName);		
 		script.append(" -m owner --uid-owner ");
 		script.append(torUid);
 		script.append(" -j ACCEPT");
 		script.append(" || exit\n");
 		
-    	// Set up port redirection
-    	script.append(ipTablesPath);
-    	script.append(" -" + cmd + " ").append(jumpChainName);
+    	// Set up port redirection    	
+		script.append(ipTablesPath);
 		script.append(" -t nat");
+    	script.append(" -A ").append(jumpChainName);		
 		script.append(" -p tcp");
 		script.append(" ! -d 127.0.0.1"); //allow access to localhost
 		script.append(" -m owner ! --uid-owner ");
@@ -513,8 +583,8 @@ public class TorTransProxy implements TorServiceConstants {
 		
 		// Same for DNS
 		script.append(ipTablesPath);
-    	script.append(" -" + cmd + " ").append(jumpChainName);
 		script.append(" -t nat");
+		script.append(" -A ").append(jumpChainName);		
 		script.append(" -p udp -m owner ! --uid-owner ");
 		script.append(torUid);
 		script.append(" -m udp --dport "); 
@@ -529,8 +599,8 @@ public class TorTransProxy implements TorServiceConstants {
 		{
 			// Allow packets to localhost (contains all the port-redirected ones)
 			script.append(ipTablesPath);
-	    	script.append(" -" + cmd + " ").append(chainName);
 			script.append(" -t filter");
+			script.append(" -A ").append(chainName);			
 			script.append(" -m owner ! --uid-owner ");
 			script.append(torUid);
 			script.append(" -p tcp");
@@ -544,8 +614,8 @@ public class TorTransProxy implements TorServiceConstants {
 		
 		// Allow loopback
 		script.append(ipTablesPath);
-    	script.append(" -" + cmd + " ").append(chainName);
 		script.append(" -t filter");
+		script.append(" -A ").append(chainName);		
 		script.append(" -p tcp");
 		script.append(" -o lo");
 		script.append(" -j ACCEPT");
@@ -556,8 +626,8 @@ public class TorTransProxy implements TorServiceConstants {
 		{
 			//XXX: Comment the following rules for non-debug builds
 			script.append(ipTablesPath);
-	    	script.append(" -" + cmd + " ").append(chainName);
 			script.append(" -t filter");
+			script.append(" -A ").append(chainName);			
 			script.append(" -p udp");
 			script.append(" --dport ");
 			script.append(STANDARD_DNS_PORT);
@@ -567,8 +637,8 @@ public class TorTransProxy implements TorServiceConstants {
 			script.append(" || exit\n");
 			
 			script.append(ipTablesPath);
-	    	script.append(" -" + cmd + " ").append(chainName);
-	    	script.append(" -t filter");
+			script.append(" -t filter");
+			script.append(" -A ").append(chainName);	    	
 	    	script.append(" -p tcp");
 			script.append(" -j LOG");
 			script.append(" --log-prefix='ORBOT_TCPLEAK_PROTECTION'");
@@ -579,8 +649,8 @@ public class TorTransProxy implements TorServiceConstants {
 		
 		// Reject all other outbound TCP packets
 		script.append(ipTablesPath);
-    	script.append(" -" + cmd + " ").append(chainName);
 		script.append(" -t filter");
+		script.append(" -A ").append(chainName);		
 		script.append(" -m owner ! --uid-owner ");
 		script.append(torUid);
 		script.append(" -p tcp");
@@ -590,32 +660,14 @@ public class TorTransProxy implements TorServiceConstants {
 
 		// Reject all other outbound UDP packets
 		script.append(ipTablesPath);
-    	script.append(" -" + cmd + " ").append(chainName);
 		script.append(" -t filter");
+		script.append(" -A ").append(chainName);		
 		script.append(" -m owner ! --uid-owner ");
 		script.append(torUid);
 		script.append(" -p udp");
 		script.append(" ! -d 127.0.0.1"); //allow access to localhost
 		script.append(" -j REJECT");
 		script.append(" || exit\n");
-
-		if (cmd.equals("D"))
-    	{
-
-			script.append(ipTablesPath);
-        	script.append(" --flush ").append(chainName); //delete previous user-defined chain
-        	script.append(" || exit\n");
-        	
-    		script.append(ipTablesPath);
-        	script.append(" -D ").append(jumpChainName);
-        	script.append(" -j ").append(chainName);
-        	script.append(" || exit\n");
-        	
-        	script.append(ipTablesPath);
-        	script.append(" -X ").append(chainName); //delete previous user-defined chain
-        	script.append(" || exit\n");
-        	
-    	}
 		
 		String[] cmdExec = {script.toString()};    	
     	





More information about the tor-commits mailing list