tlspretense 0.6.1

data/lib/packetthief/impl.rb

@@ -0,0 +1,11 @@
+module PacketThief
+  # PacketThief implementations. Each one contains the implementation details
+  # for working with a given firewall.
+  module Impl
+    autoload :Manual,     'packetthief/impl/manual'
+    autoload :Netfilter,  'packetthief/impl/netfilter'
+    autoload :Ipfw,       'packetthief/impl/ipfw'
+    autoload :PFDivert,   'packetthief/impl/pf_divert'
+    autoload :PFRdr,      'packetthief/impl/pf_rdr'
+  end
+end

data/lib/packetthief/impl/ipfw.rb

@@ -0,0 +1,140 @@
+
+
+module PacketThief
+module Impl
+  # Use Ipfw to redirect traffic.
+  #
+  # Needed in at least Mac OS X 10.6 and later[1]?:
+  #     sysctl -w net.inet.ip.scopedroute=0
+  #
+  # [1]: https://trac.macports.org/wiki/howto/SetupInterceptionSquid
+  #
+  # Sample rule:
+  #
+  #     sudo ipfw add 1013 fwd 127.0.0.1,3129 tcp from any to any 80 recv INTERFACE
+  #
+  # Note that in Mac OS X 10.7 Lion, Apple still includes ipfw, but they are
+  # using pfctl to do network firewalling and routing.
+  class Ipfw
+    module IpfwRuleHandler
+
+      include Logging
+
+      attr_accessor :active_rules
+
+      # Executes a rule and holds onto it for later removal.
+      def run(rule)
+        @active_rules ||= []
+
+        args = ['/sbin/ipfw', 'add', 'set', '30'] # TODO: make the rule number customizable
+
+        args.concat rule.to_ipfw_command
+
+        # Lion claims net.inet.ip.scopedroute is read only. According to: http://pastebin.com/NzAARKVG it is possible to set it at boot time:
+        # /Library/Preferences/SystemConfiguration/com.apple.Boot.plist:
+        # <dict>
+        #     <key>Kernel Flags</key>
+        #     <string>net.inet.ip.scopedroute=0</string>
+        # </dict>
+        if /darwin/ === RUBY_PLATFORM
+          unless system(*%W{/usr/sbin/sysctl -w net.inet.ip.scopedroute=0})
+            if /darwin1[1-9]/ === RUBY_PLATFORM
+              logerror "Failed to set net.inet.ip.scopedroute=0. As of Lion, this is marked read-only after boot. However, you might be able to get IPFW working by setting the sysctl in /Library/Preferences/SystemConfiguration/com.apple.Boot.plist"
+            else
+              raise "Command /usr/sbin/sysctl -w net.inet.ip.scopedroute=0 exited with error code #{$?.inspect}."
+            end
+          end
+        end
+
+        # run the command
+        unless system(*args)
+          raise "Command #{args.inspect} exited with error code #{$?.inspect}"
+        end
+
+        @active_rules << rule
+      end
+
+      # Reverts all executed rules that this handler knows about.
+      def revert
+        return if @active_rules == nil or @active_rules.empty?
+
+#        @active_rules.each do |rule|
+          args = ['/sbin/ipfw', 'del', 'set', '30']
+#          args.concat rule.to_ipfw_command
+          unless system(*args)
+            raise "Command #{args.inspect} exited with error code #{$?.inspect}"
+          end
+#        end
+
+        @active_rules = []
+      end
+    end
+    extend IpfwRuleHandler
+
+    class IpfwRule < RedirectRule
+
+      attr_accessor :rule_number
+
+      def initialize(handler, rule_number=nil)
+        super(handler)
+        @rule_number = rule_number
+      end
+
+      def to_ipfw_command
+        args = []
+
+        if self.redirectspec
+          if self.redirectspec.has_key? :to_ports
+            args << 'fwd'
+            args << "127.0.0.1,#{self.redirectspec[:to_ports].to_s}"
+          else
+            raise "Rule lacks a valid redirect: #{self.inspect}"
+          end
+        end
+
+        if self.rulespec
+          args << self.rulespec.fetch(:protocol,'ip').to_s
+
+          args << 'from'
+          args << self.rulespec.fetch(:source_address, 'any').to_s
+          args << self.rulespec[:source_port].to_s if self.rulespec.has_key? :source_port
+
+          args << 'to'
+          args << self.rulespec.fetch(:dest_address, 'any').to_s
+          args << 'dst-port' << self.rulespec[:dest_port].to_s if self.rulespec.has_key? :dest_port
+
+          args << 'recv' << self.rulespec[:in_interface].to_s if self.rulespec.has_key? :in_interface
+        end
+
+        args
+      end
+    end
+
+    def self.redirect(args={})
+      rule = IpfwRule.new(self)
+      rule.redirect(args)
+    end
+
+    # Returns the [port, host] for the original destination of +sock+.
+    #
+    # +Sock+ can be a Ruby socket or an EventMachine::Connection (including
+    # handler modules, which are mixed in to an anonymous descendent of
+    # EM::Connection).
+    #
+    # When Ipfw uses a fwd/forward rule to redirect a connection to a local
+    # socket, the destination address remains unchanged, meaning that C's
+    # getsockname() will return the original destination.
+    def self.original_dest(sock)
+      if sock.respond_to? :getsockname
+        sockname = sock.getsockname
+      elsif sock.respond_to? :get_sockname
+        sockname = sock.get_sockname
+      else
+        raise ArgumentError, "#{sock.inspect} supports neither :getsockname nor :get_sockname!"
+      end
+      Socket::unpack_sockaddr_in(sockname)
+    end
+  end
+
+end
+end

data/lib/packetthief/impl/manual.rb

@@ -0,0 +1,54 @@
+
+
+module PacketThief
+  module Impl
+  # PacketThief implementation that does apply any firewall rules. Furthermore,
+  # Manual.original_dest will always return a pre-configured destination address.
+  class Manual
+    module NullRuleHandler
+
+      include Logging
+
+      attr_accessor :active_rules
+
+      # Executes a rule and holds onto it for later removal.
+      def run(rule)
+      end
+
+      # Reverts all executed rules that this handler knows about.
+      def revert
+      end
+    end
+    extend NullRuleHandler
+
+    class NullRule < RedirectRule
+      def initialize(handler, rule_number=nil)
+        super(handler)
+      end
+    end
+
+    def self.redirect(args={})
+      rule = NullRule.new(self)
+      rule.redirect(args)
+    end
+
+    def self.set_dest(host, port)
+      @dest_host = host
+      @dest_port = port
+    end
+
+    # Returns the [port, host] for the original destination of +sock+.
+    #
+    # The Manual implementation only returns a preconfigured original
+    # destination. Making it only good for testing clients that only talk to a
+    # single remote host.
+    def self.original_dest(sock)
+      raise "You must call .set_dest(host,port) to set the original_dest in the Manual PacketThief implementation!" if @dest_host == nil or @dest_port == nil
+      return [ @dest_port, @dest_host ]
+
+    end
+
+  end
+
+end
+end

data/lib/packetthief/impl/netfilter.rb

@@ -0,0 +1,109 @@
+
+module PacketThief
+module Impl
+  # PacketThief implemented using the Linux kernel's Netfilter.
+  #
+  # This is roughly equivalent to:
+  #
+  # echo 1 > /proc/sys/net/ipv4/ip_forward
+  # iptables -t nat -A PREROUTING -p tcp --destination-port <DEST> -j REDIRECT --to-ports <LISTENER>
+  #
+  # Currently only implements IPv4.
+  #
+  # Note that the listening socket must have a blank hostname. If it is set to
+  # 127.0.0.1, then the socket will only run on the loopback device, and
+  # traffic that gets redirected from another device won't reach it.
+  class Netfilter
+
+    # Manages IPTablesRules. It actually runs the rule, and it tracks the rule
+    # so it can be deleted later.
+    module IPTablesRuleHandler
+      attr_accessor :active_rules
+
+      # Executes a rule and holds onto it for later removal.
+      def run(rule)
+        @active_rules ||= []
+
+        args = ['/sbin/iptables', '-t', rule.table, '-A', rule.chain]
+
+        args.concat rule.to_netfilter_command
+
+        unless system(*args)
+          raise "Command #{args.inspect} exited with error code #{$?.inspect}"
+        end
+
+        @active_rules << rule
+      end
+
+      # Reverts all executed rules that this handler knows about.
+      def revert
+        return if @active_rules == nil or @active_rules.empty?
+
+        @active_rules.each do |rule|
+          args = ['/sbin/iptables', '-t', rule.table, '-D', rule.chain]
+          args.concat rule.to_netfilter_command
+
+          unless system(*args)
+            raise "Command #{args.inspect} exited with error code #{$?.inspect}"
+          end
+        end
+
+        @active_rules = []
+      end
+    end
+    extend IPTablesRuleHandler
+
+    # Adds IPTables specific details to a Redirectrule.
+    class IPTablesRule < RedirectRule
+
+      attr_accessor :table
+      attr_accessor :chain
+
+      def initialize(handler, table, chain)
+        super(handler)
+        @table = table
+        @chain = chain
+      end
+
+      def to_netfilter_command
+        args = []
+
+        if self.rulespec
+          args << '-p' << self.rulespec[:protocol].to_s if self.rulespec.has_key? :protocol
+          args << '--destination-port' << self.rulespec[:dest_port].to_s if self.rulespec.has_key? :dest_port
+          args << '--in-interface' << self.rulespec[:in_interface].to_s if self.rulespec.has_key? :in_interface
+        end
+
+        if self.redirectspec
+          args << '-j' << 'REDIRECT'
+          args << '--to-ports' << self.redirectspec[:to_ports].to_s if self.redirectspec.has_key? :to_ports
+        end
+
+        args
+      end
+
+    end
+
+    def self.redirect(args={})
+      rule = IPTablesRule.new(self,'nat','PREROUTING')
+      rule.redirect(args)
+    end
+
+    #/usr/include/linux/netfilter_ipv4.h:#define SO_ORIGINAL_DST 80
+    SO_ORIGINAL_DST = 80
+
+    # Returns the [port, host] for a socket or EM::Connection that whose
+    # connection was redirected by netfilter
+    def self.original_dest(socket)
+      if socket.respond_to? :getsockopt
+        sockname = socket.getsockopt(Socket::IPPROTO_IP, SO_ORIGINAL_DST)
+      elsif socket.respond_to? :get_sock_opt
+        sockname = socket.get_sock_opt(Socket::IPPROTO_IP, SO_ORIGINAL_DST)
+      end
+        Socket::unpack_sockaddr_in(sockname)
+    end
+
+  end
+
+end
+end

data/lib/packetthief/impl/pf_divert.rb

@@ -0,0 +1,168 @@
+
+
+module PacketThief
+module Impl
+  # Untested and likely broken PacketThief implementation that uses PF's
+  # divert-to to redirect traffic. It is currently untested, and it requires a
+  # newer version of PF to redirect traffic than is available in Mac OS X 10.7
+  # (and probably 10.8)
+  #
+  # == Capturing Traffic
+  #
+  # It works by dynamically changing the rules in the "packetthief" anchor. To
+  # use it, you must add the following to your /etc/pf.conf file in the
+  # "Packet Filtering" section::
+  #
+  #     anchor "packetthief"
+  #
+  # Then you must reload your pf config by rebooting or by executing:
+  #
+  #     sudo pfctl -f /etc/pf.conf
+  #
+  # When PacketThief adds a rule, it constructs a new rule set for the
+  # packetthief anchor and replaces the current ruleset in the anchor by
+  # calling:
+  #
+  #     echo "#{our rules}" | pfctl -a packetthief -f -
+  #
+  # Rules look something like:
+  #
+  #     pass in on en1 proto tcp from any to any port 443 divert-to 127.0.0.1 port 54321
+  #
+  # == Acquiring the original destination
+  #
+  # According to [1], if we use a divert-to rule, we can get the original
+  # destination using getsockname(2) instead of having to perform ioctl
+  # operations on the /dev/pf pseudo-device.
+  #
+  # [1]: http://www.openbsd.org/cgi-bin/man.cgi?query=pf.conf&sektion=5&arch=&apropos=0&manpath=OpenBSD+Current
+  #
+  #
+  # == Alternative implementations
+  #
+  # TODO:
+  #
+  # divert-to is too new of Mac OS X 10.7 (Lion is using a relatively "old"
+  # implementation of PF).
+  #
+  # A possible alternative is to use rdr rules:
+  #
+  #     rdr on en1 proto tcp from any to any port 443 -> 127.0.0.1 port 54321
+  #
+  # This also requires:
+  #
+  #     rdr-anchor "packetthief"
+  #
+  # in /etc/pf.conf in the "Translation" section of /etc/pf.conf. We can then
+  # use the ioctl with DIOCNATLOOK approach that Squid uses to get a
+  # pfioc_natlook data structure to get the original destination of the connection.
+  class PFDivert
+    module PFDivertRuleHandler
+      attr_accessor :active_rules
+
+      # Executes a rule and holds onto it for later removal.
+      def run(rule)
+        @active_rules ||= []
+
+#        args = ['pfctl', 'add', 'set', '30'] # TODO: make the rule number customizable
+        args = ['echo']
+
+        @active_rules << rule
+        args << @active_rules.map { |r| r.to_pf_command.join(" ") }.join("\n")
+
+        args = args + %w{| pfctl -a packetthief -f -}
+
+        # run the command
+        unless system(*args)
+          raise "Command #{args.inspect} exited with error code #{$?.inspect}"
+        end
+
+      end
+
+      # Reverts all executed rules that this handler knows about.
+      def revert
+        return if @active_rules == nil or @active_rules.empty?
+
+          args = %W{pfctl -a packetthief -F rules}
+          unless system(*args)
+            raise "Command #{args.inspect} exited with error code #{$?.inspect}"
+          end
+#        end
+
+        @active_rules = []
+      end
+    end
+    extend PFDivertRuleHandler
+
+    class PFDivertRule < RedirectRule
+
+      attr_accessor :rule_number
+
+      def initialize(handler, rule_number=nil)
+        super(handler)
+        @rule_number = rule_number
+      end
+
+      def to_pf_command
+        args = []
+
+        args << "pass" << "in"
+
+        if self.rulespec
+          args << 'on' << self.rulespec[:in_interface].to_s if self.rulespec.has_key? :in_interface
+
+          args << "proto" << self.rulespec.fetch(:protocol,'ip').to_s
+
+          args << 'from'
+          args << self.rulespec.fetch(:source_address, 'any').to_s
+          args << 'port' << self.rulespec[:source_port].to_s if self.rulespec.has_key? :source_port
+
+          args << 'to'
+          args << self.rulespec.fetch(:dest_address, 'any').to_s
+          args << 'port' << self.rulespec[:dest_port].to_s if self.rulespec.has_key? :dest_port
+        end
+
+        if self.redirectspec
+          if self.redirectspec.has_key? :to_ports
+            args << 'divert-to'
+            args << "127.0.0.1"
+            args << 'port' << self.redirectspec[:to_ports].to_s if self.redirectspec.has_key? :to_ports
+          else
+            raise "Rule lacks a valid redirect: #{self.inspect}"
+          end
+        end
+
+
+        args
+      end
+    end
+
+    def self.redirect(args={})
+      rule = PFDivertRule.new(self)
+      rule.redirect(args)
+    end
+
+    # Returns the [port, host] for the original destination of +sock+.
+    #
+    # +Sock+ can be a Ruby socket or an EventMachine::Connection (including
+    # handler modules, which are mixed in to an anonymous descendent of
+    # EM::Connection).
+    #
+    # When PF uses a divert-to[1] rule to redirect a connection to a local socket,
+    # the destination address remains unchanged, meaning that C's getsockname()
+    # will return the original destination.
+    # [1]: http://www.openbsd.org/cgi-bin/man.cgi?query=pf.conf&sektion=5&arch=&apropos=0&manpath=OpenBSD+Current
+    def self.original_dest(sock)
+      if sock.respond_to? :getsockname
+        sockname = sock.getsockname
+      elsif sock.respond_to? :get_sockname
+        sockname = sock.get_sockname
+      else
+        raise ArgumentError, "#{sock.inspect} supports neither :getsockname nor :get_sockname!"
+      end
+      Socket::unpack_sockaddr_in(sockname)
+    end
+  end
+
+end
+end