
Commit 4670ac8

refactor
1 parent fe4222b commit 4670ac8

1 file changed

+84
-84
lines changed

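--- a/jail/linux.go
+++ b/jail/linux.go
@@ -134,90 +134,6 @@ func (l *LinuxJail) Close() error {
 return nil
 }
 
-// setupIptables configures iptables rules for comprehensive TCP traffic interception
-func (l *LinuxJail) configureIptables() error {
-runner := newCommandRunner([]*command{
-{
-"enable IP forwarding",
-exec.Command("sysctl", "-w", "net.ipv4.ip_forward=1"),
-[]uintptr{},
-},
-{
-"NAT rules for outgoing traffic (MASQUERADE for return traffic)",
-exec.Command("iptables", "-t", "nat", "-A", "POSTROUTING", "-s", "192.168.100.0/24", "-j", "MASQUERADE"),
-[]uintptr{uintptr(unix.CAP_NET_ADMIN)},
-},
-{
-// COMPREHENSIVE APPROACH: Route ALL TCP traffic to HTTP proxy
-// The HTTP proxy will intelligently handle both HTTP and TLS traffic
-"Route ALL TCP traffic to HTTP proxy",
-exec.Command("iptables", "-t", "nat", "-A", "PREROUTING", "-i", l.vethHostName, "-p", "tcp", "-j", "REDIRECT", "--to-ports", fmt.Sprintf("%d", l.httpProxyPort)),
-[]uintptr{uintptr(unix.CAP_NET_ADMIN)},
-},
-// TODO: clean up this rules
-{
-"iptables FORWARD -s",
-exec.Command("iptables", "-A", "FORWARD", "-s", "192.168.100.0/24", "-j", "ACCEPT"),
-[]uintptr{uintptr(unix.CAP_NET_ADMIN)},
-},
-{
-"iptables FORWARD -d",
-exec.Command("iptables", "-A", "FORWARD", "-d", "192.168.100.0/24", "-j", "ACCEPT"),
-[]uintptr{uintptr(unix.CAP_NET_ADMIN)},
-},
-})
-if err := runner.run(); err != nil {
-return err
-}
-
-l.logger.Debug("Comprehensive TCP boundarying enabled", "interface", l.vethHostName, "proxy_port", l.httpProxyPort)
-return nil
-}
-
-// cleanupIptables removes iptables rules
-func (l *LinuxJail) cleanupIptables() error {
-// Remove comprehensive TCP redirect rule
-cmd := exec.Command("iptables", "-t", "nat", "-D", "PREROUTING", "-i", l.vethHostName, "-p", "tcp", "-j", "REDIRECT", "--to-ports", fmt.Sprintf("%d", l.httpProxyPort))
-err := cmd.Run()
-if err != nil {
-l.logger.Error("Failed to remove TCP redirect rule", "error", err)
-// Continue with other cleanup even if this fails
-}
-
-// Remove NAT rule
-cmd = exec.Command("iptables", "-t", "nat", "-D", "POSTROUTING", "-s", "192.168.100.0/24", "-j", "MASQUERADE")
-err = cmd.Run()
-if err != nil {
-l.logger.Error("Failed to remove NAT rule", "error", err)
-// Continue with other cleanup even if this fails
-}
-
-return nil
-}
-
-// cleanupNetworking removes networking configuration
-func (l *LinuxJail) cleanupNetworking() error {
-// Generate unique ID to match veth pair
-uniqueID := fmt.Sprintf("%d", time.Now().UnixNano()%10000000) // 7 digits max
-vethHost := fmt.Sprintf("veth_h_%s", uniqueID) // veth_h_1234567 = 14 chars
-
-// Clean up networking
-cleanupCmds := []struct {
-description string
-command *exec.Cmd
-}{
-{"delete veth pair", exec.Command("ip", "link", "del", vethHost)},
-}
-
-for _, command := range cleanupCmds {
-if err := command.command.Run(); err != nil {
-return fmt.Errorf("failed to %s: %v", command.description, err)
-}
-}
-
-return nil
-}
-
 // removeNamespace removes the network namespace
 func (l *LinuxJail) removeNamespace() error {
 cmd := exec.Command("ip", "netns", "del", l.namespace)
@@ -350,3 +266,87 @@ func SetupChildNetworking(vethNetJail string) error {
 
 return nil
 }
+
+// setupIptables configures iptables rules for comprehensive TCP traffic interception
+func (l *LinuxJail) configureIptables() error {
+runner := newCommandRunner([]*command{
+{
+"enable IP forwarding",
+exec.Command("sysctl", "-w", "net.ipv4.ip_forward=1"),
+[]uintptr{},
+},
+{
+"NAT rules for outgoing traffic (MASQUERADE for return traffic)",
+exec.Command("iptables", "-t", "nat", "-A", "POSTROUTING", "-s", "192.168.100.0/24", "-j", "MASQUERADE"),
+[]uintptr{uintptr(unix.CAP_NET_ADMIN)},
+},
+{
+// COMPREHENSIVE APPROACH: Route ALL TCP traffic to HTTP proxy
+// The HTTP proxy will intelligently handle both HTTP and TLS traffic
+"Route ALL TCP traffic to HTTP proxy",
+exec.Command("iptables", "-t", "nat", "-A", "PREROUTING", "-i", l.vethHostName, "-p", "tcp", "-j", "REDIRECT", "--to-ports", fmt.Sprintf("%d", l.httpProxyPort)),
+[]uintptr{uintptr(unix.CAP_NET_ADMIN)},
+},
+// TODO: clean up this rules
+{
+"iptables FORWARD -s",
+exec.Command("iptables", "-A", "FORWARD", "-s", "192.168.100.0/24", "-j", "ACCEPT"),
+[]uintptr{uintptr(unix.CAP_NET_ADMIN)},
+},
+{
+"iptables FORWARD -d",
+exec.Command("iptables", "-A", "FORWARD", "-d", "192.168.100.0/24", "-j", "ACCEPT"),
+[]uintptr{uintptr(unix.CAP_NET_ADMIN)},
+},
+})
+if err := runner.run(); err != nil {
+return err
+}
+
+l.logger.Debug("Comprehensive TCP boundarying enabled", "interface", l.vethHostName, "proxy_port", l.httpProxyPort)
+return nil
+}
+
+// cleanupNetworking removes networking configuration
+func (l *LinuxJail) cleanupNetworking() error {
+// Generate unique ID to match veth pair
+uniqueID := fmt.Sprintf("%d", time.Now().UnixNano()%10000000) // 7 digits max
+vethHost := fmt.Sprintf("veth_h_%s", uniqueID) // veth_h_1234567 = 14 chars
+
+// Clean up networking
+cleanupCmds := []struct {
+description string
+command *exec.Cmd
+}{
+{"delete veth pair", exec.Command("ip", "link", "del", vethHost)},
+}
+
+for _, command := range cleanupCmds {
+if err := command.command.Run(); err != nil {
+return fmt.Errorf("failed to %s: %v", command.description, err)
+}
+}
+
+return nil
+}
+
+// cleanupIptables removes iptables rules
+func (l *LinuxJail) cleanupIptables() error {
+// Remove comprehensive TCP redirect rule
+cmd := exec.Command("iptables", "-t", "nat", "-D", "PREROUTING", "-i", l.vethHostName, "-p", "tcp", "-j", "REDIRECT", "--to-ports", fmt.Sprintf("%d", l.httpProxyPort))
+err := cmd.Run()
+if err != nil {
+l.logger.Error("Failed to remove TCP redirect rule", "error", err)
+// Continue with other cleanup even if this fails
+}
+
+// Remove NAT rule
+cmd = exec.Command("iptables", "-t", "nat", "-D", "POSTROUTING", "-s", "192.168.100.0/24", "-j", "MASQUERADE")
+err = cmd.Run()
+if err != nil {
+l.logger.Error("Failed to remove NAT rule", "error", err)
+// Continue with other cleanup even if this fails
+}
+
+return nil
+}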
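Review bot: `cleanupNetworking` (new lines 311-331) derives `vethHost` from a fresh `time.Now().UnixNano()` value, so the name handed to `ip link del` cannot match the veth pair created earlier except by coincidence; the delete fails, the function returns that error, and the host-side interface is left behind. The struct already carries the host veth name — `configureIptables` and `cleanupIptables` both use `l.vethHostName` for the `-i` match — so the two generating lines should collapse to `vethHost := l.vethHostName`. Separately, `cleanupIptables` (new lines 334-352) removes only the REDIRECT and MASQUERADE entries; the two FORWARD ACCEPT rules for 192.168.100.0/24 and the `net.ipv4.ip_forward=1` setting from `configureIptables` are never reverted, so every jail run appends another pair of accept rules that persist on the host after the jail is gone, and the debug line's "boundarying" reads like a leftover from a rename. The moved bodies are byte-identical on both sides, so these are pre-existing issues the refactor carries over rather than introduces.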
