Added SO_MARK setting for redirect auto configuration

Author: shadowy-pycoder

README.md

@@ -159,6 +159,8 @@ Options:
         Address of HTTP proxy server (default "127.0.0.1:8080")
   -logfile string
         Log file path (Default: stdout)
+  -mark uint
+        Set the mark for each packet sent through transparent proxy
   -nocolor
         Disable colored output for logs (no effect if -j flag specified)
   -s string
@@ -387,6 +389,12 @@ sudo env PATH=$PATH gohpts -d -T 8888 -M redirect -auto
 
 Please note, automatic configuration requires `sudo` and is very generic, which might not be suitable for your needs.
 
+You can optionally specify `-mark <value>` to prevent possible proxy loops
+
+```shell
+sudo env PATH=$PATH gohpts -d -T 8888 -M redirect -auto -mark 100
+```
+
 ## `tproxy` (via _MANGLE_ and _IP_TRANSPARENT_)
 
 [[Back]](#table-of-contents)

cmd/gohpts/cli.go

@@ -55,6 +55,7 @@ func root(args []string) error {
 			return nil
 		})
 		flags.BoolVar(&conf.Auto, "auto", false, "Automatically setup iptables for transparent proxy (requires elevated privileges)")
+		flags.UintVar(&conf.Mark, "mark", 0, "Set the mark for each packet sent through transparent proxy")
 	}
 	flags.StringVar(&conf.LogFilePath, "logfile", "", "Log file path (Default: stdout)")
 	flags.BoolVar(&conf.Debug, "d", false, "Show logs in DEBUG mode")
@@ -110,6 +111,11 @@ func root(args []string) error {
 			return fmt.Errorf("-auto is available only for -M redirect")
 		}
 	}
+	if seen["mark"] {
+		if !seen["auto"] {
+			return fmt.Errorf("-mark requires -auto flag")
+		}
+	}
 	if seen["f"] {
 		for _, da := range []string{"s", "u", "U", "c", "k", "l"} {
 			if seen[da] {

gohpts.go

@@ -87,6 +87,7 @@ type Config struct {
 	TProxyOnly     string
 	TProxyMode     string
 	Auto           bool
+	Mark           uint
 	LogFilePath    string
 	Debug          bool
 	Json           bool
@@ -109,6 +110,7 @@ type proxyapp struct {
 	tproxyAddr     string
 	tproxyMode     string
 	auto           bool
+	mark           uint
 	user           string
 	pass           string
 	proxychain     chain
@@ -544,7 +546,7 @@ func (p *proxyapp) updateSocksList() {
 	p.mu.Lock()
 	defer p.mu.Unlock()
 	p.availProxyList = p.availProxyList[:0]
-	var base proxy.Dialer = &net.Dialer{Timeout: timeout}
+	var base proxy.Dialer = getBaseSockDialer(timeout, p.mark)
 	var dialer proxy.Dialer
 	var err error
 	failed := 0
@@ -683,7 +685,7 @@ func (p *proxyapp) getSocks() (proxy.Dialer, *http.Client, error) {
 		p.logger.Error().Msgf("%s Not all SOCKS5 Proxy available", ctl)
 		return nil, nil, fmt.Errorf("not all socks5 proxy available")
 	}
-	var dialer proxy.Dialer = &net.Dialer{Timeout: timeout}
+	var dialer proxy.Dialer = getBaseSockDialer(timeout, p.mark)
 	var err error
 	for _, pr := range copyProxyList {
 		auth := proxy.Auth{
@@ -1166,48 +1168,68 @@ func (p *proxyapp) applyRedirectRules() string {
 	if err := cmd0.Run(); err != nil {
 		p.logger.Fatal().Err(err).Msg("Failed while configuring iptables. Are you root?")
 	}
-	_, tproxyPort, _ := net.SplitHostPort(p.tproxyAddr)
-	cmd1 := exec.Command("bash", "-c", fmt.Sprintf(`
+	cmd1 := exec.Command("bash", "-c", `
     set -ex
     iptables -t nat -N GOHPTS 2>/dev/null 
     iptables -t nat -F GOHPTS 
      
     iptables -t nat -A GOHPTS -d 127.0.0.0/8 -j RETURN 
-    iptables -t nat -A GOHPTS -p tcp --dport %s -j RETURN
     iptables -t nat -A GOHPTS -p tcp --dport 22 -j RETURN
-    `, tproxyPort))
+    `)
 	cmd1.Stdout = os.Stdout
 	cmd1.Stderr = os.Stderr
 	if err := cmd1.Run(); err != nil {
 		p.logger.Fatal().Err(err).Msg("Failed while configuring iptables. Are you root?")
 	}
-	if len(p.proxylist) > 0 {
-		for _, pr := range p.proxylist {
-			_, port, _ := net.SplitHostPort(pr.Address)
-			cmd2 := exec.Command("bash", "-c", fmt.Sprintf(`
+	_, tproxyPort, _ := net.SplitHostPort(p.tproxyAddr)
+	if p.mark > 0 {
+		cmd2 := exec.Command("bash", "-c", fmt.Sprintf(`
         set -ex
-        iptables -t nat -A GOHPTS -p tcp --dport %s -j RETURN
-        `, port))
-			cmd2.Stdout = os.Stdout
-			cmd2.Stderr = os.Stderr
-			if err := cmd2.Run(); err != nil {
-				p.logger.Fatal().Err(err).Msg("Failed while configuring iptables. Are you root?")
-			}
+        iptables -t nat -A GOHPTS -p tcp -m mark --mark %d -j RETURN
+        `, p.mark))
+		cmd2.Stdout = os.Stdout
+		cmd2.Stderr = os.Stderr
+		if err := cmd2.Run(); err != nil {
+			p.logger.Fatal().Err(err).Msg("Failed while configuring iptables. Are you root?")
 		}
-	}
-	if p.httpServerAddr != "" {
-		_, httpPort, _ := net.SplitHostPort(p.httpServerAddr)
-		cmd3 := exec.Command("bash", "-c", fmt.Sprintf(`
+	} else {
+		cmd2 := exec.Command("bash", "-c", fmt.Sprintf(`
         set -ex
         iptables -t nat -A GOHPTS -p tcp --dport %s -j RETURN
-        `, httpPort))
-		cmd3.Stdout = os.Stdout
-		cmd3.Stderr = os.Stderr
-		if err := cmd3.Run(); err != nil {
+        `, tproxyPort))
+		cmd2.Stdout = os.Stdout
+		cmd2.Stderr = os.Stderr
+		if err := cmd2.Run(); err != nil {
 			p.logger.Fatal().Err(err).Msg("Failed while configuring iptables. Are you root?")
 		}
+		if len(p.proxylist) > 0 {
+			for _, pr := range p.proxylist {
+				_, port, _ := net.SplitHostPort(pr.Address)
+				cmd3 := exec.Command("bash", "-c", fmt.Sprintf(`
+                set -ex
+                iptables -t nat -A GOHPTS -p tcp --dport %s -j RETURN
+                `, port))
+				cmd3.Stdout = os.Stdout
+				cmd3.Stderr = os.Stderr
+				if err := cmd3.Run(); err != nil {
+					p.logger.Fatal().Err(err).Msg("Failed while configuring iptables. Are you root?")
+				}
+			}
+		}
+		if p.httpServerAddr != "" {
+			_, httpPort, _ := net.SplitHostPort(p.httpServerAddr)
+			cmd4 := exec.Command("bash", "-c", fmt.Sprintf(`
+            set -ex
+            iptables -t nat -A GOHPTS -p tcp --dport %s -j RETURN
+            `, httpPort))
+			cmd4.Stdout = os.Stdout
+			cmd4.Stderr = os.Stderr
+			if err := cmd4.Run(); err != nil {
+				p.logger.Fatal().Err(err).Msg("Failed while configuring iptables. Are you root?")
+			}
+		}
 	}
-	cmd4 := exec.Command("bash", "-c", fmt.Sprintf(`
+	cmd5 := exec.Command("bash", "-c", fmt.Sprintf(`
     set -ex
     if command -v docker >/dev/null 2>&1
     then
@@ -1224,25 +1246,25 @@ func (p *proxyapp) applyRedirectRules() string {
     iptables -t nat -C OUTPUT -p tcp -j GOHPTS 2>/dev/null || \
     iptables -t nat -A OUTPUT -p tcp -j GOHPTS
     `, tproxyPort))
-	cmd4.Stdout = os.Stdout
-	cmd4.Stderr = os.Stderr
-	if err := cmd4.Run(); err != nil {
+	cmd5.Stdout = os.Stdout
+	cmd5.Stderr = os.Stderr
+	if err := cmd5.Run(); err != nil {
 		p.logger.Fatal().Err(err).Msg("Failed while configuring iptables. Are you root?")
 	}
-	cmd5 := exec.Command("bash", "-c", `
+	cmd6 := exec.Command("bash", "-c", `
     cat /proc/sys/net/ipv4/ip_forward
     `)
-	output, err := cmd5.CombinedOutput()
+	output, err := cmd6.CombinedOutput()
 	if err != nil {
 		p.logger.Fatal().Err(err).Msg("Failed while configuring iptables. Are you root?")
 	}
-	cmd6 := exec.Command("bash", "-c", `
+	cmd7 := exec.Command("bash", "-c", `
     set -ex
     sysctl -w net.ipv4.ip_forward=1
     `)
-	cmd6.Stdout = os.Stdout
-	cmd6.Stderr = os.Stderr
-	_ = cmd6.Run()
+	cmd7.Stdout = os.Stdout
+	cmd7.Stderr = os.Stderr
+	_ = cmd7.Run()
 	return string(output)
 }
 
@@ -1572,9 +1594,19 @@ func New(conf *Config) *proxyapp {
 		}
 	}
 	p.auto = conf.Auto
-	if p.auto && p.tproxyMode != "" && p.tproxyMode != "redirect" {
+	if p.auto && runtime.GOOS != "linux" {
+		p.logger.Fatal().Msg("Auto setup is available only for linux system")
+	}
+	if p.auto && p.tproxyMode != "redirect" {
 		p.logger.Fatal().Msg("Auto setup is available only for redirect mode")
 	}
+	p.mark = conf.Mark
+	if p.mark > 0 && runtime.GOOS != "linux" {
+		p.logger.Fatal().Msg("SO_MARK is available only for linux system")
+	}
+	if p.mark > 0xFFFFFFFF {
+		p.logger.Fatal().Msg("SO_MARK is out of range")
+	}
 	var addrHTTP, addrSOCKS, certFile, keyFile string
 	if conf.ServerConfPath != "" {
 		var sconf serverConfig
@@ -1645,7 +1677,7 @@ func New(conf *Config) *proxyapp {
 			User:     conf.User,
 			Password: conf.Pass,
 		}
-		dialer, err := proxy.SOCKS5("tcp", addrSOCKS, &auth, &net.Dialer{Timeout: timeout})
+		dialer, err := proxy.SOCKS5("tcp", addrSOCKS, &auth, getBaseSockDialer(timeout, p.mark))
 		if err != nil {
 			p.logger.Fatal().Err(err).Msg("Unable to create SOCKS5 dialer")
 		}

tproxy_linux.go

@@ -222,3 +222,20 @@ func (ts *tproxyServer) Shutdown() {
 		return
 	}
 }
+
+func getBaseSockDialer(timeout time.Duration, mark uint) *net.Dialer {
+	var dialer *net.Dialer
+	if mark > 0 {
+		dialer = &net.Dialer{
+			Timeout: timeout,
+			Control: func(_, _ string, c syscall.RawConn) error {
+				return c.Control(func(fd uintptr) {
+					unix.SetsockoptInt(int(fd), unix.SOL_SOCKET, unix.SO_MARK, int(mark))
+				})
+			},
+		}
+	} else {
+		dialer = &net.Dialer{Timeout: timeout}
+	}
+	return dialer
+}

tproxy_nonlinux.go

@@ -7,6 +7,7 @@ import (
 	"net"
 	"sync"
 	"syscall"
+	"time"
 )
 
 type tproxyServer struct {
@@ -40,3 +41,8 @@ func (ts *tproxyServer) handleConnection(srcConn net.Conn) {
 }
 
 func (ts *tproxyServer) Shutdown() {}
+
+func getBaseSockDialer(timeout time.Duration, mark uint) *net.Dialer {
+	_ = mark
+	return &net.Dialer{Timeout: timeout}
+}