Re: [Tails-dev] Tails control port filter proxy in Whonix?

Delete this message

Reply to this message
Autore: anonym
Data:  
To: The Tails public development discussion list
Oggetto: Re: [Tails-dev] Tails control port filter proxy in Whonix?
Patrick Schleizer:
> Where I need to correct myself. The injected IP is probably difficult to
> add to a config file since IPs in Qubes will remain dynamic for some
> quite some time until Qubes 4.0. We'd need something like this.
>
>     ADD_ONION:
>       - pattern: 'NEW:BEST Port=80,(176[0-5][0-9])'
>         replacement: 'NEW:BEST Port=80,<client i.e. workstation IP>:{}'

>
> (Where <workstation IP> is just used to illustrate. Not a syntax
> suggestion. Could be expressed with any other special chars.)
>
> Could you implement that please?


I hacked something together so that the following should work for you:

    ADD_ONION:
      - pattern:     'NEW:BEST Port=80,(176[0-5][0-9])'
        replacement: 'NEW:BEST Port=80,{client-address}:{}'


See attached patch, but note that I haven't tested it (and not pushed
it, since the branch is up for review, and I won't have time to test it
for that). If there's some silly syntax error, I bet you can fix it
yourself. :)

Cheers!

From 66befb6a44fcdb1c8afccf0346de0007bd52ecd3 Mon Sep 17 00:00:00 2001
From: anonym <anonym@???>
Date: Sat, 12 Nov 2016 20:46:29 +0100
Subject: [PATCH] tor-controlport-filter: add "special" replacers.

Feature requested for Whonix.
---
 .../usr/local/lib/tor-controlport-filter              | 19 +++++++++++++++++--
 1 file changed, 17 insertions(+), 2 deletions(-)


diff --git a/config/chroot_local-includes/usr/local/lib/tor-controlport-filter b/config/chroot_local-includes/usr/local/lib/tor-controlport-filter
index 480925a..28800e5 100755
--- a/config/chroot_local-includes/usr/local/lib/tor-controlport-filter
+++ b/config/chroot_local-includes/usr/local/lib/tor-controlport-filter
@@ -74,7 +74,13 @@
 # * `replacement`: this rewrites the arguments. The value is a Python
 #   format string (str.format()) which will be given the match groups
 #   from the match of `pattern`. The rewritten command is then proxied
-#   without the need to match any rule.
+#   without the need to match any rule. There are also some special
+#   patterns that will be replaced as follows:
+#
+#   - {client-address}: the client's IP address
+#   - {client-port}: the client's port
+#   - {server-address}: the server's IP address
+#   - {server-port}: the server's (listening) port
 #
 # * `response`: a list of dictionaries, where the `pattern` and
 #   `replacement` keys work exactly as for commands arguments, but now
@@ -251,7 +257,7 @@ def match_and_parse_filter(filters, matchers):
             allowed_events, restrict_stream_events)



-def handle_controlport_session(controller, readh, writeh, client_desc, client_pid, allowed_commands, allowed_events, restrict_stream_events = False):
+def handle_controlport_session(controller, readh, writeh, client_desc, client_pid, client_address, server_address, allowed_commands, allowed_events, restrict_stream_events = False):

     def _log(line, format_multiline=False, sep = ': '):
         line = line.strip()
@@ -309,6 +315,14 @@ def handle_controlport_session(controller, readh, writeh, client_desc, client_pi
         respond("510 Command filtered")


     def rewrite_line(replacers, line):
+        builtin_replacers = (
+            ('{client-address}', client_address[0]),
+            ('{client-port}',    client_address[1]),
+            ('{server-address}', server_address[0]),
+            ('{server-port}',    server_address[1]),
+        )
+        for pattern, replacement in builtin_replacers:
+            line = line.replace(pattern, replacement)
         terminator = ''
         if line[-2:] == "\r\n":
             terminator = "\r\n"
@@ -548,6 +562,7 @@ class FilteredControlPortProxyHandler(socketserver.StreamRequestHandler):
         try:
             handle_controlport_session(controller, self.rfile, self.wfile,
                                        client_desc, client_pid,
+                                       self.client_address, self.server_address,
                                        allowed_commands, allowed_events,
                                        restrict_stream_events
             )
-- 
2.10.2