Re: [Tails-dev] Tails control port filter proxy in Whonix?

Author: Patrick Schleizer
Date:  
To: tails-dev
Subject: Re: [Tails-dev] Tails control port filter proxy in Whonix?
anonym:
> Patrick Schleizer:
>> anonym:
>>> Patrick Schleizer:
>>>> Where I need to correct myself. The injected IP is probably difficult to
>>>> add to a config file since IPs in Qubes will remain dynamic for
>>>> quite some time until Qubes 4.0. We'd need something like this.
>>>>
>>>>     ADD_ONION:
>>>>       - pattern: 'NEW:BEST Port=80,(176[0-5][0-9])'
>>>>         replacement: 'NEW:BEST Port=80,<client i.e. workstation IP>:{}'
>>>>
>>>> (Where <workstation IP> is just used to illustrate. Not a syntax
>>>> suggestion. Could be expressed with any other special chars.)
>>>>
>>>> Could you implement that please?
>>>
>>> I hacked something together so that the following should work for you:
>>>
>>>     ADD_ONION:
>>>       - pattern:     'NEW:BEST Port=80,(176[0-5][0-9])'
>>>         replacement: 'NEW:BEST Port=80,{client-address}:{}'
>>>
>>> See attached patch, but note that I haven't tested it (and not pushed
>>> it, since the branch is up for review, and I won't have time to test it
>>> for that). If there's some silly syntax error, I bet you can fix it
>>> yourself. :)
>>
>> Fixed some minor issues indeed. Patch attached.
>>
>> However, there is an offending line I am stuck with.
>>
>> return r['replacement'].format(*match.groups()) + terminator
>>
>>   File "./tor-controlport-filter", line 334, in rewrite_line
>>     return r['replacement'].format(*match.groups()) + terminator
>> KeyError: 'client-address'
>>
>> Could you fix that please?
>
> Yesterday's patch was trash. See the new commit(s) I've just pushed to
> the branch.


That seems to work! :)

When the filter is terminated, onionshare apparently does not notice
that. Would be better if onionshare would notice that. Is that a bug?

About the packaging. If you like the genmkfile way to package things, I
could also do the packaging. Only disadvantage would be an extra
dependency on genmkfile.

https://github.com/Whonix/control-port-filter-python
https://github.com/Whonix/genmkfile

That would be trivial on my side since Tails control filter seems very
similar to control-port-filter-python. (control-port-filter-python
packaged with genmkfile is a lintian --pedantic warning free and to my
knowledge, fully compliant Debian source and binary package.) Otherwise,
I'd just wait for you.

I added 'Flags=DiscardPK', which works and I thought that is useful at
least in case of Whonix. The workstation does not need to learn the
hidden service key since onionshare does not use it anyhow. Not sure
this (and the following) also makes sense in Tails?

Some lines in Tor's response contain the following:
(azazazazazazaz10 is the HS)

650 HS_DESC CREATED azazazazazazaz10 UNKNOWN UNKNOWN gliberrish REPLICA=0
650 HS_DESC CREATED azazazazazazaz10 UNKNOWN UNKNOWN gliberrish REPLICA=1
650 HS_DESC UPLOAD azazazazazazaz10 UNKNOWN gliberrish gliberrish
650 HS_DESC UPLOADED azazazazazazaz10 UNKNOWN gliberrish

Could you please show how to rewrite them to:

650 HS_DESC CREATED azazazazazazaz10 UNKNOWN UNKNOWN dedacted REPLICA=0
650 HS_DESC CREATED azazazazazazaz10 UNKNOWN UNKNOWN dedacted REPLICA=1
650 HS_DESC UPLOAD azazazazazazaz10 UNKNOWN dedacted dedacted
650 HS_DESC UPLOADED azazazazazazaz10 UNKNOWN dedacted

I am not sure stem would complain about this, but I guess not, and it
seems useful to me to contain that information.

Cheers,
Patrick
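
The sketch below is an added example, not part of the original message and not code from tor-controlport-filter or control-port-filter-python. It shows why a replacement template that mixes `{}` with `{client-address}` raises the `KeyError` quoted above when only the regex groups are passed to `format()`, and one way to redact the opaque fields of the `HS_DESC` events listed in the message. The function names, the rule dictionary and the address `10.137.0.5` are assumptions made for the example.

```python
import re

# Hypothetical rule, shaped like the ADD_ONION entry quoted in the thread.
RULE = {
    "pattern": r"NEW:BEST Port=80,(176[0-5][0-9])",
    "replacement": "NEW:BEST Port=80,{client-address}:{}",
}

def rewrite_args(args, rule, client_address):
    """Return the rewritten ADD_ONION arguments, or None if not allowed."""
    match = re.fullmatch(rule["pattern"], args)
    if match is None:
        return None  # fail closed: anything outside the pattern is rejected
    # Positional {} fields take the regex groups; the named field has to be
    # supplied as a keyword, otherwise format() raises
    # KeyError: 'client-address'.
    return rule["replacement"].format(
        *match.groups(), **{"client-address": client_address}
    )

# Built from the sample events in the message: everything after
# "<onion address> UNKNOWN" is redacted unless it is the literal UNKNOWN
# or a REPLICA=<n> field.
HS_DESC = re.compile(
    r"(650 HS_DESC (?:CREATED|UPLOAD|UPLOADED) \S+ UNKNOWN)((?: \S+)*)"
)
KEEP = re.compile(r"UNKNOWN|REPLICA=\d+")

def redact_hs_desc(line, placeholder="redacted"):
    """Redact opaque identifiers in an HS_DESC event; pass other lines through."""
    match = HS_DESC.fullmatch(line)
    if match is None:
        return line
    fields = [
        tok if KEEP.fullmatch(tok) else placeholder
        for tok in match.group(2).split()
    ]
    return " ".join([match.group(1)] + fields)

if __name__ == "__main__":
    # Constructed inputs; 10.137.0.5 stands in for the workstation address.
    print(rewrite_args("NEW:BEST Port=80,17600", RULE, "10.137.0.5"))
    print(redact_hs_desc(
        "650 HS_DESC UPLOAD azazazazazazaz10 UNKNOWN gliberrish gliberrish"))
```
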