base_role/overlay/Linux/usr/local/bin/proxy_ping_test.bash

#!/bin/bash
# -*- mode: sh; tab-width: 8; coding: utf-8-unix -*-

. /usr/local/bin/usr_local_tput.bash || exit 2
PREFIX=/usr/local
ROLE=proxy
PYVER=3

# DEBUG=1

. /usr/local/bin/proxy_ping_lib.bash || \
    { ERROR loading /usr/local/bin/proxy_ping_lib.bash ; exit 6; }
PL=/usr/local/bin/proxy_libvirt_lib.bash
declare -a tests

which traceroute 2>/dev/null >/dev/null && HAVE_TRACEROUTE=1 || HAVE_TRACEROUTE=0
which dig 2>/dev/null >/dev/null && HAVE_DIG=1 || HAVE_DIG=0
which nslookup 2>/dev/null >/dev/null && HAVE_NSLOOKUP=1 || HAVE_NSLOOKUP=0
which tor-resolve 2>/dev/null >/dev/null && HAVE_TOR_RESOLVE=1 || HAVE_TOR_RESOLVE=0

[ -z "$prog" ] || prog=proxy_ping_test
proxy_ping_get_socks
[ -z "$SOCKS_HOST" ] && SOCKS_HOST=127.0.0.1
[ -z "$SOCKS_PORT" ] && SOCKS_PORT=9050
[ -z "$SOCKS_DNS" ]  && SOCKS_DNS=9053
HTTPS_PORT=9128
HTTPS_HOST=127.0.0.1
proxy_ping_get_https
[ -z "$HTTPS_HOST" ] && HTTPS_HOST=127.0.0.1
HTTP_PORT=3128
HTTP_PROXY_HOST=127.0.0.1
proxy_ping_get_http
[ -z "$HTTP_HOST" ] && HTTP_HOST=127.0.0.1

[ -f $PREFIX/etc/testforge/testforge.bash ] && \
    . /usr/local/etc/testforge/testforge.bash >/dev/null || exit 1

P="BASE_PYTHON${PYVER}_MINOR"
PYTHON_MINOR="$(eval echo \$$P)"
[ -n "$PYTHON_MINOR" ] || \
    PYTHON_MINOR=$( python$PYVER --version 2>&1| sed -e 's@^.* @@' -e 's@\.[0-9]*$@@' )
[ -n "$PYTHON_MINOR" ] || exit 4

if [ -z "$LIB" -a -d /usr/lib/python$PYTHON_MINOR ] ; then
    LIB=lib
elif [ -z "$LIB" -a -d /usr/lib64/python$PYTHON_MINOR ] ; then
    LIB=lib64
elif [ -n "$LIB" -a ! -d /usr/$LIB/python$PYTHON_MINOR ] ; then
#?    ERROR LIB=$LIB but no /usr/$LIB/python$PYTHON_MINOR
    exit 5
fi

THOPS=40
NEEDED_BINS="ping traceroute nmap dig nslookup tor-resolve"
NEEDED_SCRIPTS="
/usr/local/bin/proxy_ping_lib.bash
/usr/local/bin/proxy_ping_test.bash
"

grep -q Debian /etc/os-release
DEBIAN=$?
TIMEOUT=30
[ -n "$GATEW_DOM" ] || GATEW_DOM="$( proxy_testforge_get_gateway_dom )"
[ -n "$GATEW_DOM" ] || GATEW_DOM="Whonix-Gateway"

DNS_HOST1="208.67.220.220"
DNS_HOST2="8.8.8.8"ggggg
[ -n "$DNS_TARGET" ] || DNS_TARGET=www.whatismypublicip.com # 108.160.151.39
[ -n "$HTTP_TARGET" ] || HTTP_TARGET=www.whatismypublicip.com # 108.160.151.39
HTTP_TARGET=www.whatismypublicip.com

# time.nist.gov 132.163.97.3
NTP_HOST1=132.163.97.3
# pool.ntp.org 78.46.53.2
NTP_HOST2=78.46.53.2
#  --no-check-certificate
WGET="wget --tries=1 --max-redirect=0 --timeout=$TIMEOUT -O /dev/null"
CURL="curl -o /dev/null $CURL_ARGS"
SCURL="/usr/local/bin/scurl.bash --output /dev/null"
NSL='nslookup -querytype=A -debug'
NETS='netstat -nl4e'
ALL=""

[ -z "$USER" ] && USER=$(id -un )
[ $USER = root ] && DMESG_LINES=1 || DMESG_LINES=0
[ -n "$PROXY_WLAN" ] || PROXY_WLAN=`proxy_ping_get_wlan`
# fixme - required
PROXY_WLAN=$( echo $PROXY_WLAN | grep ^wlan |sed -e 's/:.*//' )

[ -n "$PROXY_WLAN_GW" ] || PROXY_WLAN_GW=`proxy_ping_get_wlan_gw`
# fixme - required
PROXY_WLAN_GW=$( echo $PROXY_WLAN_GW | grep ^wlan |sed -e 's/:.*//' )
MODE=$( proxy_ping_mode )
USAGE="$prog without arguments tests the current MODE=$MODE,
or 0 to list the tests by number,
or one or more of the groups:

"

DNS_HOST=$SOCKS_HOST
[ -z "$PRIV_BIN_OWNER" ] && PRIV_BIN_OWNER=bin
[ -z "$PRIV_BIN_GID" ] && PRIV_BIN_GID=$( grep ^$PRIV_BIN_OWNER /etc/passwd|cut -d: -f 4 )

## proxy_test_netstat_dns
proxy_test_netstat_dns () { DBUG proxy_test_netstat_dns $* ;
    $NETS | grep -q ":53"
    retval=$?
    [ $retval -eq 0 ] && return 0
    ERROR  $prog test=$ARG "${tests[$ARG]}" dns not running
    [ -z "$ALL" ] && exit $ARG$retval || return 1
}

## proxy_test_traceroute_icmp_gw
proxy_test_traceroute_icmp_gw () { DBUG proxy_test_traceroute_icmp_gw $* ;
    [ -n "$PROXY_WLAN_GW" ] || 	PROXY_WLAN_GW=`proxy_ping_get_wlan_gw` || return 1
    traceroute --icmp $PROXY_WLAN_GW
    retval=$?
    [ $retval -eq 0 ] && return 0
    ERROR  $prog test=$ARG "${tests[$ARG]}" retval=$retval traceroute --icmp $PROXY_WLAN_GW
    [ -z "$ALL" ] && exit $ARG$retval || return 1
    # works
    GREP="-i icmp"
    return 0
}

## proxy_test_dig_direct
proxy_test_dig_direct () { DBUG proxy_test_dig_direct $* ;

    dig @$DNS_HOST1 pool.ntp.org +timeout=$TIMEOUT >/dev/null
    retval=$?
    [ $retval -eq 0 ] && return 0
    ERROR  $prog test=$ARG "${tests[$ARG]}" retval=$retval dig @$DNS_HOST1
    [ -z "$ALL" ] && exit $ARG$retval || return 1

    INFO  $prog test=$ARG "${tests[$ARG]}" dig @$DNS_HOST1
    # works
    GREP="53"
    return 0
}

## proxy_test_curl_firewall_bin
proxy_test_curl_firewall_bin () { DBUG proxy_test_curl_firewall_bin $* ;
    su -c "$CURL -k --noproxy '*' https://$HTTP_TARGET" -s /bin/sh $PRIV_BIN_OWNER >/dev/null
    retval=$?
    [ $retval -eq 0 ] && return 0
    ERROR  $prog test=$ARG "${tests[$ARG]}" retval=$retval \
	 su -c "$CURL -k --noproxy '*' https://$HTTP_TARGET" -s /bin/sh $PRIV_BIN_OWNER
    proxy_iptables_save|tail|grep PTABLES_filter_DROP-o
    [ -z "$ALL" ] && exit $ARG$retval || return $retval
}

## proxy_ping_curl
proxy_ping_curl () { DBUG proxy_ping_curl $* ;
    local retval
    timeout -k $TIMEOUT $TIMEOUT $CURL "$@"
    retval=$?
    # "DEBUG: wierd failure curl: (35) Encountered end of file"
    [ $retval -eq 0 -o $retval -eq 35 ] && return 0
    return $retval
}

## proxy_ping_make_help
proxy_ping_make_help () {
    grep 'tests\[[0-9][0-9]*\]=' /usr/local/bin/proxy_ping_test.bash \
	 > /tmp/proxy_ping_test.hlp
    return 0
}

## proxy_ping_test_virbr
proxy_ping_test_virbr () {
    local n=$1
    [ -z "$n" ] && n=1
    [ -z "$CONN" ] || proxy_whonix_get_conn
    [ "$CONN" = guest ] && return 0
    [ -e /proc/sys/net/ipv4/conf/virbr$n ] || return 0
    proxy_ifconfig virbr$n >/dev/null && return 0
    return 0
}

## proxy_ping_broken
proxy_ping_broken () { DBUG proxy_ping_broken PROXY_WLAN=$PROXY_WLAN $* ;
    # 0 is true
    local a=$MODE
    if [ "$a" = vda -o "$a" = ws ]; then
	# grep 10.152.152.10 /etc/resolv.conf &&
	PING_BROKEN=0
        return 0
    elif [ "$a" = gateway ]; then
	PING_BROKEN=0
        return 0
    elif [ -z "$PROXY_WLAN_GW" ] ; then
	PING_BROKEN=0
        return 0
    fi

    [ -n "$PING_BROKEN" ] && return $PING_BROKEN

    DBUG $prog proxy_ping_mode=$a PROXY_WLAN=$PROXY_WLAN PROXY_WLAN_GW=$PROXY_WLAN_GW
    ping -4 -I $PROXY_WLAN -c 1 -W $TIMEOUT $PROXY_WLAN_GW # 10.16.238.1
    if [ $? -ne 0 ] ; then
	PING_BROKEN=0
    else
	PING_BROKEN=1
      fi
    return $PING_BROKEN
}

## proxy_do_ping
proxy_do_ping () { DBUG proxy_do_ping $* ;
    proxy_route_check || { ERROR $prog route not connected ; return 1$? ; }

    proxy_ping_broken && return 0

    [ -n "$PROXY_WLAN" ] || PROXY_WLAN=`proxy_get_if` || {
	    ERROR $prog unable to get wlan $? ; return 2 ;
	}

    ping -4 -I $PROXY_WLAN -c 1 -W $TIMEOUT $DNS_HOST2 >/tmp/P$$.log 2>&1
    retval=$?
    if [ $retval -eq 1 ] ; then
	# false negatives
	sleep 4
	ping -4 -I $PROXY_WLAN -c 1 -W $TIMEOUT $DNS_HOST2 >/tmp/P$$.log 2>&1
	retval=$?
      fi
    [ $retval -lt 1 ] || {
	ERROR $prog do_ping $PROXY_WLAN retval=$retval
	rm /tmp/P$$.log
	PING_BROKEN=0
	return 3$retval
    }
    grep -q ' 0% ' /tmp/P$$.log || \
	{ ERROR $prog retval=$? test=$1 ping retval=$retval ; rm /tmp/P$$.log ; return 4 ; }
    PING=1
    grep 'packet\|bytes from' /tmp/P$$.log
    rm /tmp/P$$.log
    return 0
}

proxy_run_as_root () { DBUG proxy_run_as_root $* ;
    [ $( id -u ) -eq 0 ] && return 0
    ERROR must be root
    [ -z "$ALL" ] && exit 9
    return 1
}

## proxy_test_pretests
proxy_test_pretests () {
    if [ "$1" = panic ] ; then
	: dont ping on panic
	proxy_ping_broken || proxy_do_ping || \
	    { WARN ping failed for panic so skipping ; exit 0 ; }
    elif [ "$1" = direct -o "$1" = gateway -o "$1" = vda -o "$1" = kick ] ; then
	proxy_route_test || { ERROR $prog route not connected ; exit 1$? ; }
	proxy_ping_broken || proxy_do_ping || exit 3$?
	proxy_ping_test_resolv $MODE ||\
	    { WARN $prog proxy_ping_test_resolv=$? 'echo nameserver 127.0.0.1 > /etc/resolv.conf' ; exit 4 ; }
	proxy_ping_firewall_start || { ERROR "proxy_ping_firewall_start ret=$?" ; exit 5 ; }
    elif [ "$1" = nat ] ; then
	proxy_route_test || { ERROR $prog route not connected ; exit 1$? ; }
    else
	proxy_do_ping || exit 4$?
	proxy_ping_test_resolv $MODE || \
	    { WARN "$prog proxy_ping_test_resolv=$? /etc/resolv.conf.$dire" MODE=$MODE
	      exit 4 ; }

    fi
    return 0
}

## proxy_test_help_args
proxy_test_help_args () {
    declare -a ret=()
    ret=( $(grep " -.* $1 " /tmp/proxy_ping_test.hlp | \
		sed -e 's/.=.*//' -e 's/.*tests.//') )
    echo "${ret[@]}"
    return 0
}

ALL=0
## proxy_ping_test_set_args
proxy_ping_test_set_args () {
    local args="$@"
    local val="$@"
    declare -a aret=()
    rm -f /tmp/proxy_ping_test.hlp
    [ -f /tmp/proxy_ping_test.hlp ] || proxy_ping_make_help
## to_tor - tor with the firewall host side client setup tor server - call tor,dns,ntp in addition
[ "$1" = to_tor -o "$1" = test_tor -o "$1" = test_to ] &&
	aret=(  6 13 16 ) && \
	! proxy_ping_test_env && WARN to_tor and no proxy in env - use noenv

## vda - through the Gateway with the firewall - also polipo,panic - uses env
[ "$1" = vda ] &&
	aret=(  35  3 20  ) #
## tor - tor with the firewall to test the host side tor server - call to_tor,dns,ntp in addition
[ "$1" = tor ] && 
	aret=(  21 30 20 4 5 36 3 )
## kick - open firewall with tor running - call dns,polipo +tor in addition
[ "$1" = kick -o "$1" = host ] &&
	aret=(  24 31 13 16 6  )# 30 24 31 6 13 16
## gateway - on the Gateway, trans firewall with tor running - call dns in addition
[ "$1" = gateway ] &&
	aret=(  23 25 4 5 30 24 17 3 21  ) # 31 6 16

# aliases
[ "$1" = "$SOCKS_PORT"  ] && set -- socks
[ "$1" = "$HTTP_PORT"  ] && set -- http
[ "$1" = "$HTTPS_PORT"  ] && set -- https
[ "$1" = "53"  ] && set -- dns
[ "$1" = "9053"  ] && set -- tordns

[ "$1" = scan ] && set -- iwlist
[ "$1" = panic ] && set -- firewall
[ "$1" = tor ] && set -- torhost
[ "$1" = to_gateway ] && set -- whonix
[ "$1" = from_tor ] && set -- whonix
[ "$1" = from_gateway ] && set -- gateway
[ "$1" = traceroute ] && set -- = trace
[ "$1" = connected ] && set -- wifi
[ "$1" = clear ] && set -- direct 

# scenarios - modes: nat selektor
## nat - through the Gateway via the nat
[ "$1" = nat ] && \
    set -- ping dns socks http https tordns firefail libvirtguest
# wifi?
[ "$1" = whonix ] && \
	set -- ping tordns dns socks http https torhost tordns firefail gw 
[ "$1" = tor ] && \
	set -- ping tordns dns trace socks http https torhost tordns firefail nmap gw 
[ "$1" = selektor ] && \
	set -- ping tordns dns trace socks http https torhost tordns firefail nmap gw 
[ "$1" = direct -o "$1" = '' ] && \
	set -- ping dns trace nmap gw 

## all - all tests not stopping on the first error
[ "$1" = all ] && ALL=1 
# aret="${#tests[@]}"

## gw - test if we are connected to the gateway
## torhost - running tor with the firewall
## env - from the cmdline with a properly setup env
## firefail - test the proxy without env vars to expect failure
## http - assumes torhost or whonix and env setup
## https - assumes torhost or whonix and env setup
## socks - assumes torhost or whonix and env setup
## ping - connected routed test the ping to DNS hosts
## ntp - ntpdate through the firewall
## nmap - nmap sgid through the firewall - does not assume env
## iwlist - wlan scan
## firewall - test that the firewall blocks
## virbr1 - assumes tor or whonix
## gateway - ssh to the whonix gateway
## trace - traceroute to DNSHOST - icmp is allowed by the firewall, except on vda
## wifi - test if we are connected - call scan in addition
## libvirthost - hosting a libvirt container
## libvirtguest - in a libvirt container
## tordns - test 9053 for dns using tor-resolve
## dns - dns using tor or the gateway, with the firewall - does not assume env
## whonix - whonix to the Gateway with the firewall - also panic - not assume env
## whonix - whonix gateway host side client setup with the firewall was from_to## direct - assume no firewall and no proxy - but may work depend on env
r
    for elt in "$@" ; do
	if [ "$elt" = gw -o "$elt" = '' -o "$elt" = env -o \
       "$elt" = https -o "$elt" = http -o "$elt" = socks -o "$elt" = dns -o \
       "$elt" = torhost -o "$elt" = tordns -o "$elt" = whonix -o \
       "$elt" = libvirthost -o "$elt" = libvirtguest  -o "$elt" = virbr1 -o \
       "$elt" = ping -o "$elt" = trace -o "$elt" = ntp -o "$elt" = nmap -o \
       "$elt" = iwlist -o "$elt" = firefail -o "$elt" = direct -o \
       "$elt" = trace -o "$elt" = wifi -o "$elt" = '' -o "$elt" = '' \
    ] ; then
	    aret+=(  `proxy_test_help_args $elt` )
	else
	    WARN unrecognized: $elt >&2
	fi
    done
    
    DBUG "${aret[@]}" >&2
    echo "${aret[@]}"
    return 0
}

# -I $PROXY_WLAN -c 1 $DNS_HOST2
if [ "$#" = 0 ] ; then
    # default to mode
    set --  $MODE
  fi
if [ $1 = '-h' -o $1 = '--help' ] ; then
    echo USAGE: $USAGE | sed -e 's/[0-9][0-9]*)/\n&/g'
    grep '^## [a-oq-z]' $0 | sed -e 's/^## /  /'
    exit 0
  elif [ "$1" = 0 ] ; then
    INFO $prog PROXY_WLAN=$PROXY_WLAN MODE=$MODE
    echo 0 help /tmp/proxy_ping_test.hlp
    [ -f /tmp/proxy_ping_test.hlp ] || proxy_ping_make_help
    . /tmp/proxy_ping_test.hlp
    for elt in "${!tests[@]}" ; do
	echo $elt "${tests[$elt]}"
    done
    exit 0
  elif [[ $1 =~ ^[0-9] ]] ; then
    : passthrough
  else
      set -- `proxy_ping_test_set_args "$@"`
      DBUG running tests numbered "$@"
  fi
proxy_route_test || { ERROR $prog route not connected ; exit 1$? ; }

proxy_test_pretests "$1"

# https://stackoverflow.com/questions/8290046/icmp-sockets-linux/20105379#20105379
if [ $( id -u ) -eq 0 ] ; then
    proxy_ping_chattr
  fi

DBUG $prog PROXY_WLAN=$PROXY_WLAN MODE=$MODE $*
# $( sysctl net.ipv4.ping_group_range )

# proxy_iptables_save|grep 216

while [ "$#" -gt 0 ] ; do
    # DBUG $prog $1
    ARG=$1 ; shift

    GREP=""
    if [ -z "$ARG" ] ; then
	continue

    elif ! [ "$ARG" -ge  0 ] ; then
	ERROR $prog called with an unrecognized argument $ARG from $0
	exit 9

    elif [ $ARG -le  0 ] ; then
	# do the ping and resov.conf
	true

    elif [ $ARG -eq  1 ] ; then
	tests[1]="wget_https_as_user wget ${HTTPS_PORT} - https "
	[ -n "$https_proxy" ]  && LARGS="" || \
		LARGS="env https_proxy=https://${HTTPS_HOST}:${HTTPS_PORT}"
	$LARGS $WGET https://$HTTP_TARGET
	retval=$?
	if [ $retval -eq 8 -o $retval -eq 0 ] ; then
            INFO  $prog test=$ARG "${tests[$ARG]}"
	else
	    ERROR  $prog test=$ARG "${tests[$ARG]}" retval=$retval test=$ARG
	    [ -z "$ALL" ] && continue
	fi
	# works with fix
	GREP="${HTTPS_PORT}"

    elif [ $ARG -eq  2 ] ; then
	[ -n "$https_proxy" ] && LARGS="--proxy $https_proxy" || \
		LARGS="--proxy https://${HTTPS_HOST}:${HTTPS_PORT}"
	tests[2]="curl_https_as_user curl $LARGS https://$HTTP_TARGET - https "
	proxy_ping_curl $LARGS https://$HTTP_TARGET >/dev/null || { \
	     retval=$?
	     ERROR  $prog test=$ARG "${tests[$ARG]}" retval=$retval curl $LARGS https://$HTTP_TARGET
	 [ -z "$ALL" ] && exit $ARG$retval || continue
	}
        INFO  $prog test=$ARG "${tests[$ARG]}"
	# works with fix
	GREP="${HTTPS_PORT}"

    elif [ $ARG -eq  3 ] ; then
	tests[3]="curl_socks_virbr1_as_user $SOCKS_HOST $SOCKS_PORT - torhost "
	# proxy_dest_port_wlan_config || { ERROR DEST=$DEST ; continue ; }

        # curl: (4) A requested feature, protocol or option was not found built-in in this libcurl due to a build-time decision
	[ $DEBIAN -eq 0 ] && continue

        [ -z "$socks_proxy" ] && socks_proxy=socks5h://${SOCKS_HOST}:$SOCKS_PORT
	if [ $MODE = whonix ] ; then
	    ssh -o ForwardX11=no  user@10.0.2.15 netstat -nl4e| grep 15:$SOCKS_PORT || {
		retval=$?
		ERROR ssh -o ForwardX11=no user@10.0.2.15 netstat
		[ -z "$ALL" ] && exit $ARG$retval || continue ;
		}
	    socks_proxy=socks5h://${SOCKS_HOST}:$SOCKS_PORT
	    proxy_ping_curl -x $socks_proxy \
	    --interface virbr1 n--dns-interface virbr1 https://$HTTP_TARGET >/dev/null || {
		retval=$?
		ERROR  $prog test=$ARG "${tests[$ARG]}" retval=$retval curl  -x $socks_proxy --interface virbr1 --dns-interface virbr1 https://$HTTP_TARGET
		[ -z "$ALL" ] && exit $ARG$retval || continue
		}
	else
	    socks_proxy=socks5h://${SOCKS_HOST}:$SOCKS_PORT
	    proxy_ping_curl -x $socks_proxy https://$HTTP_TARGET >/dev/null \
		|| { retval=$? ; ERROR  $prog test=$ARG "${tests[$ARG]}" retval=$retval curl ${SOCKS_HOST} $SOCKS_PORT
	    [ -z "$ALL" ] && exit $ARG$retval || continue ; }
	fi

        INFO  $prog test=$ARG "${tests[$ARG]}"
	# works with user/pass
	GREP="$SOCKS_PORT"

    elif [ $ARG -eq  4 ] ; then
	tests[4]="dig_socks_through_as_user @${SOCKS_HOST} -p $SOCKS_DNS www.whatismypublicip.com - tordns "
	[ $HAVE_DIG = 1 ] || continue
	if [ $MODE = whonix ] ; then
	    ssh -o ForwardX11=no  user@10.0.2.15 netstat -nl4e | grep 15:$SOCKS_DNS
	fi
	dig @${SOCKS_HOST} -p $SOCKS_DNS www.whatismypublicip.com +timeout=$TIMEOUT >/dev/null || { \
	     retval=$?
	     WARN  $prog test=$ARG "${tests[$ARG]}" retval=$retval dig @${SOCKS_HOST} -p $SOCKS_DNS www.whatismypublicip.com
	     [ -z "$ALL" ] && exit $ARG$retval || continue
	    }
        INFO  $prog test=$ARG "${tests[$ARG]}" 
	#  works with fix
	GREP="$SOCKS_DNS"

    elif [ $ARG -eq  5 ] ; then
	tests[5]="nslookup_socks_as_user - tordns "
	[ $HAVE_NSLOOKUP = 1 ] || continue	  
	desc="$NSL -port=$SOCKS_DNS www.whatismypublicip.com ${DNS_HOST}"
	$desc >/dev/null || { \
	     retval=$?
	    WARN  $prog test=$ARG "${tests[$ARG]}" retval=$retval $desc
	    [ -z "$ALL" ] && exit $ARG$retval || continue
	    }
        INFO  $prog test=$ARG "${tests[$ARG]}" $desc
	#  works with fix
	GREP="$SOCKS_DNS"

    elif [ $ARG -eq  6 ] ; then
	proxy=`proxy_ping_get_https`
        desc="curl --proxy http://${proxy}"
	tests[6]="curl_https_as_user - https "
	proxy_ping_curl --proxy http://${proxy} \
	    --proxy-insecure https://$HTTP_TARGET || { \
	    retval=$?
	    WARN  $prog test=$ARG "${tests[$ARG]}" retval=$retval $desc
	    [ -z "$ALL" ] && exit $ARG$retval || continue
	    }
        INFO  $prog test=$ARG "${tests[$ARG]}" $desc
	# works
	GREP="$HTTP_PORT"

    elif [ $ARG -eq  7 ] ; then
	tests[8]="traceroute_icmp_dns_as_root --icmp - trace "
	[ $USER = root ] || continue
	[ -n "$PROXY_WLAN" ] || proxy_get_if || continue
	[ $HAVE_TRACEROUTE = 1 ] || continue
	traceroute -i $PROXY_WLAN --icmp $DNS_TARGET -m $THOPS  || { \
	     retval=$?
	    ERROR $retval traceroute --icmp -m $THOPS 
	    [ -z "$ALL" ] && exit 7$retval
	    }
        INFO  $prog test=$ARG "${tests[$ARG]}"
	GREP="-i icmp"

    elif [ $ARG -eq  8 ] ; then
	tests[8]="traceroute_tcp_dns_as_root -i $PROXY_WLAN -p 53 -T4 - trace "
	[ $USER = root ] || continue
	[ -n "$PROXY_WLAN" ] || proxy_get_if || continue
	[ $HAVE_TRACEROUTE = 1 ] || continue
	traceroute -i $PROXY_WLAN -p 53 -T4 $DNS_TARGET  -m $THOPS || { \
	     retval=$?
	    WARN  $prog test=$ARG "${tests[$ARG]}" retval=$retval traceroute -T4 -p 53 -m $THOPS 
	    [ -z "$ALL" ] && exit $ARG$retval || continue
	    }
        INFO  $prog test=$ARG "${tests[$ARG]}"
	GREP="53"

    elif [ $ARG -eq  9 ] ; then
	tests[9]="traceroute_icmp_dns_as_user -p 53  - trace "
	[ $USER = root ] || continue
	[ -n "$PROXY_WLAN" ] || proxy_get_if || continue
	[ $HAVE_TRACEROUTE = 1 ] || continue
	traceroute -i $PROXY_WLAN --icmp $DNS_TARGET -p 53  -m $THOPS  || { \
	     retval=$?
	    WARN  $prog test=$ARG "${tests[$ARG]}" retval=$retval traceroute -i $PROXY_WLAN --icmp -m $THOPS 
	    [ -z "$ALL" ] && exit $ARG$retval || continue
	    }
        INFO  $prog test=$ARG "${tests[$ARG]}"
	GREP="53"

    elif [ $ARG -eq  10 ] ; then
	tests[10]="wget_http_as_user $HTTP_PORT - http "
	proxy=`proxy_ping_get_http`
	env http_proxy=http://${proxy} \
		$WGET -S http://$HTTP_TARGET 2>/dev/null
	retval=$?
	# 8 is an oddball
	if  [ $retval -eq 8 -o $retval -eq 0 ] ; then
	    INFO  $prog test=$ARG "${tests[$ARG]}" wget $HTTP_PORT
	else
	    WARN  $prog test=$ARG "${tests[$ARG]}" retval=$retval wget $HTTP_PORT
	    [ -z "$ALL" ] && exit $ARG$retval || continue
	fi
	GREP="$HTTP_PORT"

    elif [ $ARG -eq  11 ] ; then
	tests[11]="curl_https_as_user - https "
	proxy=`proxy_ping_get_https`
	proxy_ping_curl --proxy http://${proxy} \
			--proxy-insecure https://$HTTP_TARGET || { \
	     retval=$?
	    ERROR  $prog test=$ARG "${tests[$ARG]}" retval=$retval curl $HTTP_PORT
	    [ -z "$ALL" ] && exit $ARG$retval || continue
	}
        INFO  $prog test=$ARG "${tests[$ARG]}" 
	GREP="$HTTP_PORT"

    elif [ $ARG -eq  12 ] ; then
	tests[12]="nmap_dns_as_root --privileged --send-eth -Pn -sU -p U:53 $DNS_HOST1 - nmap direct "
	[ $USER = root ] || continue
	which nmap 2>/dev/null >/dev/null || continue
	[ -z "$DNS_HOST1" ] && DNS_HOST1="208.67.220.220"
        nmap --privileged --send-eth -Pn -sU -p U:53 "$DNS_HOST1" || { \
	     retval=$?
	    ERROR  $prog test=$ARG "${tests[$ARG]}" retval=$retval nmap 53
	    [ -z "$ALL" ] && exit $ARG$retval || continue
	    }
        INFO  $prog test=$ARG "${tests[$ARG]}"
	# works
	GREP="53"

    elif [ $ARG -eq  13 ] ; then
	tests[13]="curl_firewall_bin - wifi "
	[ $USER = root ] || continue
	proxy_test_curl_firewall_bin || continue
        INFO  $prog test=$ARG "${tests[$ARG]}" curl bin
	# works
	GREP="443"

    elif [ $ARG -eq  14 ] ; then
	tests[14]="traceroute_icmp_gw_as_root --icmp $PROXY_WLAN_GW - gw wifi "
	[ $USER = root ] || continue
	[ $HAVE_TRACEROUTE = 1 ] || continue
	proxy_test_traceroute_icmp_gw || continue
	# works
        INFO  $prog test=$ARG "${tests[$ARG]}"
 	GREP="-i icmp"

    elif [ $ARG -eq  15 ] ; then
	tests[15]="test_dig_direct - direct "
	[ $HAVE_DIG = 1 ] || continue
	proxy_test_dig_direct || continue
        INFO  $prog test=$ARG "${tests[$ARG]}" proxy_test_dig_direct

    elif [ $ARG -eq  16 ] ; then
	tests[16]="nslookup_as_root nslookup $PRIV_BIN_OWNER - torhost "
	[ $USER = root ] || continue
	[ $HAVE_NSLOOKUP = 1 ] || continue	  
        su -c "$NSL $DNS_TARGET $DNS_HOST1" -s /bin/sh $PRIV_BIN_OWNER >/dev/null || { \
	     retval=$?
	    ERROR  $prog test=$ARG "${tests[$ARG]}" retval=$retval "$NSL $DNS_TARGET $DNS_HOST1" -s /bin/sh $PRIV_BIN_OWNER
	    [ -z "$ALL" ] && exit $ARG$retval || continue
	    }
        INFO  $prog test=$ARG "${tests[$ARG]}" 
	# works /fails but maybe a noop
	GREP="53"

    elif [ $ARG -eq  17 ] ; then
	tests[17]="ntpdate_as_root ntpdate without service - ntp "
	proxy_run_as_root || exit 9
	[ -x /usr/sbin/ntpdate ] || continue
	# Curious: even though sgid 2755 ntp it fails as su ntp
	# 12 Nov 23:28:35 ntpdate[17341]: bind() fails: Permission denied
	/usr/sbin/ntpdate "$NTP_HOST1" || { \
	     retval=$?
	    ERROR  $prog test=$ARG "${tests[$ARG]}" retval=$retval ntpdate
	    [ -z "$ALL" ] && exit $ARG$retval || continue
	    }
        INFO  $prog test=$ARG "${tests[$ARG]}"
	GREP="123"
    elif [ $ARG -eq  18 ] ; then
	tests[18]="ntpdate_as_root ntpdate with servie - ntp "
	proxy_run_as_root || exit 9
	proxy_rc_service ntpd status >/dev/null && \
	    proxy_rc_service ntpd stop >/dev/null && sleep 2
	/usr/sbin/ntpdate $NTP_HOST1 || { \
	     retval=$?
	    ERROR  $prog test=$ARG "${tests[$ARG]}" retval=$retval ntpdate
	    [ -z "$ALL" ] && exit $ARG$retval || continue
	    }
        INFO  $prog test=$ARG "${tests[$ARG]}"
	# works
	proxy_rc_service ntpd status >/dev/null || proxy_rc_service ntpd start
	GREP="123"
    elif [ $ARG -eq  19 ] ; then
	tests[19]="curl_noproxy_http_as_user curl raw noproxy - firefail "
	proxy_ping_curl --noproxy "'*.*'" --connect-timeout $TIMEOUT \
			http://$HTTP_TARGET >/dev/null && {
	    retval=$?
	    ERROR PANIC: $prog test=$ARG "${tests[$ARG]}" curl raw --noproxy
	    [ -z "$ALL" ] && exit $ARG$retval || continue
	}
        INFO  $prog test=$ARG "${tests[$ARG]}"
	GREP=80

    elif [ $ARG -eq  20 ] ; then
	tests[20]="curl_socksproxy_as_user curl $SOCKS_PORT - socks "
	# needs dns
	[ $DEBIAN -eq 0 ] && continue

	socks_proxy=socks5h://${SOCKS_HOST}:$SOCKS_PORT
	proxy_ping_curl -x $socks_proxy https://$HTTP_TARGET >/dev/null \
         || { retval=$? ; ERROR  $prog test=$ARG "${tests[$ARG]}" retval=$retval curl $SOCKS_PORT
	    [ -z "$ALL" ] && exit $ARG$retval || continue
	    }
        INFO  $prog test=$ARG "${tests[$ARG]}"
	# works with user/pass
	GREP="$SOCKS_PORT"

    elif [ $ARG -eq  21 ] ; then
	tests[21]="curl_httpsproxy_as_user - https "
	[ -z "$https_proxy" ] && https_proxy=http://${HTTPS_PROXY_HOST}:${HTTPS_PORT}
	proxy_ping_curl -x $https_proxy https://$HTTP_TARGET >/dev/null || { \
	    if [ "$MODE" = gateway ] ; then
		WARN  $prog test=$ARG "${tests[$ARG]}" retval=$retval curl ${HTTPS_HOST} ${HTTPS_PORT}
		continue
	    else
		ERROR  $prog test=$ARG "${tests[$ARG]}" retval=$retval curl ${HTTPS_HOST} HTTPS_PORT=${HTTPS_PORT}
		[ -z "$ALL" ] && exit $ARG$retval || continue
	    fi
	    }
        INFO  $prog test=$ARG "${tests[$ARG]}" curl ${HTTPS_HOST} ${HTTPS_PORT}
	GREP="${HTTPS_PORT}"

    elif [ $ARG -eq  22 ] ; then
	tests[22]="iwlist_scan_as_user iwlist $PROXY_WLAN scan - iwlist "
	[ $USER = root ] || continue
	which iwlist 2>/dev/null || continue
	[ -n "$PROXY_WLAN" ] || proxy_get_if || continue
	iwlist $PROXY_WLAN scan >/dev/null || {
	    ERROR $prog retval=$? test=$ARG $PROXY_WLAN scan
	    [ -z "$ALL" ] && exit $ARG$1 || continue
	    }
        INFO  $prog test=$ARG "${tests[$ARG]}" 
	# works

    elif [ $ARG -eq 23 ] ; then
	tests[23]="curl_proxy_as_user - direct "
	proxy_ping_curl --insecure https://$HTTP_TARGET >/dev/null || { \
	     retval=$?
	    ERROR  $prog test=$ARG "${tests[$ARG]}" retval=$retval curl direct
	    [ -z "$ALL" ] && exit $ARG$retval || continue
	    }
        INFO  $prog test=$ARG "${tests[$ARG]}"

    elif [ $ARG -eq 24 ] ; then
	tests[24]="dig_direct_or_dnsmasq dig -b $IP www.whatismypublicip.com - direct "
	[ $HAVE_DIG = 1 ] || continue
	[ -n "$PROXY_WLAN" -a -n "$IP" ] || proxy_ping_get_wlan_gw || continue
	[ -n "$IP" ] || continue
	dig -b $IP www.whatismypublicip.com  +timeout=$TIMEOUT >/dev/null || { \
	     retval=$?
	    WARN  $prog test=$ARG "${tests[$ARG]}" retval=$retval dig -b $IP
	    [ -z "$ALL" ] && exit $ARG$retval || continue
	    }
        INFO  $prog test=$ARG "${tests[$ARG]}" dig -b $IP

    elif [ $ARG -eq 25 ] ; then
 	tests[25]="nslookup_as_user - direct "
	[ $HAVE_NSLOOKUP = 1 ] || continue	  
	# noenv with or without proxy
	# @$DNS_HOST1 should fail for firewall unless dnsmasq is working
	$NSL >/dev/null www.whatismypublicip.com || { \
	     retval=$?
	    WARN  $prog test=$ARG "${tests[$ARG]}" retval=$retval nslookup www.whatismypublicip.com
	    [ -z "$ALL" ] && exit $ARG$retval || continue
	    }
        INFO  $prog test=$ARG "${tests[$ARG]}" nslookup

    elif [ $ARG -eq 26 ] ; then
	tests[26]="route_connected_ping_scan - direct "
	[ $HAVE_DIG = 1 ] || continue
	#? proxy_test_pretests
	proxy_do_ping && \
	    INFO  $prog test=$ARG "${tests[$ARG]}" retval=$retval dig -b $IP || \
	    WARN  $prog test=$ARG "${tests[$ARG]}" retval=$retval dig -b $IP

    elif [ $ARG -eq 27 ] ; then
 	tests[27]="dns_as_user dig -b 127.0.0.1 - direct "
	[ $HAVE_DIG = 1 ] || continue
	[ -n "$PROXY_WLAN" -a -n "$IP" ] || proxy_ping_get_wlan_gw || continue
	dig -b 127.0.0.1 www.whatismypublicip.com  +timeout=$TIMEOUT >/dev/null || { \
	     retval=$?
	    WARN  $prog test=$ARG "${tests[$ARG]}" retval=$retval dig -b $IP
	    [ -z "$ALL" ] && exit $ARG$retval || continue
	    }
        INFO  $prog test=$ARG "${tests[$ARG]}"

    elif [ $ARG -eq 28 ] ; then
	tests[28]="wget_as_user - direct "
	proxy_ping_test_env || { WARN  $prog test=$ARG "${tests[$ARG]}" no proxy in env ; }
	$WGET -S https://$HTTP_TARGET 2>/dev/null
	retval=$?
	if [ $retval -eq 8 -o $retval -eq 0 ] ; then
            INFO  $prog test=$ARG "${tests[$ARG]}" wget
	else
	    ERROR  $prog test=$ARG "${tests[$ARG]}" retval=$retval wget
	    [ -z "$ALL" ] && exit $ARG$retval || continue
	fi

    elif [ $ARG -eq 29 ] ; then
	tests[29]="curl_as_user - direct "
	proxy_ping_test_env || { WARN  $prog test=$ARG "${tests[$ARG]}" no proxy in env ; }
	proxy_ping_curl https://$HTTP_TARGET >/dev/null || { \
            retval=$?
	    ERROR  $prog test=$ARG "${tests[$ARG]}" retval=$retval curl
	    [ -z "$ALL" ] && exit $ARG$retval || continue
	    }
        INFO  $prog test=$ARG "${tests[$ARG]}"

    elif [ $ARG -eq 30 ] ; then
	tests[30]="tor_bootstrap_check_as_root tor_bootstrap_check.py - torhost "
	[ $MODE = tor -o $MODE = selektor ] || {
	    ERROR $prog MODE != tor test=$ARG
	    [ -z "$ALL" ] && exit $ARG$retval || continue
	}
	port=$SOCKS_PORT
  	$NETS | grep -q :$port || {
	    ERROR $prog retval=$? test=$ARG tor not running on $port
	    [ -z "$ALL" ] && exit $ARG || continue
	}
	[ $USER = root ] || continue

	# was /usr/local/bin/tor_bootstrap_check.bash
 	[ -f /usr/local/src/helper-scripts/tor_bootstrap_check.py ] || return 1
	python3.sh /usr/local/src/helper-scripts/tor_bootstrap_check.py
        # morons 100%
        retval=$?
        [ $retval -eq 0 -o $retval -eq 100 ] || { \
            retval=$?
	    WARN  $prog test=$ARG "${tests[$ARG]}" retval=$retval tor_bootstrap_check
	    }
        INFO  $prog test=$ARG "${tests[$ARG]}" 

    elif [ $ARG -eq 31 ] ; then
	tests[31]="curl_noproxy_as_root polipo http pages $HTTP_PORT - direct http "
 	proxy_ping_curl --noproxy http://${HTTP_HOST}:$HTTP_PORT && { \
	     retval=$?
	    ERROR PANIC:  $prog test=$ARG "${tests[$ARG]}" retval=$retval polipo http pages $HTTP_PORT
	    [ -z "$ALL" ] && exit $ARG$retval || continue
	    }
        INFO  $prog test=$ARG "${tests[$ARG]}"
	# works
	GREP="$HTTP_PORT"

    elif [ $ARG -eq 32 ] ; then
	tests[32]="ping_nmap_direct_as_root nmap 53 - direct "
	[ $USER = root ] || continue
	which nmap 2>/dev/null >/dev/null || continue
	[ -n "$PROXY_WLAN" -a -n "$PROXY_WLAN_GW" ] || 	proxy_ping_get_wlan_gw || continue
  	proxy_ping_nmap_direct $DNS_HOST1 "$PROXY_WLAN_GW" U:67 || {
            retval=$?
	    ERROR  $prog test=$ARG "${tests[$ARG]}" retval=$retval nmapd 53
	    [ -z "$ALL" ] && exit $ARG$retval || continue
	}
        INFO  $prog test=$ARG "${tests[$ARG]}"
	# works
	GREP="53"

    elif [ $ARG -eq  33 ] ; then
	tests[33]="host_virbr_as_user proxy_ping_test_virbr 1 - libvirthost "
	proxy_ping_test_virbr 1 || {
	    retval=$?
	    ERROR $CONN virbr1 not running
	    [ -z "$ALL" ] && exit 1 || continue
	}
	# * Immediate connect fail for 10.0.2.15: Connection refused
        INFO  $prog test=$ARG "${tests[$ARG]}" 

    elif [ $ARG -eq  34 ] ; then
	tests[34]="python_ping_as_root  traceroute --icmp $PROXY_WLAN_GW - wifi "
	[ $USER = root ] || continue
	[ -n "$PROXY_WLAN_GW" -a -n "$IP" ] || PROXY_WLAN_GW=`proxy_ping_get_wlan_gw` || continue
        [ -f 	/usr/local/bin/ping2.py  ] || continue
	/usr/local/bin/ping2.py $IP $DNS_HOST1 $PROXY_WLAN_GW || { \
	    retval=$?
	    ERROR  $prog test=$ARG "${tests[$ARG]}" retval=$retval ping2.py $DNS_HOST1
	    [ -z "$ALL" ] && exit $ARG$retval || continue
	}
	# works
        INFO  $prog test=$ARG "${tests[$ARG]}"
 	GREP="-i icmp"

    elif [ $ARG -eq  35 ] ; then
	tests[35]="dig_as_root - firewall dig @$DNS_HOST1 - torhost dns "
	[ $USER = root ] || continue
	[ $HAVE_DIG = 1 ] || continue
	# @$DNS_HOST1
        su -c "dig pool.ntp.org +timeout=$TIMEOUT" -s /bin/sh $PRIV_BIN_OWNER >/dev/null || { \
	     retval=$?
	    ERROR  $prog test=$ARG "${tests[$ARG]}" retval=$retval dig pool.ntp.org $PRIV_BIN_OWNER
 	    [ -z "$ALL" ] && exit $ARG$retval || continue
	    }
        INFO  $prog test=$ARG "${tests[$ARG]}"
	# works
	GREP="53"

    elif [ $ARG -eq  36 ] ; then
	tests[36]="tor_resolve_as_user tor-resolve pool.ntp.org - tordns "
	[ $HAVE_TOR_RESOLVE = 1 ] || continue
        tor-resolve  pool.ntp.org >/dev/null || { \
	    retval=$?
	    # dunno Failed parsing SOCKS5 response conf?
	    WARN  $prog test=$ARG "${tests[$ARG]}" retval=$retval tor-resolve pool.ntp.org
	    continue
	}
        INFO  $prog test=$ARG "${tests[$ARG]}" 
	# works
	GREP="9053"

    elif [ $ARG -eq  37 ] ; then
	tests[37]="qemu-guest-agent and ports - libvirtguest "
	ser=qemu-guest-agent
	proxy_rc_service $ser status >/dev/null || proxy_rc_service $ser start
	proxy_rc_service $ser status >/dev/null ||  { \
	    retval=$?
	    ERROR $prog test=$ARG "${tests[$ARG]}" retval=$retval $ser status
 	    [ -z "$ALL" ] && exit $ARG$retval || continue
	}
	[ -d /dev/virtio-ports ] ||  { \
	    retval=$?
	    ERROR $prog test=$ARG "${tests[$ARG]}" retval=$retval /dev/virtio-ports
 	    [ -z "$ALL" ] && exit $ARG$retval || continue
	}
        INFO  $prog test=$ARG "${tests[$ARG]}" 
	GREP=""
    elif [ $ARG -eq  38 ] ; then
	tests[38]="qemu-guest-agent and ports - libvirthost whonix "
	[ $USER = root ] || continue
	$PL proxy_libvirt_list
	aret=$?
	if [ $aret -eq 10 ] ;then
            WARN proxy_libvirt_status hung
	elif [ $aret -ne 10 -a $aret -ne 0 ] ; then
            DBUG proxy_libvirt_status aret=$aret
	else
            $PL proxy_libvirt_list | grep -q "$GATEW_DOM" || {
		ERROR MODE=$MODE and $GATEW_DOM not running ;
 		[ -z "$ALL" ] && exit $ARG$retval || continue
	    }
            INFO  $prog test=$ARG "${tests[$ARG]}" 
	fi
    elif false ; then
	if ! grep -q '10.152.152.10\|127.0.0.1' /etc/resolv.conf ; then
	    $NETS | grep -q :53 || {
		ERROR $prog retval=$? test=$ARG local resolv.conf but :53 not running
		[ -z "$ALL" ] && exit 1 || continue
	    }
	  fi

    fi
    [ -n "$GREP" ] && [ $DMESG_LINES -gt 0 ] && \
	DBUG `dmesg|tail|grep $GREP|tail -$DMESG_LINES`

  done
exit 0

 1)
        env https_proxy=http://${SOCKS_HOST}:${HTTPS_PORT} wget $D -O - --no-check-certificate
 2)
        curl $D -k --proxy
 3)
        curl $D -k --proxy socks5://${SOCKS_HOST}:$SOCKS_PORT --proxy-insecure
 5)
        nslookup -port=$SOCKS_DNS www.whatismypublicip.com ${SOCKS_HOST} \
 6)
        curl -k --proxy $HTTP_PORT
 16)
        nslookup $PRIV_BIN_OWNER
 18)
        ntpdate as sroot
 19)
        curl raw noproxy
 0)
        usage