757ca483f0
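--- a/Makefile
+++ b/Makefile
@@ -0,0 +1,41 @@
+# -*-mode: makefile; fill-column: 75; tab-width: 8; coding: utf-8-unix -*-
+
+PREFIX=/usr/local
+ROLE=proxy
+VAGRANT_DOCTEST=python3.sh ../../../src/ansible/bin/vagrant_doctest-ssh.py
+PYTHON_DOCTEST=python3.sh -m doctest
+SSH_DOCTEST=python3.sh ../../../src/ansible/bin/vagrant_doctest-ssh.py -p 2222 --box="vagrant@127.0.0.1"
+LOCAL_DOCTEST=/var/local/bin/testforge_run_doctest2.bash
+
+DOCTEST=$(LOCAL_DOCTEST)
+
+USER=`grep PRIV_SKEL_USERS_LIST /usr/local/etc/testforge/testforge.bash|sed -e 's/.*=//' -e 's/"//g'`
+
+default:: local
+
+test:: local
+
+check::
+sudo -u ${USER} ${PREFIX}/src/usr_local_$(ROLE).bash $@
+
+test::
+sudo -u ${USER} ${PREFIX}/src/usr_local_$(ROLE).bash $@
+
+lint::
+sudo -u ${USER} ${PREFIX}/src/usr_local_$(ROLE).bash $@
+
+local::
+[ -f $(LOCAL_DOCTEST) ] || exit 0
+$(DOCTEST) overlay/Linux/usr/local/share/doc/txt/proxy2.txt
+$(DOCTEST) overlay/Linux/usr/local/share/doc/txt/proxy3.txt
+
+refresh::
+find . -maxdepth 1 -type l -delete
+ln -s overlay/Linux/var/local/share/doc/txt/*txt .
+
+veryclean:: clean
+find * -name \*.py | xargs grep -l '[ ]*$$' | \
+xargs sed -i -e 's/[ ]*$$//'
+
+clean::
+find * -name \*~ -delete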
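Review bot: In the `local::` recipe, `[ -f $(LOCAL_DOCTEST) ] || exit 0` runs in its own shell, so the `exit 0` ends only that line and both `$(DOCTEST)` lines still run when the runner is absent; fold the guard into the commands, e.g. `[ -f $(LOCAL_DOCTEST) ] && $(DOCTEST) overlay/Linux/usr/local/share/doc/txt/proxy2.txt`, or use `.ONESHELL:`. The `veryclean::` pattern `'[ ]*$$'` matches every line (zero or more spaces before end of line), so `grep -l` selects every .py file and sed rewrites all of them; `'[ ][ ]*$$'` selects only files that actually have trailing whitespace. `USER` is a recursive variable whose backticks are evaluated by the shell at recipe time, so if the grep finds nothing `sudo -u ${USER}` receives the script path as the user name; the recipes should check for an empty value before calling sudo. None of `default test check lint local refresh veryclean clean` is declared in `.PHONY`.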
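--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -0,0 +1,97 @@
+# -*- mode: yaml; indent-tabs-mode: nil; tab-width: 2; coding: utf-8-unix -*-
+---
+
+# these can be overridden using --extra-vars on the playbook command line
+
+# bind to all interfaces for docker
+
+# this is base - before /var/local is used
+PROXY_VAR_LOCAL: "{{ VAR_LOCAL }}"
+PROXY_USR_LOCAL: "{{ USR_LOCAL }}"
+
+PROXY_POLIPO_HTTPPORT: 3128
+PROXY_POLIPO_PROXYPORT: 3128
+PROXY_PRIVOXY_HTTPPORT: 3128
+PROXY_TOR_DNS_FORWARD: socat # polipo privoxy socat
+
+PLAY_CA_CERT: "/usr/local/etc/ssl/cacert-curl.haxx.se.pem" # proxy?
+
+PROXY_POLIPO_LOG: '{{ "/var/log/polipo.log" if ansible_distribution == "Gentoo" else "/var/log/polipo/polipo.log" }}'
+PROXY_POLIPO_OWNER: '{{ "polipo" if ansible_distribution == "Gentoo" else "proxy" }}'
+PROXY_POLIPO_GROUP: '{{ "root" if ansible_distribution == "Gentoo" else "adm" }}'
+
+PROXY_PRIVOXY_LOG: '{{ "/var/log/privoxy.log" if ansible_distribution == "Gentoo" else "/var/log/privoxy/privoxy.log" }}'
+PROXY_PRIVOXY_OWNER: '{{ "privoxy" if ansible_distribution == "Gentoo" else "proxy" }}'
+PROXY_PRIVOXY_GROUP: '{{ "root" if ansible_distribution == "Gentoo" else "adm" }}'
+
+PROXY_DNS_PORT: 53
+HARDEN_DNS_PORT: "{{PROXY_DNS_PORT}}"
+
+PROXY_SERVICE_DNSPORT: 53
+PROXY_SERVICE_NTPPORT: 123
+PROXY_NTP_OWNER: "ntp"
+
+# could derive from SOCKS
+PROXY_WHONIX_HTTPS_PORT: "{{BOX_WHONIX_HTTPS_PORT|default(9128)}}"
+PROXY_WHONIX_SOCKS_HOST: "{{BOX_WHONIX_HTTPS_PORT|default('10.0.2.15')}}"
+PROXY_WHONIX_SOCKS_NET: "{{BOX_WHONIX_HTTPS_PORT|default('10.0.2.2')}}"
+PROXY_WHONIX_SOCKS_PORT: "{{BOX_WHONIX_SOCKS_PORT|default(9050)}}"
+PROXY_WHONIX_SOCKS_USER: ""
+PROXY_WHONIX_SOCKS_PASS: ""
+PROXY_WHONIX_DNS_PORT: "{{BOX_WHONIX_DNS_PORT|default(9053)}}"
+PROXY_WHONIX_TRANS_PORT: "{{BOX_WHONIX_TRANS_PORT|default(9040)}}"
+PROXY_WHONIX_BUKU_PORT: "{{BOX_WHONIX_BUKU_PORT|default(7001)}}"
+
+
+PROXY_DNSCRYPT_TGZ_URL: github.com/jedisct1/dnscrypt-proxy/releases/download/2.0.19/dnscrypt-proxy-linux_x86_64-2.0.19.tar.gz
+PROXY_GATEWAY_QEMU_DIR: /c/data/Vms/Lati/Qemu/var/lib/kvm/2020-10-30
+PRIV_WHONIX_VERSION: 15.0.1.4.9
+
+# was dnscrypt was "pdnsd"
+# new default - figure out tor/gateway/socks-neither
+PROXY_DNS_PROXY: "dnsmasq"
+HARDEN_DNS_PROXY: "{{PROXY_DNS_PROXY}}"
+
+PROXY_DNS_PROXY_ALL:
+- "dnsmasq"
+- "dnscrypt"
+- socat
+# - "pdnsd"
+
+PROXY_DNS_NETMAN: "{{BOX_NET_MANAGER}}"
+PROXY_DNS_NETMAN_ALL:
+- "networkmanager"
+- "wicd"
+
+
+PROXY_NTP_GROUP: "{{BOX_NTP_GROUP}}"
+PROXY_NTP_SERVERS:
+- 132.163.97.4
+- time.nist.gov
+- 159.203.158.197
+- pool.ntp.org
+
+PROXY_GNUPG_SERVERS:
+#dead keyserver hkp://keys.gnupg.net
+#dead keyserver hkp://hkps.pool.sks-keyservers.net
+# 18.9.60.141
+- hkp://pgp.mit.edu
+# 162.213.33.8
+- hkp://keyserver.ubuntu.com
+
+PROXY_GNUPG_CERTS:
+- "{{PLAY_CA_CERT}}"
+# these are ignored
+- /usr/local/etc/ssl/cacert-testforge.pem
+- /usr/share/gnupg/sks-keyservers.netCA.pem
+#? - /usr/share/gnupg/sks-keyservers.netCA.pem
+#hkp-cacert /usr/local/etc/ssl/cacert-curl.se.pem
+#hkp-cacert /usr/local/etc/ssl/cacert-testforge.pem
+#hkp-cacert /usr/share/gnupg/sks-keyservers.netCA.pem
+
+PROXY_FEATURES: "{{BOX_PROXY_FEATURES}}"
+proxy_also_users: "{{BOX_ALSO_USERS}}"
+
+#- stat: path=/etc/java-config-2/current-system-vm/jre/lib/net.properties
+# register: net_properties_file
+proxy_net_properties_file: "{{BOX_PROXY_JAVA_NET_PROPERTIES}}"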
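Review bot: `PROXY_WHONIX_SOCKS_HOST` and `PROXY_WHONIX_SOCKS_NET` both read `BOX_WHONIX_HTTPS_PORT` to produce a host and a network address, which looks like a copy-paste of the `PROXY_WHONIX_HTTPS_PORT` line above them; presumably the lookups should be `BOX_WHONIX_SOCKS_HOST` and `BOX_WHONIX_SOCKS_NET` (neither name appears on this page, so confirm against the box variables before changing). `PROXY_DNSCRYPT_TGZ_URL` pins a release but carries no URL scheme and no companion digest, so whatever task consumes it cannot tell an https fetch from a plain-http one and has nothing to verify the archive against before extraction; adding the scheme and a `PROXY_DNSCRYPT_TGZ_SHA256`-style variable (or pointing at the release's signature file) next to it would close that gap. `PROXY_NTP_SERVERS` mixes literal IPs with hostnames; a short comment on why the two IPs are pinned would help the next maintainer.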
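--- a/handlers/main.yml
+++ b/handlers/main.yml
@@ -0,0 +1,10 @@
+# -*- mode: yaml; indent-tabs-mode: nil; tab-width: 2; coding: utf-8-unix -*-
+
+---
+
+#- name: update env
+# command: env-update
+
+- name: update locales
+command: locale-gen --update
+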
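--- a/meta/main.yml
+++ b/meta/main.yml
@@ -0,0 +1,21 @@
+# -*- mode: yaml; indent-tabs-mode: nil; tab-width: 2; coding: utf-8-unix -*-
+
+---
+
+galaxy_info:
+# author:
+# company:
+# description:
+# license: MIT
+min_ansible_version: 2.3 # maybe - curently tested under 2.7
+platforms:
+- name: "Gentoo"
+- name: "Ubuntu"
+categories:
+- system
+
+# The proxy role is a base role that is required before all other roles
+# proxy role is a dependency even if you dont use a proxy
+# dependencies seem to get pulled in again even if they have already been run!
+dependencies: []
+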
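--- a/overlay/Debian/usr/local/sbin/debian_uris_to_urls.bash
+++ b/overlay/Debian/usr/local/sbin/debian_uris_to_urls.bash
@@ -0,0 +1,31 @@
+#!/bin/sh
+# -*-mode: sh; tab-width: 8; coding: utf-8-unix -*-
+# filter or .uris
+
+ROLE=base
+[ -z "$CACHE" ] && CACHE=/mnt/o/Cache/Apt/Debian/10.6
+[ -d "$CACHE" ] || mkdir $CACHE # || exit 1$?
+
+# debian --print-uris
+if [ $? -eq 0 ] ; then
+# filter
+grep 'https*://' | \
+sed -e 's@ftp://[^ ]*@@g' -e 's@.*https*://@https://@g' -e "s@'.*@@g" | \
+while read line ; do
+for url in $line ; do
+base=`basename "$url"`
+pre=`sed -e "s@https*://@${CACHE}@" <<< $url`
+[ -e $pre ] && break
+echo $line
+break
+done
+done
+fi
+for elt in "$@" ; do
+base=$( basename $elt .elts )
+[ -s $base.urls ] && continue
+sh $0 < $elt > $base.urls
+[ -s $base.urls ] || rm $base.urls
+done
+
+exit 0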
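Review bot: `pre=\`sed -e "s@https*://@${CACHE}@" <<< $url\`` uses a bash here-string under `#!/bin/sh`, which is a syntax error on dash (Debian's /bin/sh) and aborts the filter before any URL is printed; use `pre=\`echo "$url" | sed -e "s@https*://@${CACHE}@"\`` or change the shebang to bash. The `if [ $? -eq 0 ]` tests the exit status of the preceding `[ -d "$CACHE" ] || mkdir $CACHE` line, not of anything named in the `# debian --print-uris` comment, so when the cache directory cannot be created the script silently emits nothing; a comment stating that intent, or an explicit `|| exit 1`, would make it clear. `mkdir $CACHE`, `[ -e $pre ]` and `basename $elt` should quote their operands the way `[ -z "$CACHE" ]` above already does.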
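--- a/overlay/Debian/usr/local/sbin/debian_whonix_tor.bash
+++ b/overlay/Debian/usr/local/sbin/debian_whonix_tor.bash
@@ -0,0 +1,34 @@
+#!/bin/sh
+# -*-mode: sh; tab-width: 8; coding: utf-8-unix -*-
+
+ROLE=privacy
+[ -z "$PRIV_TOR_OWNER" ] && grep -q ^debian-tor /etc/passwd && PRIV_TOR_OWNER=debian-tor
+
+# Nov 09 21:00:27 host vanguards[715]: WARNING[Mon Nov 09 21:00:27 2020]: Tor daemon connection failed: [Errno 24] Too many open files. Trying again...
+systemctl stop vanguards
+systemctl stop onion-grater
+sh /etc/rc.local
+
+#su -c 'tor --verify-config' -s /bin/sh $PRIV_TOR_OWNER || exit 1
+tor --verify-config | grep -v 'notice\|DisableNetwork'
+rm -f /etc/torrc.d/*~
+
+netstat -nlp -t inet|grep 15:90 || { echo ERROR: alrady running ; exit 2 ; }
+
+cp /dev/null /run/tor/log.err
+cp /dev/null /run/tor/log.log
+rm -f /usr/local/etc/torrc.d/*~ /etc/torrc.d/*~
+
+#su -c '/etc/init.d/tor stop' -s /bin/sh $PRIV_TOR_OWNER
+#sleep 5
+
+# su -c '/etc/init.d/tor start' -s /bin/sh $PRIV_TOR_OWNER
+systemctl start tor || exit 4$?
+
+sleep 10
+
+sed -e '/configured a non-loopback address/d' /run/tor/log.*
+
+[ -f /run/tor/log.err ] && cat /run/tor/log.err && exit 5
+
+grep % /run/tor/log.*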
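Review bot: `[ -f /run/tor/log.err ] && cat /run/tor/log.err && exit 5` exits 5 on every run, because `cp /dev/null /run/tor/log.err` earlier in the script guarantees the file exists and `cat` of an empty file succeeds; test for content instead, `[ -s /run/tor/log.err ] && cat /run/tor/log.err && exit 5`. The `netstat ... | grep 15:90 || { echo ERROR: alrady running ; exit 2 ; }` line reports "already running" when the port is NOT found in the listener list, which reads inverted — either the condition or the message is wrong, and the message has a typo. `exit 4$?` concatenates the digit 4 with systemctl's status, yielding codes such as 41 that no caller can interpret; prefer a fixed code. `sed -e '/.../d' /run/tor/log.*` without `-i` only prints the filtered logs, so the following `grep %` still sees the unfiltered files — fine if that is intended, but a comment would help.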
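--- a/overlay/Devuan
+++ b/overlay/Devuan
@@ -0,0 +1 @@
+Debian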
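--- a/overlay/Gentoo/usr/local/bin/gentoo_curl_urls.sh
+++ b/overlay/Gentoo/usr/local/bin/gentoo_curl_urls.sh
@@ -0,0 +1,30 @@
+#!/bin/sh
+# -*- mode: sh; tab-width: 8; coding: utf-8-unix -*-
+# filter - arguments are to wget - quoted?
+
+ROOTDIR=/mnt/i
+ROLE=base
+
+LARGS="-X -P $ROOTDIR/net/Http "
+RARGS="--retry 1"
+
+grep ^http | \
+sed -e 's@http://@https://@g' \
+-e 's@^\(https://distfiles.gentoo.org/distfiles/[a-f0-9][a-f0-9]/[^ ]*\) \(https*://[^ ]*\) @\2 \1@' \
+-e 's@^\(https://distfiles.gentoo.org/distfiles/[^ ]*\) \(https*://[^ ]*\) @\2 \1@' \
+-e 's@^\(https://dev.gentoo.org/~sam/distfiles/[^ ]*\) \(https*://[^ ]*\) @\2 \1@' \
+| \
+sed -e 's@ftp://[^ ]*@@' \
+-e 's@^https://distfiles.gentoo.org/distfiles/[^ ]* https://pypi.python.org/@https://pypi.python.org/@' \
+-e 's@https*://distfiles.gentoo.org@https://gentoo.osuosl.org@g' \
+-e 's@https*://gentoo.osuosl.org@https://mirror.leaseweb.com/gentoo@g' \
+-e 's@https*://download.sourceforge.net@https://download.sourceforge.net@g' | \
+while read urls ; do
+url=`echo $urls|sed -e 's@ .*@@'`
+base=`basename "$url"`
+[ -e /usr/portage/distfiles/$base ] && echo distfiles/$base && continue
+for url in $urls ; do
+/usr/local/bin/scurl.bash $LARGS -- $RARGS $url || continue
+break
+done
+done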
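Review bot: The header comment `# filter - arguments are to wget - quoted?` is stale for this file: the script takes no arguments (`LARGS` and `RARGS` are fixed) and fetches through `/usr/local/bin/scurl.bash`, not wget. Suggest `# filter: reads URL lines on stdin, rewrites http and the distfiles mirrors to https, then fetches the first URL that scurl.bash can retrieve into $ROOTDIR/net/Http`. The cache shortcut tests `/usr/portage/distfiles/$base` but echoes the relative `distfiles/$base`; a comment on which form the caller expects would avoid the next reader "fixing" it. `$url` and `$base` are unquoted throughout while `basename "$url"` is quoted — pick one convention.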
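--- a/overlay/Gentoo/usr/local/bin/gentoo_scurl_urls.sh
+++ b/overlay/Gentoo/usr/local/bin/gentoo_scurl_urls.sh
@@ -0,0 +1,90 @@
+#!/bin/bash
+# -*- mode: sh; tab-width: 8; coding: utf-8-unix -*-
+# filter - arguments are to wget - quoted?
+
+prog=$( basename $0 .bash )
+prog=ScurlU
+ROOTDIR=/mnt/i/net/Http
+ROLE=base
+CACHE=/usr/portage/distfiles
+[ -z "$SCURL_BG" ] && SCURL_BG=0
+SSL_VER=2
+
+. /usr/local/bin/proxy_curl_lib.bash
+. /usr/local/bin/usr_local_tput.bash
+
+route | grep -q ^def || { ERROR not connected ; exit -1 ; }
+
+FETCHCOMMAND='/usr/local/bin/scurl.bash --force-directories --directory-prefix "\${DISTDIR}" -- "\${URI}"'
+
+# RARGS="--retry 1 --connect-timeout 10"
+RARGS=" -S $SSL_VER"
+if [ "$#" -eq 0 ] ; then
+LARGS="--force-directories --directory-prefix $ROOTDIR"
+else
+LARGS="$@"
+fi
+cp /dev/null /tmp/$prog$$.urls
+
+# //www.simplesystems.org/users/bfriesen/public-key.txt no https:
+# https://opencoder.net/WayneDavison.key cloudflare 403
+# https://www.simplesystems.org/users/bfriesen/public-key.txt 503
+# https://tiswww.case.edu/php/chet/gpgkey.asc 500 timeout
+# https://botan.randombit.net/pgpkey.txt no tls1.3
+# https://sourceware.org/elfutils/ftp/gpgkey-1AA44BE649DE760A.gpg no tls1.3
+# https://gnutls.org/gnutls-release-keyring.gpg no tls1.3
+
+declare -A IPS
+retval=0
+# NOT 1.3 -e 's@^https://distfiles.gentoo.org/distfiles/[^ ]* https://pypi.python.org/@https://pypi.python.org/@'
+grep ^http | \
+sed -e 's@ftp://[^ ]*@@' \
+-e 's/http:/https:/' \
+-e 's@^https://distfiles.gentoo.org/distfiles/openpgp-keys-[^ ]*.asc @@' \
+-e 's@https*://distfiles.gentoo.org@https://gentoo.osuosl.org@g' \
+-e 's@https://gentoo.osuosl.org@https://mirror.leaseweb.com/gentoo@g' \
+| \
+while read urls ; do
+url=`echo $urls|sed -e 's@ .*@@'`
+base=`basename "$url"`
+[ -e $CACHE/$base ] && echo $CACHE/$base && continue
+base=`echo $url | sed -e 's@ .*@@' -e 's@https*://@@'`
+[ -e $ROOTDIR/"$base" ] && echo $ROOTDIR/"$base" && continue
+for url in $urls ; do
+url=`sed -e 's@http://@https://@g' <<< $url`
+domain=`sed -e 's@^https*://@@' -e 's@/.*@@' <<< $url`
+a=`proxy_ami_nottlsv3 $domain`
+ar=$?
+[ $ar -eq 0 -a "$a" = True ] && \
+WARN $prog proxy_ami_nottlsv3 $domain $url && continue
+if [ -z "${IPS[$domain]}" ] ; then
+ip=`tor-resolve $domain`
+ir=$?
+[ $ir -eq 0 ] && IPS[$domain]=$ip
+else
+ip="${IPS[$domain]}"
+ir=0
+fi
+if [ $ir -eq 0 -a -n "$ip" ] ; then
+a=`proxy_ami_cloudflared $ip`
+[ $? -eq 0 -a "$a" = True ] && \
+WARN $prog $url Cloudflared $ip && \
+continue
+fi
+
+if [ "$SCURL_BG" = 1 ] ; then
+/usr/local/bin/scurl.bash $LARGS -- $RARGS $url &
+INFO $prog /usr/local/bin/scurl.bash $LARGS -- $RARGS $url
+else
+/usr/local/bin/scurl.bash $LARGS -- $RARGS $url || {
+retval=$?
+WARN $prog retval=$retval /usr/local/bin/scurl.bash $LARGS -- $RARGS $url
+continue
+}
+fi
+
+break
+done
+done
+
+exit $retval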
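Review bot: `cp /dev/null /tmp/$prog$$.urls` creates a predictably named file in the shared /tmp that nothing else in the script reads, writes or removes, so it is dead code that still carries the usual risk of a pre-placed file or symlink at that path; drop the line, or use `mktemp` with a `trap` cleanup if a scratch file is really needed. `prog=$( basename $0 .bash )` is overwritten on the next line by `prog=ScurlU`, so one of the two assignments is dead. `LARGS="$@"` flattens the arguments into one string that is re-split unquoted at the three `scurl.bash $LARGS` calls, so an argument containing whitespace is broken; since this file is `#!/bin/bash`, `LARGS=("$@")` and `"${LARGS[@]}"` preserve them (the default branch becomes `LARGS=(--force-directories --directory-prefix "$ROOTDIR")`). `exit -1` is out of range and becomes 255; `exit 1` says the same thing without relying on wraparound.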
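--- a/overlay/Gentoo/usr/local/bin/gentoo_wget_urls.sh
+++ b/overlay/Gentoo/usr/local/bin/gentoo_wget_urls.sh
@@ -0,0 +1,26 @@
+#!/bin/sh
+# filter - arguments are to wget - quoted?
+
+ROOTDIR=/mnt/i
+ROLE=base
+if [ "$#" -eq 0 ] ; then
+WARGS="-xc -P $ROOTDIR/net/Http --tries=1"
+else
+WARGS="$@"
+fi
+# NOT 1.3 -e 's@^https://distfiles.gentoo.org/distfiles/[^ ]* https://pypi.python.org/@https://pypi.python.org/@'
+grep ^http | \
+sed -e 's@^\(https://distfiles.gentoo.org/distfiles/[a-f0-9][a-f0-9]/[^ ]*\) \(https*://[^ ]*\) @\2 \1@' | \
+sed -e 's@ftp://[^ ]*@@' -e 's/http:/https:/' \
+-e 's@https*://distfiles.gentoo.org@https://gentoo.osuosl.org@g' \
+-e 's@https*://gentoo.osuosl.org@https://mirror.leaseweb.com/gentoo@g' \
+-e 's@https*://download.sourceforge.net@https://download.sourceforge.net@g' | \
+while read urls ; do
+url=`echo $urls|sed -e 's@ .*@@'`
+base=`basename "$url"`
+[ -e /usr/portage/distfiles/$base ] && echo distfiles/$base && continue
+for url in $urls ; do
+wget --restrict-file-names=windows --no-verbose $WARGS $url || continue
+break
+done
+done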
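Review bot: `-e 's/http:/https:/'` has no `g` flag, so only the first URL on each input line is upgraded to https; the fallback URLs tried later by `for url in $urls` are fetched over plain http, where a distfile can be altered in transit before any checksum is applied. Use `-e 's/http:/https:/g'`, which is what the sibling gentoo_curl_urls.sh does with `s@http://@https://@g`. `WARGS="$@"` collapses the arguments into one string, as the `quoted?` in the header comment already suspects; under `#!/bin/sh` there are no arrays, so either pass `"$@"` straight to wget and keep the default flags in a separate variable, or document that only whitespace-free arguments are supported.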
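--- a/overlay/Gentoo/usr/local/bin/str_replace
+++ b/overlay/Gentoo/usr/local/bin/str_replace
@@ -0,0 +1,52 @@
+#!/usr/bin/perl -w
+
+use strict;
+use warnings;
+
+
+my $numarg = $#ARGV + 1;
+if ($numarg < 2) {
+print "Usage: str_replace Search Replace File\nOr: STDIN str_replace Search Replace\n";
+exit 1;
+}
+
+my $find=$ARGV[0];
+my $replace=$ARGV[1];
+my $file;
+my $contents;
+my $found=0;
+my $fh;
+
+if(defined $ARGV[2]){
+$file=$ARGV[2];
+open($fh, '<', $file) or die "Cannot open the file '$file'";
+{
+local $/;
+$contents = <$fh>;
+}
+close($fh);
+}
+else{
+{
+local $/;
+$contents = <STDIN>;
+}
+}
+my $pos = index($contents, $find);
+while ( $pos > -1 ) {
+if(substr( $contents, $pos, length( $find ), $replace )){$found =$found+1;}
+$pos = index( $contents, $find, $pos + length( $replace ));
+}
+
+if(!defined $ARGV[2]){
+print $contents;
+exit;
+}
+
+if($found==0) {print "Nothing replaced\n";}
+else{ print "$found occurrences of '$find' have been replaced with '$replace'\n";}
+
+
+open($fh, '>', $file);
+print $fh $contents;
+close $fh;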
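Review bot: `open($fh, '>', $file);` at the end is unchecked, unlike the read at the top; if the file became read-only or was removed, the script has already printed `N occurrences ... replaced` and then silently writes nothing. Use `open($fh, '>', $file) or die "Cannot write the file '$file'";` and check `close $fh or die ...` as well. The rewrite truncates the original before the new contents are written, so an interruption leaves an empty file; writing to `"$file.tmp"` and renaming over the original keeps it intact. An empty `$find` makes `index` return `$pos` forever when `$replace` is also empty, so the argument check should reject empty search strings, not just count arguments.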
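--- a/overlay/Gentoo/usr/local/sbin/gentoo_base_verify-sig.bash
+++ b/overlay/Gentoo/usr/local/sbin/gentoo_base_verify-sig.bash
@@ -0,0 +1,168 @@
+#!/bin/sh
+# -*- mode: sh; tab-width: 8; encoding: utf-8-unix -*-
+
+prog=$( basename $0 .bash )
+ROLE=base
+. /usr/local/bin/usr_local_tput.bash
+
+PYVER=3
+PYTHON_MINOR=$( python$PYVER --version 2>&1| sed -e 's@^.* @@' -e 's@\.[0-9]*$@@' )
+
+[ -d /etc/portage ] || exit 0
+
+usage () { echo "USAGE: $prog [command args] -" $* ; exit 1 ; }
+error () { retval=$1 ; shift; ERROR "$prog" $* ; exit $retval ; }
+warn () { : ; }
+info () { : ; }
+debug () { : ; }
+
+# must be run as root
+[ "$( id -u )" -ne "0" ] && error 1 "must be run as root"
+
+[ -f /etc/portage/package.use/2021-00_verify-sig.txt ] || \
+touch /etc/portage/package.use/2021-00_verify-sig.txt || exit 2
+
+equery h -F '$cp:$slot' verify-sig | \
+sed -e 's/:0.*//' | while read b ; do \
+grep -q "^$b " /etc/portage/package.use/2021-00_verify-sig.txt && continue
+eix -r "^$b$" | grep -q Installed && \
+echo '#' $b verify-sig>>/etc/portage/package.use/2021-00_verify-sig.txt || \
+echo '##' $b verify-sig>>/etc/portage/package.use/2021-00_verify-sig.txt
+done
+
+[ -f /usr/lib/python$PYTHON_MINOR/site-packages/portage/eclass_cache.py.diff ] || \
+cat > /usr/lib/python$PYTHON_MINOR/site-packages/portage/eclass_cache.py.diff << EOF
+*** eclass_cache.py.dst 2021-06-13 21:26:05.000000000 +0000
+--- eclass_cache.py 2021-06-24 10:45:12.422857990 +0000
+***************
+*** 166,175 ****
+--- 166,176 ----
+return d
+
+def get_eclass_data(self, inherits):
+ec_dict = {}
+for x in inherits:
++ if x not in self.eclasses: continue
+ec_dict[x] = self.eclasses[x]
+
+return ec_dict
+
+@property
+EOF
+[ -f /usr/lib/python$PYTHON_MINOR/site-packages/portage/eclass_cache.py.dst ] || \
+patch -b -z .dst /usr/lib/python$PYTHON_MINOR/site-packages/portage/eclass_cache.py \
+< /usr/lib/python$PYTHON_MINOR/site-packages/portage/eclass_cache.py.diff
+
+[ -f /usr/portage/eclass/verify-sig.eclass.diff ] || \
+cat > /usr/portage/eclass/verify-sig.eclass.diff << EOF
+*** /usr/portage/eclass/verify-sig.eclass.dst 2021-07-29 06:09:55.000000000 +0000
+--- /usr/portage/eclass/verify-sig.eclass 2021-08-18 19:13:29.502980940 +0000
+***************
+*** 86,95 ****
+--- 86,99 ----
+[[ -n ${key} ]] ||
+die "${FUNCNAME}: no key passed and VERIFY_SIG_OPENPGP_KEY_PATH unset"
+
+local extra_args=()
+[[ ${VERIFY_SIG_OPENPGP_KEY_REFRESH} == yes ]] || extra_args+=( -R )
++ # gemato -R, --no-refresh-keys
++ # Disable refreshing OpenPGP key (prevents network
++ # access, applicable when using -K only)
++ [ -z "$http_proxy" ] || extra_args+=( --proxy $http_proxy )
+[[ -n ${VERIFY_SIG_OPENPGP_KEYSERVER+1} ]] && extra_args+=(
+--keyserver "${VERIFY_SIG_OPENPGP_KEYSERVER}"
+)
+
+# GPG upstream knows better than to follow the spec, so we can't
+***************
+*** 98,110 ****
+addpredict /run/user
+
+local filename=${file##*/}
+[[ ${file} == - ]] && filename='(stdin)'
+einfo "Verifying $(unknown) ..."
+! gemato gpg-wrap -K "${key}" "${extra_args[@]}" -- \
+! gpg --verify "${sig}" "${file}" ||
+! die "PGP signature verification failed"
+}
+
+# @FUNCTION: verify-sig_verify_message
+# @USAGE: <file> <output-file> [<key-file>]
+# @DESCRIPTION:
+--- 102,121 ----
+addpredict /run/user
+
+local filename=${file##*/}
+[[ ${file} == - ]] && filename='(stdin)'
+einfo "Verifying $(unknown) ..."
+! einfo gemato gpg-wrap -K "${key}" "${extra_args[@]}" -- \
+! gpg --verify --disable-dirmngr \
+! "${sig}" "${file}"
+! # --keyserver-options http-proxy=http://localhost:3128
+! einfo `env |sort`
+! # env - is necessary andx sufficient
+! env - gemato gpg-wrap -K "${key}" "${extra_args[@]}" -- \
+! gpg --verify --disable-dirmngr \
+! "${sig}" "${file}" || \
+! die "PGP signature verification failed"
+}
+
+# @FUNCTION: verify-sig_verify_message
+# @USAGE: <file> <output-file> [<key-file>]
+# @DESCRIPTION:
+***************
+*** 122,131 ****
+--- 133,143 ----
+[[ -n ${key} ]] ||
+die "${FUNCNAME}: no key passed and VERIFY_SIG_OPENPGP_KEY_PATH unset"
+
+local extra_args=()
+[[ ${VERIFY_SIG_OPENPGP_KEY_REFRESH} == yes ]] || extra_args+=( -R )
++ [ -z "$http_proxy" ] || extra_args+=( --proxy $http_proxy )
+[[ -n ${VERIFY_SIG_OPENPGP_KEYSERVER+1} ]] && extra_args+=(
+--keyserver "${VERIFY_SIG_OPENPGP_KEYSERVER}"
+)
+
+# GPG upstream knows better than to follow the spec, so we can't
+***************
+*** 134,146 ****
+addpredict /run/user
+
+local filename=${file##*/}
+[[ ${file} == - ]] && filename='(stdin)'
+einfo "Verifying $(unknown) ..."
+! gemato gpg-wrap -K "${key}" "${extra_args[@]}" -- \
+! gpg --verify --output="${output_file}" "${file}" ||
+! die "PGP signature verification failed"
+}
+
+# @FUNCTION: verify-sig_verify_signed_checksums
+# @USAGE: <checksum-file> <algo> <files> [<key-file>]
+# @DESCRIPTION:
+--- 146,165 ----
+addpredict /run/user
+
+local filename=${file##*/}
+[[ ${file} == - ]] && filename='(stdin)'
+einfo "Verifying $(unknown) ..."
+! einfo gemato gpg-wrap -K "${key}" "${extra_args[@]}" -- \
+! gpg --verify --disable-dirmngr --output="${output_file}" \
+! "${file}"
+! # --keyserver-options http-proxy=http://localhost:3128
+! einfo `env |sort`
+! # env - is necessary and sufficient
+! env - gemato gpg-wrap -K "${key}" "${extra_args[@]}" -- \
+! gpg --verify --disable-dirmngr --output="${output_file}" \
+! "${file}" || \
+! die "PGP signature verification failed"
+}
+
+# @FUNCTION: verify-sig_verify_signed_checksums
+# @USAGE: <checksum-file> <algo> <files> [<key-file>]
+# @DESCRIPTION:
+EOF
+
+[ -f /usr/portage/eclass/verify-sig.eclass.dst ] || \
+patch -b -z .dst /usr/portage/eclass/verify-sig.eclass \
+< /usr/portage/eclass/verify-sig.eclass.diff || exit 3
+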
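Review bot: Both `cat > ... << EOF` heredocs use an unquoted delimiter, so the outer shell expands `${key}`, `${file##*/}`, `${sig}`, `${extra_args[@]}` and `$http_proxy` and executes the backticked `env |sort` while writing the .diff files; the patch that lands on disk will not contain those literals, and under `#!/bin/sh` (dash) `${extra_args[@]}` is a fatal bad substitution that aborts the script. Quote the delimiter on both lines: `<< 'EOF'`. Separately, the replacement eclass body adds an `einfo` of the backticked `env |sort`, which copies the entire build environment — including any credentials embedded in `http_proxy` — into the emerge log on every signature check; remove it or gate it behind a debug variable. The eclass_cache.py hunk makes an inherited eclass that is missing from the cache silently `continue` instead of raising; a one-line comment above the `cat` saying why that is acceptable would save the next reader from treating it as a bug.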
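--- a/overlay/Gentoo/usr/local/sbin/gentoo_check_manifest.bash
+++ b/overlay/Gentoo/usr/local/sbin/gentoo_check_manifest.bash
@@ -0,0 +1,39 @@
+# This is recent - Pentoo not Funtoo
+# -*-mode: sh; tab-width: 8; coding: utf-8-unix -*-
+
+BASE_PORTDIR=/usr/portage
+
+keyf=/usr/share/openpgp-keys/gentoo-release.asc
+[ -f $keyf ] || exit 1
+
+gpg2 --disable-dirmngr --list-keys --with-sig-check --keyring $keyf >/tmp/G$$.log # 2>&1 || exit 1
+# gpg: 1 bad signature on Clipos
+# gpg: 1 bad signature on Pentoo19
+if grep 'bad signature' /tmp/G$$.log ; then
+echo ERROR: bad signature /tmp/G$$.log # exit 2
+# sig-3 BB572E0E2D182910 2009-08-25 Gentoo Linux Release Engineering (Automated Weekly Release Key) <releng@gentoo.org>
+gpg2 --disable-dirmngr --batch --delete-key BB572E0E2D182910
+fi
+
+# numbers 1-3 for certificate check level (see --ask-cert-level)
+grep '^sig-[0-9]' /tmp/G$$.log && { echo WARN: bad signature ; exit 3 ;}
+# gpg: 104 signatures not checked due to missing keys
+
+[ -f $BASE_PORTDIR/Manifest ] || exit 0
+# on stderr!
+gpg2 --verify --keyring $keyf $BASE_PORTDIR/Manifest >/tmp/K$$.log 2>&1 || exit 3
+# DCD05B71EAB94199527F44ACDB6B8C1F96D8BF6D
+# grep 'This key has expired' /tmp/K$$.log && exit 3
+grep 'using RSA key' /tmp/K$$.log || exit 4
+grep 'Primary key fingerprint:' /tmp/K$$.log | sed -e 's/.*: //' -e 's/ //g' > /tmp/K$$.key || exit 5
+
+if route | grep -q ^default ; then
+. /root/bin/tor.sh
+wget -O /tmp/K$$.html https://www.gentoo.org/downloads/signatures/ || exit 0
+grep "`cat /tmp/K$$.key`" /tmp/K$$.html || {
+echo ERROR: failed 'Primary key fingerprint:' "`cat /tmp/K$$.key`"
+exit 5
+}
+fi
+
+exit 0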
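Review bot: `gpg2 --verify --keyring $keyf $BASE_PORTDIR/Manifest` adds gentoo-release.asc to the keyring list but, without `--no-default-keyring`, root's default keyring is still consulted, so a Manifest signed by any key that happens to be imported there also passes; use `gpg2 --no-default-keyring --keyring $keyf --verify ...` (and the same on the `--list-keys` call, so the `bad signature` scan looks only at the release keys). The online fingerprint cross-check fails open: `wget ... || exit 0` turns a download failure into success, so the script reports a verified Manifest exactly when it could not fetch the reference page; exit non-zero there, or at minimum print a warning. The `/tmp/G$$.log` and `/tmp/K$$.*` files use predictable names and are never removed; `mktemp` plus a `trap 'rm -f ...' EXIT` is the usual shape. The file also has no shebang, so its behaviour depends on whichever shell the caller uses.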
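--- a/overlay/Gentoo/usr/local/sbin/gentoo_chroot_pentoo.bash
+++ b/overlay/Gentoo/usr/local/sbin/gentoo_chroot_pentoo.bash
@@ -0,0 +1,120 @@
+#!/bin/sh
+# -*- mode: sh; tab-width: 8; encoding: utf-8-unix -*-
+
+ROLE=testforge
+# export PATH=$PATH:/usr/local/bin
+MOUNTS="mnt/i mnt/j mnt/o"
+
+. /usr/local/bin/usr_local_tput.bash
+error () { retval=$1 ; shift; ERROR "$0" $* ; exit $retval ; }
+info () { INFO " $0 " $* ; }
+
+# must be run as root
+[ "`id -u`" -ne "0" ] && error 1 "must be run as root"
+
+if [ "$#" -eq "0" ] ; then
+error 2 "give an absolute directory name as argument"
+fi
+LARGS=""
+CMD=""
+while true; do
+case "$1" in
+'-'*)
+LARGS="$LARGS $1"
+shift
+;;
+*)
+break
+;;
+esac
+done
+
+root=$1
+shift
+if [ ! -d "$root" ] ; then
+error 3 "absolute directory name for chroot not found - $root"
+fi
+
+# unix partition
+[ -d $root/lost+found ] || exit 4
+# linux partition
+[ -e $root/usr/src/ ] || exit 5
+cd $root || exit 6
+
+if [ ! -d boot ] ; then
+error 7 "missing boot/"
+fi
+for file in tmp usr/tmp var/tmp ; do
+[ -d $file ] && continue
+mkdir $file || error 8 " missing directory $file"
+chmod 1777 $file
+done
+# df /var/tmp | grep -q sd.12 || mount /var/tmp
+
+for file in proc sys dev dev/pts dev/shm usr ; do
+[ -d $file ] && continue
+mkdir $file || exit 9
+chmod 755 $file
+done
+
+# Think -R is causing problems
+[ -e proc/self ] || mount -t proc none proc || error 10
+# this was rbind
+[ -e sys/kernel ] || mount -o bind /sys sys || error 12
+[ -e dev/null ] || mount -o bind /dev dev || error 11
+[ -e /dev/pts/0 ] || \
+mount -t devpts -o rw,relatime,mode=600 devpts dev/pts \
+|| error 12
+#? try mount| while read a on what type [ tmpfs cgroup binfmt_misc? ] without rbind
+mount| while read what foo on bar type rest ; do
+# cgroup devpts devtmpfs ecryptfs ext2 fuseblk proc rpc_pipefs sysfs tmpfs vfat
+# leave real disks for $MOUNTS
+[ $type = 'fuse' -o $type = 'ext2' -o $type = 'ext4' -o $type = 'vfat' -o ] && continue
+# have done these
+[ $type = 'proc' -o $type = 'sys' -o $type = 'dev' -o $type = 'devpts' -o ] && continue
+DBUG "Dunno $what $on $type"
+done
+# check for /dev/loop devices - up to 255 on android
+[ -e /dev/loop1 ] || \
+( cd /dev && \
+for i in 0 1 2 3 4 5 6 7 ; do
+[ -e loop$i ] && continue
+mknod loop$i b 7 $i
+chmod 660 loop$i
+chgrp disk loop$i
+done )
+
+for elt in $MOUNTS ; do
+[ -d $elt ] || { mkdir $elt ; chmod 755 $elt ; }
+grep -q /$elt /proc/mounts || continue
+[ -d $elt/tmp ] && continue
+grep -q $root/$elt /proc/mounts && continue
+mount --bind /$elt $root/$elt
+done
+
+# You'll also want to copy over resolv.conf in order to have proper DNS name
+# resolution from inside the chroot:
+# but in chroot, you'll need to change this to your connected IP address.
+cp -L /etc/resolv.conf etc || exit 16
+
+for file in .bashrc .profile .jedrc ; do
+[ -f root/$file ] || \
+cp -p /root/$file root/$file
+done
+
+
+EARGS="CHROOT=1 LANG=en_US.UTF-8 LC_COLLATE=C"
+EELTS="$EELTS TERM DISPLAY HOME USER LOGNAME USERNAME PATH"
+EELTS="$EELTS http_proxy https_proxy socks_proxy no_proxy"
+for elt in $EELTS ; do
+EARGS="$EARGS `env|grep ^${elt}=`"
+done
+
+# was /bin/bash -l
+[ "$#" -eq 0 ] && set -- /bin/sh -i
+
+# Now you can chroot into your new system. Use env before chroot to ensure that no
+# environment variables from the installation media are used by your new system:
+#? PATH=$PATH
+echo chroot $LARGS $root /usr/bin/env -i $EARGS "$@"
+chroot $LARGS $root /usr/bin/env -i $EARGS "$@"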
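Review bot: Both filesystem-type tests inside the `mount| while read ...` loop end in `-o ]`, leaving `-o` without a right-hand operand, so `[` reports an error on every mount entry and the `continue` never fires; drop the trailing `-o`, e.g. `[ $type = 'fuse' -o $type = 'ext2' -o $type = 'ext4' -o $type = 'vfat' ] && continue` and likewise for the proc/sys/dev/devpts line. The devpts guard tests the host path `/dev/pts/0` while its siblings test the chroot-relative `proc/self`, `sys/kernel` and `dev/null`; presumably `[ -e dev/pts/ptmx ]` (relative, after the `cd $root`) was intended, otherwise the bind is skipped whenever the host has a pty open. `error 10` and both `error 12` calls pass no message, so the failure output is just the script name and the duplicated code 12 cannot tell the sys bind from the devpts mount apart. The final `echo chroot ... $EARGS` prints the forwarded `http_proxy`/`https_proxy` values to the terminal; if those ever carry credentials they end up in scrollback and logs, so consider echoing only the variable names.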
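--- a/overlay/Gentoo/usr/local/sbin/gentoo_clean_portage_packages.bash
+++ b/overlay/Gentoo/usr/local/sbin/gentoo_clean_portage_packages.bash
@@ -0,0 +1,45 @@
+#!/bin/bash
+# -*- mode: sh; tab-width: 8; encoding: utf-8-unix -*-
+
+# shopt -s nullglob
+
+[ -f /etc/conf.d/hostname ] && . /etc/conf.d/hostname
+
+if [ $# -eq 1 ] ; then
+TO=$1
+elif [ -n "$hostname" -a "$hostname" = "pentoo" ] ; then
+TO=/mnt/o/Cache/linuxPen19/var/cache/portage/packages
+elif [ -f /etc/dracut.conf.d/funtoo.conf ] ; then
+TO=/mnt/o/Cache/linuxFun64/var/cache/portage/packages
+elif [ -f /etc/dracut.conf.d/clipos.conf ] ; then
+TO=/mnt/o/Cache/linuxClipos/var/cache/portage/packages
+else
+exit 3
+fi
+
+[ -n "$TO" ] || { echo ERROR: empty TO ; exit 4 ; }
+[ -d $TO ] || { echo ERROR: mkdir -p $TO ; exit 5 ; }
+
+pushd $TO
+# -o -name \*.xpak
+find *-* virtual pentoo -type f -name \*tbz2 | grep -v '_sources\|_download_' | while read file ; do
+dir=`dirname $file`
+base=`basename $file`
+subdir=`sed -e 's/-[0-9].*//' <<< $base`
+xdir=$dir/$subdir
+[ -d $xdir ] || continue
+xpak=`sed -e 's/.tbz2/-?.xpak/' <<< $base`
+ls $file $xdir/$xpak 2>/dev/null && rm -f $xdir/$xpak
+done
+popd
+
+cd $OUT
+rm -rf sys-firmware/intel-microcode* \
+sys-kernel/linux-firmware/* qpkg.*
+
+find -L *-*/ -type l -delete 2>&1| \
+grep 'Too many levels'| \
+sed -e 's/find: .//' -e 's/xpak.:.*/xpak/'| \
+xargs rm -f
+
+exit 0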
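Review bot: `cd $OUT` before the `rm -rf` step uses a variable that is never assigned anywhere in this file, so `cd` with an empty argument changes to `$HOME` and `rm -rf sys-firmware/intel-microcode* sys-kernel/linux-firmware/* qpkg.*` together with the following `find -L *-*/ ... | xargs rm -f` pipeline run against that directory. Guard the step so an unset value aborts instead: `cd "${OUT:?OUT must name the binpkg tree}" || exit 6`. The `exit 3` branch also ends silently when no cache location matches; an `echo ERROR: no package cache found` there would make the failure visible to callers.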
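--- a/overlay/Gentoo/usr/local/sbin/gentoo_early-ucode.cpio.bash
+++ b/overlay/Gentoo/usr/local/sbin/gentoo_early-ucode.cpio.bash
@@ -0,0 +1,16 @@
+# -*- mode: sh; fill-column: 75; tab-width: 8; coding: utf-8-unix -*-
+
+ROLE=gpgkey
+DST=/boot/intel-uc_pentoo19.cpio
+
+a=$( find /lib/firmware/intel-ucode/ -type f -newer $DST |wc -l )
+[ $? -ne 0 -o $a -eq 0 ] && exit 0
+
+iucode_tool -S --write-earlyfw=$DST /lib/firmware/intel-ucode/*
+
+base=$( basename $DST )
+dir=/l/syslinux
+[ -d $dir ] || exit 0
+[ -f $dir/$base ] && diff -q $DST /l/syslinux/$base && exit 0
+cp -p $DST /l/syslinux/$base
+exit 0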
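Review bot: The first run can never produce `$DST`: when the file does not exist, `find ... -newer $DST` fails but `wc -l` still prints 0, and `$?` on the next line reports the pipeline's last command (`wc`), so `[ $? -ne 0 -o $a -eq 0 ] && exit 0` leaves before `iucode_tool` is reached. Test existence explicitly, e.g. `[ -e "$DST" ] || a=1` before the test, and drop the `$?` check, which never reflects `find`. The file is committed as executable but its first line is the Emacs mode line rather than a `#!`, so which interpreter runs it depends on the caller; add `#!/bin/sh` as line 1.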
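--- a/overlay/Gentoo/usr/local/sbin/gentoo_eix-test-obsolete.bash
+++ b/overlay/Gentoo/usr/local/sbin/gentoo_eix-test-obsolete.bash
@@ -0,0 +1,8 @@
+#!/bin/sh
+# -*- mode: sh; fill-column: 75; tab-width: 8; coding: utf-8-unix -*-
+# https://forums.gentoo.org/viewtopic-t-1044220-start-0.html
+
+ROLE=base
+
+eix-test-obsolete -H brief | grep -v -e "^No " -e "^Skipping " -e "^$"
+exit 0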
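--- a/overlay/Gentoo/usr/local/sbin/gentoo_emerge-rebuild-missing.bash
+++ b/overlay/Gentoo/usr/local/sbin/gentoo_emerge-rebuild-missing.bash
@@ -0,0 +1,11 @@
+#!/bin/sh
+# -*- mode: sh; fill-column: 75; tab-width: 8; coding: utf-8-unix -*-
+
+# https://www.commandlinefu.com/commands/view/5988/re-emerge-all-ebuilds-with-missing-files-gentoo-linux
+# Re-emerge all ebuilds with missing files (Gentoo Linux)
+qlist --installed --nocolor | uniq | while read cp; do
+qlist --exact $cp | while read file; do
+test -e $file || { echo $cp; echo "$cp: missing $file (and maybe more)" 1>&2; break; };
+done;
+done
+exit 0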
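--- a/overlay/Gentoo/usr/local/sbin/gentoo_etc_portage.bash
+++ b/overlay/Gentoo/usr/local/sbin/gentoo_etc_portage.bash
@@ -0,0 +1,109 @@
+#!/bin/sh
+# -*- mode: sh; tab-width: 8; coding: utf-8-unix -*-
+
+prog=$( basename $0 .bash )
+PREFIX=/var/local
+ROLE=base
+. /usr/local/etc/testforge/testforge.bash || exit 1
+. /usr/local/bin/usr_local_base.bash || exit 2
+USAGE="$0 role-directory"
+#echo 1
+[ $# -ge 1 ] || { ERROR $USAGE ; exit 3 ; }
+
+[ -n "$TESTFORGE_ANSIBLE_SRC" ] || TESTFORGE_ANSIBLE_SRC=/g/TestForge/src/ansible
+base=`cat /etc/hostname`
+json="$TESTFORGE_ANSIBLE_SRC"/tmp/Hosts/$base.json
+if [ -d "$TESTFORGE_ANSIBLE_SRC" ] ; then
+if [ ! -s $json ] || [ "$TESTFORGE_ANSIBLE_SRC"/hosts.yml -nt $json ] ; then
+/usr/local/sbin/gentoo_hosts_json.bash || exit 4$?
+fi
+fi
+
+BOX_OS_FLAVOR=`/usr/local/sbin/gentoo_hosts_json.bash` || exit 4$?
+
+# "BOX_PYTHON3_MINOR": "3.10"
+PYTHON3_VER=`grep BOX_PYTHON3_MINOR <$json|sed -e 's/.*\.//' -e 's/,//' -e 's/"//'`
+
+TASKS="Gentoo/$BOX_OS_FLAVOR"
+YAML_HEAD="# -*- mode: yaml; tab-width: 0; coding: utf-8-unix -*-
+# This is an automatically generated file: do not edit
+
+---
+
+"""
+TEXT_HEAD="# -*- mode: text; tab-width: 8; coding: utf-8-unix -*-
+
+"""
+
+for dir in $* ; do
+[ -d $dir ] || { ERROR $dir ; exit 5 ; }
+[ -d $dir/vars ] || { WARN not a roles directory $dir/vars ; }
+YAML_BODY="- name: \"\\1\"\n blockinfile:\n dest: \\1\n create: true\n marker: \"# {mark} Ansible Managed Block $dir \\2\"\n block: |"
+for port in use mask unmask license accept_keywords ; do
+# DBUG $dir $port
+cp /dev/null $dir/vars/$port.txt
+grep '^ *- .*/' $dir/vars/Gentoo2.yml \
+| sed -e 's@^ *- @@' -e 's@ .*@@' \
+| uniq \
+| while read elt ; do
+base=`basename $elt`
+# override with $dir/tasks/$TASKS/portage.yml
+file=$dir/tasks/$TASKS/portage.yml
+[ -f $file ] && \
+grep -Hq "^ *[=>]*$elt" $file && \
+DBUG $port - "^ *[=>]*$elt" is already in $file && \
+continue
+file=$dir/vars/$port.txt
+[ -f $file ] && \
+grep -Hq "^ *[=>]*$elt" $file && \
+DBUG "^ *[=>]*$elt" is already in $file
+# && continue
+grep "^[=<>]*$elt" /etc/portage/package.$port/2*txt \
+| sed -e 's@^@# @' -e 's@.txt:@.txt '$base'\n@' \
+| sed -e 's@^\([^#][^ ]*\)@ \1%@' -e 's@^#@\n#@' \
+>> $dir/vars/$port.txt || exit 6
+#? grep "^#.*required by $elt" /etc/portage/package.$port/2*txt
+
+done
+#echo 2
+if [ ! -s $dir/vars/$port.txt ] ; then
+rm -f $dir/vars/$port.txt $dir/tasks/$TASKS/$port.yml
+continue
+fi
+
+INFO $port lines `wc -l $dir/vars/$port.txt`
+[ -d $dir/tasks/$TASKS ] || { ERROR no dir $dir/tasks/$TASKS ; continue ; }
+#echo 3
+to_yaml=$dir/tasks/$TASKS/$port.yml.new
+# overwrite if its there as .new
+echo "$YAML_HEAD" > $to_yaml
+# sed -e "s/\"\n block: |/ $base\0/"
+sed -e 's@^# \([^ ]*\) \([^ /]*\)$@'"$YAML_BODY"'@' $dir/vars/$port.txt \
+>> $to_yaml || exit 7
+# | sed -e "s/BLOCK $dir/BLOCK $dir $base/"
+if [ "$port" = "use" -o "$port" = "license" ] ; then
+sed -e 's@^ [=<>][=<>]*\([^:<>=]*\)-[0-9][-0-9.]*%@ \1@' -i $to_yaml || exit 8
+sed -e 's@^ [>=][>=]*\([^%]*\)%@ \1@' -i $to_yaml || exit 9
+elif [ "$port" = "mask" -o "$port" = "unmask" -o "$port" = "accept_keywords" ] ; then
+sed -e 's@^ \([^:]*\)/\([^%]*\)%@ \1/\2@' -i $to_yaml || exit 10
+fi
+sed -e 's@^ \([^:\n]*\)/\([^%\n]*\)%@ \1/\2@' -i $to_yaml || exit 11
+echo >> $to_yaml
+#echo 5
+grep % $to_yaml && ERROR "% in $to_yaml" && exit 12
+grep -q "^- [importinclude]*_tasks:.*$port.yml" $dir/tasks/$TASKS/main.yml || { \
+echo "- include_tasks: $TASKS/$port.yml" >> $dir/tasks/$TASKS/main.yml
+WARN "ADDED $port.yml to $dir/tasks/$TASKS/main.yml"
+}
+if [ ! -f $dir/tasks/$TASKS/$port.yml ] ; then
+mv $to_yaml $dir/tasks/$TASKS/$port.yml
+INFO created $dir/tasks/$TASKS/$port.yml
+elif diff -qw $to_yaml $dir/tasks/$TASKS/$port.yml ; then
+rm -f $to_yaml
+# DBUG unchanged $to_yaml
+else
+: diff is verbose
+fi
+done | sed -e 's/ and / /' -e 's/ differ$//' -e 's/^Files/mv/'
+done
+exit 0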
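Review bot: None of the `|| exit 6` through `exit 12` statements can stop the script: the `while read elt` loop is the tail of a pipeline and the whole `for port` loop is itself piped into `sed` (`done | sed -e 's/ and / /' ...`), so each `exit` only leaves that subshell and the outer `for dir` loop carries on with a partially written `$dir/vars/$port.txt` or `$port.yml.new`. Since the file declares `#!/bin/sh`, `PIPESTATUS` is not available; write the loop output to a temporary file and run the `sed` post-processing afterwards, so that `exit` terminates the script, or at least record failure in a file the outer loop checks. `PYTHON3_VER` (line 25) and `TEXT_HEAD` (line 34) are computed and never used. The `exit 4$?` form yields statuses such as 41 or 42, which is presumably intentional but deserves a one-line comment.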
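--- a/overlay/Gentoo/usr/local/sbin/gentoo_funtoo_world.bash
+++ b/overlay/Gentoo/usr/local/sbin/gentoo_funtoo_world.bash
@@ -0,0 +1,119 @@
+#!/bin/sh
+# -*- mode: sh; fill-column: 75; tab-width: 8; coding: utf-8-unix -*-
+
+if [ "$#" -ne 0 ] ; then
+ARGS=$*
+LARGS=""
+else
+ARGS="@world"
+# --changed-deps --deep
+LARGS="-vb --update"
+fi
+
+
+LARGS="$LARGS --changed-use --with-bdeps=y --changed-deps-report -k"
+LARGS="$LARGS --backtrack=30 --ignore-built-slot-operator-deps=y --keep-going"
+
+# Skips the packages specified on the command-line that have already been installed.
+LARGS="$LARGS --noreplace"
+
+# dangerous
+LARGS="$LARGS --exclude baselayout"
+
+# gone
+LARGS="$LARGS --exclude sci-chemistry/PyMca"
+LARGS="$LARGS --exclude dev-python/PyQt4"
+LARGS="$LARGS --exclude dev-python/pyqwt"
+
+# I wont do this routinely
+#?LARGS="$LARGS --exclude app-office/libreoffice"
+#?LARGS="$LARGS --exclude app-office/libreoffice-bin"
+
+# /usr/local
+LARGS="$LARGS --exclude seamonkey"
+LARGS="$LARGS --exclude firefox"
+LARGS="$LARGS --exclude thunderbird"
+
+LARGS="$LARGS --exclude gentoo-sources"
+
+#? LARGS="$LARGS --exclude net-analyzer/openvas*"
+#LARGS="$LARGS --exclude "
+
+#LARGS="$LARGS --exclude sys-libs/zlib"
+LARGS="$LARGS --exclude dev-util/android-sdk-update-manager"
+LARGS="$LARGS --exclude dev-util/android-ndk"
+
+LARGS="$LARGS --exclude sys-kernel/clipos-kernel"
+
+# always problems with icu
+LARGS="$LARGS --exclude dev-libs/icu"
+
+#emerge: there are no ebuilds to satisfy ">=dev-libs/nsgenbind-0.7".
+LARGS="$LARGS --exclude www-client/netsurf"
+# emerge: there are no ebuilds to satisfy ">=dev-python/attrs-19.1.0[python_targets_python3_6(-)?,python_targets_python3_7(-)?,-python_single_target_python3_6(-),-python_single_target_python3_7(-)]".
+#LARGS="$LARGS --exclude www-client/qutebrowser"
+
+LARGS="$LARGS --exclude dev-ruby/builder:3.1"
+
+# required by dev-python/pyqtgraph-0.10.0-r1::python-modules-kit
+# required by @selected
+# required by @world (argument)
+# >=dev-python/PyQt5-5.10.1-r1 -opengl
+LARGS="$LARGS --exclude dev-python/pyqtgraph"
+LARGS="$LARGS --exclude net-print/hplip"
+
+LARGS="$LARGS --exclude pentoo/pentoo-scanner"
+#LARGS="$LARGS --exclude net-analyzer/wpscan"
+#LARGS="$LARGS --exclude dev-ruby/cms_scanner"
+
+LARGS="$LARGS --exclude net-wireless/gnuradio" # [python_single_target_python2_7,qt5]
+LARGS="$LARGS --exclude net-wireless/gr-iio"
+LARGS="$LARGS --exclude net-wireless/gr-iqbal"
+LARGS="$LARGS --exclude net-wireless/gr-osmosdr" # [iqbalance]
+LARGS="$LARGS --exclude pentoo/pentoo-radio"
+LARGS="$LARGS --exclude gnuradio"
+
+# LARGS="$LARGS --exclude "
+
+# morons
+#(dependency required by "dev-ruby/activesupport-4.2.11.1-r1::pentoo[ruby_targets_ruby26,-test]" [ebuild])
+#(dependency required by "dev-ruby/activemodel-4.2.11.1::pentoo[ruby_targets_ruby26]" [ebuild])
+#(dependency required by "dev-ruby/metasploit-model-2.0.4::pentoo[ruby_targets_ruby26]" [ebuild])
+#(dependency required by "net-analyzer/metasploit-4.17.21-r8::pentoo[ruby_targets_ruby25]" [ebuild])
+#
+#(dependency required by "dev-ruby/metasploit-concern-2.0.5::pentoo[ruby_targets_ruby26]" [ebuild])
+#(dependency required by "dev-ruby/metasploit-credential-2.0.14::pentoo[ruby_targets_ruby25]" [ebuild])
+#(dependency required by "net-analyzer/metasploit-4.17.21-r8::pentoo[ruby_targets_ruby25]" [ebuild])
+LARGS="$LARGS --exclude net-analyzer/metasploit"
+
+# pentoo-rce
+#?LARGS="$LARGS --exclude dev-util/redasm --exclude pentoo-rce"
+
+#(dependency required by "dev-ml/ocaml-gettext-0.3.7::gentoo" [ebuild])
+#(dependency required by "app-emulation/libguestfs-1.38.6::gentoo" [ebuild])
+LARGS="$LARGS --exclude dev-ml/ocaml-gettext --exclude app-emulation/libguestfs"
+
+# broken
+#LARGS="$LARGS --exclude net-libs/libtorrent-rasterbar"
+#LARGS="$LARGS --exclude net-p2p/qbittorrent"
+# 9.0.1 even though it did work before
+LARGS="$LARGS --exclude sys-devel/llvm"
+# 6.1.6 even though app-emulation/virtualbox worked
+# cc1: error: incompatible gcc/plugin versions
+# cc1: error: fail to initialize plugin ./scripts/gcc-plugins/randomize_layout_plugin.so
+LARGS="$LARGS --exclude app-emulation/virtualbox-modules"
+# Unpacking NVIDIA-Linux-x86_64-440.82.run to /mnt/linuxBack52/mnt/tmp/Pentoo19/portage/x11-drivers/nvidia-drivers-440.82-r3/work
+#tar: Archive is compressed. Use -J option
+LARGS="$LARGS --exclude x11-drivers/nvidia-drivers"
+
+#(dependency required by "dev-qt/qtx11extras-5.14.2::gentoo" [ebuild])
+#(dependency required by "app-emulation/virtualbox-6.1.6::gentoo[-headless,qt5]" [installed])
+#(dependency required by "app-emulation/libvirt-6.1.0-r1::gentoo[virtualbox]" [ebuild])
+#(dependency required by "app-emulation/qt-virt-manager-9999::testforge" [ebuild])
+LARGS="$LARGS --exclude dev-qt/qtx11extras --exclude app-emulation/virtualbox --exclude app-emulation/libvirt --exclude app-emulation/qt-virt-manager"
+
+echo INFO: nice python3 emerge $LARGS $ARGS |tee -a world.log
+nice python3 `which emerge` $LARGS $ARGS >> world.log 2>&1
+# grep ' U ' world.log |grep -v =|sed -e 's@^.* \] @@' -e 's@-[0-9].*@@'
+# cat /var/lib/portage/world>world.elts;grep '^L.*exclude' world.sh|sed -e 's/.*exclude//' -e 's/"$//' -e 's/[*:].*$//' -e 's@/@\\\\/@' |sort -u |while read elt;do [ -z "$elt" ] && continue ; sed -e "/$elt/d" -i world.elts ;done
+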
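Review bot: `nice python3 \`which emerge\` $LARGS $ARGS` on line 116 never checks that `which` found anything; if it does not, the command becomes `python3 -vb --update ...` and the error goes only to `world.log`. Resolve it once and fail early, `emerge=$(command -v emerge) || exit 1`, and use `$emerge` on that line. `world.log` is written relative to whatever directory the caller is in, which for a script that is normally run as root deserves an explicit path such as `LOG=${LOG:-/var/log/world.log}`; the `echo INFO:` line on 115 also prints `emerge` while what runs is `python3 $(which emerge)`, so the log line does not reproduce the executed command.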
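--- a/overlay/Gentoo/usr/local/sbin/gentoo_gemato.bash
+++ b/overlay/Gentoo/usr/local/sbin/gentoo_gemato.bash
@@ -0,0 +1,32 @@
+#!/bin/bash
+# -*- mode: sh; fill-column: 75; tab-width: 8; coding: utf-8-unix -*-
+# Gentoo only
+
+ROLE=base
+PY_MINOR=3.8
+
+if [ $# -gt 0 -a $1 = --help ] ; then
+/usr/lib/python-exec/python${PY_MINOR}/gemato "$@"
+exit $?
+fi
+. /usr/local/bin/proxy_export.bash >/dev/null
+
+declare -a G
+if [ $1 = gpg-wrap ] ; then
+G=(${*:1:1} -W ${*:2})
+# need --
+[[ $G =~ '--' ]] && G+=('--')
+[ -f /etc/gnupg/gpgconf.conf ] && G+=(--options /etc/gnupg/gpgconf.conf)
+else
+G=(${*:1:1} ${*:2})
+fi
+
+# The --proxy code is for requests and is wrong: $http_proxy or $https_proxy
+#? [ -z "$https_proxy" ] || G=(${G:1:1} --proxy $https_proxy ${G:2})
+
+echo INFO: /usr/lib/python-exec/python${PY_MINOR}/gemato ${G[@]} >> /tmp/G$$.log 2>&1
+/usr/lib/python-exec/python${PY_MINOR}/gemato "${G[@]}" >> /tmp/G$$.log 2>&1
+ret=$?
+DBUG "$ret" >> /tmp/G$$.log 2>&1
+cat /tmp/G$$.log
+exit 0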
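Review bot: The wrapper discards gemato's verification result: `ret=$?` is captured on line 29 but the script ends with `exit 0`, so a Manifest signature or checksum failure is reported to the caller as success, which defeats the point of running gemato at all. Change the last line to `exit $ret`. The log is a predictable path in a shared directory that is appended to (`>> /tmp/G$$.log`); use `log=$(mktemp) || exit 1`, write to `$log`, and remove it after the `cat`. `[ $# -gt 0 -a $1 = --help ]` and `[ $1 = gpg-wrap ]` also error out when the script is called with no arguments because `$1` expands to nothing; quote it as `"$1"`.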
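--- a/overlay/Gentoo/usr/local/sbin/gentoo_link_portage_packages.bash
+++ b/overlay/Gentoo/usr/local/sbin/gentoo_link_portage_packages.bash
@@ -0,0 +1,43 @@
+#!/bin/bash
+# -*- mode: sh; tab-width: 8; encoding: utf-8-unix -*-
+
+prog=$( basename $0 .bash )
+. /usr/local/bin/usr_local_tput.bash
+ROLE=testforge
+
+shopt -s nullglob || exit 1
+
+. /usr/local/bin/usr_local_tput.bash
+[ -f /etc/conf.d/hostname ] && . /etc/conf.d/hostname
+
+if [ -n "$hostname" -a "$hostname" = "pentoo" ] ; then
+TO=/mnt/o/Cache/linuxPen19/var/cache/portage/packages
+elif [ -f /etc/dracut.conf.d/funtoo.conf ] ; then
+TO=/mnt/o/Cache/linuxFun64/var/cache/portage/packages
+elif [ -f /etc/dracut.conf.d/clipos.conf ] ; then
+TO=/mnt/o/Cache/linuxClipos/var/cache/portage/packages
+else
+exit 3
+fi
+
+[ -n "$TO" ] || { echo ERROR: empty TO ; exit 4 ; }
+[ -d $TO ] || { echo ERROR: mkdir -p $TO ; exit 5 ; }
+
+[ "$#" -eq 0 ] && set -- /usr/portage/packages
+
+for root in $* ; do
+cd $root || exit 2$?
+INFO $root
+find -L $root -type l -delete &
+
+pushd $TO
+# -o -name \*.xpak
+find *-* virtual pentoo -type f -name \*tbz2 | grep -v '_sources\|_download_' | while read file ; do
+[ -h $root/$file ] && [ -f $file ] && continue
+dir=`dirname $root/$file`
+[ -d $dir ] || mkdir $dir
+ln -s $TO/$file $root/$file
+done
+popd
+done
+exit 0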
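Review bot: `find -L $root -type l -delete &` on line 31 is left running in the background while the loop below tests `[ -h $root/$file ]` and creates links under `$root`, and the script never `wait`s for it, so whether a dangling link is still present when the test runs is timing-dependent. Run the cleanup synchronously, or put `wait` before `pushd $TO`. `usr_local_tput.bash` is sourced twice (lines 5 and 10); keep one. The `TO=` selection block is identical to the one in `gentoo_clean_portage_packages.bash` and `gentoo_move_portage_packages.bash` in this commit, so a shared helper would keep the three from drifting.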
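--- a/overlay/Gentoo/usr/local/sbin/gentoo_link_to_cache.bash
+++ b/overlay/Gentoo/usr/local/sbin/gentoo_link_to_cache.bash
@@ -0,0 +1,45 @@
+#!/bin/bash
+# -*-mode: sh; tab-width: 8; coding: utf-8-unix -*-
+
+ROLE=testforge
+TXT=/usr/local/sbin/gentoo_link_to_cache.txt
+
+# replace /usr/net/Http/Makefile
+[ "$#" -gt 0 ] && cd $1 || cd /usr/net/Http
+[ -z "$DISTFILES" ] && DISTFILES=../../portage/distfiles
+
+find -L $DISTFILES/ -type l -delete
+
+find */ prdownloads.sourceforge.net/*/ github.com/*/ -type f -o -type l -name \*.\* | \
+grep -v ' \|\.[a-z]\|/archive/\|/tarball/' \
+| grep -v 'htm$\|html$\|txt$\|Makefile$\|\.py$\|~$' \
+| while read file ; do
+base=`basename $file`
+[ -h ${DISTFILES}/"$base" ] && continue
+from=$(readlink ../../net/Http/"$file")
+[ -z "$from" ] && from=../../net/Http/"$file"
+ln -s $from ${DISTFILES}/"$base"
+done
+
+# golang/net/archive/8d16fa6dc9a8.tar.gz
+# burpsuite_community_v2020.9.1.jar portswigger.net/burp/releases/download@product=community&version=2020.9.1
+# burpsuite_community_v2020.4.jar mirror.leaseweb.com/gentoo/distfiles/0f/burpsuite_community_v2020.4.jar
+# burpsuite_community_v2020.4.jar portswigger.net/burp/releases/download@product=community&version=2020.4
+# burpsuite_community_v2020.4.1.jar portswigger.net/burp/releases/download@product=community&version=2020.4.1
+
+grep -v '^#' $TXT | while read base file ; do
+if [ -z "$base" ] ; then
+continue
+fi
+if [ -z "$file" ] ; then
+echo ERROR: empty target for $base && continue
+fi
+
+rm -f "${DISTFILES}/$base"
+ln -s ../../net/Http/"$file" ${DISTFILES}/"$base"
+[ -e /i/net/Http/distfiles.gentoo.org/distfiles/"$base" ] || \
+ln -s /i/net/Http/"$file" /i/net/Http/distfiles.gentoo.org/distfiles/"$base"
+base=""
+done
+exit 0
+# RfCatDonsCCBootloader-1.9.2.hex atlas0fd00m/rfcat/releases/download/v1.9.2/RfCatDonsCCBootloader.hex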
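Review bot: `[ "$#" -gt 0 ] && cd $1 || cd /usr/net/Http` on line 8 silently falls back to `/usr/net/Http` when `cd $1` fails, and if that fails as well the script continues in the caller's directory, where `find -L $DISTFILES/ -type l -delete` and the later `rm -f "${DISTFILES}/$base"` act on a relative `../../portage/distfiles`. Replace it with `cd "${1:-/usr/net/Http}" || exit 1`. In the `find` on line 13, `-type f -o -type l -name \*.\*` binds as `-type f -o ( -type l -a -name '*.*' )`; if the name filter was meant to apply to both, group it as `\( -type f -o -type l \) -name '*.*'`, otherwise a comment saying plain files are taken unfiltered would save the next reader the question.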
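--- a/overlay/Gentoo/usr/local/sbin/gentoo_lis_to_urls.bash
+++ b/overlay/Gentoo/usr/local/sbin/gentoo_lis_to_urls.bash
@@ -0,0 +1,18 @@
+#!/bin/sh
+# -*-mode: sh; tab-width: 8; coding: utf-8-unix -*-
+# filter
+
+CACHE=/mnt/i/net/Http
+grep ^http:// | \
+sed -e 's@ftp://[^ ]*@@g' | \
+while read line ; do
+for url in $line ; do
+base=`basename "$url"`
+[ -e /usr/portage/distfiles/$base ] && break
+pre=`sed -e "s@http://@${CACHE}@" <<< $url`
+[ -e $pre ] && break
+echo $line
+break
+done
+done
+exit 0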
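Review bot: Line 12 uses the here-string `<<< $url`, a bash extension, under `#!/bin/sh`; on a POSIX sh such as dash the script fails to parse. Either change the interpreter to `#!/bin/bash` or write `pre=$(printf '%s\n' "$url" | sed -e "s@http://@${CACHE}@")`. The sibling `gentoo_lis_to_urls.sh` in this commit is the same filter with hard-coded `/k/net/Http` and `/o/net/Http` paths; keeping both copies invites drift, so one should be deleted or made to call the other.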
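--- a/overlay/Gentoo/usr/local/sbin/gentoo_lis_to_urls.sh
+++ b/overlay/Gentoo/usr/local/sbin/gentoo_lis_to_urls.sh
@@ -0,0 +1,17 @@
+#!/bin/sh
+# filter
+grep ^http:// | \
+sed -e 's@ftp://[^ ]*@@g' | \
+while read line ; do
+for url in $line ; do
+base=`basename "$url"`
+[ -e /usr/portage/distfiles/$base ] && break
+pre=`echo $url|sed -e 's@http://@/k/net/Http@'`
+[ -e $pre ] && break
+pre=`echo $url|sed -e 's@http://@/o/net/Http@'`
+[ -e $pre ] && break
+echo $line
+break
+done
+
+done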
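--- a/overlay/Gentoo/usr/local/sbin/gentoo_missing_roles.bash
+++ b/overlay/Gentoo/usr/local/sbin/gentoo_missing_roles.bash
@@ -0,0 +1,60 @@
+#!/bin/sh
+# -*- mode: sh; fill-column: 75; tab-width: 8; coding: utf-8-unix -*-
+
+ROLE=testforge
+
+. /usr/local/bin/usr_local_tput.bash
+
+BASE_ROLES="base proxy"
+VAR_ROLES="testforge text"
+DEV_ROLES="${VAR_ROLES} testing pydev logging"
+WWORK_ROLES="${DEV_ROLES}"
+# LXD_ROLES="${DEV_ROLES} ansible-lxd"
+# text must come before harden
+HARD_ROLES="${DEV_ROLES} gpgkey harden privacy hostvms"
+PEN_ROLES="${HARD_ROLES} pentest ${juju4}"
+GUEST_ROLES="${HARD_ROLES} trading update"
+UPD_ROLES="${PEN_ROLES} update trading winrm "
+ALL_ROLES="${BASE_ROLES} ${UPD_ROLES}"
+
+cd /o/data/TestForge/src/ansible/ || exit 1
+
+for dir in src ; do
+grep -L 'ROLE=$' /usr/local/*$dir/*bash 2>/dev/null | \
+xargs grep -L 'ROLE=[a-z"]' 2>/dev/null | \
+xargs echo ERROR: missing in $dir
+INFO /usr/local/$dir
+for role in ${BASE_ROLES} ; do
+grep -L 'ROLE=$' /usr/local/*$dir/${role}*bash 2>/dev/null | \
+xargs grep -L ROLE=$role 2>/dev/null | while read f; do
+! grep -q ROLE= "$f" && echo ROLE=$role >> "$f" && continue
+sed -e "s/^ROLE=.*/ROLE=$role/" -i "$f"
+done
+grep -L 'ROLE=$' /usr/local/*$dir/${role}*bash 2>/dev/null | \
+xargs grep -l ROLE=$role | while read f ; do
+num=`ls roles/*/overlay/Linux/"$f" 2>/dev/null|wc -l|sed -e 's/ .*//'`
+[ $num -gt 1 ] && WARN DUP $f && echo `ls roles/*/overlay/Linux/"$f" 2>/dev/null` && continue
+[ ! -e roles/$role/overlay/Linux/"$f" ] && \
+echo cp -ip "$f" roles/$role/overlay/Linux/"$f"
+done
+done
+INFO /var/local/$dir
+grep -L 'ROLE=$' /var/local/*$dir/*bash 2>/dev/null | \
+xargs grep -L 'ROLE=[a-z"]' 2>/dev/null | \
+xargs echo ERROR: missing in $dir
+
+for role in ${UPD_ROLES} ; do
+grep -L 'ROLE=$' /var/local/*$dir/${role}*bash 2>/dev/null | \
+xargs grep -L ROLE=$role 2>/dev/null | while read f; do
+! grep -q ROLE= "$f" && echo ROLE=$role >> "$f" && continue
+sed -e "s/^ROLE=.*/ROLE=$role/" -i "$f"
+done
+grep -L 'ROLE=$' /var/local/*$dir/${role}*bash 2>/dev/null | \
+xargs grep -l ROLE=$role 2>/dev/null | while read f ; do
+num=`ls roles/*/overlay/Linux/"$f" 2>/dev/null | wc -l|sed -e 's/ .*//'`
+[ $num -gt 1 ] && WARN DUP $f && echo `ls roles/*/overlay/Linux/"$f" 2>/dev/null` && continue
+[ ! -e roles/$role/overlay/Linux/"$f" ] && \
+echo cp -ip "$f" roles/$role/overlay/Linux/"$f"
+done
+done
+done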
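Review bot: The `for role` block is duplicated verbatim for `/usr/local` and `/var/local` (lines 27–40 and 46–59), differing only in the prefix and the role list, and the copies have already drifted: the `/var/local` copy has `2>/dev/null` on its `xargs grep -l`, the other does not. A function taking the prefix and role list as arguments, `fix_roles /usr/local "${BASE_ROLES}"`, would halve the file and keep them aligned. `${juju4}` on line 15 is never assigned in this file, so `PEN_ROLES` gets an empty word; if it is meant as an environment input, say so in a comment. Note that these loops modify scripts under `/usr/local/*src` and `/var/local/*src` in place (`echo ROLE=$role >> "$f"`, `sed -i`) while the `cp -ip` on lines 38 and 57 is only echoed, so the script is half dry-run and half live; a single `DRYRUN` switch would make that explicit.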
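--- a/overlay/Gentoo/usr/local/sbin/gentoo_move_portage_packages.bash
+++ b/overlay/Gentoo/usr/local/sbin/gentoo_move_portage_packages.bash
@@ -0,0 +1,68 @@
+#!/bin/bash
+# -*- mode: sh; tab-width: 8; encoding: utf-8-unix -*-
+
+ROLE=base
+DEBUG=1
+
+shopt -s nullglob || exit 1
+
+. /usr/local/bin/usr_local_tput.bash || exit 2
+[ -f /etc/conf.d/hostname ] && . /etc/conf.d/hostname
+
+if [ -n "$hostname" -a "$hostname" = "pentoo" ] ; then
+TO=/mnt/o/Cache/linuxPen19/var/cache/portage/packages
+elif [ -f /etc/dracut.conf.d/funtoo.conf ] ; then
+TO=/mnt/o/Cache/linuxFun64/var/cache/portage/packages
+elif [ -f /etc/dracut.conf.d/clipos.conf ] ; then
+TO=/mnt/o/Cache/linuxClipos/var/cache/portage/packages
+elif [ -d /mnt/o/Cache/linuxPen19/var/cache/portage/packages ] ; then
+TO=/mnt/o/Cache/linuxPen19/var/cache/portage/packages
+else
+exit 3
+fi
+
+[ -n "$TO" ] || { ERROR empty TO ; exit 4 ; }
+[ -d $TO ] || { ERROR mkdir -p $TO ; exit 5 ; }
+find $TO -type f -exec chmod 644 {} \; &
+
+[ "$#" -eq 0 ] && set -- /usr/portage/packages
+
+grep -v : /var/lib/portage/world | while read f; do \
+ls /var/db/repos/*/$f 2>/dev/null >/dev/null && continue;
+ls /var/local/portage/*/$f 2>/dev/null >/dev/null && continue;
+echo $f
+done |tee /var/lib/portage/world.dead
+
+for root in $* ; do
+cd $root || exit 2$?
+INFO $root
+
+find -L . -type l -delete 2>&1 | grep Too | \
+sed -e 's/.: Too.*//' -e 's/find: .//'|xargs rm -f
+find . -type f -exec chmod 644 {} \; &
+find *-* virtual pentoo -type f -name \*tbz2 -o -name \*qpkg.tar -o -name \*.xpak | grep -v '_sources\|_download_' | while read file ; do
+dir=$( dirname $file )
+[[ $dir =~ dev-python/nltk-data ]] && continue
+[[ $dir =~ sys-kernel/pentoo-sources ]] && continue
+[[ $dir =~ app-emulation/virtio-win ]] && continue
+[ -d $TO/$dir ] || { DBUG mkdir -p $TO/$dir ; mkdir -p $TO/$dir ; }
+[ -h $TO/$file ] && [ -f $file ] && DBUG rm $TO/$file && rm $TO/$file
+if [ -f $TO/$file -a -f $file ] ; then
+diff -q $TO/$file $file && rm -f $file && ln -s $TO/$file $file && continue
+echo WARN: exists $TO/$file $file && mv $file $TO/$file && ln -s $TO/$file $file && continue
+fi
+[ ! -h $file ] && mv $root/$file $TO/$file && ln -s $TO/$file $root/$file && DBUG ln -s $TO/$file $root/$file && continue || exit 1
+DBUG dunno $file `ls -lF $TO/$file $file`
+done
+
+pushd $TO
+# -o -name \*.xpak
+find *-* virtual pentoo -type f -name \*tbz2 -o -name \*.tar | grep -v '_sources\|_download_' | while read file ; do
+[ -h $root/$file ] && [ -f $file ] && continue
+dir=`dirname $root/$file`
+[ -d $dir ] || mkdir $dir
+ln -s $TO/$file $root/$file
+done
+popd
+done
+exit 0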
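Review bot: The `find` on line 43 is parsed by find as `( -type f -a -name '*tbz2' ) -o -name '*qpkg.tar' -o -name '*.xpak'`, so the `-type f` restriction applies only to the tbz2 alternative and symlinked `.xpak`/`qpkg.tar` entries reach the loop; the same precedence issue is on line 60 with `*.tar`. Group the names: `-type f \( -name '*tbz2' -o -name '*qpkg.tar' -o -name '*.xpak' \)`. The `|| exit 1` on line 54 runs inside the `while` subshell, so it only abandons the rest of that root's loop and the script still finishes with `exit 0`; the `DBUG dunno` line after it is therefore unreachable. The two backgrounded `chmod` finds (lines 26 and 42) run concurrently with the `mv`/`ln -s` in the loop and are never waited for.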
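--- a/overlay/Gentoo/usr/local/sbin/gentoo_qcheck_missing.bash
+++ b/overlay/Gentoo/usr/local/sbin/gentoo_qcheck_missing.bash
@@ -0,0 +1,9 @@
+#!/bin/sh
+# -*- mode: sh; fill-column: 75; tab-width: 8; coding: utf-8-unix -*-
+# https://forums.gentoo.org/viewtopic-t-1044220-start-0.html
+qcheck -C \
+| grep -v -e '.*\.pyo$' -e '.*\.pyc$' \
+-e '.*/examples/.*' -e '^.*/doc/.*/[^/.]*$' \
+-e '^/usr/lib/debug/.*' -e '.*\.debug' \
+-e '^/usr/.*compiled' -e '^/usr/.*\.cache' \
+| grep -B 1 -e '^ MD5-DIGEST:' -e '^ AFK:' -e '^ MTIME:'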
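--- a/overlay/Gentoo/usr/local/sbin/gentoo_scurl_urls.sh
+++ b/overlay/Gentoo/usr/local/sbin/gentoo_scurl_urls.sh
@@ -0,0 +1,70 @@
+#!/bin/bash
+# filter - arguments are to wget - quoted?
+
+prog=$( basename $0 .bash )
+prog=ScurlU
+ROOTDIR=/mnt/i/net/Http
+ROLE=base
+CACHE=/usr/portage/distfiles
+
+. /usr/local/bin/proxy_curl_lib.bash
+
+route | grep -q ^def || { echo ERROR: not connected ; exit 1 ; }
+
+. /usr/local/bin/usr_local_tput.bash
+FETCHCOMMAND='/usr/local/bin/scurl.bash --force-directories --directory-prefix "\${DISTDIR}" -- "\${URI}"'
+
+# RARGS="--retry 1 --connect-timeout 10"
+if [ "$#" -eq 0 ] ; then
+LARGS="--force-directories --directory-prefix $ROOTDIR"
+else
+LARGS="$@"
+fi
+cp /dev/null /tmp/$prog$$.urls
+
+# //www.simplesystems.org/users/bfriesen/public-key.txt no https:
+# https://opencoder.net/WayneDavison.key cloudflare 403
+# https://www.simplesystems.org/users/bfriesen/public-key.txt 503
+# https://tiswww.case.edu/php/chet/gpgkey.asc 500 timeout
+# https://botan.randombit.net/pgpkey.txt no tls1.3
+# https://sourceware.org/elfutils/ftp/gpgkey-1AA44BE649DE760A.gpg no tls1.3
+# https://gnutls.org/gnutls-release-keyring.gpg no tls1.3
+
+retval=0
+# NOT 1.3 -e 's@^https://distfiles.gentoo.org/distfiles/[^ ]* https://pypi.python.org/@https://pypi.python.org/@'
+grep ^http | \
+sed -e 's@ftp://[^ ]*@@' \
+-e 's/http:/https:/' \
+-e 's@^https://distfiles.gentoo.org/distfiles/openpgp-keys-[^ ]*.asc @@' \
+-e 's@https*://distfiles.gentoo.org@https://gentoo.osuosl.org@g' \
+-e 's@https://gentoo.osuosl.org@https://mirror.leaseweb.com/gentoo@g' \
+-e 's@https*://download.sourceforge.net@https://download.sourceforge.net@g' | \
+while read urls ; do
+url=`echo $urls|sed -e 's@ .*@@'`
+base=`basename "$url"`
+[ -e $CACHE/$base ] && echo $CACHE/$base && continue
+base=`echo $url | sed -e 's@ .*@@' -e 's@https*://@@'`
+[ -e $ROOTDIR/"$base" ] && echo $ROOTDIR/"$base" && continue
+for url in $urls ; do
+for no in "${NOTLSV3[@]}" ; do
+[[ $url =~ $no ]] && continue
+done
+domain=`sed -e 's@/.*@@' <<< $base`
+ip=`tor-resolve $domain`
+if [ $? -eq 0 -a -n "$ip" ] ; then
+a=`proxy_ami_cloudflared $ip`
+[ $? -eq 0 -a "$a" = True ] && \
+WARN $url Cloudflared $ip $no && \
+continue
+fi
+
+DBUG $prog /usr/local/bin/scurl.bash $LARGS -- $RARGS $url
+/usr/local/bin/scurl.bash $LARGS -- $RARGS $url || {
+retval=$?
+continue
+}
+break
+done
+done
+
+exit $retval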
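Review bot: The `NOTLSV3` skip on lines 49–51 is ineffective: `continue` inside `for no` only advances that inner loop, so a matching URL is still fetched; it needs `continue 2` to move on to the next URL. `domain` on line 52 is derived from `$base`, which was computed from the first URL of the line before the `for url` loop starts, so the tor-resolve/Cloudflare check tests the first mirror's host for every alternative URL; derive it from `$url` inside the loop, e.g. `domain=$(sed -e 's@https*://@@' -e 's@/.*@@' <<< "$url")`. `/tmp/$prog$$.urls` is created on line 23 and never referenced again, and `NOTLSV3` and `proxy_ami_cloudflared` are presumably provided by `proxy_curl_lib.bash` — a comment naming that would help, since the `for no` loop is a silent no-op if the array is unset.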
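--- a/overlay/Gentoo/usr/local/sbin/gentoo_sec-keys_overlay.bash
+++ b/overlay/Gentoo/usr/local/sbin/gentoo_sec-keys_overlay.bash
@@ -0,0 +1,62 @@
+#!/bin/bash
+# -*- mode: sh; fill-column: 75; tab-width: 8; coding: utf-8-unix -*-
+
+shopt -s nullglob || exit 1
+
+prog=`basename $0 .bash`
+ROLE=base
+export PATH=/sbin:$PATH
+
+PREFIX=/usr/local
+. /usr/local/bin/usr_local_tput.bash || exit 2
+
+DEST=$PREFIX/portage/testforge/sec-keys
+FROM=/usr/portage/sec-keys
+
+cd /
+grep /~sam/ /usr/portage/sec-keys/*/*d| \
+sed -e 's@.*/@@' -e 's/"//' -e 's/.*-//'|grep -v P | \
+while read f;do
+b=`ls /usr/portage/distfiles/*"$f"`|| continue;
+a=`readlink "$b"`;
+echo $a;[ -h "$a" ] && continue;
+echo $b;
+done | \
+sed -e 's@\.\./\.\.@/i@'|zip -m9 --symlinks sam.zip -@
+
+cd $FROM
+#
+tar cf - *-* | tar xf - --keep-newer-files -C $DEST 2>/dev/null >/dev/null
+
+[ -d $DEST ] || mkdir -p $DEST
+cd $FROM
+i=0
+for dir in *-*; do
+[ -d $dir ] || continue
+[ -d $DEST/$dir ] || mkdir $DEST/$dir
+ls $dir/*ebuild >/dev/null 2>/dev/null || { WARN no *ebuild in $dir ; continue ; }
+for file in $dir/*ebuild ; do
+[ -f $DEST/$file ] && [ $DEST/$file -nt $FROM/$file ] && continue
+sed -e 's/^LICENSE=/RESTRICT="mirror"\nLICENSE=/' > $DEST/$file < $FROM/$file
+if grep -q 'Mirrored from ' $FROM/$file ; then
+url="`grep 'Mirrored from ' $FROM/$file|sed -e 's/.*Mirrored from //' -e 's/ .*//'`"
+if [ -n "$url" ] ; then
+i=`expr $i + 1`
+rep=`sed -e 's/[$]/\\\\$/g' -e 's/[&]/\\\\&/g' <<< $url`
+# could change some keyservers here
+rep=`sed -e 's/http:/https:/' <<< $rep`
+DBUG rep="$rep"
+sed -e "s@https://dev.gentoo.org/.sam/[^ \"]*@$rep@" \
+-i $DEST/$file
+fi
+fi
+cd $DEST/$dir
+for dfile in $dir/*ebuild ; do
+ddir=`dirname $dfile`
+cd $ddir
+ebuild manifest *ebuild
+done
+cd $DEST
+done
+done
+INFO $i $DEST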
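--- a/overlay/Gentoo/usr/local/sbin/gentoo_wget_urls.bash
+++ b/overlay/Gentoo/usr/local/sbin/gentoo_wget_urls.bash
@@ -0,0 +1,24 @@
+#!/bin/sh
+# -*-mode: sh; tab-width: 8; coding: utf-8-unix -*-
+# filter - arguments are to wget - quoted?
+
+ROOTDIR=/mnt/i
+if [ "$#" -eq 0 ] ; then
+WARGS="-xc -P $ROOTDIR/net/Http --tries=1"
+else
+WARGS="$@"
+fi
+grep ^http | \
+sed -e 's@^\(https://distfiles.gentoo.org/distfiles/[a-f0-9][a-f0-9]/[^ ]*\) \(https://[^ ]*\) @\2 \1@' | \
+sed -e 's@ftp://[^ ]*@@' -e 's@^https://distfiles.gentoo.org/distfiles/[^ ]* https://pypi.python.org/@https://pypi.python.org/@' -e 's/http:/https:/' \
+-e 's@https*://mirror.leaseweb.com/gentoo/@https://gentoo.osuosl.org@g' \
+-e 's@https*://distfiles.gentoo.org@https://gentoo.osuosl.org@g' | \
+while read urls ; do
+url=`sed -e 's@ .*@@' <<< $urls`
+base=`basename "$url"`
+[ -e /usr/portage/distfiles/$base ] && echo distfiles/$base && continue
+for url in $urls ; do
+wget --restrict-file-names=windows --no-verbose $WARGS $url || continue
+break
+done
+done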
BIN
overlay/Gentoo/usr/local/src/wicd-old.zip
Normal file
BIN
overlay/Gentoo/usr/local/src/wicd-old.zip
Normal file
Binary file not shown.
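--- a/overlay/Linux/etc/firewall.conf.block
+++ b/overlay/Linux/etc/firewall.conf.block
@@ -0,0 +1,13 @@
+# Add your spoofed IP range/IPs here
+0.0.0.0/8
+127.0.0.0/8
+10.0.0.0/8
+172.16.0.0/12
+192.168.0.0/16
+224.0.0.0/3
+#
+51.79.22.224/32
+37.191.192.147/32
+5.1.56.52/32
+5.39.72.2/32
+71.143.196.76/32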
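Review bot: The five `/32` entries after the bare `#` line carry no note of why they are listed, while the block above is recognisably bogon/private space; a comment such as `# individual hosts blocked on <DATE/REASON>; reverse lookups kept in firewall.conf.blocks.dig` would keep the list reviewable. The companion `firewall.conf.blocks.dig` in this commit records lookups for 51.79.22.224, 37.191.192.147, 5.1.56.52 and 5.39.72.2 but not for 71.143.196.76, so that entry has no recorded provenance at all. `224.0.0.0/3` spans 224.0.0.0–255.255.255.255 (multicast plus the reserved former class E range); stating that intent in a comment avoids a later reader "correcting" it to `/4`.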
143
overlay/Linux/etc/firewall.conf.blocks.dig
Normal file
143
overlay/Linux/etc/firewall.conf.blocks.dig
Normal file
@ -0,0 +1,143 @@
|
|||||||
|
|
||||||
|
; <<>> DiG 9.11.5-P4-5.1+deb10u2-Debian <<>> -x 95.211.136.23
|
||||||
|
;; global options: +cmd
|
||||||
|
;; Got answer:
|
||||||
|
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 31931
|
||||||
|
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
|
||||||
|
|
||||||
|
;; QUESTION SECTION:
|
||||||
|
;23.136.211.95.in-addr.arpa. IN PTR
|
||||||
|
|
||||||
|
;; Query time: 1282 msec
|
||||||
|
;; SERVER: 127.0.0.1#53(127.0.0.1)
|
||||||
|
;; WHEN: Fri Dec 11 07:40:43 UTC 2020
|
||||||
|
;; MSG SIZE rcvd: 44
|
||||||
|
|
||||||
|
|
||||||
|
; <<>> DiG 9.11.5-P4-5.1+deb10u2-Debian <<>> -x 51.79.22.224
|
||||||
|
;; global options: +cmd
|
||||||
|
;; Got answer:
|
||||||
|
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64446
|
||||||
|
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
|
||||||
|
|
||||||
|
;; QUESTION SECTION:
|
||||||
|
;224.22.79.51.in-addr.arpa. IN PTR
|
||||||
|
|
||||||
|
;; ANSWER SECTION:
|
||||||
|
REVERSE[224.22.79.51.in-addr.arpa]. 60 IN PTR ip224.ip-51-79-22.net.
|
||||||
|
|
||||||
|
;; Query time: 1 msec
|
||||||
|
;; SERVER: 127.0.0.1#53(127.0.0.1)
|
||||||
|
;; WHEN: Fri Dec 11 07:45:05 UTC 2020
|
||||||
|
;; MSG SIZE rcvd: 112
|
||||||
|
|
||||||
|
|
||||||
|
; <<>> DiG 9.11.5-P4-5.1+deb10u2-Debian <<>> -x 37.191.192.147
|
||||||
|
;; global options: +cmd
|
||||||
|
;; Got answer:
|
||||||
|
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21844
|
||||||
|
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
|
||||||
|
|
||||||
|
;; OPT PSEUDOSECTION:
|
||||||
|
; EDNS: version: 0, flags:; udp: 4096
|
||||||
|
;; QUESTION SECTION:
|
||||||
|
;147.192.191.37.in-addr.arpa. IN PTR
|
||||||
|
|
||||||
|
;; ANSWER SECTION:
|
||||||
|
147.192.191.37.in-addr.arpa. 3261 IN PTR host-37-191-192-147.lynet.no.
|
||||||
|
|
||||||
|
;; Query time: 0 msec
|
||||||
|
;; SERVER: 127.0.0.1#53(127.0.0.1)
|
||||||
|
;; WHEN: Fri Dec 11 07:45:05 UTC 2020
|
||||||
|
;; MSG SIZE rcvd: 98
|
||||||
|
|
||||||
|
|
||||||
|
; <<>> DiG 9.11.5-P4-5.1+deb10u2-Debian <<>> -x 5.1.56.52
|
||||||
|
;; global options: +cmd
|
||||||
|
;; Got answer:
|
||||||
|
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 13766
|
||||||
|
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
|
||||||
|
|
||||||
|
;; QUESTION SECTION:
|
||||||
|
;52.56.1.5.in-addr.arpa. IN PTR
|
||||||
|
|
||||||
|
;; Query time: 192 msec
|
||||||
|
;; SERVER: 127.0.0.1#53(127.0.0.1)
|
||||||
|
;; WHEN: Fri Dec 11 07:45:05 UTC 2020
|
||||||
|
;; MSG SIZE rcvd: 40
|
||||||
|
|
||||||
|
|
||||||
|
; <<>> DiG 9.11.5-P4-5.1+deb10u2-Debian <<>> -x 5.39.72.2
|
||||||
|
;; global options: +cmd
|
||||||
|
;; Got answer:
|
||||||
|
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59857
|
||||||
|
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
|
||||||
|
|
||||||
|
;; OPT PSEUDOSECTION:
|
||||||
|
; EDNS: version: 0, flags:; udp: 4096
|
||||||
|
;; QUESTION SECTION:
|
||||||
|
;2.72.39.5.in-addr.arpa. IN PTR
|
||||||
|
|
||||||
|
;; ANSWER SECTION:
|
||||||
|
2.72.39.5.in-addr.arpa. 3335 IN PTR ns3065363.ip-5-39-72.eu.
|
||||||
|
|
||||||
|
;; Query time: 0 msec
|
||||||
|
;; SERVER: 127.0.0.1#53(127.0.0.1)
|
||||||
|
;; WHEN: Fri Dec 11 07:45:05 UTC 2020
|
||||||
|
;; MSG SIZE rcvd: 88
|
||||||
|
|
||||||
|
|
||||||
|
; <<>> DiG 9.11.5-P4-5.1+deb10u2-Debian <<>> -x 51.38.81.39
|
||||||
|
;; global options: +cmd
|
||||||
|
;; Got answer:
|
||||||
|
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24210
|
||||||
|
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
|
||||||
|
|
||||||
|
;; OPT PSEUDOSECTION:
|
||||||
|
; EDNS: version: 0, flags:; udp: 4096
|
||||||
|
;; QUESTION SECTION:
|
||||||
|
;39.81.38.51.in-addr.arpa. IN PTR
|
||||||
|
|
||||||
|
;; ANSWER SECTION:
|
||||||
|
39.81.38.51.in-addr.arpa. 3336 IN PTR vps-87b023ab.vps.ovh.net.
|
||||||
|
|
||||||
|
;; Query time: 0 msec
|
||||||
|
;; SERVER: 127.0.0.1#53(127.0.0.1)
|
||||||
|
;; WHEN: Fri Dec 11 07:45:05 UTC 2020
|
||||||
|
;; MSG SIZE rcvd: 91
|
||||||
|
|
||||||
|
|
||||||
|
; <<>> DiG 9.11.5-P4-5.1+deb10u2-Debian <<>> -x 136.243.4.139
|
||||||
|
;; global options: +cmd
|
||||||
|
;; Got answer:
|
||||||
|
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25018
|
||||||
|
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
|
||||||
|
|
||||||
|
;; OPT PSEUDOSECTION:
|
||||||
|
; EDNS: version: 0, flags:; udp: 4096
|
||||||
|
;; QUESTION SECTION:
|
||||||
|
;139.4.243.136.in-addr.arpa. IN PTR
|
||||||
|
|
||||||
|
;; ANSWER SECTION:
|
||||||
|
139.4.243.136.in-addr.arpa. 3336 IN PTR static.139.4.243.136.clients.your-server.de.
|
||||||
|
|
||||||
|
;; Query time: 0 msec
|
||||||
|
;; SERVER: 127.0.0.1#53(127.0.0.1)
|
||||||
|
;; WHEN: Fri Dec 11 07:45:05 UTC 2020
|
||||||
|
;; MSG SIZE rcvd: 112
|
||||||
|
|
||||||
|
|
||||||
|
; <<>> DiG 9.11.5-P4-5.1+deb10u2-Debian <<>> -x 95.211.136.23
|
||||||
|
;; global options: +cmd
|
||||||
|
;; Got answer:
|
||||||
|
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 23102
|
||||||
|
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
|
||||||
|
|
||||||
|
;; QUESTION SECTION:
|
||||||
|
;23.136.211.95.in-addr.arpa. IN PTR
|
||||||
|
|
||||||
|
;; Query time: 192 msec
|
||||||
|
;; SERVER: 127.0.0.1#53(127.0.0.1)
|
||||||
|
;; WHEN: Fri Dec 11 07:45:05 UTC 2020
|
||||||
|
;; MSG SIZE rcvd: 44
|
||||||
|
|
134
overlay/Linux/etc/firewall.conf.gateway
Normal file
134
overlay/Linux/etc/firewall.conf.gateway
Normal file
@ -0,0 +1,134 @@
|
|||||||
|
# Generated by xtables-save v1.8.2 on Sat Dec 12 13:40:39 2020
|
||||||
|
*filter
|
||||||
|
:INPUT DROP [0:0]
|
||||||
|
:FORWARD DROP [0:0]
|
||||||
|
:OUTPUT DROP [0:0]
|
||||||
|
-A INPUT -m conntrack --ctstate INVALID -j DROP
|
||||||
|
-A INPUT -m state --state INVALID -j DROP
|
||||||
|
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK -j DROP
|
||||||
|
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
|
||||||
|
-A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
|
||||||
|
-A INPUT -f -j DROP
|
||||||
|
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
|
||||||
|
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
|
||||||
|
-A INPUT -i lo -j ACCEPT
|
||||||
|
-A INPUT -m state --state ESTABLISHED -j ACCEPT
|
||||||
|
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
|
||||||
|
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
|
||||||
|
-A INPUT -i eth0 -p tcp -m tcp --dport 9050 -j ACCEPT
|
||||||
|
-A INPUT -i eth0 -p tcp -m tcp --dport 9053 -j ACCEPT
|
||||||
|
-A INPUT -i eth0 -p tcp -m tcp --dport 9040 -j ACCEPT
|
||||||
|
-A INPUT -i eth0 -p tcp -m tcp --dport 9128 -j ACCEPT
|
||||||
|
-A INPUT -i eth1 -p udp -m udp --dport 5300 -j ACCEPT
|
||||||
|
-A INPUT -i eth1 -p tcp -m tcp --dport 9040 -j ACCEPT
|
||||||
|
-A INPUT -i eth1 -p tcp -m tcp --dport 9051 -j ACCEPT
|
||||||
|
-A INPUT -i eth1 -p tcp -m tcp --dport 9124 -j ACCEPT
|
||||||
|
-A INPUT -i eth1 -p tcp -m tcp --dport 9104 -j ACCEPT
|
||||||
|
-A INPUT -i eth1 -p tcp -m tcp --dport 9111 -j ACCEPT
|
||||||
|
-A INPUT -i eth1 -p tcp -m tcp --dport 9117 -j ACCEPT
|
||||||
|
-A INPUT -i eth1 -p tcp -m tcp --dport 9107 -j ACCEPT
|
||||||
|
-A INPUT -i eth1 -p tcp -m tcp --dport 9123 -j ACCEPT
|
||||||
|
-A INPUT -i eth1 -p tcp -m tcp --dport 9105 -j ACCEPT
|
||||||
|
-A INPUT -i eth1 -p tcp -m tcp --dport 9103 -j ACCEPT
|
||||||
|
-A INPUT -i eth1 -p tcp -m tcp --dport 9101 -j ACCEPT
|
||||||
|
-A INPUT -i eth1 -p tcp -m tcp --dport 9122 -j ACCEPT
|
||||||
|
-A INPUT -i eth1 -p tcp -m tcp --dport 9121 -j ACCEPT
|
||||||
|
-A INPUT -i eth1 -p tcp -m tcp --dport 9120 -j ACCEPT
|
||||||
|
-A INPUT -i eth1 -p tcp -m tcp --dport 9113 -j ACCEPT
|
||||||
|
-A INPUT -i eth1 -p tcp -m tcp --dport 9112 -j ACCEPT
|
||||||
|
-A INPUT -i eth1 -p tcp -m tcp --dport 9118 -j ACCEPT
|
||||||
|
-A INPUT -i eth1 -p tcp -m tcp --dport 9108 -j ACCEPT
|
||||||
|
-A INPUT -i eth1 -p tcp -m tcp --dport 9106 -j ACCEPT
|
||||||
|
-A INPUT -i eth1 -p tcp -m tcp --dport 9100 -j ACCEPT
|
||||||
|
-A INPUT -i eth1 -p tcp -m tcp --dport 9150 -j ACCEPT
|
||||||
|
-A INPUT -i eth1 -p tcp -m tcp --dport 9115 -j ACCEPT
|
||||||
|
-A INPUT -i eth1 -p tcp -m tcp --dport 9116 -j ACCEPT
|
||||||
|
-A INPUT -i eth1 -p tcp -m tcp --dport 9102 -j ACCEPT
|
||||||
|
-A INPUT -i eth1 -p tcp -m tcp --dport 9119 -j ACCEPT
|
||||||
|
-A INPUT -i eth1 -p tcp -m tcp --dport 9050 -j ACCEPT
|
||||||
|
-A INPUT -i eth1 -p tcp -m tcp --dport 9109 -j ACCEPT
|
||||||
|
-A INPUT -i eth1 -p tcp -m tcp --dport 9110 -j ACCEPT
|
||||||
|
-A INPUT -i eth1 -p tcp -m tcp --dport 9114 -j ACCEPT
|
||||||
|
-A INPUT -i eth1 -p tcp -m tcp --dport 9125 -j ACCEPT
|
||||||
|
-A INPUT -i eth1 -p tcp -m multiport --dports 9152:9189 -j ACCEPT
|
||||||
|
-A INPUT -i eth0 -p udp -m udp --dport 9053 -j ACCEPT
|
||||||
|
-A INPUT -j DROP
|
||||||
|
-A FORWARD -j REJECT --reject-with icmp-admin-prohibited
|
||||||
|
-A OUTPUT -m conntrack --ctstate INVALID -j REJECT --reject-with icmp-admin-prohibited
|
||||||
|
-A OUTPUT -m state --state INVALID -j REJECT --reject-with icmp-admin-prohibited
|
||||||
|
-A OUTPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK -j REJECT --reject-with icmp-admin-prohibited
|
||||||
|
-A OUTPUT -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j REJECT --reject-with icmp-admin-prohibited
|
||||||
|
-A OUTPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j REJECT --reject-with icmp-admin-prohibited
|
||||||
|
-A OUTPUT -f -j REJECT --reject-with icmp-admin-prohibited
|
||||||
|
-A OUTPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j REJECT --reject-with icmp-admin-prohibited
|
||||||
|
-A OUTPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j REJECT --reject-with icmp-admin-prohibited
|
||||||
|
-A OUTPUT -m state --state ESTABLISHED -j ACCEPT
|
||||||
|
-A OUTPUT -m iprange --dst-range 127.0.0.0-127.0.0.24 -j ACCEPT
|
||||||
|
-A OUTPUT -m iprange --dst-range 192.168.0.0-192.168.0.24 -j ACCEPT
|
||||||
|
-A OUTPUT -m iprange --dst-range 192.168.1.0-192.168.1.24 -j ACCEPT
|
||||||
|
-A OUTPUT -m iprange --dst-range 10.152.152.0-10.152.152.24 -j ACCEPT
|
||||||
|
-A OUTPUT -m iprange --dst-range 10.0.2.2-10.0.2.24 -j ACCEPT
|
||||||
|
-A OUTPUT -o lo -j ACCEPT
|
||||||
|
-A OUTPUT -m owner --uid-owner 108 -j ACCEPT
|
||||||
|
-A OUTPUT -m owner --uid-owner 106 -j ACCEPT
|
||||||
|
-A OUTPUT -m owner --uid-owner 105 -j ACCEPT
|
||||||
|
-A OUTPUT -j REJECT --reject-with icmp-admin-prohibited
|
||||||
|
COMMIT
|
||||||
|
# Completed on Sat Dec 12 13:40:40 2020
|
||||||
|
# Generated by xtables-save v1.8.2 on Sat Dec 12 13:40:40 2020
|
||||||
|
*nat
|
||||||
|
:PREROUTING ACCEPT [0:0]
|
||||||
|
:INPUT ACCEPT [0:0]
|
||||||
|
:POSTROUTING ACCEPT [0:0]
|
||||||
|
:OUTPUT ACCEPT [0:0]
|
||||||
|
-A PREROUTING -d 10.152.152.10/32 -i eth1 -p tcp -m tcp --dport 9051 -j REDIRECT --to-ports 9051
|
||||||
|
-A PREROUTING -d 10.152.152.10/32 -i eth1 -p tcp -m tcp --dport 9124 -j REDIRECT --to-ports 9124
|
||||||
|
-A PREROUTING -d 10.152.152.10/32 -i eth1 -p tcp -m tcp --dport 9104 -j REDIRECT --to-ports 9104
|
||||||
|
-A PREROUTING -d 10.152.152.10/32 -i eth1 -p tcp -m tcp --dport 9111 -j REDIRECT --to-ports 9111
|
||||||
|
-A PREROUTING -d 10.152.152.10/32 -i eth1 -p tcp -m tcp --dport 9117 -j REDIRECT --to-ports 9117
|
||||||
|
-A PREROUTING -d 10.152.152.10/32 -i eth1 -p tcp -m tcp --dport 9107 -j REDIRECT --to-ports 9107
|
||||||
|
-A PREROUTING -d 10.152.152.10/32 -i eth1 -p tcp -m tcp --dport 9123 -j REDIRECT --to-ports 9123
|
||||||
|
-A PREROUTING -d 10.152.152.10/32 -i eth1 -p tcp -m tcp --dport 9105 -j REDIRECT --to-ports 9105
|
||||||
|
-A PREROUTING -d 10.152.152.10/32 -i eth1 -p tcp -m tcp --dport 9103 -j REDIRECT --to-ports 9103
|
||||||
|
-A PREROUTING -d 10.152.152.10/32 -i eth1 -p tcp -m tcp --dport 9101 -j REDIRECT --to-ports 9101
|
||||||
|
-A PREROUTING -d 10.152.152.10/32 -i eth1 -p tcp -m tcp --dport 9122 -j REDIRECT --to-ports 9122
|
||||||
|
-A PREROUTING -d 10.152.152.10/32 -i eth1 -p tcp -m tcp --dport 9121 -j REDIRECT --to-ports 9121
|
||||||
|
-A PREROUTING -d 10.152.152.10/32 -i eth1 -p tcp -m tcp --dport 9120 -j REDIRECT --to-ports 9120
|
||||||
|
-A PREROUTING -d 10.152.152.10/32 -i eth1 -p tcp -m tcp --dport 9113 -j REDIRECT --to-ports 9113
|
||||||
|
-A PREROUTING -d 10.152.152.10/32 -i eth1 -p tcp -m tcp --dport 9112 -j REDIRECT --to-ports 9112
|
||||||
|
-A PREROUTING -d 10.152.152.10/32 -i eth1 -p tcp -m tcp --dport 9118 -j REDIRECT --to-ports 9118
|
||||||
|
-A PREROUTING -d 10.152.152.10/32 -i eth1 -p tcp -m tcp --dport 9108 -j REDIRECT --to-ports 9108
|
||||||
|
-A PREROUTING -d 10.152.152.10/32 -i eth1 -p tcp -m tcp --dport 9106 -j REDIRECT --to-ports 9106
|
||||||
|
-A PREROUTING -d 10.152.152.10/32 -i eth1 -p tcp -m tcp --dport 9100 -j REDIRECT --to-ports 9100
|
||||||
|
-A PREROUTING -d 10.152.152.10/32 -i eth1 -p tcp -m tcp --dport 9150 -j REDIRECT --to-ports 9150
|
||||||
|
-A PREROUTING -d 10.152.152.10/32 -i eth1 -p tcp -m tcp --dport 9115 -j REDIRECT --to-ports 9115
|
||||||
|
-A PREROUTING -d 10.152.152.10/32 -i eth1 -p tcp -m tcp --dport 9116 -j REDIRECT --to-ports 9116
|
||||||
|
-A PREROUTING -d 10.152.152.10/32 -i eth1 -p tcp -m tcp --dport 9102 -j REDIRECT --to-ports 9102
|
||||||
|
-A PREROUTING -d 10.152.152.10/32 -i eth1 -p tcp -m tcp --dport 9119 -j REDIRECT --to-ports 9119
|
||||||
|
-A PREROUTING -d 10.152.152.10/32 -i eth1 -p tcp -m tcp --dport 9050 -j REDIRECT --to-ports 9050
|
||||||
|
-A PREROUTING -d 10.152.152.10/32 -i eth1 -p tcp -m tcp --dport 9109 -j REDIRECT --to-ports 9109
|
||||||
|
-A PREROUTING -d 10.152.152.10/32 -i eth1 -p tcp -m tcp --dport 9110 -j REDIRECT --to-ports 9110
|
||||||
|
-A PREROUTING -d 10.152.152.10/32 -i eth1 -p tcp -m tcp --dport 9114 -j REDIRECT --to-ports 9114
|
||||||
|
-A PREROUTING -d 10.152.152.10/32 -i eth1 -p tcp -m tcp --dport 9125 -j REDIRECT --to-ports 9125
|
||||||
|
-A PREROUTING -d 10.152.152.10/32 -i eth1 -p tcp -m tcp --dport 9152:9189 -j REDIRECT
|
||||||
|
-A PREROUTING -i eth1 -p udp -m udp --dport 53 -j REDIRECT --to-ports 5300
|
||||||
|
-A PREROUTING -i eth1 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040
|
||||||
|
-A OUTPUT -m owner --uid-owner 108 -j RETURN
|
||||||
|
-A OUTPUT -m owner --uid-owner 106 -j RETURN
|
||||||
|
-A OUTPUT -m owner --uid-owner 105 -j RETURN
|
||||||
|
-A OUTPUT -m iprange --dst-range 127.0.0.0-127.0.0.24 -j RETURN
|
||||||
|
-A OUTPUT -m iprange --dst-range 192.168.0.0-192.168.0.24 -j RETURN
|
||||||
|
-A OUTPUT -m iprange --dst-range 192.168.1.0-192.168.1.24 -j RETURN
|
||||||
|
-A OUTPUT -m iprange --dst-range 10.152.152.0-10.152.152.24 -j RETURN
|
||||||
|
-A OUTPUT -m iprange --dst-range 10.0.2.2-10.0.2.24 -j RETURN
|
||||||
|
COMMIT
|
||||||
|
# Completed on Sat Dec 12 13:40:40 2020
|
||||||
|
# Generated by xtables-save v1.8.2 on Sat Dec 12 13:40:40 2020
|
||||||
|
*mangle
|
||||||
|
:PREROUTING ACCEPT [0:0]
|
||||||
|
:INPUT ACCEPT [0:0]
|
||||||
|
:FORWARD ACCEPT [0:0]
|
||||||
|
:OUTPUT ACCEPT [0:0]
|
||||||
|
:POSTROUTING ACCEPT [0:0]
|
||||||
|
COMMIT
|
||||||
|
# Completed on Sat Dec 12 13:40:40 2020
|
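Review bot: The `iprange` rules in the filter OUTPUT chain and again in the nat OUTPUT chain end at `.24` — `--dst-range 127.0.0.0-127.0.0.24`, `192.168.0.0-192.168.0.24`, `192.168.1.0-192.168.1.24`, `10.152.152.0-10.152.152.24`, `10.0.2.2-10.0.2.24` — which is a 25-address window, not the /24 subnets the prefixes suggest; if whole subnets were intended, `-d 192.168.0.0/24 -j ACCEPT` (and the matching `-j RETURN` in nat) is the form to use. `-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT` appears twice in a row and one copy can go. The conntrack accept is `--state ESTABLISHED` only, so RELATED packets such as ICMP errors for existing flows fall through to the final `-A INPUT -j DROP`; note whether that is deliberate. The `--uid-owner 108`, `106` and `105` rules name no account; numeric uids are installation-specific, so a comment per rule (or the user names, which iptables-restore accepts) would make the bypass list auditable.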
183
overlay/Linux/etc/firewall.conf.host
Normal file
183
overlay/Linux/etc/firewall.conf.host
Normal file
@ -0,0 +1,183 @@
|
|||||||
|
# -*-mode: conf[Space]; tab-width: 8; coding: utf-8-unix -*-
|
||||||
|
# firewall.bash.libvirt.9
|
||||||
|
*mangle
|
||||||
|
:PREROUTING ACCEPT [0:0]
|
||||||
|
:INPUT ACCEPT [0:0]
|
||||||
|
:FORWARD ACCEPT [0:0]
|
||||||
|
:OUTPUT ACCEPT [0:0]
|
||||||
|
:POSTROUTING ACCEPT [0:0]
|
||||||
|
:LIBVIRT_PRT - [0:0]
|
||||||
|
#D#-A INPUT -j LOG --log-prefix "iptables_mangle_END-i: " --log-uid
|
||||||
|
-A POSTROUTING -j LIBVIRT_PRT
|
||||||
|
COMMIT
|
||||||
|
|
||||||
|
*nat
|
||||||
|
:PREROUTING ACCEPT [0:0]
|
||||||
|
:INPUT ACCEPT [0:0]
|
||||||
|
:OUTPUT ACCEPT [0:0]
|
||||||
|
:POSTROUTING ACCEPT [0:0]
|
||||||
|
:LIBVIRT_PRT - [0:0]
|
||||||
|
# was ! -o lo - -o wlan4
|
||||||
|
# let resolve.conf redirect to lo - this rule cannot be removed
|
||||||
|
#-A OUTPUT -o wlan4 -p tcp --dport 53 -j DNAT --to-destination 127.0.0.1:53
|
||||||
|
#-A OUTPUT -o wlan4 -p udp --dport 53 -j DNAT --to-destination 127.0.0.1:53
|
||||||
|
|
||||||
|
# .onion mapped addresses redirection to Tor.
|
||||||
|
###-A OUTPUT -d 172.16.0.0/12 -p tcp -j DNAT --to-destination 127.0.0.1:9040
|
||||||
|
## Log.
|
||||||
|
#D-A INPUT -j LOG --log-prefix "iptables_nat_END-i: " --log-uid
|
||||||
|
-A POSTROUTING -j LIBVIRT_PRT
|
||||||
|
-A LIBVIRT_PRT -s 10.0.2.0/24 -d 224.0.0.0/24 -j RETURN
|
||||||
|
-A LIBVIRT_PRT -s 10.0.2.0/24 -d 255.255.255.255/32 -j RETURN
|
||||||
|
-A LIBVIRT_PRT -s 10.0.2.0/24 ! -d 10.0.2.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
|
||||||
|
-A LIBVIRT_PRT -s 10.0.2.0/24 ! -d 10.0.2.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
|
||||||
|
-A LIBVIRT_PRT -s 10.0.2.0/24 ! -d 10.0.2.0/24 -j MASQUERADE
|
||||||
|
COMMIT
|
||||||
|
|
||||||
|
*filter
|
||||||
|
:INPUT DROP [0:0]
|
||||||
|
:FORWARD DROP [0:0]
|
||||||
|
:OUTPUT DROP [0:0]
|
||||||
|
:LIBVIRT_FWI - [0:0]
|
||||||
|
:LIBVIRT_FWO - [0:0]
|
||||||
|
:LIBVIRT_FWX - [0:0]
|
||||||
|
:LIBVIRT_INP - [0:0]
|
||||||
|
:LIBVIRT_OUT - [0:0]
|
||||||
|
|
||||||
|
#D#-A INPUT -j LOG --log-prefix "iptables_filter_BEGIN-i: firewall.conf.new.9" --log-uid
|
||||||
|
# blocks
|
||||||
|
-A INPUT -i wlan6 -s 5.1.56.52 -p tcp -j DROP
|
||||||
|
-A INPUT -i wlan6 -s 5.39.72.2 -p tcp -j DROP
|
||||||
|
-A INPUT -i wlan4 -s 37.191.192.147 -p tcp -j DROP
|
||||||
|
-A INPUT -i wlan4 -s 51.79.22.224 -p tcp -j DROP
|
||||||
|
|
||||||
|
-A INPUT -m conntrack --ctstate INVALID -j DROP
|
||||||
|
-A INPUT -m state --state INVALID -j DROP
|
||||||
|
-A INPUT -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j DROP
|
||||||
|
-A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
|
||||||
|
-A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
|
||||||
|
-A INPUT -f -j DROP
|
||||||
|
-A INPUT -p tcp --tcp-flags ALL ALL -j DROP
|
||||||
|
-A INPUT -p tcp --tcp-flags ALL NONE -j DROP
|
||||||
|
-A INPUT -i lo -j ACCEPT
|
||||||
|
-A INPUT -m state --state ESTABLISHED -j ACCEPT
|
||||||
|
### this is required for outgoing pings
|
||||||
|
-A INPUT -i wlan4 -p icmp -j LOG --log-prefix "iptables_icmp_ACCEPT-i: " --log-uid
|
||||||
|
-A INPUT -i wlan4 -p icmp -j ACCEPT
|
||||||
|
|
||||||
|
# these are NOT needed
|
||||||
|
#!-A INPUT -i wlan4 -m owner --gid-owner 226 -p udp --sport 123 -j LOG --log-uid --log-prefix "iptables_123_ACCEPT-o: "
|
||||||
|
#!-A INPUT -i wlan4 -m owner --gid-owner 226 -p udp --sport 123 -j ACCEPT
|
||||||
|
#!-A INPUT -i wlan4 -m owner --uid-owner 0 -p udp --sport 123 -j LOG --log-uid --log-prefix "iptables_123_ACCEPT-o: "
|
||||||
|
#!-A INPUT -i wlan4 -m owner --uid-owner 0 -p udp --sport 123 -j ACCEPT
|
||||||
|
# these are NOT needed
|
||||||
|
#!-A INPUT -i wlan4 -p tcp -m owner --gid-owner 1 -j ACCEPT
|
||||||
|
# these are NOT needed
|
||||||
|
#!-A INPUT -i wlan4 -p tcp -m owner --gid-owner 216 -j ACCEPT
|
||||||
|
#?# let dhcp through?
|
||||||
|
#?-A INPUT -p udp --sport 68 -j ACCEPT
|
||||||
|
#?-A INPUT -p udp --sport 67 -j ACCEPT
|
||||||
|
-A INPUT -i wlan4 -p udp --sport 137 -j DROP
|
||||||
|
-A INPUT -i wlan4 -p udp --sport 138 -j DROP
|
||||||
|
-A INPUT -i wlan4 -p udp --sport 139 -j DROP
|
||||||
|
### this is required for outgoing pings
|
||||||
|
-A INPUT -i virbr1 -p icmp -j LOG --log-prefix "iptables_icmp_ACCEPT-i: " --log-uid
|
||||||
|
-A INPUT -i virbr1 -p icmp -j ACCEPT
|
||||||
|
#D#-A INPUT -i virbr1 -p tcp --sport 22 -j LOG --log-uid --log-prefix "iptables_22_ACCEPT-i: "
|
||||||
|
-A INPUT -i virbr1 -p tcp --sport 22 -j ACCEPT
|
||||||
|
#D#-A INPUT -i virbr1 -p tcp --sport 9128 -j LOG --log-uid --log-prefix "iptables_9128_ACCEPT-i: "
|
||||||
|
-A INPUT -i virbr1 -p tcp --sport 9128 -j ACCEPT
|
||||||
|
#D#-A INPUT -i virbr1 -p tcp --sport 9050 -j LOG --log-uid --log-prefix "iptables_9050_ACCEPT-i: "
|
||||||
|
-A INPUT -i virbr1 -p tcp --sport 9050 -j ACCEPT
|
||||||
|
#D#-A INPUT -i virbr1 -p tcp --sport 7001 -j LOG --log-uid --log-prefix "iptables_7001_ACCEPT-i: "
|
||||||
|
-A INPUT -i virbr1 -p tcp --sport 7001 -j ACCEPT
|
||||||
|
#D#-A INPUT -i virbr1 -p udp --sport 9053 -j LOG --log-uid --log-prefix "iptables_9053_ACCEPT-i: "
|
||||||
|
-A INPUT -i virbr1 -p udp --sport 9053 -j ACCEPT
|
||||||
|
#D#-A INPUT -j LOG --log-prefix "IPTABLES_filter_DROP-i: " --log-uid
|
||||||
|
#D#-A INPUT -j DROP
|
||||||
|
-A INPUT -j LIBVIRT_INP
|
||||||
|
|
||||||
|
-A FORWARD -j LIBVIRT_FWX
|
||||||
|
-A FORWARD -j LIBVIRT_FWI
|
||||||
|
-A FORWARD -j LIBVIRT_FWO
|
||||||
|
-A OUTPUT -o lo -j ACCEPT
|
||||||
|
-A OUTPUT -m state --state ESTABLISHED -j ACCEPT
|
||||||
|
#D#-A OUTPUT -o wlan4 -p icmp -j LOG --log-prefix "iptables_icmp_ACCEPT-o: " --log-uid
|
||||||
|
-A OUTPUT -o wlan4 -p icmp -j ACCEPT
|
||||||
|
#?-A OUTPUT -d 10.16.238.81/24 -j ACCEPT
|
||||||
|
#?-A OUTPUT -d 10.152.152.0/24 -j ACCEPT
|
||||||
|
#?-A OUTPUT -d 10.0.2.0/24 -j ACCEPT
|
||||||
|
|
||||||
|
# The ntp user is allowed to connect to services listening on the ntp port...
|
||||||
|
# If root runs ntpdate manually you will see requests to port 53 UID=0
|
||||||
|
#D#-A OUTPUT -o wlan4 -m owner --gid-owner 226 -p udp --dport 123 -j LOG --log-uid --log-prefix "iptables_123_ACCEPT-o: "
|
||||||
|
-A OUTPUT -o wlan4 -m owner --gid-owner 226 -p udp --dport 123 -j ACCEPT
|
||||||
|
#D#-A OUTPUT -o wlan4 -m owner --uid-owner 0 -p udp --dport 123 -j LOG --log-uid --log-prefix "iptables_123_ACCEPT-o: "
|
||||||
|
-A OUTPUT -o wlan4 -m owner --uid-owner 0 -p udp --dport 123 -j ACCEPT
|
||||||
|
# ssh - specifically forbid ssh out the wlan
|
||||||
|
-A OUTPUT -o wlan4 -p tcp --dport 22 -j LOG --log-uid --log-prefix "IPTABLES_ssh_REJECT-o: "
|
||||||
|
-A OUTPUT -o wlan4 -p tcp --dport 22 -j REJECT --reject-with icmp-port-unreachable
|
||||||
|
-A OUTPUT -o wlan4 -m owner --gid-owner 1 -j ACCEPT
|
||||||
|
# necessary and sufficient
|
||||||
|
-A OUTPUT -o wlan4 -m owner --gid-owner 216 -j ACCEPT
|
||||||
|
#D#-A OUTPUT -o virbr1 -p icmp -j LOG --log-prefix "iptables_icmp_ACCEPT-o: " --log-uid
|
||||||
|
-A OUTPUT -o virbr1 -p icmp -j ACCEPT
|
||||||
|
#D#-A OUTPUT -o virbr1 -p tcp --dport 22 -j LOG --log-uid --log-prefix "iptables_22_ACCEPT-o: "
|
||||||
|
-A OUTPUT -o virbr1 -p tcp --dport 22 -j ACCEPT
|
||||||
|
#D#-A OUTPUT -o virbr1 -p tcp --dport 9128 -j LOG --log-uid --log-prefix "iptables_9128_ACCEPT-o: "
|
||||||
|
-A OUTPUT -o virbr1 -p tcp --dport 9128 -j ACCEPT
|
||||||
|
#D#-A OUTPUT -o virbr1 -p tcp --dport 9050 -j LOG --log-uid --log-prefix "iptables_9050_ACCEPT-o: "
|
||||||
|
-A OUTPUT -o virbr1 -p tcp --dport 9050 -j ACCEPT
|
||||||
|
#D#-A OUTPUT -o virbr1 -p tcp --dport 7001 -j LOG --log-uid --log-prefix "iptables_7001_ACCEPT-o: "
|
||||||
|
-A OUTPUT -o virbr1 -p tcp --dport 7001 -j ACCEPT
|
||||||
|
#D#-A OUTPUT -o virbr1 -p udp --dport 9053 -j LOG --log-uid --log-prefix "iptables_9053_ACCEPT-o: "
|
||||||
|
-A OUTPUT -o virbr1 -p udp --dport 9053 -j ACCEPT
|
||||||
|
#??-A OUTPUT -p udp -m udp --sport 68 --dport 67 -j RETURN
|
||||||
|
#?-A OUTPUT -p udp -m udp --sport 68 --dport 67 -j ACCEPT
|
||||||
|
-A OUTPUT -j LIBVIRT_OUT
|
||||||
|
-A LIBVIRT_FWI -o virbr1 -j LOG --log-uid --log-prefix "IPTABLES_FWI_REJECT-o: "
|
||||||
|
-A LIBVIRT_FWI -o virbr2 -j REJECT --reject-with icmp-port-unreachable
|
||||||
|
|
||||||
|
-A LIBVIRT_FWI -d 10.0.2.0/24 -o virbr1 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
|
||||||
|
|
||||||
|
-A LIBVIRT_FWI -o virbr1 -j LOG --log-uid --log-prefix "IPTABLES_FWI_REJECT-o: "
|
||||||
|
-A LIBVIRT_FWI -o virbr1 -j REJECT --reject-with icmp-port-unreachable
|
||||||
|
|
||||||
|
-A LIBVIRT_FWO -i virbr2 -j LOG --log-uid --log-prefix "IPTABLES_FWO_REJECT-i: "
|
||||||
|
-A LIBVIRT_FWO -i virbr2 -j REJECT --reject-with icmp-port-unreachable
|
||||||
|
|
||||||
|
-A LIBVIRT_FWO -s 10.0.2.0/24 -i virbr1 -j ACCEPT
|
||||||
|
|
||||||
|
-A LIBVIRT_FWO -i virbr1 -j LOG --log-uid --log-prefix "IPTABLES_FWO_REJECT-i: "
|
||||||
|
-A LIBVIRT_FWO -i virbr1 -j REJECT --reject-with icmp-port-unreachable
|
||||||
|
|
||||||
|
-A LIBVIRT_FWX -i virbr2 -o virbr2 -j ACCEPT
|
||||||
|
-A LIBVIRT_FWX -i virbr1 -o virbr1 -j ACCEPT
|
||||||
|
|
||||||
|
# FixMe: sic this is what libvirt did -i --dport
|
||||||
|
# FixMe: I will disable them as I dont think theyre needed or wanted
|
||||||
|
#no -A LIBVIRT_INP -i virbr2 -p udp --dport 53 -j ACCEPT
|
||||||
|
#no -A LIBVIRT_INP -i virbr2 -p tcp --dport 53 -j ACCEPT
|
||||||
|
#no -A LIBVIRT_INP -i virbr2 -p udp --dport 67 -j ACCEPT
|
||||||
|
#no -A LIBVIRT_INP -i virbr2 -p tcp --dport 67 -j ACCEPT
|
||||||
|
#no
|
||||||
|
#no # FixMe:sic this is what libvirt did -i --dport
|
||||||
|
#no -A LIBVIRT_INP -i virbr1 -p udp --dport 53 -j ACCEPT
|
||||||
|
#no -A LIBVIRT_INP -i virbr1 -p tcp --dport 53 -j ACCEPT
|
||||||
|
#no -A LIBVIRT_INP -i virbr1 -p udp --dport 67 -j ACCEPT
|
||||||
|
#no -A LIBVIRT_INP -i virbr1 -p tcp --dport 67 -j ACCEPT
|
||||||
|
#no
|
||||||
|
#no -A LIBVIRT_OUT -o virbr2 -p udp --dport 53 -j ACCEPT
|
||||||
|
#no -A LIBVIRT_OUT -o virbr2 -p tcp --dport 53 -j ACCEPT
|
||||||
|
#no -A LIBVIRT_OUT -o virbr2 -p udp --dport 68 -j ACCEPT
|
||||||
|
#no -A LIBVIRT_OUT -o virbr2 -p tcp --dport 68 -j ACCEPT
|
||||||
|
#no
|
||||||
|
#no -A LIBVIRT_OUT -o virbr1 -p udp --dport 53 -j ACCEPT
|
||||||
|
#no -A LIBVIRT_OUT -o virbr1 -p tcp --dport 53 -j ACCEPT
|
||||||
|
#no -A LIBVIRT_OUT -o virbr1 -p udp --dport 68 -j ACCEPT
|
||||||
|
#no -A LIBVIRT_OUT -o virbr1 -p tcp --dport 68 -j ACCEPT
|
||||||
|
-A OUTPUT -j LOG --log-uid --log-prefix "IPTABLES_filter_DROP-o: "
|
||||||
|
#D#-A OUTPUT -j DROP
|
||||||
|
COMMIT
|
||||||
|
# Generated Mon 23 Nov 2020 10:02:17 PM UTC
|
||||||
|
# Whonix firewall for wlan=wlan4 IP=10.16.238.81 NET=10.16.238.81/24 LIBVIRT_FW=1
|
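Review bot: In `LIBVIRT_FWI` the first rule `-A LIBVIRT_FWI -o virbr1 -j LOG --log-uid --log-prefix "IPTABLES_FWI_REJECT-o: "` is paired with a REJECT for `virbr2`, not `virbr1`, and it sits before `-A LIBVIRT_FWI -d 10.0.2.0/24 -o virbr1 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT`, so every accepted reply into the guest network is logged as a rejection; either change that LOG to `-o virbr2` to match its REJECT, or remove it, since virbr1 is logged again immediately before its own REJECT further down. As in `firewall.conf.gateway`, `-A INPUT -m state --state ESTABLISHED -j ACCEPT` omits RELATED, so ICMP errors tied to existing flows are dropped by the INPUT policy. The trailing `# Generated Mon 23 Nov 2020 ...` and `# Whonix firewall for wlan=wlan4 IP=10.16.238.81 ...` lines, together with the hard-coded `wlan4`, `wlan6`, `virbr1` and `virbr2` names throughout, mark this as a snapshot of one machine; a header comment saying it is a per-host capture rather than a template would spare the next maintainer from deploying it unchanged.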
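--- a/overlay/Linux/etc/firewall.conf.vda
+++ b/overlay/Linux/etc/firewall.conf.vda
@@ -0,0 +1,53 @@
+# Generated by xtables-save v1.8.2 on Mon Nov 23 20:47:58 2020
+*filter
+:INPUT DROP [0:0]
+:FORWARD DROP [0:0]
+:OUTPUT DROP [0:0]
+-A INPUT -m conntrack --ctstate INVALID -j DROP
+-A INPUT -m state --state INVALID -j DROP
+-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK -j DROP
+-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
+-A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
+-A INPUT -f -j DROP
+-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
+-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
+-A INPUT -i lo -j ACCEPT
+-A INPUT -m state --state ESTABLISHED -j ACCEPT
+-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
+-A INPUT -p tcp -m tcp --dport 7001 -j ACCEPT
+-A INPUT -p tcp -j REJECT --reject-with tcp-reset
+-A INPUT -j REJECT --reject-with icmp-port-unreachable
+-A FORWARD -j DROP
+-A OUTPUT -m conntrack --ctstate INVALID -j REJECT --reject-with icmp-admin-prohibited
+-A OUTPUT -m state --state INVALID -j REJECT --reject-with icmp-admin-prohibited
+-A OUTPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK -j REJECT --reject-with icmp-admin-prohibited
+-A OUTPUT -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j REJECT --reject-with icmp-admin-prohibited
+-A OUTPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j REJECT --reject-with icmp-admin-prohibited
+-A OUTPUT -f -j REJECT --reject-with icmp-admin-prohibited
+-A OUTPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j REJECT --reject-with icmp-admin-prohibited
+-A OUTPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j REJECT --reject-with icmp-admin-prohibited
+-A OUTPUT -o lo -j ACCEPT
+-A OUTPUT -d 10.152.152.10/32 -p udp -m udp --dport 53 -j ACCEPT
+-A OUTPUT -d 10.152.152.10/32 -p udp -m udp --dport 53 -j ACCEPT
+-A OUTPUT ! -p tcp -j REJECT --reject-with icmp-port-unreachable
+-A OUTPUT -j ACCEPT
+-A OUTPUT -j REJECT --reject-with icmp-port-unreachable
+COMMIT
+# Completed on Mon Nov 23 20:47:58 2020
+# Generated by xtables-save v1.8.2 on Mon Nov 23 20:47:58 2020
+*nat
+:PREROUTING ACCEPT [0:0]
+:INPUT ACCEPT [0:0]
+:POSTROUTING ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+COMMIT
+# Completed on Mon Nov 23 20:47:58 2020
+# Generated by xtables-save v1.8.2 on Mon Nov 23 20:47:58 2020
+*mangle
+:PREROUTING ACCEPT [0:0]
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+:POSTROUTING ACCEPT [0:0]
+COMMIT
+# Completed on Mon Nov 23 20:47:58 2020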
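Review bot: `-A OUTPUT -j ACCEPT` near the end of the filter OUTPUT chain makes the `-A OUTPUT -j REJECT` after it and the `:OUTPUT DROP` policy unreachable, so every outbound TCP connection on any interface is permitted and only non-TCP traffic is rejected; if the intent is Whonix-style enforcement through the 10.152.152.10 gateway, narrow the catch-all to something like `-A OUTPUT -d 10.152.152.10/32 -p tcp -j ACCEPT` (adjusted to the real gateway address). The INPUT accepts for `--dport 22` and `--dport 7001` carry no `-i` or `-s` restriction, so both ports are reachable from every interface; bind them to the expected interface or source. The UDP 53 rule to 10.152.152.10 appears twice as identical lines, so one can be dropped. `--state ESTABLISHED` without `RELATED` also drops ICMP errors belonging to existing flows; add `RELATED` unless that is deliberate.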
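--- a/overlay/Linux/etc/firewall.conf.whonix
+++ b/overlay/Linux/etc/firewall.conf.whonix
@@ -0,0 +1,232 @@
+# firewall.conf.new.9
+*mangle
+:PREROUTING ACCEPT [0:0]
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+:POSTROUTING ACCEPT [0:0]
+:LIBVIRT_PRT - [0:0]
+#D#-A INPUT -j LOG --log-prefix "iptables_mangle_END-i: " --log-uid
+-A POSTROUTING -j LIBVIRT_PRT
+COMMIT
+*nat
+:PREROUTING ACCEPT [0:0]
+:INPUT ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+:POSTROUTING ACCEPT [0:0]
+:LIBVIRT_PRT - [0:0]
+# was ! -o lo - -o wlan6
+# let resolve.conf redirect to lo - this rule cannot be removed
+#-A OUTPUT -o wlan6 -p tcp --dport 53 -j DNAT --to-destination 127.0.0.1:53
+#-A OUTPUT -o wlan6 -p udp --dport 53 -j DNAT --to-destination 127.0.0.1:53
+
+# .onion mapped addresses redirection to Tor.
+###-A OUTPUT -d 172.16.0.0/12 -p tcp -j DNAT --to-destination 127.0.0.1:9040
+
+-A POSTROUTING -j LIBVIRT_PRT
+-A LIBVIRT_PRT -s 10.0.2.0/24 -d 224.0.0.0/24 -j RETURN
+-A LIBVIRT_PRT -s 10.0.2.0/24 -d 255.255.255.255/32 -j RETURN
+-A LIBVIRT_PRT -s 10.0.2.0/24 ! -d 10.0.2.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
+-A LIBVIRT_PRT -s 10.0.2.0/24 ! -d 10.0.2.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
+-A LIBVIRT_PRT -s 10.0.2.0/24 ! -d 10.0.2.0/24 -j MASQUERADE
+COMMIT
+*filter
+:INPUT DROP [0:0]
+:FORWARD DROP [0:0]
+:OUTPUT DROP [0:0]
+:LIBVIRT_FWI - [0:0]
+:LIBVIRT_FWO - [0:0]
+:LIBVIRT_FWX - [0:0]
+:LIBVIRT_INP - [0:0]
+:LIBVIRT_OUT - [0:0]
+
+#D#-A INPUT -j LOG --log-prefix "iptables_filter_BEGIN-i: firewall.conf.new.9" --log-uid
+
+# blocks wlan
+-A INPUT -s 217.182.196.70 -p tcp -j DROP
+-A INPUT -s 185.213.20.105 -p tcp -j DROP
+-A INPUT -s 185.32.222.237 -p tcp -j DROP
+-A INPUT -s 92.223.105.174 -p tcp -j DROP
+-A INPUT -s 195.201.168.111 -p tcp -j DROP
+-A INPUT -s 51.15.115.217 -p tcp -j DROP
+-A INPUT -s 89.163.224.33 -p tcp -j DROP
+-A INPUT -s 130.193.15.49 -p tcp -j DROP
+-A INPUT -s 95.216.19.207 -p tcp -j DROP
+-A INPUT -s 176.158.122.84 -p tcp -j DROP
+-A INPUT -s 80.66.135.13 -p tcp -j DROP
+-A INPUT -s 176.9.118.73 -p tcp -j DROP
+-A INPUT -s 109.236.90.209 -p tcp -j DROP
+-A INPUT -s 51.79.22.224 -m tcp -p tcp -j DROP
+-A INPUT -s 37.191.192.147 -m tcp -p tcp -j DROP
+-A INPUT -s 5.1.56.52 -m tcp -p tcp -j DROP
+-A INPUT -s 5.39.72.2 -m tcp -p tcp -j DROP
+-A INPUT -s 51.38.81.39 -m tcp -p tcp -j DROP
+-A INPUT -s 136.243.4.139 -m tcp -p tcp -j DROP
+-A INPUT -s 95.211.136.23 -m tcp -p tcp -j DROP
+
+## DROP INVALID
+-A INPUT -m conntrack --ctstate INVALID -j DROP
+-A INPUT -m state --state INVALID -j DROP
+
+## DROP INVALID SYN PACKETS
+-A INPUT -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j DROP
+-A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
+-A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
+
+## DROP PACKETS WITH INCOMING FRAGMENTS. THIS ATTACK ONCE RESULTED IN KERNEL PANICS
+-A INPUT -f -j DROP
+## DROP INCOMING MALFORMED XMAS PACKETS
+-A INPUT -p tcp --tcp-flags ALL ALL -j DROP
+## DROP INCOMING MALFORMED NULL PACKETS
+-A INPUT -p tcp --tcp-flags ALL NONE -j DROP
+
+-A INPUT -i lo -j ACCEPT
+-A INPUT -m state --state ESTABLISHED -j ACCEPT
+### this is required for outgoing pings
+-A INPUT -i wlan6 -p icmp -j LOG --log-prefix "iptables_icmp_ACCEPT-i: " --log-uid
+-A INPUT -i wlan6 -p icmp -j ACCEPT
+
+#!-A INPUT -i wlan6 -m owner --gid-owner 226 -p udp --sport 123 -j LOG --log-uid --log-prefix "iptables_123_ACCEPT-o: "
+#!-A INPUT -i wlan6 -m udp -p udp --sport 123 -m owner --gid-owner 226 -j ACCEPT
+#!-A INPUT -i wlan6 -m owner --uid-owner 0 -p udp --sport 123 -j LOG --log-uid --log-prefix "iptables_123_ACCEPT-o: "
+#!-A INPUT -i wlan6 -p udp --sport 123 -m owner --uid-owner 0 -j ACCEPT
+#!-A INPUT -i wlan6 -p udp --sport 123 -m owner --uid-owner 0 -j ACCEPT
+#!!-A INPUT -i wlan6 -p tcp -m owner --gid-owner 216 -j ACCEPT
+#!!-A INPUT -i wlan6 -p tcp -m owner --gid-owner 1 -j ACCEPT
+#!!-A INPUT -i wlan6 -p tcp -m owner --gid-owner 115 -j ACCEPT
+
+### let dhcp through?
+#?-A INPUT -p udp --sport 68 -j ACCEPT
+#?-A INPUT -p udp --sport 67 -j ACCEPT
+-A INPUT -i wlan6 -p udp --sport 137 -j DROP
+-A INPUT -i wlan6 -p udp --sport 138 -j DROP
+-A INPUT -i wlan6 -p udp --sport 139 -j DROP
+### this is required for outgoing pings
+-A INPUT -i virbr1 -p icmp -j LOG --log-prefix "iptables_icmp_ACCEPT-i: " --log-uid
+-A INPUT -i virbr1 -p icmp -j ACCEPT
+-A INPUT -i virbr1 -p tcp --sport 22 -j LOG --log-uid --log-prefix "iptables_22_ACCEPT-i: "
+-A INPUT -i virbr1 -p tcp --sport 22 -j ACCEPT
+-A INPUT -i virbr1 -p tcp --sport 9128 -j LOG --log-uid --log-prefix "iptables_9128_ACCEPT-i: "
+-A INPUT -i virbr1 -p tcp --sport 9128 -j ACCEPT
+-A INPUT -i virbr1 -p tcp --sport 9040 -j LOG --log-uid --log-prefix "iptables_9040_ACCEPT-i: "
+-A INPUT -i virbr1 -p tcp --sport 9040 -j ACCEPT
+-A INPUT -i virbr1 -p tcp --sport 9050 -j LOG --log-uid --log-prefix "iptables_9050_ACCEPT-i: "
+-A INPUT -i virbr1 -p tcp --sport 9050 -j ACCEPT
+-A INPUT -i virbr1 -p udp --sport 9053 -j LOG --log-uid --log-prefix "iptables_9053_ACCEPT-i: "
+-A INPUT -i virbr1 -p udp --sport 9053 -j ACCEPT
+-A INPUT -i virbr1 -p udp --sport 7001 -j LOG --log-uid --log-prefix "iptables_7001_ACCEPT-i: "
+-A INPUT -i virbr1 -p udp --sport 7001 -j ACCEPT
+
+#D#-A INPUT -j LOG --log-prefix "IPTABLES_filter_DROP-i: " --log-uid
+#D#-A INPUT -j DROP
+##-A FORWARD -j LOG --log-prefix "IPTABLES_forward_DROP-i: " --log-uid
+##-A FORWARD -j REJECT --reject-with icmp-admin-prohibited
+-A INPUT -j LIBVIRT_INP
+-A FORWARD -j LIBVIRT_FWX
+-A FORWARD -j LIBVIRT_FWI
+-A FORWARD -j LIBVIRT_FWO
+-A OUTPUT -o lo -j ACCEPT
+-A OUTPUT -m state --state ESTABLISHED -j ACCEPT
+-A OUTPUT -o wlan6 -p icmp -j LOG --log-prefix "iptables_icmp_ACCEPT-o: " --log-uid
+-A OUTPUT -o wlan6 -p icmp -j ACCEPT
+## Accept outgoing connections to local network, Whonix-Workstation and VirtualBox,
+#? WHY?!
+##-A OUTPUT -d 192.168.1.0/24 -j ACCEPT
+##-A OUTPUT -d 10.16.238.0/24 -j ACCEPT
+##-A OUTPUT -d 10.152.152.0/24 -j ACCEPT
+##-A OUTPUT -d 10.0.2.0/24 -j ACCEPT
+
+# The ntp user is allowed to connect to services listening on the ntp port...
+# If root runs ntpdate manually you will see requests to port 53 UID=0
+-A OUTPUT -o wlan6 -m owner --gid-owner 226 -p udp --dport 123 -j LOG --log-uid --log-prefix "iptables_123_ACCEPT-o: "
+-A OUTPUT -o wlan6 -m owner --gid-owner 226 -p udp --dport 123 -j ACCEPT
+-A OUTPUT -o wlan6 -m owner --uid-owner 0 -p udp --dport 123 -j LOG --log-uid --log-prefix "iptables_123_ACCEPT-o: "
+-A OUTPUT -o wlan6 -m owner --uid-owner 0 -p udp --dport 123 -j ACCEPT
+-A OUTPUT -o wlan6 -p tcp --dport 22 -j LOG --log-uid --log-prefix "IPTABLES_ssh_REJECT-o: "
+-A OUTPUT -o wlan6 -p tcp --dport 22 -j REJECT --reject-with icmp-port-unreachable
+-A OUTPUT -o wlan6 -m owner --gid-owner 216 -j ACCEPT
+-A OUTPUT -o wlan6 -m owner --gid-owner 115 -j ACCEPT
+-A OUTPUT -o wlan6 -m owner --gid-owner 1 -j ACCEPT
+-A OUTPUT -o virbr1 -p icmp -j LOG --log-prefix "iptables_icmp_ACCEPT-o: " --log-uid
+-A OUTPUT -o virbr1 -p icmp -j ACCEPT
+-A OUTPUT -o virbr1 -p tcp --dport 22 -j LOG --log-uid --log-prefix "iptables_22_ACCEPT-o: "
+-A OUTPUT -o virbr1 -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -o virbr1 -p tcp --dport 9128 -j LOG --log-uid --log-prefix "iptables_9128_ACCEPT-o: "
+-A OUTPUT -o virbr1 -p tcp --dport 9128 -j ACCEPT
+-A OUTPUT -o virbr1 -p tcp --dport 9040 -j LOG --log-uid --log-prefix "iptables_9040_ACCEPT-o: "
+-A OUTPUT -o virbr1 -p tcp --dport 9040 -j ACCEPT
+-A OUTPUT -o virbr1 -p tcp --dport 9050 -j LOG --log-uid --log-prefix "iptables_9050_ACCEPT-o: "
+-A OUTPUT -o virbr1 -p tcp --dport 9050 -j ACCEPT
+-A OUTPUT -o virbr1 -p udp --dport 9053 -j LOG --log-uid --log-prefix "iptables_9053_ACCEPT-o: "
+-A OUTPUT -o virbr1 -p udp --dport 9053 -j ACCEPT
+-A OUTPUT -o virbr1 -p tcp --dport 7001 -j LOG --log-uid --log-prefix "iptables_7001_ACCEPT-o: "
+-A OUTPUT -o virbr1 -p tcp --dport 7001 -j ACCEPT
+#??-A OUTPUT -p udp -m udp --sport 68 --dport 67 -j RETURN
+#?-A OUTPUT -p udp -m udp --sport 68 --dport 67 -j ACCEPT
+-A OUTPUT -j LIBVIRT_OUT
+
+# blocks virbr1
+-A LIBVIRT_FWI -s 217.182.196.70 -p tcp -j DROP
+-A LIBVIRT_FWI -s 185.213.20.105 -p tcp -j DROP
+-A LIBVIRT_FWI -s 185.32.222.237 -p tcp -j DROP
+-A LIBVIRT_FWI -s 92.223.105.174 -p tcp -j DROP
+-A LIBVIRT_FWI -s 195.201.168.111 -p tcp -j DROP
+-A LIBVIRT_FWI -s 51.15.115.217 -p tcp -j DROP
+-A LIBVIRT_FWI -s 89.163.224.33 -p tcp -j DROP
+-A LIBVIRT_FWI -s 130.193.15.49 -p tcp -j DROP
+-A LIBVIRT_FWI -s 95.216.19.207 -p tcp -j DROP
+-A LIBVIRT_FWI -s 176.158.122.84 -p tcp -j DROP
+-A LIBVIRT_FWI -s 80.66.135.13 -p tcp -j DROP
+-A LIBVIRT_FWI -s 176.9.118.73 -p tcp -j DROP
+-A LIBVIRT_FWI -s 109.236.90.209 -p tcp -j DROP
+-A LIBVIRT_FWI -s 51.79.22.224 -m tcp -p tcp -j DROP
+-A LIBVIRT_FWI -s 37.191.192.147 -m tcp -p tcp -j DROP
+-A LIBVIRT_FWI -s 5.1.56.52 -m tcp -p tcp -j DROP
+-A LIBVIRT_FWI -s 5.39.72.2 -m tcp -p tcp -j DROP
+-A LIBVIRT_FWI -s 51.38.81.39 -m tcp -p tcp -j DROP
+-A LIBVIRT_FWI -s 136.243.4.139 -m tcp -p tcp -j DROP
+-A LIBVIRT_FWI -s 95.211.136.23 -m tcp -p tcp -j DROP
+
+# Drop any TCP Acknowlegements they are not needed an they trigger the logs
+# https://serverfault.com/questions/578735/for-what-is-a-general-allow-ack-rule-in-iptables-good-for
+# This creates a hole in the firewall big enough to portscan through;
+# nmap even has a flag to do an ACK scan which this rule will permit. Michael Hampton
+# -A LIBVIRT_FWI -i wlan6 -m tcp -p tcp --tcp-flags ACK ACK -j DROP
+
+-A LIBVIRT_FWI -o virbr1 -j LOG --log-uid --log-prefix "IPTABLES_FWI_REJECT-o: "
+-A LIBVIRT_FWI -o virbr2 -j REJECT --reject-with icmp-port-unreachable
+-A LIBVIRT_FWI -d 10.0.2.0/24 -o virbr1 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+-A LIBVIRT_FWI -o virbr1 -j LOG --log-uid --log-prefix "IPTABLES_FWI_REJECT-o: "
+-A LIBVIRT_FWI -o virbr1 -j REJECT --reject-with icmp-port-unreachable
+-A LIBVIRT_FWO -i virbr2 -j LOG --log-uid --log-prefix "IPTABLES_FWO_REJECT-i: "
+-A LIBVIRT_FWO -i virbr2 -j REJECT --reject-with icmp-port-unreachable
+-A LIBVIRT_FWO -s 10.0.2.0/24 -i virbr1 -j ACCEPT
+-A LIBVIRT_FWO -i virbr1 -j LOG --log-uid --log-prefix "IPTABLES_FWO_REJECT-i: "
+-A LIBVIRT_FWO -i virbr1 -j REJECT --reject-with icmp-port-unreachable
+-A LIBVIRT_FWX -i virbr2 -o virbr2 -j ACCEPT
+-A LIBVIRT_FWX -i virbr1 -o virbr1 -j ACCEPT
+# FixMe: sic this is what libvirt did -i --dport
+# FixMe: I will disable them as I dont think theyre needed
+#no -A LIBVIRT_INP -i virbr2 -p udp --dport 53 -j ACCEPT
+#no -A LIBVIRT_INP -i virbr2 -p tcp --dport 53 -j ACCEPT
+#no -A LIBVIRT_INP -i virbr2 -p udp --dport 67 -j ACCEPT
+#no -A LIBVIRT_INP -i virbr2 -p tcp --dport 67 -j ACCEPT
+#no -A LIBVIRT_INP -i virbr1 -p udp --dport 53 -j ACCEPT
+#no -A LIBVIRT_INP -i virbr1 -p tcp --dport 53 -j ACCEPT
+#no -A LIBVIRT_INP -i virbr1 -p udp --dport 67 -j ACCEPT
+#no -A LIBVIRT_INP -i virbr1 -p tcp --dport 67 -j ACCEPT
+#no -A LIBVIRT_OUT -o virbr2 -p udp --dport 53 -j ACCEPT
+#no -A LIBVIRT_OUT -o virbr2 -p tcp --dport 53 -j ACCEPT
+#no -A LIBVIRT_OUT -o virbr2 -p udp --dport 68 -j ACCEPT
+#no -A LIBVIRT_OUT -o virbr2 -p tcp --dport 68 -j ACCEPT
+#no -A LIBVIRT_OUT -o virbr1 -p udp --dport 53 -j ACCEPT
+#no -A LIBVIRT_OUT -o virbr1 -p tcp --dport 53 -j ACCEPT
+#no -A LIBVIRT_OUT -o virbr1 -p udp --dport 68 -j ACCEPT
+#no -A LIBVIRT_OUT -o virbr1 -p tcp --dport 68 -j ACCEPT
+-A OUTPUT -j LOG --log-uid --log-prefix "IPTABLES_filter_DROP-o: "
+-A OUTPUT -j DROP
+COMMIT
+# Completed on Wed Nov 4 01:14:37 2020
+# Whonix firewall for wlan6 10.16.238.64 10.16.238.64/24 LIBVIRT_FW=1
+# WORKS with Gateway tor - ssh
+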
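Review bot: The `--sport`-keyed ACCEPT rules on virbr1 (`-A INPUT -i virbr1 -p tcp --sport 22 -j ACCEPT` and its 9128/9040/9050/9053/7001 siblings) let any guest on that bridge open a new connection to any listening host port simply by choosing that source port, which the guest controls; replies to the host-initiated connections allowed in OUTPUT are already covered by `-A INPUT -m state --state ESTABLISHED -j ACCEPT`, so these rules add only exposure and should be deleted (or, if a host service must be reachable from the guest, keyed on `--dport` with the intended port). Separately, the first `-A LIBVIRT_FWI -o virbr1 -j LOG ... "IPTABLES_FWI_REJECT-o: "` sits before the `RELATED,ESTABLISHED` accept for virbr1, so it logs accepted traffic under a REJECT prefix, while the REJECT immediately after it targets virbr2 — presumably that first LOG was meant to read `-o virbr2`. The hard-coded address lists under `# blocks wlan` and `# blocks virbr1` are undocumented; a comment on where they come from and when to review them would help the next maintainer.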
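--- a/overlay/Linux/etc/firewall.conf.ws
+++ b/overlay/Linux/etc/firewall.conf.ws
@@ -0,0 +1,52 @@
+# Generated by xtables-save v1.8.2 on Mon Nov 23 20:47:58 2020
+*filter
+:INPUT DROP [0:0]
+:FORWARD DROP [0:0]
+:OUTPUT DROP [0:0]
+-A INPUT -m conntrack --ctstate INVALID -j DROP
+-A INPUT -m state --state INVALID -j DROP
+-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK -j DROP
+-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
+-A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
+-A INPUT -f -j DROP
+-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
+-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
+-A INPUT -i lo -j ACCEPT
+-A INPUT -m state --state ESTABLISHED -j ACCEPT
+-A INPUT -p tcp -m tcp --dport 7002 -j ACCEPT
+-A INPUT -p tcp -j REJECT --reject-with tcp-reset
+-A INPUT -j REJECT --reject-with icmp-port-unreachable
+-A FORWARD -j DROP
+-A OUTPUT -m conntrack --ctstate INVALID -j REJECT --reject-with icmp-admin-prohibited
+-A OUTPUT -m state --state INVALID -j REJECT --reject-with icmp-admin-prohibited
+-A OUTPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK -j REJECT --reject-with icmp-admin-prohibited
+-A OUTPUT -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j REJECT --reject-with icmp-admin-prohibited
+-A OUTPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j REJECT --reject-with icmp-admin-prohibited
+-A OUTPUT -f -j REJECT --reject-with icmp-admin-prohibited
+-A OUTPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j REJECT --reject-with icmp-admin-prohibited
+-A OUTPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j REJECT --reject-with icmp-admin-prohibited
+-A OUTPUT -o lo -j ACCEPT
+-A OUTPUT -d 10.152.152.10/32 -p udp -m udp --dport 53 -j ACCEPT
+-A OUTPUT -d 10.152.152.10/32 -p udp -m udp --dport 53 -j ACCEPT
+-A OUTPUT ! -p tcp -j REJECT --reject-with icmp-port-unreachable
+-A OUTPUT -j ACCEPT
+-A OUTPUT -j REJECT --reject-with icmp-port-unreachable
+COMMIT
+# Completed on Mon Nov 23 20:47:58 2020
+# Generated by xtables-save v1.8.2 on Mon Nov 23 20:47:58 2020
+*nat
+:PREROUTING ACCEPT [0:0]
+:INPUT ACCEPT [0:0]
+:POSTROUTING ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+COMMIT
+# Completed on Mon Nov 23 20:47:58 2020
+# Generated by xtables-save v1.8.2 on Mon Nov 23 20:47:58 2020
+*mangle
+:PREROUTING ACCEPT [0:0]
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+:POSTROUTING ACCEPT [0:0]
+COMMIT
+# Completed on Mon Nov 23 20:47:58 2020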
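Review bot: The blanket `-A OUTPUT -j ACCEPT` placed after `-A OUTPUT ! -p tcp -j REJECT` means any TCP destination is reachable from this workstation ruleset, and the final `-A OUTPUT -j REJECT` plus the `:OUTPUT DROP` policy never see a packet; if only the 10.152.152.10 gateway should be reachable, the accept should be `-A OUTPUT -d 10.152.152.10/32 -p tcp -j ACCEPT` (or whatever the gateway address is here) with the trailing REJECT left to catch the rest. `-A INPUT -p tcp -m tcp --dport 7002 -j ACCEPT` has no `-i`/`-s` qualifier, so 7002 is open on every interface; scope it to the interface or peer that needs it, and say in a comment what listens there. The two identical UDP 53 lines to 10.152.152.10 can be collapsed to one. This file differs from firewall.conf.vda only in the accepted ports (7002 here versus 22 and 7001), so the same `ESTABLISHED`-without-`RELATED` caveat applies.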
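--- a/overlay/Linux/etc/gnupg/gpgconf.conf.tor
+++ b/overlay/Linux/etc/gnupg/gpgconf.conf.tor
@@ -0,0 +1,89 @@
+# -*- mode: conf; indent-tabs-mode: nil; tab-width: 2; coding: utf-8-unix -*-
+# https://github.com/ioerror/duraconf/blob/master/configs/gnupg/gpg.conf
+#
+# This is an implementation of the Riseup OpenPGP Best Practices
+# https://help.riseup.net/en/security/message-security/openpgp/best-practices
+#
+
+
+#-----------------------------
+# default key
+#-----------------------------
+
+# The default key to sign with. If this option is not used, the default key is
+# the first key found in the secret keyring
+
+#default-key 0xD8692123C4065DEA5E0F3AB5249B39D24F25E3B6
+
+
+#-----------------------------
+# behavior
+#-----------------------------
+
+# Disable inclusion of the version string in ASCII armored output
+no-emit-version
+
+# Disable comment string in clear text signatures and ASCII armored messages
+no-comments
+
+# Display long key IDs
+keyid-format 0xlong
+
+# List all keys (or the specified ones) along with their fingerprints
+with-fingerprint
+
+# Display the calculated validity of user IDs during key listings
+list-options show-uid-validity
+verify-options show-uid-validity
+
+# Try to use the GnuPG-Agent. With this option, GnuPG first tries to connect to
+# the agent before it asks for a passphrase.
+use-agent
+
+
+#-----------------------------
+# keyserver
+#-----------------------------
+
+# This is the server that --recv-keys, --send-keys, and --search-keys will
+# communicate with to receive keys from, send keys to, and search for keys on
+keyserver hkps://keys.openpgp.org/
+
+# Set the proxy to use for HTTP and HKP keyservers - default to the standard
+# local Tor socks proxy
+# It is encouraged to use Tor for improved anonymity. Preferrably use either a
+# dedicated SOCKSPort for GnuPG and/or enable IsolateDestPort and
+# IsolateDestAddr
+keyserver-options http-proxy=http://localhost:3128
+
+# Don't leak DNS, see https://trac.torproject.org/projects/tor/ticket/2846
+# Debian! gpg: keyserver option 'no-try-dns-srv' is unknown
+#keyserver-options no-try-dns-srv
+
+# When using --refresh-keys, if the key in question has a preferred keyserver
+# URL, then disable use of that preferred keyserver to refresh the key from
+keyserver-options no-honor-keyserver-url
+
+# When searching for a key with --search-keys, include keys that are marked on
+# the keyserver as revoked
+keyserver-options include-revoked
+
+
+#-----------------------------
+# algorithm and ciphers
+#-----------------------------
+
+# list of personal digest preferences. When multiple digests are supported by
+# all recipients, choose the strongest one
+personal-cipher-preferences AES256 AES192 AES CAST5
+
+# list of personal digest preferences. When multiple ciphers are supported by
+# all recipients, choose the strongest one
+personal-digest-preferences SHA512 SHA384 SHA256 SHA224
+
+# message digest algorithm used when signing a key
+cert-digest-algo SHA512
+
+# This preference list is used for new keys and becomes the default for
+# "setpref" in the edit menu
+default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed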
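Review bot: The comment above `keyserver-options http-proxy=http://localhost:3128` says this is the local Tor SOCKS proxy, but 3128 is the conventional port of an HTTP proxy such as Squid rather than Tor's SOCKS port, so whether keyserver lookups are actually torified depends on what listens on 3128; the comment should say which proxy it is, e.g. `# 3128 is the local HTTP proxy; it must itself be routed over Tor or keyserver traffic is not anonymised`. The two comment headers under "algorithm and ciphers" are swapped: the one above `personal-cipher-preferences` talks about digests and the one above `personal-digest-preferences` about ciphers. These are gpg.conf directives, whereas a file named gpgconf.conf has a different syntax for the gpgconf tool, so confirm the destination path when it is installed. `use-agent` is obsolete and ignored on GnuPG 2.1 and later; harmless, but worth a note so nobody relies on it.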
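--- a/overlay/Linux/etc/gnupg/gpgconf.conf.whonix
+++ b/overlay/Linux/etc/gnupg/gpgconf.conf.whonix
@@ -0,0 +1,89 @@
+# -*- mode: conf; indent-tabs-mode: nil; tab-width: 2; coding: utf-8-unix -*-
+# https://github.com/ioerror/duraconf/blob/master/configs/gnupg/gpg.conf
+#
+# This is an implementation of the Riseup OpenPGP Best Practices
+# https://help.riseup.net/en/security/message-security/openpgp/best-practices
+#
+
+
+#-----------------------------
+# default key
+#-----------------------------
+
+# The default key to sign with. If this option is not used, the default key is
+# the first key found in the secret keyring
+
+#default-key 0xD8692123C4065DEA5E0F3AB5249B39D24F25E3B6
+
+
+#-----------------------------
+# behavior
+#-----------------------------
+
+# Disable inclusion of the version string in ASCII armored output
+no-emit-version
+
+# Disable comment string in clear text signatures and ASCII armored messages
+no-comments
+
+# Display long key IDs
+keyid-format 0xlong
+
+# List all keys (or the specified ones) along with their fingerprints
+with-fingerprint
+
+# Display the calculated validity of user IDs during key listings
+list-options show-uid-validity
+verify-options show-uid-validity
+
+# Try to use the GnuPG-Agent. With this option, GnuPG first tries to connect to
+# the agent before it asks for a passphrase.
+use-agent
+
+
+#-----------------------------
+# keyserver
+#-----------------------------
+
+# This is the server that --recv-keys, --send-keys, and --search-keys will
+# communicate with to receive keys from, send keys to, and search for keys on
+keyserver hkps://keys.openpgp.org/
+
+# Set the proxy to use for HTTP and HKP keyservers - default to the standard
+# local Tor socks proxy
+# It is encouraged to use Tor for improved anonymity. Preferrably use either a
+# dedicated SOCKSPort for GnuPG and/or enable IsolateDestPort and
+# IsolateDestAddr
+keyserver-options http-proxy=http://localhost:3128
+
+# Don't leak DNS, see https://trac.torproject.org/projects/tor/ticket/2846
+# Debian! gpg: keyserver option 'no-try-dns-srv' is unknown
+keyserver-options no-try-dns-srv
+
+# When using --refresh-keys, if the key in question has a preferred keyserver
+# URL, then disable use of that preferred keyserver to refresh the key from
+keyserver-options no-honor-keyserver-url
+
+# When searching for a key with --search-keys, include keys that are marked on
+# the keyserver as revoked
+keyserver-options include-revoked
+
+
+#-----------------------------
+# algorithm and ciphers
+#-----------------------------
+
+# list of personal digest preferences. When multiple digests are supported by
+# all recipients, choose the strongest one
+personal-cipher-preferences AES256 AES192 AES CAST5
+
+# list of personal digest preferences. When multiple ciphers are supported by
+# all recipients, choose the strongest one
+personal-digest-preferences SHA512 SHA384 SHA256 SHA224
+
+# message digest algorithm used when signing a key
+cert-digest-algo SHA512
+
+# This preference list is used for new keys and becomes the default for
+# "setpref" in the edit menu
+default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed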
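Review bot: `keyserver-options no-try-dns-srv` is enabled on the line directly below the comment recording that gpg reports this keyserver option as unknown, so on a Debian-based gpg (which Whonix ships) the option is not honoured and the DNS-leak concern cited from Tor ticket 2846 is not addressed by it; either remove the line so the file matches the `.tor` variant, or replace the comment with one stating which gpg version still accepts it. Apart from that one line this file duplicates gpgconf.conf.tor byte for byte, so the same points apply: the comment above `http-proxy=http://localhost:3128` claims a Tor SOCKS proxy while 3128 is conventionally an HTTP proxy port, and the cipher/digest comment headers are swapped. A one-line comment at the top naming the single intended difference from the `.tor` file would stop the two from drifting apart.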
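--- a/overlay/Linux/usr/local/Whonix-Host.rc
+++ b/overlay/Linux/usr/local/Whonix-Host.rc
@@ -0,0 +1,138 @@
+#!/bin/sh
+# -*-mode: sh; tab-width: 8; coding: utf-8-unix -*-
+#
+# rc.local
+#
+# This script is executed at the end of each multiuser runlevel.
+# Make sure that the script will "exit 0" on success or any other
+# value on error.
+. /usr/local/etc/local.d/local.bash
+
+chmod 775 /usr/local/sbin/*sh /usr/local/bin/*sh
+export PATH=$PATH:/usr/local/bin:/usr/local/sbin
+
+grep -q root=/dev/vda /proc/cmdline
+PROXY_IS_VDA=$?
+if [ $PROXY_IS_VDA -eq 0 ] ; then
+/usr/local/sbin/proxy_whonix_lib.bash proxy_vda_config
+fi
+
+# Host and Vda
+[ -d /etc/apt ] && \
+local_manual_stop_services openvpn exim4 apt-daily-upgrade udisks2 \
+sdwdate tb-updater-first-boot lvm2-monitor
+
+# BEGIN ANSIBLE MANAGED BLOCK base initctl
+if [ ! -e /dev/initctl -a -e /run/initctl ] ; then
+ln -s /run/initctl /dev/initctl
+elif [ ! -e /dev/initctl ] ; then
+mknod -m=0600 /dev/initctl p
+fi
+# END ANSIBLE MANAGED BLOCK base initctl
+
+# BEGIN ANSIBLE MANAGED BLOCK base
+( cd /var/tmp && rm -rf ansible-local-* Temp-* ssh-* pulse-* .xfsm-ICE-* )
+# END ANSIBLE MANAGED BLOCK base
+
+# sh "/var/local/etc/local.d/testforge.start"
+
+# redis
+# WARNING you have Transparent Huge Pages (THP) support enabled in your kernel. This will create latency and memory usage issues with Redis. To fix this issue run the command 'echo never > /sys/kernel/mm/transparent_hugepage/enabled' as root, and add it to your /etc/rc.local in order to retain the setting after a reboot. Redis must be restarted after THP is disabled.
+#? echo never > /sys/kernel/mm/transparent_hugepage/enabled
+
+if false;then
+# failsafe but independent of whether wlan exists
+[ -f /usr/local/sbin/proxy_whonix_host_libvirt.bash ] && \
+sh /usr/local/sbin/proxy_whonix_host_libvirt.bash proxy_whonix_libvirt_start
+
+if ! /usr/local/sbin/proxy_whonix_host.bash config ; then
+echo WARN: Whonix-Host.rc proxy_whonix_host.bash config failed $?
+fi
+if ! /usr/local/sbin/proxy_whonix_host.bash start ; then
+echo WARN: Whonix-Host.rc proxy_whonix_host.bash start failed $?
+fi
+if ! /usr/local/sbin/proxy_whonix_host.bash test ; then
+echo WARN: Whonix-Host.rc proxy_whonix_host.bash test failed $?
+fi
+fi
+
+exit 0
+# BEGIN ANSIBLE MANAGED BLOCK update lati_unix.yml text
+local_systemd_stop_services display-manager
+# END ANSIBLE MANAGED BLOCK update lati_unix.yml text
+# BEGIN ANSIBLE MANAGED BLOCK update lati_unix.yml fstab
+for eltin h i j o q v q w l ; do
+[ -d /mnt/$elt/tmp ] || mount /mnt/$elt
+done
+exit 0
+# END ANSIBLE MANAGED BLOCK update lati_unix.yml fstab
+# BEGIN ANSIBLE MANAGED BLOCK update lati_unix.yml mask
+# local_manual_stop_services
+SYSTEMD_STOP_AND_MASK="
+debug-shell.service
+systemd-backlight@.service
+phpsessionclean.service
+phpsessionclean.timer
+apt-daily-upgrade.service
+apt-daily-upgrade.timer
+dbus-org.freedesktop.nm-dispatcher.service
+tb-updater-first-boot.service
+openvpn.service
+systemd-backlight@.service
+systemd-backlight@backlight.service
+vboxadd-service.service
+vboxautostart-service.service
+vboxballoonctrl-service.service
+vboxdrv.service
+vboxweb-service.service
+"
+# /usr/local/etc/local.d/local.bash local_systemd_stop_and_mask $SYSTEMD_STOP_AND_MASK
+for file in /usr/local/etc/systemd/*.mask ; do
+cat $file | /usr/local/etc/local.d/local.bash local_systemd_stop_and_mask
+done
+# END ANSIBLE MANAGED BLOCK update lati_unix.yml mask
+/var/local/bin/harden_dbus_neuter.bash
+which brightnessctl 2>/dev/null >/dev/null && brightnessctl set 90%
+
+# BEGIN ANSIBLE MANAGED BLOCK update
+/usr/local/etc/local.d/local.bash local_disable_lid
+# END ANSIBLE MANAGED BLOCK update
+# BEGIN ANSIBLE MANAGED BLOCK update local_disable_lid
+/usr/local/etc/local.d/local.bash local_disable_lid
+# END ANSIBLE MANAGED BLOCK update local_disable_lid
+# BEGIN ANSIBLE MANAGED BLOCK base lati_unix.yml mask
+ROLE=base
+for file in /usr/local/etc/systemd/$ROLE.mask ; do
+cat $file | /usr/local/etc/local.d/local.bash local_systemd_stop_and_mask
+done
+# END ANSIBLE MANAGED BLOCK base lati_unix.yml mask
+# BEGIN ANSIBLE MANAGED BLOCK gpgkey lati_unix.yml mask
+ROLE=gpgkey
+for file in /usr/local/etc/systemd/$ROLE.mask ; do
+cat $file | /usr/local/etc/local.d/local.bash local_systemd_stop_and_mask
+done
+# END ANSIBLE MANAGED BLOCK gpgkey lati_unix.yml mask
+# BEGIN ANSIBLE MANAGED BLOCK hostvms lati_unix.yml mask
+ROLE=hostvms
+for file in /usr/local/etc/systemd/$ROLE.mask ; do
+cat $file | /usr/local/etc/local.d/local.bash local_systemd_stop_and_mask
+done
+# END ANSIBLE MANAGED BLOCK hostvms lati_unix.yml mask
+# BEGIN ANSIBLE MANAGED BLOCK privacy lati_unix.yml mask
+ROLE=privacy
+for file in /usr/local/etc/systemd/$ROLE.mask ; do
+cat $file | /usr/local/etc/local.d/local.bash local_systemd_stop_and_mask
+done
+# END ANSIBLE MANAGED BLOCK privacy lati_unix.yml mask
+# BEGIN ANSIBLE MANAGED BLOCK proxy lati_unix.yml mask
+ROLE=proxy
+for file in /usr/local/etc/systemd/$ROLE.mask ; do
+cat $file | /usr/local/etc/local.d/local.bash local_systemd_stop_and_mask
+done
+# END ANSIBLE MANAGED BLOCK proxy lati_unix.yml mask
+# BEGIN ANSIBLE MANAGED BLOCK testforge lati_unix.yml mask
+ROLE=testforge
+for file in /usr/local/etc/systemd/$ROLE.mask ; do
+cat $file | /usr/local/etc/local.d/local.bash local_systemd_stop_and_mask
+done
+# END ANSIBLE MANAGED BLOCK testforge lati_unix.yml mask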
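Review bot: `chmod 775 /usr/local/sbin/*sh /usr/local/bin/*sh` makes every script in those directories group-writable, and this root-run rc file then executes several of them (`/usr/local/sbin/proxy_whonix_lib.bash`, the `local.bash` calls, `/var/local/bin/harden_dbus_neuter.bash`), so any account in the owning group can plant code that runs as root at the next boot; use `chmod 755 /usr/local/sbin/*sh /usr/local/bin/*sh` unless that group is root-only, and say so in a comment. `mknod -m=0600 /dev/initctl p` is likely rejected with an invalid-mode error because the short option does not take `=`; `mknod -m 0600 /dev/initctl p`. Everything after the first `exit 0` is dead code, including `for eltin h i j o q v q w l ; do` where the missing space means `$elt` is never set and `mount /mnt/` would be attempted if it ever ran; either delete that tail or fix it and move it above the exit. The file is a /bin/sh script that sources `local.bash` and calls `*.bash` helpers, so a comment noting that /bin/sh must be bash-compatible here (or switching the shebang) would save the next person a confusing failure.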
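--- a/overlay/Linux/usr/local/bin/curl.bash
+++ b/overlay/Linux/usr/local/bin/curl.bash
@@ -0,0 +1,45 @@
+#!/bin/bash
+# -*- mode: sh; tab-width: 8; encoding: utf-8-unix -*-
+
+ROLE=proxy
+
+ip route | grep -q ^def || {
+WARN we are not connected
+}
+
+[ -f $HOME/.curlrc ] || touch $HOME/.curlrc
+
+declare -a CURL_OPTS
+if [[ "$socks_proxy" =~ socks5://.* ]] ; then
+export socks_proxy="$( echo $socks_proxy | sed -e 's@socks5://@socks5h://@' )"
+CURL_OPTS+=( --proxy $socks_proxy )
+[ -n "$https_proxy" ] && export https_proxy= && unset https_proxy
+[ -n "$http_proxy" ] && export http_proxy= && unset http_proxy
+elif [ -n "$https_proxy" ] ; then
+CURL_OPTS+=( --proxy $https_proxy )
+[ -n "$http_proxy" ] && export http_proxy= && unset http_proxy
+elif [ -n "$http_proxy" ] ; then
+CURL_OPTS+=( --proxy $http_proxy )
+fi
+
+export CURL_OPTS+=( -L --remote-time )
+if ! uname -a | grep -q 'Devuan\|Debian' && [ -s $HOME/.local/alt.svc ] ; then
+export CURL_OPTS+=( --alt-svc $HOME/.local/alt.svc )
+# #define CURLALTSVC_H2 (1<<4)
+export CURLOPT_ALTSVC_CTRL=16
+fi
+
+[[ ! "$*" =~ --config ]] && [ -s "$HOME/.curlrc" ] && \
+export CURL_OPTS+=( --config $HOME/.curlrc )
+[[ ! "$*" =~ --cookie-jar ]] && [ -s $HOME/.local/jar.cookie ] && \
+export CURL_OPTS+=( --cookie-jar $HOME/.local/jar.cookie )
+if [[ ! "$*" =~ --capath ]] && \
+[[ ! "$*" =~ --cacert ]] && \
+[ -s /usr/local/etc/ssl/cacert-testforge.pem ] ; then
+# --capath /usr/local/etc/:/etc/ssl/certs
+export CURL_OPTS+=( --cacert /usr/local/etc/ssl/cacert-testforge.pem )
+export CURL_CA_BUNDLE=/usr/local/etc/ssl/cacert-testforge.pem
+fi
+
+echo INFO: curl $CURL_OPTS "$@"
+exec curl $CURL_OPTS "$@"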
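Review bot: `$CURL_OPTS` on the last two lines expands only to element 0 of the array, so `exec curl $CURL_OPTS "$@"` passes a lone `--proxy` (or `-L` when no proxy is set) and drops everything appended after it, including `--cacert /usr/local/etc/ssl/cacert-testforge.pem`; the pinned CA bundle only takes effect through the exported `CURL_CA_BUNDLE`, and with a proxy configured the caller's first URL argument is consumed as the proxy value. Use `exec curl "${CURL_OPTS[@]}" "$@"` and the same form in the `echo INFO:` line. The `export CURL_OPTS+=( … )` lines do not carry an array into curl's environment either; a plain `CURL_OPTS+=( … )` says what actually happens. Consider writing the INFO line to stderr (`>&2`) so it does not mix with downloaded content when stdout is piped.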
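--- a/overlay/Linux/usr/local/bin/dirmngr.bash
+++ b/overlay/Linux/usr/local/bin/dirmngr.bash
@@ -0,0 +1,63 @@
+#!/bin/bash
+# -*- mode: sh; fill-column: 75; tab-width: 8; coding: utf-8-unix -*-
+
+PREFIX=/usr/local
+ROLE=proxy
+
+. /usr/local/bin/usr_local_base.bash || exit 2
+
+if [ "$#" -eq 1 -a "$1" = '--version' ] ; then
+exec /usr/bin/dirmngr.bin --version
+return 0
+fi
+
+# echo "DEBUG: $0 GNUPGHOME=$GNUPGHOME $*" >> /tmp/$$.out
+PROXY_GPG_KEYSERVER=keys.openpgp.org
+
+[ -f /usr/local/etc/testforge/testforge.bash ] && . /usr/local/etc/testforge/testforge.bash >/dev/null
+[ -z "$PROXY_GPG_KEYERVER_URL" ] && PROXY_GPG_KEYERVER_URL=hkps://$PROXY_GPG_KEYSERVER
+
+# ONLY disabling on the command line or
+[ -e /proc/sys/net/ipv6/conf/default/disable_ipv6 ] && \
+[ `cat /proc/sys/net/ipv6/conf/default/disable_ipv6` -eq 0 ] && \
+echo 1 > /proc/sys/net/ipv6/conf/default/disable_ipv6
+
+PROXY_WLAN=$( /usr/local/bin/proxy_ping_lib.bash proxy_set_if ) # || return 1$?
+if [ -n "$PROXY_WLAN" ] ; then
+wlan7=$PROXY_WLAN
+
+[ -e /proc/sys/net/ipv6/conf/$wlan7/disable_ipv6 ] && \
+[ `cat /proc/sys/net/ipv6/conf/$wlan7/disable_ipv6` -eq 0 ] && \
+echo 1 > /proc/sys/net/ipv6/conf/$wlan7/disable_ipv6
+fi
+
+route | grep -q ^default || { ERROR no route ; exit 1; }
+[ ! -x /usr/bin/netstat ] || \
+netstat -nlp | grep -q 127.0.0.1:53 || { ERROR no nameserver ; exit 4; }
+
+[ -z "$USER" ] && USER=$(id -un )
+if [ $USER = root ] ; then
+[ -x /usr/bin/dirmngr -a ! -x /usr/bin/dirmngr.bin ] && \
+mv /usr/bin/dirmngr /usr/bin/dirmngr.bin
+[ -x /usr/bin/dirmngr.bin -a ! -x /usr/bin/dirmngr ] && \
+ln -s /usr/local/bin/proxy_dirmngr.bash /usr/bin/dirmngr
+fi
+
+[ ! -x /usr/bin/dirmngr -o ! -x /usr/bin/dirmngr.bin ] && exit 2
+[ -f /etc/dirmngr/dirmngr.conf ] || exit 3
+
+# This is not enough: --disable-ipv6
+# --keyserver hkps://keys.gentoo.org is required
+# --http-proxy http://127.0.0.1:3128
+# --keyserver $PROXY_GPG_KEYERVER_URL
+# --no-use-tor is REQUIRED if you are running tor
+# EVEN IF YOU DOT USE use-tor - silent dns failure
+
+exec /usr/bin/dirmngr.bin --server -vvv --debug-all \
+--options /etc/dirmngr/dirmngr.conf \
+--nameserver 127.0.0.1 \
+--disable-ipv6 \
+--disable-ldap \
+--no-use-tor \
+--log-file /var/log/dirmngr.log --debug-level 4 \
+"$@"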
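Review bot: The `return 0` after `exec /usr/bin/dirmngr.bin --version` is unreachable, and `return` at script top level is an error in bash anyway, so it should be dropped. When run as root the wrapper moves the package-managed `/usr/bin/dirmngr` aside and links `/usr/local/bin/proxy_dirmngr.bash` in its place, but this file is installed as `dirmngr.bash`, so the link target may not exist — worth verifying — and replacing a distribution binary belongs in the role's install tasks rather than in a wrapper gnupg launches on demand, where a package upgrade silently undoes it. `-vvv --debug-all --debug-level 4` with `--log-file /var/log/dirmngr.log` presumably records keyserver lookup details there; confirm the log's permissions and consider a lower default once the setup is stable. `PROXY_GPG_KEYERVER_URL` is computed but referenced only in a comment, so no `--keyserver` is actually passed on the `exec` line.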
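--- a/overlay/Linux/usr/local/bin/gitproxy.bash
+++ b/overlay/Linux/usr/local/bin/gitproxy.bash
@@ -0,0 +1,10 @@
+# -*-mode: sh; tab-width: 8; coding: utf-8-unix -*-
+
+PREFIX=/usr/local
+ROLE=proxy
+
+# BEGIN ANSIBLE MANAGED BLOCK proxy
+exec corkscrew $1 $2
+# $1 %h $2 %p
+#? exec connect -4 -S : $(tor-resolve $1 :) $2
+# END ANSIBLE MANAGED BLOCK proxy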
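Review bot: The script is installed executable but has no `#!` line, so which interpreter runs it depends on the caller, and `exec corkscrew $1 $2` passes host and port unquoted. `#!/bin/sh` as the first line and `exec corkscrew "$1" "$2"` make both explicit, and a `[ $# -ge 2 ] || exit 2` guard before the `exec` stops corkscrew from being started with missing arguments. The `# $1 %h $2 %p` comment suggests this is used as an ssh ProxyCommand; saying so in the header would help the next reader.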
89
overlay/Linux/usr/local/bin/ping2.py
Executable file
89
overlay/Linux/usr/local/bin/ping2.py
Executable file
@ -0,0 +1,89 @@
|
|||||||
|
#!/usr/local/bin/python2.sh
|
||||||
|
# SECUREAUTH LABS. Copyright 2018 SecureAuth Corporation. All rights reserved.
|
||||||
|
#
|
||||||
|
# This software is provided under under a slightly modified version
|
||||||
|
# of the Apache Software License. See the accompanying LICENSE file
|
||||||
|
# for more information.
|
||||||
|
#
|
||||||
|
# Simple ICMP ping.
|
||||||
|
#
|
||||||
|
# This implementation of ping uses the ICMP echo and echo-reply packets
|
||||||
|
# to check the status of a host. If the remote host is up, it should reply
|
||||||
|
# to the echo probe with an echo-reply packet.
|
||||||
|
# Note that this isn't a definite test, as in the case the remote host is up
|
||||||
|
# but refuses to reply the probes.
|
||||||
|
# Also note that the user must have special access to be able to open a raw
|
||||||
|
# socket, which this program requires.
|
||||||
|
#
|
||||||
|
# Authors:
|
||||||
|
# Gerardo Richarte <gera@coresecurity.com>
|
||||||
|
# Javier Kohen <jkohen@coresecurity.com>
|
||||||
|
#
|
||||||
|
# Reference for:
|
||||||
|
# ImpactPacket: IP, ICMP, DATA.
|
||||||
|
# ImpactDecoder.
|
||||||
|
|
||||||
|
import select
|
||||||
|
import socket
|
||||||
|
import time
|
||||||
|
import sys
|
||||||
|
|
||||||
|
from impacket import ImpactDecoder, ImpactPacket
|
||||||
|
|
||||||
|
if len(sys.argv) < 3:
|
||||||
|
print("Use: %s <src ip> <dst ip>" % sys.argv[0])
|
||||||
|
sys.exit(1)
|
||||||
|
|
||||||
|
src = sys.argv[1]
|
||||||
|
dst = sys.argv[2]
|
||||||
|
|
||||||
|
# Create a new IP packet and set its source and destination addresses.
|
||||||
|
|
||||||
|
ip = ImpactPacket.IP()
|
||||||
|
ip.set_ip_src(src)
|
||||||
|
ip.set_ip_dst(dst)
|
||||||
|
|
||||||
|
# Create a new ICMP packet of type ECHO.
|
||||||
|
|
||||||
|
icmp = ImpactPacket.ICMP()
|
||||||
|
icmp.set_icmp_type(icmp.ICMP_ECHO)
|
||||||
|
|
||||||
|
# Include a 156-character long payload inside the ICMP packet.
|
||||||
|
icmp.contains(ImpactPacket.Data("A"*156))
|
||||||
|
|
||||||
|
# Have the IP packet contain the ICMP packet (along with its payload).
|
||||||
|
ip.contains(icmp)
|
||||||
|
|
||||||
|
# Open a raw socket. Special permissions are usually required.
|
||||||
|
s = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_ICMP)
|
||||||
|
s.setsockopt(socket.IPPROTO_IP, socket.IP_HDRINCL, 1)
|
||||||
|
|
||||||
|
seq_id = 0
|
||||||
|
i = 0
|
||||||
|
while i < 10:
|
||||||
|
i += 1
|
||||||
|
# Give the ICMP packet the next ID in the sequence.
|
||||||
|
seq_id += 1
|
||||||
|
icmp.set_icmp_id(seq_id)
|
||||||
|
|
||||||
|
# Calculate its checksum.
|
||||||
|
icmp.set_icmp_cksum(0)
|
||||||
|
icmp.auto_checksum = 1
|
||||||
|
|
||||||
|
# Send it to the target host.
|
||||||
|
s.sendto(ip.get_packet(), (dst, 0))
|
||||||
|
|
||||||
|
# Wait for incoming replies.
|
||||||
|
if s in select.select([s],[],[],1)[0]:
|
||||||
|
reply = s.recvfrom(2000)[0]
|
||||||
|
|
||||||
|
# Use ImpactDecoder to reconstruct the packet hierarchy.
|
||||||
|
rip = ImpactDecoder.IPDecoder().decode(reply)
|
||||||
|
# Extract the ICMP packet from its container (the IP packet).
|
||||||
|
ricmp = rip.child()
|
||||||
|
|
||||||
|
# If the packet matches, report it to the user.
|
||||||
|
if rip.get_ip_dst() == src and rip.get_ip_src() == dst and icmp.ICMP_ECHOREPLY == ricmp.get_icmp_type():
|
||||||
|
print("Ping reply for sequence #%d" % ricmp.get_icmp_id())
|
||||||
|
|
||||||
|
time.sleep(1)
|
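Review bot: This appears to be the impacket ping example with a `#!/usr/local/bin/python2.sh` shebang; Python 2 is no longer maintained upstream, and `ping3.py` in the same commit is the identical script on python3 (only `b"A"*156` differs), so the python2 copy looks redundant. If it stays, the raw socket `s` is never closed; an `s.close()` after the loop (or a `try`/`finally` around it) keeps the descriptor from lingering. `ping62.py` is the same upstream example for ICMPv6, but its `while 1:` has no exit condition, unlike the `i < 10` bound used here.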
89
overlay/Linux/usr/local/bin/ping3.py
Executable file
89
overlay/Linux/usr/local/bin/ping3.py
Executable file
@ -0,0 +1,89 @@
|
|||||||
|
#!/usr/local/bin/python3.sh
|
||||||
|
# SECUREAUTH LABS. Copyright 2018 SecureAuth Corporation. All rights reserved.
|
||||||
|
#
|
||||||
|
# This software is provided under under a slightly modified version
|
||||||
|
# of the Apache Software License. See the accompanying LICENSE file
|
||||||
|
# for more information.
|
||||||
|
#
|
||||||
|
# Simple ICMP ping.
|
||||||
|
#
|
||||||
|
# This implementation of ping uses the ICMP echo and echo-reply packets
|
||||||
|
# to check the status of a host. If the remote host is up, it should reply
|
||||||
|
# to the echo probe with an echo-reply packet.
|
||||||
|
# Note that this isn't a definite test, as in the case the remote host is up
|
||||||
|
# but refuses to reply the probes.
|
||||||
|
# Also note that the user must have special access to be able to open a raw
|
||||||
|
# socket, which this program requires.
|
||||||
|
#
|
||||||
|
# Authors:
|
||||||
|
# Gerardo Richarte <gera@coresecurity.com>
|
||||||
|
# Javier Kohen <jkohen@coresecurity.com>
|
||||||
|
#
|
||||||
|
# Reference for:
|
||||||
|
# ImpactPacket: IP, ICMP, DATA.
|
||||||
|
# ImpactDecoder.
|
||||||
|
|
||||||
|
import select
|
||||||
|
import socket
|
||||||
|
import time
|
||||||
|
import sys
|
||||||
|
|
||||||
|
from impacket import ImpactDecoder, ImpactPacket
|
||||||
|
|
||||||
|
if len(sys.argv) < 3:
|
||||||
|
print("Use: %s <src ip> <dst ip>" % sys.argv[0])
|
||||||
|
sys.exit(1)
|
||||||
|
|
||||||
|
src = sys.argv[1]
|
||||||
|
dst = sys.argv[2]
|
||||||
|
|
||||||
|
# Create a new IP packet and set its source and destination addresses.
|
||||||
|
|
||||||
|
ip = ImpactPacket.IP()
|
||||||
|
ip.set_ip_src(src)
|
||||||
|
ip.set_ip_dst(dst)
|
||||||
|
|
||||||
|
# Create a new ICMP packet of type ECHO.
|
||||||
|
|
||||||
|
icmp = ImpactPacket.ICMP()
|
||||||
|
icmp.set_icmp_type(icmp.ICMP_ECHO)
|
||||||
|
|
||||||
|
# Include a 156-character long payload inside the ICMP packet.
|
||||||
|
icmp.contains(ImpactPacket.Data(b"A"*156))
|
||||||
|
|
||||||
|
# Have the IP packet contain the ICMP packet (along with its payload).
|
||||||
|
ip.contains(icmp)
|
||||||
|
|
||||||
|
# Open a raw socket. Special permissions are usually required.
|
||||||
|
s = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_ICMP)
|
||||||
|
s.setsockopt(socket.IPPROTO_IP, socket.IP_HDRINCL, 1)
|
||||||
|
|
||||||
|
seq_id = 0
|
||||||
|
i = 0
|
||||||
|
while i < 10:
|
||||||
|
i += 1
|
||||||
|
# Give the ICMP packet the next ID in the sequence.
|
||||||
|
seq_id += 1
|
||||||
|
icmp.set_icmp_id(seq_id)
|
||||||
|
|
||||||
|
# Calculate its checksum.
|
||||||
|
icmp.set_icmp_cksum(0)
|
||||||
|
icmp.auto_checksum = 1
|
||||||
|
|
||||||
|
# Send it to the target host.
|
||||||
|
s.sendto(ip.get_packet(), (dst, 0))
|
||||||
|
|
||||||
|
# Wait for incoming replies.
|
||||||
|
if s in select.select([s],[],[],1)[0]:
|
||||||
|
reply = s.recvfrom(2000)[0]
|
||||||
|
|
||||||
|
# Use ImpactDecoder to reconstruct the packet hierarchy.
|
||||||
|
rip = ImpactDecoder.IPDecoder().decode(reply)
|
||||||
|
# Extract the ICMP packet from its container (the IP packet).
|
||||||
|
ricmp = rip.child()
|
||||||
|
|
||||||
|
# If the packet matches, report it to the user.
|
||||||
|
if rip.get_ip_dst() == src and rip.get_ip_src() == dst and icmp.ICMP_ECHOREPLY == ricmp.get_icmp_type():
|
||||||
|
print("Ping reply for sequence #%d" % ricmp.get_icmp_id())
|
||||||
|
|
||||||
|
time.sleep(1)
|
82
overlay/Linux/usr/local/bin/ping62.py
Executable file
82
overlay/Linux/usr/local/bin/ping62.py
Executable file
@ -0,0 +1,82 @@
|
|||||||
|
#!/usr/local/bin/python2.sh
|
||||||
|
# SECUREAUTH LABS. Copyright 2018 SecureAuth Corporation. All rights reserved.
|
||||||
|
#
|
||||||
|
# This software is provided under under a slightly modified version
|
||||||
|
# of the Apache Software License. See the accompanying LICENSE file
|
||||||
|
# for more information.
|
||||||
|
#
|
||||||
|
# Simple ICMP6 ping.
|
||||||
|
#
|
||||||
|
# This implementation of ping uses the ICMP echo and echo-reply packets
|
||||||
|
# to check the status of a host. If the remote host is up, it should reply
|
||||||
|
# to the echo probe with an echo-reply packet.
|
||||||
|
# Note that this isn't a definite test, as in the case the remote host is up
|
||||||
|
# but refuses to reply the probes.
|
||||||
|
# Also note that the user must have special access to be able to open a raw
|
||||||
|
# socket, which this program requires.
|
||||||
|
#
|
||||||
|
# Authors:
|
||||||
|
# Alberto Solino (@agsolino)
|
||||||
|
#
|
||||||
|
# Reference for:
|
||||||
|
# ImpactPacket: ICMP6
|
||||||
|
# ImpactDecoder.
|
||||||
|
|
||||||
|
import select
|
||||||
|
import socket
|
||||||
|
import time
|
||||||
|
import sys
|
||||||
|
|
||||||
|
from impacket import ImpactDecoder, IP6, ICMP6, version
|
||||||
|
|
||||||
|
print(version.BANNER)
|
||||||
|
|
||||||
|
if len(sys.argv) < 3:
|
||||||
|
print("Use: %s <src ip> <dst ip>" % sys.argv[0])
|
||||||
|
sys.exit(1)
|
||||||
|
|
||||||
|
src = sys.argv[1]
|
||||||
|
dst = sys.argv[2]
|
||||||
|
|
||||||
|
# Create a new IP packet and set its source and destination addresses.
|
||||||
|
|
||||||
|
ip = IP6.IP6()
|
||||||
|
ip.set_ip_src(src)
|
||||||
|
ip.set_ip_dst(dst)
|
||||||
|
ip.set_traffic_class(0)
|
||||||
|
ip.set_flow_label(0)
|
||||||
|
ip.set_hop_limit(64)
|
||||||
|
|
||||||
|
# Open a raw socket. Special permissions are usually required.
|
||||||
|
s = socket.socket(socket.AF_INET6, socket.SOCK_RAW, socket.IPPROTO_ICMPV6)
|
||||||
|
|
||||||
|
payload = "A"*156
|
||||||
|
|
||||||
|
print("PING %s %d data bytes" % (dst, len(payload)))
|
||||||
|
seq_id = 0
|
||||||
|
while 1:
|
||||||
|
# Give the ICMP packet the next ID in the sequence.
|
||||||
|
seq_id += 1
|
||||||
|
icmp = ICMP6.ICMP6.Echo_Request(1, seq_id, payload)
|
||||||
|
|
||||||
|
# Have the IP packet contain the ICMP packet (along with its payload).
|
||||||
|
ip.contains(icmp)
|
||||||
|
ip.set_next_header(ip.child().get_ip_protocol_number())
|
||||||
|
ip.set_payload_length(ip.child().get_size())
|
||||||
|
icmp.calculate_checksum()
|
||||||
|
|
||||||
|
# Send it to the target host.
|
||||||
|
s.sendto(icmp.get_packet(), (dst, 0))
|
||||||
|
|
||||||
|
# Wait for incoming replies.
|
||||||
|
if s in select.select([s],[],[],1)[0]:
|
||||||
|
reply = s.recvfrom(2000)[0]
|
||||||
|
|
||||||
|
# Use ImpactDecoder to reconstruct the packet hierarchy.
|
||||||
|
rip = ImpactDecoder.ICMP6Decoder().decode(reply)
|
||||||
|
|
||||||
|
# If the packet matches, report it to the user.
|
||||||
|
if ICMP6.ICMP6.ECHO_REPLY == rip.get_type():
|
||||||
|
print("%d bytes from %s: icmp_seq=%d " % (rip.child().get_size()-4,dst,rip.get_echo_sequence_number()))
|
||||||
|
|
||||||
|
time.sleep(1)
|
344
overlay/Linux/usr/local/bin/pr$
Executable file
344
overlay/Linux/usr/local/bin/pr$
Executable file
@ -0,0 +1,344 @@
|
|||||||
|
#!/bin/bash
|
||||||
|
# -*- mode: sh; fill-column: 75; tab-width: 8; coding: utf-8-unix -*-
|
||||||
|
|
||||||
|
ROLE=proxy
|
||||||
|
|
||||||
|
. /usr/local/bin/usr_local_tput.bash || exit 2
|
||||||
|
|
||||||
|
## proxy_ami_cloudflared
|
||||||
|
proxy_ami_cloudflared() {
|
||||||
|
[ $# -gt 0 ] || return 1
|
||||||
|
local ip=$1
|
||||||
|
# https://netaddr.readthedocs.io/en/latest/tutorial_01.html
|
||||||
|
# a=`python3 -c "import netaddr; print(netaddr.IPAddress('$ip') in list(netaddr.IPNetwork('$no')))"`
|
||||||
|
# https://stackoverflow.com/questions/819355/how-can-i-check-if-an-ip-is-in-a-network-in-python
|
||||||
|
for no in "${CLOUDF[@]}" ; do
|
||||||
|
nopat=`sed -e 's/\.0.*//' <<< $no`
|
||||||
|
[[ $ip =~ ${nopat}.* ]] && {
|
||||||
|
# WARN $url cloudflared $ip $no
|
||||||
|
echo True
|
||||||
|
return 0
|
||||||
|
}
|
||||||
|
done
|
||||||
|
echo False
|
||||||
|
return 0
|
||||||
|
}
|
||||||
|
|
||||||
|
## proxy_ami_cloudflared_py
|
||||||
|
proxy_ami_cloudflared_py() {
|
||||||
|
[ $# -gt 0 ] || return 1
|
||||||
|
local ip=$1
|
||||||
|
a=`proxy_ami_cloudflared $ip`
|
||||||
|
if [ $? -eq 0 -a "$a" = True ] ; then
|
||||||
|
echo $a
|
||||||
|
return 0
|
||||||
|
fi
|
||||||
|
|
||||||
|
for no in "${CLOUDF[@]}" ; do
|
||||||
|
a=`python3 -c "import ipaddress; print(ipaddress.IPv4Address('$ip') in list(ipaddress.IPv4Network('$no')))"`
|
||||||
|
if [ $? -eq 0 -a "$a" = True ] ; then
|
||||||
|
echo $a
|
||||||
|
return 0
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
echo False
|
||||||
|
return 0
|
||||||
|
}
|
||||||
|
|
||||||
|
# /usr/include/openssl/x509_vfy.h
|
||||||
|
declare -A OPENSSL_X509_V
|
||||||
|
OPENSSL_X509_V=(
|
||||||
|
[0]=OK
|
||||||
|
[1]=ERR_UNSPECIFIED
|
||||||
|
[2]=ERR_UNABLE_TO_GET_ISSUER_CERT
|
||||||
|
[3]=ERR_UNABLE_TO_GET_CRL
|
||||||
|
[4]=ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE
|
||||||
|
[5]=ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE
|
||||||
|
[6]=ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY
|
||||||
|
[7]=ERR_CERT_SIGNATURE_FAILURE
|
||||||
|
[8]=ERR_CRL_SIGNATURE_FAILURE
|
||||||
|
[9]=ERR_CERT_NOT_YET_VALID
|
||||||
|
[10]=ERR_CERT_HAS_EXPIRED
|
||||||
|
[11]=ERR_CRL_NOT_YET_VALID
|
||||||
|
[12]=ERR_CRL_HAS_EXPIRED
|
||||||
|
[13]=ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD
|
||||||
|
[14]=ERR_ERROR_IN_CERT_NOT_AFTER_FIELD
|
||||||
|
[15]=ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD
|
||||||
|
[16]=ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD
|
||||||
|
[17]=ERR_OUT_OF_MEM
|
||||||
|
[18]=ERR_DEPTH_ZERO_SELF_SIGNED_CERT
|
||||||
|
[19]=ERR_SELF_SIGNED_CERT_IN_CHAIN
|
||||||
|
[20]=ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY
|
||||||
|
[21]=ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE
|
||||||
|
[22]=ERR_CERT_CHAIN_TOO_LONG
|
||||||
|
[23]=ERR_CERT_REVOKED
|
||||||
|
[24]=ERR_INVALID_CA
|
||||||
|
[25]=ERR_PATH_LENGTH_EXCEEDED
|
||||||
|
[26]=ERR_INVALID_PURPOSE
|
||||||
|
[27]=ERR_CERT_UNTRUSTED
|
||||||
|
[28]=ERR_CERT_REJECTED
|
||||||
|
# These are 'informational' when looking for issuer cert
|
||||||
|
[29]=ERR_SUBJECT_ISSUER_MISMATCH
|
||||||
|
[30]=ERR_AKID_SKID_MISMATCH
|
||||||
|
[31]=ERR_AKID_ISSUER_SERIAL_MISMATCH
|
||||||
|
[32]=ERR_KEYUSAGE_NO_CERTSIGN
|
||||||
|
[33]=ERR_UNABLE_TO_GET_CRL_ISSUER
|
||||||
|
[34]=ERR_UNHANDLED_CRITICAL_EXTENSION
|
||||||
|
[35]=ERR_KEYUSAGE_NO_CRL_SIGN
|
||||||
|
[36]=ERR_UNHANDLED_CRITICAL_CRL_EXTENSION
|
||||||
|
[37]=ERR_INVALID_NON_CA
|
||||||
|
[38]=ERR_PROXY_PATH_LENGTH_EXCEEDED
|
||||||
|
[39]=ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE
|
||||||
|
[40]=ERR_PROXY_CERTIFICATES_NOT_ALLOWED
|
||||||
|
[41]=ERR_INVALID_EXTENSION
|
||||||
|
[42]=ERR_INVALID_POLICY_EXTENSION
|
||||||
|
[43]=ERR_NO_EXPLICIT_POLICY
|
||||||
|
[44]=ERR_DIFFERENT_CRL_SCOPE
|
||||||
|
[45]=ERR_UNSUPPORTED_EXTENSION_FEATURE
|
||||||
|
[46]=ERR_UNNESTED_RESOURCE
|
||||||
|
[47]=ERR_PERMITTED_VIOLATION
|
||||||
|
[48]=ERR_EXCLUDED_VIOLATION
|
||||||
|
[49]=ERR_SUBTREE_MINMAX
|
||||||
|
# The application is not happy
|
||||||
|
[50]=ERR_APPLICATION_VERIFICATION
|
||||||
|
[51]=ERR_UNSUPPORTED_CONSTRAINT_TYPE
|
||||||
|
[52]=ERR_UNSUPPORTED_CONSTRAINT_SYNTAX
|
||||||
|
[53]=ERR_UNSUPPORTED_NAME_SYNTAX
|
||||||
|
[54]=ERR_CRL_PATH_VALIDATION_ERROR
|
||||||
|
# Another issuer check debug option
|
||||||
|
[55]=ERR_PATH_LOOP
|
||||||
|
# Suite B mode algorithm violation
|
||||||
|
[56]=ERR_SUITE_B_INVALID_VERSION
|
||||||
|
[57]=ERR_SUITE_B_INVALID_ALGORITHM
|
||||||
|
[58]=ERR_SUITE_B_INVALID_CURVE
|
||||||
|
[59]=ERR_SUITE_B_INVALID_SIGNATURE_ALGORITHM
|
||||||
|
[60]=ERR_SUITE_B_LOS_NOT_ALLOWED
|
||||||
|
[61]=ERR_SUITE_B_CANNOT_SIGN_P_384_WITH_P_256
|
||||||
|
# Host, email and IP check errors
|
||||||
|
[62]=ERR_HOSTNAME_MISMATCH
|
||||||
|
[63]=ERR_EMAIL_MISMATCH
|
||||||
|
[64]=ERR_IP_ADDRESS_MISMATCH
|
||||||
|
# DANE TLSA errors
|
||||||
|
[65]=ERR_DANE_NO_MATCH
|
||||||
|
# security level errors
|
||||||
|
[66]=ERR_EE_KEY_TOO_SMALL
|
||||||
|
[67]=ERR_CA_KEY_TOO_SMALL
|
||||||
|
[68]=ERR_CA_MD_TOO_WEAK
|
||||||
|
# Caller error
|
||||||
|
[69]=ERR_INVALID_CALL
|
||||||
|
# Issuer lookup error
|
||||||
|
[70]=ERR_STORE_LOOKUP
|
||||||
|
# Certificate transparency
|
||||||
|
[71]=ERR_NO_VALID_SCTS
|
||||||
|
|
||||||
|
[72]=ERR_PROXY_SUBJECT_NAME_VIOLATION
|
||||||
|
# OCSP status errors
|
||||||
|
[73]=ERR_OCSP_VERIFY_NEEDED # Need OCSP verification
|
||||||
|
[74]=ERR_OCSP_VERIFY_FAILED # Couldn't verify cert through OCSP
|
||||||
|
[75]=ERR_OCSP_CERT_UNKNOWN # Certificate wasn't recognized by the OCSP responder
|
||||||
|
[76]=ERR_SIGNATURE_ALGORITHM_MISMATCH
|
||||||
|
[77]=ERR_NO_ISSUER_PUBLIC_KEY
|
||||||
|
[78]=ERR_UNSUPPORTED_SIGNATURE_ALGORITHM
|
||||||
|
[79]=ERR_EC_KEY_EXPLICIT_PARAMS
|
||||||
|
)
|
||||||
|
|
||||||
|
# man 3 libcurl-errors
|
||||||
|
declare -A CURLE
|
||||||
|
CURLE=(
|
||||||
|
[0]=CURLE_OK
|
||||||
|
[1]=CURLE_UNSUPPORTED_PROTOCOL
|
||||||
|
[2]=CURLE_FAILED_INIT
|
||||||
|
[3]=CURLE_URL_MALFORMAT
|
||||||
|
[4]=CURLE_NOT_BUILT_IN
|
||||||
|
[5]=CURLE_COULDNT_RESOLVE_PROXY
|
||||||
|
[6]=CURLE_COULDNT_RESOLVE_HOST
|
||||||
|
[7]=CURLE_COULDNT_CONNECT
|
||||||
|
[8]=CURLE_WEIRD_SERVER_REPLY
|
||||||
|
[9]=CURLE_REMOTE_ACCESS_DENIED
|
||||||
|
[10]=CURLE_FTP_ACCEPT_FAILED
|
||||||
|
[11]=CURLE_FTP_WEIRD_PASS_REPLY
|
||||||
|
[12]=CURLE_FTP_ACCEPT_TIMEOUT
|
||||||
|
[13]=CURLE_FTP_WEIRD_PASV_REPLY
|
||||||
|
[14]=CURLE_FTP_WEIRD_227_FORMAT
|
||||||
|
[15]=CURLE_FTP_CANT_GET_HOST
|
||||||
|
[16]=CURLE_HTTP2
|
||||||
|
[17]=CURLE_FTP_COULDNT_SET_TYPE
|
||||||
|
[18]=CURLE_PARTIAL_FILE
|
||||||
|
[19]=CURLE_FTP_COULDNT_RETR_FILE
|
||||||
|
[21]=CURLE_QUOTE_ERROR
|
||||||
|
[22]=CURLE_HTTP_RETURNED_ERROR
|
||||||
|
[23]=CURLE_WRITE_ERROR
|
||||||
|
[25]=CURLE_UPLOAD_FAILED
|
||||||
|
[26]=CURLE_READ_ERROR
|
||||||
|
[27]=CURLE_OUT_OF_MEMORY
|
||||||
|
[28]=CURLE_OPERATION_TIMEDOUT
|
||||||
|
[30]=CURLE_FTP_PORT_FAILED
|
||||||
|
[31]=CURLE_FTP_COULDNT_USE_REST
|
||||||
|
[33]=CURLE_RANGE_ERROR
|
||||||
|
[34]=CURLE_HTTP_POST_ERROR
|
||||||
|
[35]=CURLE_SSL_CONNECT_ERROR
|
||||||
|
[36]=CURLE_BAD_DOWNLOAD_RESUME
|
||||||
|
[37]=CURLE_FILE_COULDNT_READ_FILE
|
||||||
|
[38]=CURLE_LDAP_CANNOT_BIND
|
||||||
|
[39]=CURLE_LDAP_SEARCH_FAILED
|
||||||
|
[41]=CURLE_FUNCTION_NOT_FOUND
|
||||||
|
[42]=CURLE_ABORTED_BY_CALLBACK
|
||||||
|
[43]=CURLE_BAD_FUNCTION_ARGUMENT
|
||||||
|
[45]=CURLE_INTERFACE_FAILED
|
||||||
|
[47]=CURLE_TOO_MANY_REDIRECTS
|
||||||
|
[48]=CURLE_UNKNOWN_OPTION
|
||||||
|
[49]=CURLE_SETOPT_OPTION_SYNTAX
|
||||||
|
[52]=CURLE_GOT_NOTHING
|
||||||
|
[53]=CURLE_SSL_ENGINE_NOTFOUND
|
||||||
|
[54]=CURLE_SSL_ENGINE_SETFAILED
|
||||||
|
[55]=CURLE_SEND_ERROR
|
||||||
|
[56]=CURLE_RECV_ERROR
|
||||||
|
[58]=CURLE_SSL_CERTPROBLEM
|
||||||
|
[59]=CURLE_SSL_CIPHER
|
||||||
|
[60]=CURLE_PEER_FAILED_VERIFICATION
|
||||||
|
[61]=CURLE_BAD_CONTENT_ENCODING
|
||||||
|
[62]=CURLE_LDAP_INVALID_URL
|
||||||
|
[63]=CURLE_FILESIZE_EXCEEDED
|
||||||
|
[64]=CURLE_USE_SSL_FAILED
|
||||||
|
[65]=CURLE_SEND_FAIL_REWIND
|
||||||
|
[66]=CURLE_SSL_ENGINE_INITFAILED
|
||||||
|
[67]=CURLE_LOGIN_DENIED
|
||||||
|
[68]=CURLE_TFTP_NOTFOUND
|
||||||
|
[69]=CURLE_TFTP_PERM
|
||||||
|
[70]=CURLE_REMOTE_DISK_FULL
|
||||||
|
[71]=CURLE_TFTP_ILLEGAL
|
||||||
|
[72]=CURLE_TFTP_UNKNOWNID
|
||||||
|
[73]=CURLE_REMOTE_FILE_EXISTS
|
||||||
|
[74]=CURLE_TFTP_NOSUCHUSER
|
||||||
|
[75]=CURLE_CONV_FAILED
|
||||||
|
[76]=CURLE_CONV_REQD
|
||||||
|
[77]=CURLE_SSL_CACERT_BADFILE
|
||||||
|
[78]=CURLE_REMOTE_FILE_NOT_FOUND
|
||||||
|
[79]=CURLE_SSH
|
||||||
|
[80]=CURLE_SSL_SHUTDOWN_FAILED
|
||||||
|
[81]=CURLE_AGAIN
|
||||||
|
[82]=CURLE_SSL_CRL_BADFILE
|
||||||
|
[83]=CURLE_SSL_ISSUER_ERROR
|
||||||
|
[84]=CURLE_FTP_PRET_FAILED
|
||||||
|
[85]=CURLE_RTSP_CSEQ_ERROR
|
||||||
|
[86]=CURLE_RTSP_SESSION_ERROR
|
||||||
|
[87]=CURLE_FTP_BAD_FILE_LIST
|
||||||
|
[88]=CURLE_CHUNK_FAILED
|
||||||
|
[89]=CURLE_NO_CONNECTION_AVAILABLE
|
||||||
|
[90]=CURLE_SSL_PINNEDPUBKEYNOTMATCH
|
||||||
|
[91]=CURLE_SSL_INVALIDCERTSTATUS
|
||||||
|
[92]=CURLE_HTTP2_STREAM
|
||||||
|
[93]=CURLE_RECURSIVE_API_CALL
|
||||||
|
[94]=CURLE_AUTH_ERROR
|
||||||
|
[95]=CURLE_HTTP3
|
||||||
|
[96]=CURLE_QUIC_CONNECT_ERROR
|
||||||
|
[98]=CURLE_SSL_CLIENTCERT
|
||||||
|
[99]=CURLE_UNRECOVERABLE_POLL
|
||||||
|
)
|
||||||
|
|
||||||
|
# 20 HTTP response status codes
|
||||||
|
declare -A HTTP_RESPONSE
|
||||||
|
HTTP_RESPONSE=(
|
||||||
|
[100]="Continue"
|
||||||
|
[101]="Switching Protocols"
|
||||||
|
[103]="Early Hints"
|
||||||
|
[200]="OK"
|
||||||
|
[201]="Created"
|
||||||
|
[202]="Accepted"
|
||||||
|
[203]="Non-Authoritative Information"
|
||||||
|
[204]="No Content"
|
||||||
|
[205]="Reset Content"
|
||||||
|
[206]="Partial Content"
|
||||||
|
[300]="Multiple Choices"
|
||||||
|
[301]="Moved Permanently"
|
||||||
|
[302]="Found"
|
||||||
|
[303]="See Other"
|
||||||
|
[304]="Not Modified"
|
||||||
|
[307]="Temporary Redirect"
|
||||||
|
[308]="Permanent Redirect"
|
||||||
|
[400]="Bad Request"
|
||||||
|
[401]="Unauthorized"
|
||||||
|
[402]="Payment Required"
|
||||||
|
[403]="Forbidden"
|
||||||
|
[404]="Not Found"
|
||||||
|
[405]="Method Not Allowed"
|
||||||
|
[406]="Not Acceptable"
|
||||||
|
[407]="Proxy Authentication Required"
|
||||||
|
[408]="Request Timeout"
|
||||||
|
[409]="Conflict"
|
||||||
|
[410]="Gone"
|
||||||
|
[411]="Length Required"
|
||||||
|
[412]="Precondition Failed"
|
||||||
|
[413]="Payload Too Large"
|
||||||
|
[414]="URI Too Long"
|
||||||
|
[415]="Unsupported Media Type"
|
||||||
|
[416]="Range Not Satisfiable"
|
||||||
|
[417]="Expectation Failed"
|
||||||
|
[418]="Im a teapot"
|
||||||
|
[422]="Unprocessable Entity"
|
||||||
|
[425]="Too Early"
|
||||||
|
[426]="Upgrade Required"
|
||||||
|
[428]="Precondition Required"
|
||||||
|
[429]="Too Many Requests"
|
||||||
|
[431]="Request Header Fields Too Large"
|
||||||
|
[451]="Unavailable For Legal Reasons"
|
||||||
|
[500]="Internal Server Error"
|
||||||
|
[501]="Not Implemented"
|
||||||
|
[502]="Bad Gateway"
|
||||||
|
[503]="Service Unavailable"
|
||||||
|
[504]="Gateway Timeout"
|
||||||
|
[505]="HTTP Version Not Supported"
|
||||||
|
[506]="Variant Also Negotiates"
|
||||||
|
[507]="Insufficient Storage"
|
||||||
|
[508]="Loop Detected"
|
||||||
|
[510]="Not Extended"
|
||||||
|
[511]="Network Authentication Required"
|
||||||
|
)
|
||||||
|
|
||||||
|
# https://curl.se/docs/ssl-ciphers.html
|
||||||
|
|
||||||
|
# openssl
|
||||||
|
# https://www.openssl.org/docs/manmaster/man1/openssl-ciphers.html
|
||||||
|
|
||||||
|
# https://curl.se/libcurl/c/CURLOPT_SSL_CIPHER_LIST.html
|
||||||
|
openssl=openssl
|
||||||
|
# CURLOPT_TLS13_CIPHERS --tls13-ciphers
|
||||||
|
if [ $openssl = openssl ] ; then
|
||||||
|
export CURLOPT_TLS13_CIPHERS="TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_AES_128_GCM_SHA256,TLS_AES_128_CCM_8_SHA256,TLS_AES_128_CCM_SHA256"
|
||||||
|
elif [ $openssl = nss ] ; then
|
||||||
|
export CURLOPT_TLS13_CIPHERS="aes_128_gcm_sha_256,aes_256_gcm_sha_384,chacha20_poly1305_sha_256"
|
||||||
|
fi
|
||||||
|
|
||||||
|
declare -a NOTLSV3
|
||||||
|
NOTLSV3=(
|
||||||
|
# connection refused
|
||||||
|
www.mirrorservice.org
|
||||||
|
# no ipv3
|
||||||
|
files.pythonhosted.org
|
||||||
|
)
|
||||||
|
|
||||||
|
# https://web.archive.org/web/20220722104744/https://www.cloudflare.com/ips-v4
|
||||||
|
declare -a CLOUDFN
|
||||||
|
CLOUDFN=(
|
||||||
|
173.245.48.0/20
|
||||||
|
103.21.244.0/22
|
||||||
|
103.22.200.0/22
|
||||||
|
103.31.4.0/22
|
||||||
|
141.101.64.0/18
|
||||||
|
108.162.192.0/18
|
||||||
|
190.93.240.0/20
|
||||||
|
188.114.96.0/20
|
||||||
|
197.234.240.0/22
|
||||||
|
198.41.128.0/17
|
||||||
|
162.158.0.0/15
|
||||||
|
104.16.0.0/13
|
||||||
|
104.24.0.0/14
|
||||||
|
172.64.0.0/13
|
||||||
|
131.0.72.0/22
|
||||||
|
)
|
||||||
|
|
||||||
|
#for no in "${CLOUDF[@]}" ; do
|
||||||
|
# # https://netaddr.readthedocs.io/en/latest/tutorial_01.html
|
||||||
|
# a=`python3 -c "import netaddr; print('\n'.join(map(str,list(netaddr.IPNetwork('$no')))))"`
|
||||||
|
#done
|
||||||
|
|
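Review bot: The file name `pr$` looks like an accidental commit (a truncated or prompt-mangled name), and the content is an earlier draft of `proxy_curl_lib.bash` added in the same commit; here `proxy_ami_cloudflared` and `proxy_ami_cloudflared_py` iterate `"${CLOUDF[@]}"` while the array defined below is `CLOUDFN`, so the loop body never runs and both functions always print `False`. In both files the string test `[[ $ip =~ ${nopat}.* ]]` built with `sed` is not a CIDR check: it is unanchored, the dots are regex wildcards, and for a non-octet-aligned mask such as `104.16.0.0/13` the prefix `104.16` misses most of the range; the `ipaddress.IPv4Network` test in the `_py` function is the correct one, so the string match should be dropped or at least anchored. The `NOTLSV3` comment reads `no ipv3`, presumably `ipv6`.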
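--- a/overlay/Linux/usr/local/bin/pro
+++ b/overlay/Linux/usr/local/bin/pro
@@ -0,0 +1,23 @@
+#!/bin/sh
+# -*- mode: sh; tab-width: 8; coding: utf-8-unix -*-
+
+# https://unix.stackexchange.com/questions/293304/using-netcat-for-port-forwarding
+. /usr/local/bin/usr_local_tput.bash || exit 2
+
+prog=$( basename $0 .bash )
+PREFIX=/usr/local
+ROLE=proxy
+
+netstat -nlpe4 | grep -q 127.0.0.1:53 && {
+ERROR 127.0.0.1:53 already bound
+exit 1
+}
+
+MODE=$( /usr/local/bin/proxy_ping_lib.bash proxy_whonix_mode )
+
+if [ "$MODE" = tor -o "$MODE" = tor -o "$MODE" = gateway -o "$MODE" = selektor ] ; then
+socat udp-l:53,bind=127.0.0.1,fork,reuseaddr udp:127.0.0.1:9053
+elif [ "$MODE" = whonix -o "$MODE" = ws -o "$MODE" = tor -o "$MODE" = selektor ] ; then
+socat udp-l:53,bind=127.0.0.1,fork,reuseaddr udp:10.0.2.2:9053
+fi
+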
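Review bot: In the `if`/`elif` that picks the socat upstream, `tor` is tested twice in the first condition and `tor` and `selektor` appear in both branches, so the `elif` can only ever be taken for `whonix` and `ws`; if some of those modes are meant to forward to `10.0.2.2:9053`, the first test should not list them. A `case "$MODE" in tor|gateway) … ;; whonix|ws) … ;; esac` reads more clearly than the `-o` chains and makes such overlap visible. The script runs under `#!/bin/sh` but sources `usr_local_tput.bash` and calls `ERROR` from it; on a system where `sh` is not bash that may fail at the `. … || exit 2` line, so `#!/bin/bash` would be safer. The file name `pro` also looks truncated, like `pr$` in the same commit — worth confirming it is intentional.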
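--- a/overlay/Linux/usr/local/bin/proxy_ansible.bash
+++ b/overlay/Linux/usr/local/bin/proxy_ansible.bash
@@ -0,0 +1,12 @@
+#!/bin/bash
+# -*- mode: sh; fill-column: 75; tab-width: 8; coding: utf-8-unix -*-
+
+
+. /usr/local/etc/testforge/testforge.bash
+PREFIX=$PROXY_VAR_LOCAL
+
+[ "$#" -eq 0 ] && set -- proxy
+
+exec bash $PREFIX/bin/testforge_ansible.bash "$@"
+
+ROLE=proxy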
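Review bot: `ROLE=proxy` after `exec bash …` is never reached; move it above the `exec` or drop it. `. /usr/local/etc/testforge/testforge.bash` is sourced without checking that it exists, and if it does not set `PROXY_VAR_LOCAL` the script goes on to `exec bash /bin/testforge_ansible.bash`; a guard such as `[ -n "$PROXY_VAR_LOCAL" ] || { echo "PROXY_VAR_LOCAL unset" >&2; exit 2; }` before the `exec` gives a clear failure instead. Quoting `"$PREFIX"` on the `exec` line avoids word splitting if the path ever contains spaces.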
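--- a/overlay/Linux/usr/local/bin/proxy_curl_lib.bash
+++ b/overlay/Linux/usr/local/bin/proxy_curl_lib.bash
@@ -0,0 +1,401 @@
+#!/bin/bash
+# -*- mode: sh; fill-column: 75; tab-width: 8; coding: utf-8-unix -*-
+
+ROLE=proxy
+
+. /usr/local/bin/usr_local_tput.bash || exit 2
+
+
+## proxy_ami_cloudflared
+proxy_ami_cloudflared() {
+[ $# -gt 0 ] || return 1
+local ip=$1
+for no in "${CLOUDFN[@]}" ; do
+nopat=`sed -e 's@[.0]*/[0-9][0-9]@@' <<< $no`
+[[ $ip =~ ${nopat}.* ]] && {
+# WARN $url cloudflared $ip $no
+echo True
+return 0
+}
+done
+echo False
+return 0
+}
+
+## proxy_ami_cloudflared_py
+proxy_ami_cloudflared_py() {
+[ $# -gt 0 ] || return 1
+local ip=$1
+a=`proxy_ami_cloudflared $ip`
+if [ $? -eq 0 -a "$a" = True ] ; then
+echo $a
+return 0
+fi
+
+# https://netaddr.readthedocs.io/en/latest/tutorial_01.html
+# a=`python3 -c "import netaddr; print(netaddr.IPAddress('$ip') in list(netaddr.IPNetwork('$no')))"`
+# https://stackoverflow.com/questions/819355/how-can-i-check-if-an-ip-is-in-a-network-in-python
+
+for no in "${CLOUDFN[@]}" ; do
+a=`python3 -c "import ipaddress; print(ipaddress.IPv4Address('$ip') in list(ipaddress.IPv4Network('$no')))"`
+if [ $? -eq 0 -a "$a" = True ] ; then
+echo $a
+return 0
+fi
+done
+echo False
+return 0
+}
+
+## proxy_ami_nottlsv3
+proxy_ami_nottlsv3() {
+[ $# -gt 0 ] || return 1
+local site=$1
+for no in "${NOTLSV3[@]}" ; do
+[[ $site =~ $no ]] && echo True && return 0
+done
+echo False
+return 0
+}
+
+declare -a NOTLSV3
+NOTLSV3=(
+# connection refused
+www.mirrorservice.org
+# no ipv3
+files.pythonhosted.org
+# forbidden
+download.nvidia.com
+# 500
+www.x.org
+)
+
+# https://web.archive.org/web/20220722104744/https://www.cloudflare.com/ips-v4
+declare -a CLOUDFN
+CLOUDFN=(
+173.245.48.0/20
+103.21.244.0/22
+103.22.200.0/22
+103.31.4.0/22
+104.16.0.0/13
+104.24.0.0/14
+108.162.192.0/18
+131.0.72.0/22
+141.101.64.0/18
+162.158.0.0/15
+172.64.0.0/13
+188.114.96.0/20
+190.93.240.0/20
+197.234.240.0/22
+198.41.128.0/17
+)
+
+#for no in "${CLOUDFN[@]}" ; do
+# # https://netaddr.readthedocs.io/en/latest/tutorial_01.html
+# a=`python3 -c "import netaddr; print('\n'.join(map(str,list(netaddr.IPNetwork('$no')))))"`
+#done
+
+# /usr/include/openssl/x509_vfy.h
+declare -A OPENSSL_X509_V
+OPENSSL_X509_V=(
+[0]=OK
+[1]=ERR_UNSPECIFIED
+[2]=ERR_UNABLE_TO_GET_ISSUER_CERT
+[3]=ERR_UNABLE_TO_GET_CRL
+[4]=ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE
+[5]=ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE
+[6]=ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY
+[7]=ERR_CERT_SIGNATURE_FAILURE
+[8]=ERR_CRL_SIGNATURE_FAILURE
+[9]=ERR_CERT_NOT_YET_VALID
+[10]=ERR_CERT_HAS_EXPIRED
+[11]=ERR_CRL_NOT_YET_VALID
+[12]=ERR_CRL_HAS_EXPIRED
+[13]=ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD
+[14]=ERR_ERROR_IN_CERT_NOT_AFTER_FIELD
+[15]=ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD
+[16]=ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD
+[17]=ERR_OUT_OF_MEM
+[18]=ERR_DEPTH_ZERO_SELF_SIGNED_CERT
+[19]=ERR_SELF_SIGNED_CERT_IN_CHAIN
+[20]=ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY
+[21]=ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE
+[22]=ERR_CERT_CHAIN_TOO_LONG
+[23]=ERR_CERT_REVOKED
+[24]=ERR_INVALID_CA
+[25]=ERR_PATH_LENGTH_EXCEEDED
+[26]=ERR_INVALID_PURPOSE
+[27]=ERR_CERT_UNTRUSTED
+[28]=ERR_CERT_REJECTED
+# These are 'informational' when looking for issuer cert
+[29]=ERR_SUBJECT_ISSUER_MISMATCH
+[30]=ERR_AKID_SKID_MISMATCH
+[31]=ERR_AKID_ISSUER_SERIAL_MISMATCH
+[32]=ERR_KEYUSAGE_NO_CERTSIGN
+[33]=ERR_UNABLE_TO_GET_CRL_ISSUER
+[34]=ERR_UNHANDLED_CRITICAL_EXTENSION
+[35]=ERR_KEYUSAGE_NO_CRL_SIGN
+[36]=ERR_UNHANDLED_CRITICAL_CRL_EXTENSION
+[37]=ERR_INVALID_NON_CA
+[38]=ERR_PROXY_PATH_LENGTH_EXCEEDED
+[39]=ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE
+[40]=ERR_PROXY_CERTIFICATES_NOT_ALLOWED
+[41]=ERR_INVALID_EXTENSION
+[42]=ERR_INVALID_POLICY_EXTENSION
+[43]=ERR_NO_EXPLICIT_POLICY
+[44]=ERR_DIFFERENT_CRL_SCOPE
+[45]=ERR_UNSUPPORTED_EXTENSION_FEATURE
+[46]=ERR_UNNESTED_RESOURCE
+[47]=ERR_PERMITTED_VIOLATION
+[48]=ERR_EXCLUDED_VIOLATION
+[49]=ERR_SUBTREE_MINMAX
+# The application is not happy
+[50]=ERR_APPLICATION_VERIFICATION
+[51]=ERR_UNSUPPORTED_CONSTRAINT_TYPE
+[52]=ERR_UNSUPPORTED_CONSTRAINT_SYNTAX
+[53]=ERR_UNSUPPORTED_NAME_SYNTAX
+[54]=ERR_CRL_PATH_VALIDATION_ERROR
+# Another issuer check debug option
+[55]=ERR_PATH_LOOP
+# Suite B mode algorithm violation
+[56]=ERR_SUITE_B_INVALID_VERSION
+[57]=ERR_SUITE_B_INVALID_ALGORITHM
+[58]=ERR_SUITE_B_INVALID_CURVE
+[59]=ERR_SUITE_B_INVALID_SIGNATURE_ALGORITHM
+[60]=ERR_SUITE_B_LOS_NOT_ALLOWED
+[61]=ERR_SUITE_B_CANNOT_SIGN_P_384_WITH_P_256
+# Host, email and IP check errors
+[62]=ERR_HOSTNAME_MISMATCH
+[63]=ERR_EMAIL_MISMATCH
+[64]=ERR_IP_ADDRESS_MISMATCH
+# DANE TLSA errors
+[65]=ERR_DANE_NO_MATCH
+# security level errors
+[66]=ERR_EE_KEY_TOO_SMALL
+[67]=ERR_CA_KEY_TOO_SMALL
+[68]=ERR_CA_MD_TOO_WEAK
+# Caller error
+[69]=ERR_INVALID_CALL
+# Issuer lookup error
+[70]=ERR_STORE_LOOKUP
+# Certificate transparency
+[71]=ERR_NO_VALID_SCTS
+
+[72]=ERR_PROXY_SUBJECT_NAME_VIOLATION
+# OCSP status errors
+[73]=ERR_OCSP_VERIFY_NEEDED # Need OCSP verification
+[74]=ERR_OCSP_VERIFY_FAILED # Couldn't verify cert through OCSP
+[75]=ERR_OCSP_CERT_UNKNOWN # Certificate wasn't recognized by the OCSP responder
+[76]=ERR_SIGNATURE_ALGORITHM_MISMATCH
+[77]=ERR_NO_ISSUER_PUBLIC_KEY
+[78]=ERR_UNSUPPORTED_SIGNATURE_ALGORITHM
+[79]=ERR_EC_KEY_EXPLICIT_PARAMS
+)
+
+# man 3 libcurl-errors
+declare -A CURLE
+CURLE=(
+[0]=CURLE_OK
+[1]=CURLE_UNSUPPORTED_PROTOCOL
+[2]=CURLE_FAILED_INIT
+[3]=CURLE_URL_MALFORMAT
+[4]=CURLE_NOT_BUILT_IN
+[5]=CURLE_COULDNT_RESOLVE_PROXY
+[6]=CURLE_COULDNT_RESOLVE_HOST
+[7]=CURLE_COULDNT_CONNECT
+[8]=CURLE_WEIRD_SERVER_REPLY
+[9]=CURLE_REMOTE_ACCESS_DENIED
+[10]=CURLE_FTP_ACCEPT_FAILED
+[11]=CURLE_FTP_WEIRD_PASS_REPLY
+[12]=CURLE_FTP_ACCEPT_TIMEOUT
+[13]=CURLE_FTP_WEIRD_PASV_REPLY
+[14]=CURLE_FTP_WEIRD_227_FORMAT
+[15]=CURLE_FTP_CANT_GET_HOST
+[16]=CURLE_HTTP2
+[17]=CURLE_FTP_COULDNT_SET_TYPE
+[18]=CURLE_PARTIAL_FILE
+[19]=CURLE_FTP_COULDNT_RETR_FILE
+[21]=CURLE_QUOTE_ERROR
+[22]=CURLE_HTTP_RETURNED_ERROR
+[23]=CURLE_WRITE_ERROR
+[25]=CURLE_UPLOAD_FAILED
+[26]=CURLE_READ_ERROR
+[27]=CURLE_OUT_OF_MEMORY
+[28]=CURLE_OPERATION_TIMEDOUT
+[30]=CURLE_FTP_PORT_FAILED
+[31]=CURLE_FTP_COULDNT_USE_REST
+[33]=CURLE_RANGE_ERROR
+[34]=CURLE_HTTP_POST_ERROR
+[35]=CURLE_SSL_CONNECT_ERROR
+[36]=CURLE_BAD_DOWNLOAD_RESUME
+[37]=CURLE_FILE_COULDNT_READ_FILE
+[38]=CURLE_LDAP_CANNOT_BIND
+[39]=CURLE_LDAP_SEARCH_FAILED
+[41]=CURLE_FUNCTION_NOT_FOUND
+[42]=CURLE_ABORTED_BY_CALLBACK
+[43]=CURLE_BAD_FUNCTION_ARGUMENT
+[45]=CURLE_INTERFACE_FAILED
+[47]=CURLE_TOO_MANY_REDIRECTS
+[48]=CURLE_UNKNOWN_OPTION
+[49]=CURLE_SETOPT_OPTION_SYNTAX
+[52]=CURLE_GOT_NOTHING
+[53]=CURLE_SSL_ENGINE_NOTFOUND
+[54]=CURLE_SSL_ENGINE_SETFAILED
+[55]=CURLE_SEND_ERROR
+[56]=CURLE_RECV_ERROR
+[58]=CURLE_SSL_CERTPROBLEM
+[59]=CURLE_SSL_CIPHER
+[60]=CURLE_PEER_FAILED_VERIFICATION
+[61]=CURLE_BAD_CONTENT_ENCODING
+[62]=CURLE_LDAP_INVALID_URL
+[63]=CURLE_FILESIZE_EXCEEDED
+[64]=CURLE_USE_SSL_FAILED
+[65]=CURLE_SEND_FAIL_REWIND
+[66]=CURLE_SSL_ENGINE_INITFAILED
+[67]=CURLE_LOGIN_DENIED
+[68]=CURLE_TFTP_NOTFOUND
+[69]=CURLE_TFTP_PERM
+[70]=CURLE_REMOTE_DISK_FULL
+[71]=CURLE_TFTP_ILLEGAL
+[72]=CURLE_TFTP_UNKNOWNID
+[73]=CURLE_REMOTE_FILE_EXISTS
+[74]=CURLE_TFTP_NOSUCHUSER
+[75]=CURLE_CONV_FAILED
+[76]=CURLE_CONV_REQD
+[77]=CURLE_SSL_CACERT_BADFILE
+[78]=CURLE_REMOTE_FILE_NOT_FOUND
+[79]=CURLE_SSH
+[80]=CURLE_SSL_SHUTDOWN_FAILED
+[81]=CURLE_AGAIN
+[82]=CURLE_SSL_CRL_BADFILE
+[83]=CURLE_SSL_ISSUER_ERROR
+[84]=CURLE_FTP_PRET_FAILED
+[85]=CURLE_RTSP_CSEQ_ERROR
+[86]=CURLE_RTSP_SESSION_ERROR
+[87]=CURLE_FTP_BAD_FILE_LIST
+[88]=CURLE_CHUNK_FAILED
+[89]=CURLE_NO_CONNECTION_AVAILABLE
+[90]=CURLE_SSL_PINNEDPUBKEYNOTMATCH
+[91]=CURLE_SSL_INVALIDCERTSTATUS
+[92]=CURLE_HTTP2_STREAM
+[93]=CURLE_RECURSIVE_API_CALL
+[94]=CURLE_AUTH_ERROR
+[95]=CURLE_HTTP3
+[96]=CURLE_QUIC_CONNECT_ERROR
+[98]=CURLE_SSL_CLIENTCERT
+[99]=CURLE_UNRECOVERABLE_POLL
+)
+
+# 20 HTTP response status codes
+declare -A HTTP_RESPONSE
+HTTP_RESPONSE=(
+[100]="Continue"
+[101]="Switching Protocols"
+[103]="Early Hints"
+[200]="OK"
+[201]="Created"
+[202]="Accepted"
+[203]="Non-Authoritative Information"
+[204]="No Content"
+[205]="Reset Content"
+[206]="Partial Content"
+[300]="Multiple Choices"
+[301]="Moved Permanently"
+[302]="Found"
+[303]="See Other"
+[304]="Not Modified"
+[307]="Temporary Redirect"
+[308]="Permanent Redirect"
+[400]="Bad Request"
+[401]="Unauthorized"
+[402]="Payment Required"
+[403]="Forbidden"
+[404]="Not Found"
+[405]="Method Not Allowed"
+[406]="Not Acceptable"
+[407]="Proxy Authentication Required"
+[408]="Request Timeout"
+[409]="Conflict"
+[410]="Gone"
+[411]="Length Required"
+[412]="Precondition Failed"
+[413]="Payload Too Large"
+[414]="URI Too Long"
+[415]="Unsupported Media Type"
+[416]="Range Not Satisfiable"
+[417]="Expectation Failed"
+[418]="Im a teapot"
+[422]="Unprocessable Entity"
+[425]="Too Early"
+[426]="Upgrade Required"
+[428]="Precondition Required"
+[429]="Too Many Requests"
+[431]="Request Header Fields Too Large"
+[451]="Unavailable For Legal Reasons"
+[500]="Internal Server Error"
+[501]="Not Implemented"
+[502]="Bad Gateway"
+[503]="Service Unavailable"
+[504]="Gateway Timeout"
+[505]="HTTP Version Not Supported"
+[506]="Variant Also Negotiates"
+[507]="Insufficient Storage"
+[508]="Loop Detected"
+[510]="Not Extended"
+[511]="Network Authentication Required"
+)
+
+# https://techcommunity.microsoft.com/t5/iis-support-blog/ssl-tls-alert-protocol-and-the-alert-codes/ba-p/377132
+declare -a SSL_ALERT_CODES
+# B.2. Alert Messages
+SSL_ALERT_CODES=(
+[0]="close_notify"
+[10]="unexpected_message"
+[20]="bad_record_mac"
+[21]="decryption_failed_RESERVED"
+[22]="record_overflow"
+[30]="decompression_failure_RESERVED"
+[40]="handshake_failure"
+[41]="no_certificate_RESERVED"
+[42]="bad_certificate"
+[43]="unsupported_certificate"
+[44]="certificate_revoked"
+[45]="certificate_expired"
+[46]="certificate_unknown"
+[47]="illegal_parameter"
+[48]="unknown_ca"
+[49]="access_denied"
+[50]="decode_error"
+[51]="decrypt_error"
+[60]="export_restriction_RESERVED"
+[70]="protocol_version"
+[71]="insufficient_security"
+[80]="internal_error"
+[86]="inappropriate_fallback"
+[90]="user_canceled"
+[100]="no_renegotiation_RESERVED"
+[109]="missing_extension"
+[110]="unsupported_extension"
+[111]="certificate_unobtainable_RESERVED"
+[112]="unrecognized_name"
+[113]="bad_certificate_status_response"
+[114]="bad_certificate_hash_value_RESERVED"
+[115]="unknown_psk_identity"
+[116]="certificate_required"
+[120]="no_application_protocol"
+)
+
+# https://curl.se/docs/ssl-ciphers.html
+
+# openssl
+# https://www.openssl.org/docs/manmaster/man1/openssl-ciphers.html
+
+# https://curl.se/libcurl/c/CURLOPT_SSL_CIPHER_LIST.html
+openssl=openssl
+# CURLOPT_TLS13_CIPHERS --tls13-ciphers
+if [ $openssl = openssl ] ; then
+export CURLOPT_TLS13_CIPHERS="TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_AES_128_GCM_SHA256,TLS_AES_128_CCM_8_SHA256,TLS_AES_128_CCM_SHA256"
+elif [ $openssl = nss ] ; then
+export CURLOPT_TLS13_CIPHERS="aes_128_gcm_sha_256,aes_256_gcm_sha_384,chacha20_poly1305_sha_256"
+fi
+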
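Review bot: `proxy_ami_cloudflared` performs a string-prefix match, not a CIDR membership test: the `sed` strips trailing `.0` octets and the prefix length, so `104.16.0.0/13` becomes the pattern `104.16`, which matches 104.160.x.x (outside the range) and misses 104.17.x.x through 104.23.x.x (inside it), and the unescaped dots in `$nopat` are regex wildcards. `proxy_ami_cloudflared_py` already has the correct test via `ipaddress`, so the shell version should either be dropped or its comment should state that it is only a fast-path approximation consulted before the exact check. Both functions interpolate `$ip` unquoted, into a `[[ =~ ]]` pattern and into a `python3 -c` string respectively, so they should reject anything that is not a dotted quad before using it, e.g. `[[ $ip =~ ^[0-9]{1,3}(\.[0-9]{1,3}){3}$ ]] || return 1` right after the `local ip=$1` line. The `CLOUDFN` array is a July 2022 snapshot per the archive link; a one-line comment on the array saying so would tell a reader it can be stale.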
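--- a/overlay/Linux/usr/local/bin/proxy_daily.bash
+++ b/overlay/Linux/usr/local/bin/proxy_daily.bash
@@ -0,0 +1,55 @@
+#!/bin/bash
+# -*- mode: sh; fill-column: 75; tab-width: 8; coding: utf-8-unix -*-
+
+prog=$( basename $0 .bash )
+. /usr/local/bin/usr_local_tput.bash || exit 2
+PREFIX=/usr/local
+ROLE=proxy
+
+# The idea here is to run ansible_local.bash --tags daily
+# and then use this to do the parsing and throwing errors based on the output.
+# This was the ansible run can be free from erroring and this can be
+# run repeatedly anytime outside of ansible to deal with the issues raised.
+# It is also run at the end of ansible_local.bash --tags daily to raise the issues.
+
+PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
+[ -f /usr/local/etc/testforge/testforge.bash ] && . /usr/local/etc/testforge/testforge.bash
+
+MYID=$( id -u )
+[ $MYID -eq 0 ] || { ERROR $prog must be run as root $MYID ; exit 1 ; }
+
+# . $PREFIX/src/var_local_src.bash
+which ansifilter >/dev/null 2>&1 && ansifilter=ansifilter || ansifilter=cat
+
+ly=daily
+errs=0
+warns=0
+
+elt=proxy
+LOG_DIR=/usr/local/tmp
+ELOG=$LOG_DIR/E${prog}_${ly}$$.log
+WLOG=$LOG_DIR/W${prog}_${ly}$$.log
+OUT=$LOG_DIR/O${prog}_${ly}$$.log
+rm -f $LOG_DIR/*${prog}_${ly}*.log
+
+elt=doctest3
+if [ $MYID -ne 0 ] && [ -f /var/local/bin/testforge_python_doctest3.bash ] ; then
+/var/local/bin/testforge_python_doctest3.bash \
+/var/local/share/doc/txt/proxy3.txt \
+> "$LOG_DIR"/$ly/$elt$$.log 2>> $ELOG || ERROR $elt >> $ELOG
+fi
+
+[ -f $WLOG ] && warns=$( wc -l $WLOG | cut -f 1 -d ' ' )
+[ $? -eq 0 -a $warns -ne 0 ] && \
+WARN "$prog $warns $ly $prog warnings in $WLOG"
+
+[ -f $ELOG ] && errs=$( wc -l $ELOG | cut -f 1 -d ' ' )
+[ $? -eq 0 -a $errs -ne 0 ] && \
+ERROR "$prog $errs $ly $prog errors in $ELOG" && cat $ELOG
+
+[ $errs -eq 0 ] && \
+[ $warns -eq 0 ] && \
+INFO "$prog No $ly errors" && \
+rm -f $WLOG $ELOG $OUT
+
+exit $errs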
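Review bot: The doctest block guarded by `if [ $MYID -ne 0 ] && [ -f /var/local/bin/testforge_python_doctest3.bash ]` can never run, because the earlier `[ $MYID -eq 0 ] || { ERROR ... ; exit 1 ; }` has already exited unless MYID is 0; the condition presumably meant `-eq 0`, or the block belongs to a non-root variant of the script. The log files are created by root under the shared `/usr/local/tmp` with guessable names (`E${prog}_${ly}$$.log`) and `rm -f $LOG_DIR/*${prog}_${ly}*.log` deletes by glob, so a private `LOG_DIR=$( mktemp -d /usr/local/tmp/${prog}.XXXXXX )` would avoid both the collision and writing through a pre-placed link at a predictable path. The doctest redirect also targets `"$LOG_DIR"/$ly/...` while every other log goes to `$LOG_DIR` directly, and nothing creates that subdirectory.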
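--- a/overlay/Linux/usr/local/bin/proxy_dirmngr.bash
+++ b/overlay/Linux/usr/local/bin/proxy_dirmngr.bash
@@ -0,0 +1,64 @@
+#!/bin/bash
+# -*- mode: sh; fill-column: 75; tab-width: 8; coding: utf-8-unix -*-
+
+PREFIX=/usr/local
+ROLE=proxy
+
+. /usr/local/bin/usr_local_base.bash || exit 2
+
+# NO allow-version-check CALLS ANYWAY versions.gnupg.org
+
+# echo "DEBUG: $0 GNUPGHOME=$GNUPGHOME $*" >> /tmp/$$.out
+PROXY_GPG_KEYSERVER=keys.openpgp.org
+
+[ -f /usr/local/etc/testforge/testforge.bash ] && . /usr/local/etc/testforge/testforge.bash >/dev/null
+[ -z "$PROXY_GPG_KEYERVER_URL" ] && PROXY_GPG_KEYERVER_URL=hkps://$PROXY_GPG_KEYSERVER
+
+# ONLY disabling on the command line or
+[ -e /proc/sys/net/ipv6/conf/default/disable_ipv6 ] && \
+[ `cat /proc/sys/net/ipv6/conf/default/disable_ipv6` -eq 0 ] && \
+echo 1 > /proc/sys/net/ipv6/conf/default/disable_ipv6
+
+PROXY_WLAN=$( /usr/local/bin/proxy_ping_lib.bash proxy_set_if ) # || return 1$?
+if [ -n "$PROXY_WLAN" ] ; then
+wlan7=$PROXY_WLAN
+
+[ -e /proc/sys/net/ipv6/conf/$wlan7/disable_ipv6 ] && \
+[ `cat /proc/sys/net/ipv6/conf/$wlan7/disable_ipv6` -eq 0 ] && \
+echo 1 > /proc/sys/net/ipv6/conf/$wlan7/disable_ipv6
+fi
+
+route | grep -q ^default || { ERROR no route ; exit 1; }
+
+[ -z "$USER" ] && USER=$(id -un )
+if [ $USER = root ] ; then
+[ -x /usr/bin/dirmngr -a ! -x /usr/bin/dirmngr.bin ] && \
+mv /usr/bin/dirmngr /usr/bin/dirmngr.bin
+[ -x /usr/bin/dirmngr.bin -a ! -x /usr/bin/dirmngr ] && \
+ln -s /usr/local/bin/proxy_dirmngr.bash /usr/bin/dirmngr
+fi
+
+[ ! -x /usr/bin/dirmngr -o ! -x /usr/bin/dirmngr.bin ] && exit 2
+[ -f /etc/dirmngr/dirmngr.conf ] || exit 3
+[ -x /usr/bin/dirmngr.bin ] || exit 4
+
+[ ! -x /usr/bin/netstat ] || \
+netstat -nlp|grep -q 127.0.0.1:53 || { ERROR no nameserver ; exit 5; }
+[ ! -x /usr/bin/netstat ] || \
+netstat -nlp|grep -q 127.0.0.1:3128 || { ERROR no proxy 3128 ; exit 6; }
+
+# This is not enough: --disable-ipv6
+# --keyserver hkps://keys.gentoo.org is required
+# --http-proxy http://127.0.0.1:3128
+# --keyserver $PROXY_GPG_KEYERVER_URL
+# --no-use-tor is REQUIRED if you are running tor
+# EVEN IF YOU DOT USE use-tor - silent dns failure
+
+exec /usr/bin/dirmngr.bin --server -vvv --debug-all \
+--options /etc/dirmngr/dirmngr.conf \
+--nameserver 127.0.0.1 \
+--disable-ipv6 \
+--disable-ldap \
+--no-use-tor \
+--log-file /var/log/dirmngr.log --debug-level 4 \
+"$@"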
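Review bot: The privilege test `if [ $USER = root ]` trusts the `USER` environment variable, which the caller controls, to decide whether to rename `/usr/bin/dirmngr` and symlink this script in its place; use `if [ "$( id -u )" -eq 0 ] ; then`, as proxy_daily.bash in this commit does, which also keeps `[` from failing when `$USER` is empty and unquoted. The config variable is spelled `PROXY_GPG_KEYERVER_URL` (missing S) in both the default and the comment, so any override in testforge.bash has to reproduce the typo and the value is not actually passed to dirmngr at all; either rename it to match `PROXY_GPG_KEYSERVER` and pass it, or drop it. `--debug-all ... --debug-level 4` writing to `/var/log/dirmngr.log` is wired in unconditionally, and dirmngr's full debug output records every keyserver request it makes; making it opt-in, e.g. `${DIRMNGR_DEBUG:+--debug-all}`, keeps that detail out of the log on a normal run.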
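--- a/overlay/Linux/usr/local/bin/proxy_dirmngr_test.bash
+++ b/overlay/Linux/usr/local/bin/proxy_dirmngr_test.bash
@@ -0,0 +1,63 @@
+#!/bin/sh
+# -*- mode: sh; fill-column: 75; tab-width: 8; coding: utf-8-unix -*-
+
+# Dual Linux or msys64
+
+prog=$( basename $0 .bash )
+ROLE=proxy
+
+PREFIX=/usr/local
+[ -n "$MSYSTEM" ] && EXET=msys || EXET=sh
+
+[ -f $PREFIX/etc/testforge/testforge.bash ] \
+&& . /usr/local/etc/testforge/testforge.bash
+
+# Dual Linux or msys64
+
+PROXIES=""
+if [ -d /etc/pacman.d/gnupg ] ; then
+ROLE=msys64
+HOMEDIR=/etc/pacman.d/gnupg
+# proxy or striaght through
+PROXIES="10.152.152.12"
+elif [ -d /q/Pg64/Msys64/etc/pacman.d/gnupg ] ; then
+ROLE=q
+HOMEDIR=/q/Pg64/Msys64/etc/pacman.d/gnupg
+ppl=/usr/local/bin/proxy_ping_lib.bash
+# /sbin/ifconfig on Debian morons and /bin/ifconfig on Gentoo
+[ "$USER" != root ] && export PATH=/sbin:$PATH
+[ -z "$MODE" ] && MODE=$( $ppl proxy_ping_mode )
+if [ "$MODE" = tor ] ; then
+PROXIES="127.0.0.1:3128"
+elif [ "$MODE" = whonix ] ; then
+PROXIES="10.0.2.15:9128"
+elif [ "$MODE" = gateway ] ; then
+PROXIES="10.0.2.15:9128"
+elif ps ax | grep -q polipo ; then
+PROXIES="127.0.0.1:3128"
+else
+echo ERROR: unknown proxy
+exit 2
+fi
+
+fi
+GPG="gpg --verbose --home $HOMEDIR"
+
+[ -f /etc/dirmngr/dirmngr.conf ] || { echo ERROR: no ^keyserver in /etc/dirmngr/dirmngr.conf ; exit 1 ; }
+
+$GPG --refresh-keys --verbose
+
+ps ax | grep /usr/bin/dirmngr.bin|grep -v grep|sed -e 's/ .*//'|xargs kill
+
+grep '^keyserver hkp' /etc/dirmngr/dirmngr.conf| \
+sed -e 's@keyserver hkp://@@' | \
+while read elt;do
+for proxy in $PROXIES; do
+echo 1 | http_proxy=$proxy $GPG --yes \
+--debug-level guru \
+--keyserver hkp://$elt \
+--search-keys abcdefghij || exit 3$?
+echo INFO: $proxy $elt
+done
+done
+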
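Review bot: `HOMEDIR` is assigned only inside the two `-d` branches, so when neither pacman directory exists `GPG="gpg --verbose --home $HOMEDIR"` is built with an empty value and gpg is invoked with `--home` and no argument; add `[ -n "$HOMEDIR" ] || { echo ERROR: no gnupg homedir found ; exit 2 ; }` before that line. The documented long option is `--homedir` (the .exp script in this commit uses it); `--home` only works if gpg accepts abbreviated options, so spell it out. `ps ax | grep /usr/bin/dirmngr.bin|grep -v grep|sed -e 's/ .*//'|xargs kill` cuts at the first space, and `ps ax` right-aligns the PID column with leading blanks, so short PIDs yield an empty string and `kill` gets no argument; `pkill -f /usr/bin/dirmngr.bin` does the same job without parsing. `ps ax | grep -q polipo` can also match its own grep process, which would make that branch true regardless.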
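--- a/overlay/Linux/usr/local/bin/proxy_dirmngr_test.exp
+++ b/overlay/Linux/usr/local/bin/proxy_dirmngr_test.exp
@@ -0,0 +1,42 @@
+#!/usr/bin/expect --
+# -*- mode: tcl; tab-width: 8; encoding: utf-8-unix -*-
+
+set timeout 60
+
+set elt $env(keyserver)
+
+spawn gpg --verbose \
+--homedir $env(HOMEDIR) \
+--debug-level guru \
+--keyserver hkp://$elt \
+--search-keys $env(KEY_ID)
+
+# keyserver search failed: Not found
+# 0x6923CE7991ABF7338DB1C9AA5F0142A080E4A9A0
+
+expect "1-1*"
+send_user "Sending 1\r"
+send "1\r"
+
+expect -re .+ {
+exp_continue
+} 0x6923CE7991ABF7338DB1C9AA5F0142A080E4A9A0 {
+send_user "Quitting 0x6923CE7991ABF7338DB1C9AA5F0142A080E4A9A0\r"
+exit 0
+} AbCdEfGhIj {
+send_user "Quitting AbCdEfGhIj\r"
+exit 0
+} BYE {
+send_user "Quitting BYE\r"
+exit 0
+} "6923 CE79 91AB F733 8DB1 C9AA 5F01 42A0 80E4 A9A0" {
+send_user "Quitting FP\r"
+exit 0
+} timeout {
+exit 1
+} eof {
+exit 0
+}
+
+
+# expect -r .+ {send "\r"}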
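Review bot: In the final `expect` block the first pattern `-re .+` matches any output at all, and expect tries the listed patterns in order, so the fingerprint, `AbCdEfGhIj`, `BYE` and `"6923 CE79 ..."` branches can never be selected and the loop is only ever left on `timeout` or `eof`; move `-re .+ { exp_continue }` to the end of the pattern list. The `eof` branch exits 0, so a gpg that dies immediately (keyserver unreachable, proxy refused) still reports success; use `eof { catch wait result ; exit [lindex $result 3] }` so gpg's own exit status is propagated. The fingerprint hard-coded in the patterns deserves a comment saying which key and which keyserver the test expects it from, since the comment above it only records an observed failure message.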
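--- a/overlay/Linux/usr/local/bin/proxy_dns_forward.bash
+++ b/overlay/Linux/usr/local/bin/proxy_dns_forward.bash
@@ -0,0 +1,22 @@
+#!/bin/sh
+# -*- mode: sh; tab-width: 8; coding: utf-8-unix -*-
+# https://unix.stackexchange.com/questions/293304/using-netcat-for-port-forwarding
+
+prog=$( basename $0 .bash )
+PREFIX=/usr/local
+ROLE=proxy
+. /usr/local/bin/usr_local_tput.bash || exit 2
+
+netstat -nlpe4 | grep -q 127.0.0.1:53 && {
+ERROR 127.0.0.1:53 already bound
+exit 1
+}
+
+MODE=$( /usr/local/bin/proxy_ping_lib.bash proxy_ping_mode )
+
+if [ "$MODE" = tor -o "$MODE" = gateway -o "$MODE" = selektor ] ; then
+socat -L/run/socat.lck udp-l:53,bind=127.0.0.1,fork,reuseaddr udp:127.0.0.1:9053 >/dev/null
+elif a[ "$MODE" = whonix ] ; then
+socat -L/run/socat.lck udp-l:53,bind=127.0.0.1,fork,reuseaddr udp:10.0.2.2:9053 >/dev/null
+fi
+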
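Review bot: `elif a[ "$MODE" = whonix ] ; then` has a stray `a` glued to the `[`, so the shell looks for a command named `a[`, reports it missing, and the whonix branch is never taken; it should read `elif [ "$MODE" = whonix ] ; then`. The `if` has no `else`, so an empty or unrecognised `MODE` silently does nothing and the script exits 0; an `else ERROR unknown MODE=$MODE ; exit 1` branch would make that visible to whatever starts this forwarder.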
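--- a/overlay/Linux/usr/local/bin/proxy_export.bash
+++ b/overlay/Linux/usr/local/bin/proxy_export.bash
@@ -0,0 +1,166 @@
+#!/bin/bash
+# -*- mode: sh; fill-column: 75; tab-width: 8; coding: utf-8-unix -*-
+
+ROLE=proxy
+#NO prog=proxy_export
+. /usr/local/bin/usr_local_tput.bash || exit 2
+
+[ -f /usr/local/bin/proxy_ping_lib.bash ] || \
+{ ERROR missing /usr/local/bin/proxy_ping_lib.bash ; exit 1; }
+# /sbin/ifconfig on Debian morons and /bin/ifconfig on Gentoo
+
+# [ "$USER" != root ] && export PATH=/sbin:$PATH
+
+## proxy_to_virbr1_15
+proxy_to_virbr1_15 () {
+if ifconfig | grep -q virbr1 ; then
+PROXY_VIREXT_IP=$( ifconfig virbr1 | grep inet | sed -e 's/.*inet //' -e 's/ .*//' )
+[ $? -eq 0 -a -n "$PROXY_VIREXT_IP" ] && \
+PROXY_VIREXT_HOST=$( echo $PROXY_VIREXT_IP | sed -e 's/2$/15/' ) && \
+[ -n "$PROXY_VIREXT_HOST" ] && \
+export no_proxy="localhost,127.0.0.1,$PROXY_VIREXT_HOST" && \
+export https_proxy=http://$PROXY_VIREXT_HOST:9128 && \
+export socks_proxy=socks5://$PROXY_VIREXT_HOST:9050 && \
+export TOR_SOCKS_HOST=$PROXY_VIREXT_HOST && \
+export TOR_SOCKS_PORT=9050
+
+fi
+return 0
+}
+
+## proxy_http_host_httpproxy
+proxy_http_host_httpproxy () {
+if netstat -nle4 | grep -q 127.0.0.1:3128 >/dev/null ; then
+export http_proxy=http://127.0.0.1:3128
+export https_proxy=http://127.0.0.1:3128
+export RSYNC_PROXY=127.0.0.1:3128
+fi
+return 0
+}
+
+proxy_https_host_selektor () { proxy_https_host_tor $* ; }
+proxy_https_host_tor () {
+if netstat -nle4 | grep -q 127.0.0.1:9128 >/dev/null ; then
+export https_proxy=http://127.0.0.1:9128
+fi
+return 0
+}
+
+proxy_socks_host_tor () {
+local file=/etc/tor/torrc
+if [ -f $file ] ; then
+port=`grep -hi ^socksport /etc/tor/torrc /etc/tor/torrc-defaults | sed -e 's/SocksPort //' -e 's/.*://'`
+[ -z "$port" ] && port=9050
+export socks_proxy=socks5://127.0.0.1:$port
+return 0
+else
+[ -n "$DEBUG" ] && [ "$DEBUG" -ne 0 ] && \
+echo >&2 WARN: $prog $file not found
+return 1
+fi
+if netstat -nle4 | grep -q 127.0.0.1:$port >/dev/null ; then
+export socks_proxy=socks5://127.0.0.1:$port
+fi
+return 0
+}
+
+proxy_socks_host_selektor () {
+local file=/var/lib/tor/.SelekTOR/3xx/SelekTOR.xml
+if [ -f $file ] ; then
+port=`grep PREF_LISTENPORT $file | sed -e 's/.*">//' -e 's/<.*//'`
+[ -z "$port" ] && port=9050
+export socks_proxy=socks5://127.0.0.1:$port
+return 0
+else
+[ -n "$DEBUG" ] && [ "$DEBUG" -ne 0 ] && \
+echo >&2 WARN: $prog $file not found
+fi
+return 0
+}
+
+# proxy_export_mode
+proxy_export_mode () {
+ppl=/usr/local/bin/proxy_ping_lib.bash
+
+[ -z "$MODE" ] && MODE=$( $ppl proxy_ping_mode )
+[ -z "$MODE" ] && MODE=host
+
+# $0=bash
+[ -n "$DEBUG" ] && [ "$DEBUG" -ne 0 ] && \
+debug $prog MODE=$MODE ONE=$MODE 0=$0 "$#" "$@"
+
+if [ "$MODE" = from -o "$MODE" = whonix ] ; then
+export no_proxy="localhost,127.0.0.1,10.0.2.15"
+proxy_http_host_httpproxy
+proxy_to_virbr1_15
+
+elif [ "$MODE" = client ] ; then
+# inherit the environment
+proxy_http_host_httpproxy
+proxy_https_host_tor
+proxy_socks_host_tor
+
+elif [ "$MODE" = nat ] ; then
+export no_proxy="localhost,127.0.0.1,10.0.2.2,10.0.2.0/24"
+# get external
+external=`grep external$ /etc/hosts|sed -e 's/ .*//'`
+if [ $? -eq 0 ] && [ -n "$external" ] ; then
+# get the ports and PROXY_MODE of the host
+export socks_proxy=socks5://$external:9050
+export http_proxy=http://$external:3128
+export https_proxy=http://$external:9128
+fi
+
+elif [ "$MODE" = vda -o "$MODE" = workstation ] ; then
+export no_proxy="localhost,127.0.0.1,10.152.152.10"
+export socks_proxy=socks5://10.152.152.10:9050
+proxy_http_host_httpproxy
+export https_proxy=http://10.152.152.10:9128
+
+elif [ "$MODE" = gateway ] ; then
+
+export no_proxy="localhost,127.0.0.1,10.0.2.2,10.0.2.15"
+export socks_proxy=socks5://10.0.2.15:9050
+proxy_http_host_httpproxy
+export https_proxy=http://10.0.2.15:9128
+
+elif [ "$MODE" = selektor ] ; then
+export http_proxy=http://127.0.0.1:3128
+export https_proxy=http://127.0.0.1:9128
+export no_proxy="localhost,127.0.0.1"
+
+proxy_http_host_httpproxy
+proxy_https_host_selektor
+proxy_socks_host_selektor
+
+elif true || [ "$MODE" = to -o "$MODE" = to_tor -o "$MODE" = tor ] ; then
+
+export http_proxy=http://127.0.0.1:3128
+export https_proxy=http://127.0.0.1:9128
+export socks_proxy=http://127.0.0.1:9050
+export no_proxy="localhost,127.0.0.1"
+proxy_http_host_httpproxy
+proxy_https_host_tor
+proxy_socks_host_tor
+fi
+}
+
+# echo $0 $* "$0" = 'tostop' -o
+if [ "$0" = '-bash' -o "$0" = '/bin/bash' -o "$0" = 'bash' ] ; then
+proxy_export_mode
+[ -n "$DEBUG" ] && [ "$DEBUG" -ne 0 ] && \
+env | grep proxy | while read line ; do debug $line ; done
+elif [ -x /usr/bin/basename ] && \
+[ `basename -- "$0"` = 'proxy_export.bash' -o \
+"$( basename -- "`readlink $0`" )" = 'proxy_export.bash' ] ; then
+
+if [ "$#" -eq 1 ] && [ "$1" = '-h' -o "$1" = '--help' ] ; then
+echo USAGE: $0 && grep '^## ' $0 | sed -e 's/^## //'|sort
+
+elif [ "$#" -eq 0 ] || [ "$#" -eq 1 -a $1 = mode ]; then
+set -- proxy_export_mode
+fi
+
+eval "$@"
+exit $?
+fi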
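Review bot: In the catch-all `elif true || ...` branch, `export socks_proxy=http://127.0.0.1:9050` gives the SOCKS port an `http` scheme, while every other branch and `proxy_socks_host_tor` use `socks5://`; `proxy_socks_host_tor` only overrides it when `/etc/tor/torrc` exists, so on a host without that file clients are handed an HTTP proxy URL pointing at a SOCKS listener — change it to `export socks_proxy=socks5://127.0.0.1:9050`. The dispatcher at the bottom runs `eval "$@"` on whatever arguments it receives, although the `--help` output advertises only the `## `-tagged functions as the interface; checking `declare -F "$1" >/dev/null || { ERROR unknown function $1 ; exit 2 ; }` before the `eval` confines it to this file's functions. In `proxy_socks_host_tor` the `netstat` check after the `if/else` is unreachable because both branches `return`, and `port` is set without `local` in both socks helpers, so it leaks into the caller's environment.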
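--- a/overlay/Linux/usr/local/bin/proxy_firewall_start.bash
+++ b/overlay/Linux/usr/local/bin/proxy_firewall_start.bash
@@ -0,0 +1,8 @@
+#!/bin/bash
+# -*-mode: sh; tab-width: 8; coding: utf-8-unix -*-
+
+PREFIX=/usr/local
+ROLE=proxy
+
+. /usr/local/bin/proxy_ping_lib.bash || { echo ERROR: loading /usr/local/bin/proxy_ping_lib.bash ; exit 3; }
+proxy_ping_firewall_restart $*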
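Review bot: `proxy_ping_firewall_restart $*` on the last line re-splits every argument on whitespace and subjects it to globbing before it reaches the firewall code; use `proxy_ping_firewall_restart "$@"` so each argument arrives intact. The script has no root check of its own, so if proxy_ping_lib.bash does not perform one (not visible here) a non-root invocation fails part-way through a firewall restart rather than up front.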
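--- a/overlay/Linux/usr/local/bin/proxy_get_if.bash
+++ b/overlay/Linux/usr/local/bin/proxy_get_if.bash
@@ -0,0 +1,16 @@
+#!/bin/bash
+# -*- mode: sh; tab-width: 8; encoding: utf-8-unix -*-
+
+# on stdout - messages on stderr
+
+prog=$( basename $0 .bash )
+PREFIX=/usr/local
+ROLE=proxy
+
+export PATH=$PATH:/usr/local/bin
+
+PROXY_WLAN=$( /usr/local/bin/proxy_ping_lib.bash proxy_get_if )
+retval=$?
+echo -n $PROXY_WLAN
+
+exit $retval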
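--- a/overlay/Linux/usr/local/bin/proxy_hosts_test.bash
+++ b/overlay/Linux/usr/local/bin/proxy_hosts_test.bash
@@ -0,0 +1,25 @@
+#!/bin/sh
+# -*- mode: sh; fill-column: 75; tab-width: 8; coding: utf-8-unix -*-
+
+# Dual Linux or msys64
+
+prog=$( basename $0 .bash )
+ROLE=proxy
+
+PREFIX=/usr/local
+[ -n "$MSYSTEM" ] && EXET=msys || EXET=sh
+
+. /usr/local/bin/usr_local_tput.bash
+
+[ -f $PREFIX/etc/testforge/testforge.bash ] \
+&& . /usr/local/etc/testforge/testforge.bash
+
+grep -v '#\|127.0.0.1' /etc/hosts | while read ip b ; do
+[ -z "$ip" ] && continue
+[ -z "$b" ] && continue
+dig -x $ip | grep "$b" && \
+INFO $ip $b || \
+WARN $ip $b `dig -x $ip | grep 'IN.*\.'`
+dig $b | grep 'IN.*\.'
+dig @8.8.8.8 $b | grep 'IN.*\.'
+done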
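Review bot: `dig @8.8.8.8 $b` at the end of the loop sends every hostname from /etc/hosts straight to Google's resolver, bypassing the local 127.0.0.1 resolver that the rest of this role enforces (proxy_hourly.bash rewrites /etc/resolv.conf to it), so on a Tor or gateway host it leaks the hostnames and the host's real address in cleartext DNS. Gate it behind an explicit opt-in, e.g. `[ -n "$PROXY_HOSTS_TEST_EXTERNAL" ] && dig @8.8.8.8 $b | grep 'IN.*\.'`, or drop it. The filter `grep -v '#\|127.0.0.1'` also removes any line containing those substrings anywhere (a `127.0.0.10` entry, or a trailing comment), and `$ip`/`$b` are unquoted in the dig calls.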
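--- a/overlay/Linux/usr/local/bin/proxy_hourly.bash
+++ b/overlay/Linux/usr/local/bin/proxy_hourly.bash
@@ -0,0 +1,192 @@
+#!/bin/bash
+# -*- mode: sh; fill-column: 75; tab-width: 8; coding: utf-8-unix -*-
+
+PREFIX=/usr/local
+ROLE=proxy
+DEBUG=1
+
+# The idea here is to run ansible_local.bash --tags daily
+# and then use this to do the parsing and throwing errors based on the output.
+# This was the ansible run can be free from erroring and this can be
+# run repeatedly anytime outside of ansible to deal with the issues raised.
+# It is also run at the end of ansible_local.bash --tags daily to raise the issues.
+
+prog=$( basename $0 .bash )
+. /usr/local/bin/usr_local_tput.bash || exit 2
+PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
+[ -f /usr/local/etc/testforge/testforge.bash ] && \
+. /usr/local/etc/testforge/testforge.bash >/dev/null
+
+PL=/usr/local/bin/proxy_ping_lib.bash
+. $PL
+PL=
+
+[ -z "$USER" ] && USER=$(id -un )
+MYID=$( id -u )
+[ $MYID -eq 0 ] || { ERROR $prog must be run as root $MYID ; exit 1 ; }
+
+# . $PREFIX/src/var_local_src.bash
+which ansifilter >/dev/null 2>&1 && ansifilter=ansifilter || ansifilter=cat
+
+[ -d /dev/virtio-ports ] && ONE_GUEST=1 || ONE_GUEST=0
+
+ly=hourly
+errs=0
+warns=0
+
+elt=proxy
+LOG_DIR=/usr/local/tmp
+ELOG=$LOG_DIR/E${prog}_${ly}$$.log
+WLOG=$LOG_DIR/W${prog}_${ly}$$.log
+OUT=$LOG_DIR/O${prog}_${ly}$$.log
+
+[ -f /usr/local/etc/testforge/testforge.bash ] && \
+. /usr/local/etc/testforge/testforge.bash
+export PATH=$PATH:/usr/local/bin
+
+[ -z "$MODE" ] && MODE=$( $PL proxy_ping_mode )
+[ -n "$DEBUG" ] && echo >&2 DEBUG: $prog $ly MODE=$MODE 0=$0 "$#" "$@"
+[ -z "$MODE" ] && exit 2
+
+# ubuntu / devuan oddball
+route | grep -q 'lo$' || \
+ip route add 127.0.0.0/8 dev lo scope host
+
+/usr/local/bin/proxy_ping_test.bash $MODE 2> $ELOG
+
+if [ $ONE_GUEST -eq 0 ] ; then
+
+IP=`ifconfig |grep -A1 wlan|grep inet|sed -e 's/.*inet //' -e 's/ .*//'`
+# 10.24.216.64
+if [ -n "$IP" ] ; then
+grep -q " external" /etc/hosts && \
+sed -e "s/.* external/$IP external/" -i /etc/hosts || \
+echo "$IP external" >> /etc/hosts
+fi
+
+a=`grep nameserver /etc/resolv.conf | grep -v 'nameserver 127.0.0.1'| wc -l`
+if [ $? -eq 0 -a -n "$a" -a "$a" -gt 0 ] ; then
+/usr/local/bin/base_wall.bash "CRIT: $prog /etc/resolv.conf" `grep nameserver /etc/resolv.conf`
+echo 'nameserver 127.0.0.1' > /etc/resolv.conf
+fi
+
+[ -d $LOG_DIR/ ] || mkdir -p $LOG_DIR/ || true
+find $LOG_DIR/*${prog}_${ly}*.log -ctime +2 -delete || true
+if [ -d /etc/ssl/certs/ ] ; then
+find -L /etc/ssl/certs/ -type l >> $WLOG
+find -L /etc/ssl/certs/ -type l -delete
+else
+WARN /etc/ssl/certs/ missing
+fi
+
+if [ "$MODE" = whonix ] ; then
+[ -n "$BASE_SRC_ANSIBLE" ] || BASE_SRC_ANSIBLE=/g/TestForge/src/ansible
+
+BOX_WHONIX_PROXY_HOST=$( /usr/local/bin/testforge_get_inventory.bash BOX_WHONIX_PROXY_HOST )
+if [ -n "$BOX_WHONIX_PROXY_HOST" ] && \
+which virsh 2>/dev/null >/dev/null && \
+virsh list | grep -q "$BOX_WHONIX_PROXY_HOST" ; then
+# sh proxy_whonix_host_tor.bash whonix
+/usr/local/sbin/proxy_whonix_host.bash proxy_whonix_host_add_block >>$OUT 2>>$ELOG
+fi
+$PL proxy_libvirt_test >$OUT 2>&1
+retval=$?
+[ $retval -gt 1 ] && ERROR $prog proxy_libvirt_test retval=$retval >> $ELOG
+fi
+
+[ -f /etc/firewall.conf ] || {
+ERROR $prog NO FIREWALL /etc/firewall.conf | tee -a $ELOG | \
+xargs /usr/local/bin/base_wall.bash
+}
+ifconfig | grep -q ^wlan
+if [ $? -eq 0 ] ; then
+wlan7=`ifconfig|grep ^wlan|tail -1| sed -e 's/:.*//'`
+grep -q $wlan7 /etc/firewall.conf || {
+ERROR $prog NO $wlan7 in /etc/firewall.conf | tee -a $ELOG | \
+xargs /usr/local/bin/base_wall.bash
+/usr/local/bin/firewall.bash
+}
+fi
+
+[ -f /var/log/privoxy/logfile ] && \
+grep -i fatal /var/log/privoxy/logfile >> $WLOG && \
+echo ERROR: Fatal in /var/log/privoxy/logfile |tee -a $ELOG
+
+if route | grep -q ^def ; then
+$PL proxy_ping_gw_check || {
+ERROR proxy_ping_gw_check >> $ELOG
+}
+$PL proxy_ping_dnsmasq_check || {
+x ERROR proxy_ping_dnsmasq_check >> $ELOG
+}
+$PL proxy_ping_firewall_check || {
+ERROR proxy_ping_firewall_check >> $ELOG
+}
+
+$PL proxy_iptables_save >$OUT 2>&1
+if [ $? -ne 0 ] || ! grep -q DROP $OUT ; then
+ERROR $prog NO FIREWALL - DROP `cat $OUT` | tee -a $ELOG
+/usr/local/bin/base_wall.bash ERROR $prog NO FIREWALL - DROP
+#? /usr/local/bin/proxy_firewall_restore_iptable.bash /etc/firewall.conf
+fi
+$PL proxy_test_dirmngr $OUT || \
+{ retval=$? ; ERROR proxy_test_dirmngr $retval >> $ELOG ; }
+
+if dmesg | grep --text -A 1 'martian' ; then
+dmesg | grep --text -A 1 'martian' | \
+xargs echo WARN: martians >> $WLOG
+dmesg | grep --text -A 1 'martian' | \
+sed -e 's/DST=.*//' -e 's/.*martian_//' -e 's/ OUT=.*SRC=/ /' >> $WLOG
+fi
+
+/usr/local/bin/proxy_ping_test.bash dns || {
+ERROR $prog no dns >> $ELOG ;
+}
+/usr/local/bin/proxy_ping_test.bash 3128 || {
+# can be false
+WARN $prog no 3128 >> $WLOG
+}
+PROXY_WLAN=$( $PL proxy_get_if )
+[ -n "$PROXY_WLAN" -a -f /etc/wicd/wireless-settings.conf ] && \
+ps ax | grep -q wpa_supplicant && \
+grep -A 1 bad$ /etc/wicd/wireless-settings.conf | \
+grep bssid | sed -e 's/.*= //' | \
+while read elt ; do \
+wpa_cli -i "$PROXY_WLAN" blacklist $elt
+done
+
+$PL proxy_ping_firewall_check || \
+/usr/local/bin/base_wall.bash $prog 'CRIT: proxy_ping_firewall_check' retval=$?
+
+fi
+fi
+
+[ -s $OUT ] && grep WARN: $OUT >> $WLOG
+
+if [ -s $ELOG ] ; then
+errs=$( wc -l $ELOG | cut -f 1 -d ' ' )
+if [ $? -eq 0 -a $errs -ne 0 ] ; then
+ERROR $prog $errs $ly $prog errors in $ELOG
+cat $ELOG
+/usr/local/bin/base_wall.bash "ERROR: $prog $errs errors in $ELOG"
+exit $errs
+fi
+fi
+
+[ -f $WLOG ] && warns=`wc -l $WLOG | cut -f 1 -d ' '`
+[ $? -eq 0 -a $warns -ne 0 ] && \
+WARN "$warns $ly $prog warnings in $WLOG"
+
+[ -f $ELOG ] && errs=`wc -l $ELOG | cut -f 1 -d ' '`
+if [ $? -eq 0 -a $errs -ne 0 ] ; then
+ERROR "$errs $ly $prog errors in $ELOG"
+cat $ELOG
+exit $errs
+fi
+
+[ $errs -eq 0 ] && \
+ols_clean_testforge_logs $HARDEN_LOG_DIR && \
+[ $warns -eq 0 ] && \
+INFO "$prog No $ly errors in $HARDEN_LOG_DIR"
+
+exit 0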
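Review bot: `x ERROR proxy_ping_dnsmasq_check >> $ELOG` in the gateway-check block runs a command named `x` (which does not exist) instead of logging, so a failed dnsmasq check never lands in $ELOG and is never counted in errs; drop the stray `x` so the line matches its two siblings. Earlier, `$ELOG` is first written by `proxy_ping_test.bash $MODE 2> $ELOG` well before `[ -d $LOG_DIR/ ] || mkdir -p $LOG_DIR/` runs, so on a host where /usr/local/tmp does not yet exist the redirect fails and that test's output is lost; move the mkdir up beside the `LOG_DIR=` assignment. The three log files are written as root under names that contain only `$$`; if /usr/local/tmp is writable by other accounts (not visible here, confirm its mode) a pre-planted symlink lets another user redirect those writes, so either keep the directory root-only or create the files with `mktemp`. `ps ax | grep -q wpa_supplicant` also matches its own grep process and so is always true.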
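--- a/overlay/Linux/usr/local/bin/proxy_jnettop.bash
+++ b/overlay/Linux/usr/local/bin/proxy_jnettop.bash
@@ -0,0 +1,35 @@
+#!/bin/bash
+# -*- mode: sh; tab-width: 8; encoding: utf-8-unix -*-
+
+prog=$( basename $0 .bash )
+. /usr/local/bin/usr_local_tput.bash || exit 2
+PREFIX=/usr/local
+ROLE=proxy
+
+route | grep -q ^default || exit 0
+
+[ -f $PREFIX/etc/testforge/testforge.bash ] && . /usr/local/etc/testforge/testforge.bash \
+|| { echo >&2 ERROR: $prog "$PREFIX/etc/testforge/testforge.bash" ; exit 1 ; }
+
+error () { retval=$1 ; shift; echo "ERROR: $prog" $* ; exit $retval ; }
+warn () { WARN "$prog " $* ; }
+info () { echo "INFO: $prog " $* ; }
+usage () { echo "USAGE: $prog chroot-dir [command args] -" $* ; exit 1 ; }
+
+# must be run as root
+[ "$( id -u )" -ne "0" ] && error 1 "must be run as root"
+
+PROXY_WLAN=$( /usr/local/bin/proxy_get_if.bash )
+[ $? -eq 0 ] || error 2 " error getting device $?"
+PROXY_WLAN_IP=$( proxy_ping_lib.bash proxy_get_wlan_ip )
+
+LARGS="-i $PROXY_WLAN"
+CONF=/usr/local/etc/jnettop.conf
+if [ -f $CONF ] ; then
+LARGS="$LARGS --config-file $CONF"
+
+# sed -e 's/^#* *interface.*/interface "'$PROXY_WLAN'"/' -i $CONF
+[ -n "$PROXY_WLAN_IP" ] && sed -e 's/"me"\t.*/"me" "net '$PROXY_WLAN_IP'"/' -i $CONF && grep -q $PROXY_WLAN_IP $CONF
+fi
+
+exec jnettop $LARGS $* # 2>/dev/null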
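Review bot: `PROXY_WLAN_IP=$( proxy_ping_lib.bash proxy_get_wlan_ip )` resolves the helper through the caller's PATH while running as root (the root check is two lines above and PATH is never reset in this script), unlike the `/usr/local/bin/proxy_get_if.bash` call just before it; use `/usr/local/bin/proxy_ping_lib.bash proxy_get_wlan_ip`. That value is then spliced unquoted into the `sed ... -i $CONF` expression and into `grep -q $PROXY_WLAN_IP $CONF`, so a sanity check before the sed, e.g. `case $PROXY_WLAN_IP in ''|*[!0-9.]*) error 3 "bad wlan ip: $PROXY_WLAN_IP" ;; esac`, keeps the config edit to a plain dotted quad. The final `exec jnettop $LARGS $*` should pass `"$@"`, and `usage` is defined but never called.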
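--- a/overlay/Linux/usr/local/bin/proxy_libvirt_forward.bash
+++ b/overlay/Linux/usr/local/bin/proxy_libvirt_forward.bash
@@ -0,0 +1,35 @@
+#!/bin/sh
+# -*- mode: sh; tab-width: 8; coding: utf-8-unix -*-
+# https://unix.stackexchange.com/questions/293304/using-netcat-for-port-forwarding
+
+prog=$( basename $0 .bash )
+PREFIX=/usr/local
+ROLE=proxy
+. /usr/local/bin/usr_local_tput.bash || exit 2
+
+if [ ! -d /run/tmp ] ; then
+sudo mkdir /run/tmp
+sudo chown 1777 /run/tmp
+fi
+
+[ -z "$MODE" ] && MODE=$(/usr/local/bin/proxy_ping_lib.bash proxy_ping_mode )
+IP=`grep ' external$' /etc/hosts|sed -e 's/ .*//'`
+retval=$?
+if [ $retval -ne 0 ] || [ -z "$IP" ] ; then
+exit $retval
+fi
+if [ "$MODE" = tor -o "$MODE" = gateway -o "$MODE" = selektor ] ; then
+socat -L/run/socat.lck udp-l:53,bind=$IP,fork,reuseaddr udp:127.0.0.1:9053 >/dev/null || \
+WARN 53,bind=$IP in use
+for elt in 9050 9128 ; do
+netstat -nle4 | grep -q $IP:$elt && {
+ERROR $IP:$elt already bound
+continue # exit 1
+}
+DBUG socat -L/run/tmp/socat$elt.lck tcp-l:$elt,bind=${IP},fork,reuseaddr tcp:127.0.0.1:$elt
+socat -L/run/tmp/socat$elt.lck tcp-l:$elt,bind=${IP},fork,reuseaddr tcp:127.0.0.1:$elt &
+done
+#else
+# WARN $MODE
+#fi
+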
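Review bot: `sudo chown 1777 /run/tmp` is almost certainly meant to be `sudo chmod 1777 /run/tmp`; as written it hands ownership of /run/tmp to whatever account has uid 1777 and leaves the mode at mkdir's default, so the socat lock files below are created in a directory owned by an unrelated uid or not at all. Even with the intended 1777 mode, the fixed names `/run/tmp/socat$elt.lck` can be pre-created by any local user before this script runs, so a root-only directory such as `/run/proxy` (0700) is the safer home for the locks. Separately, the UDP forwarder on the line after the mode test runs in the foreground with no `&`, so whenever its bind succeeds the script blocks there and the 9050/9128 TCP forwarders are never started. Exposing 53/9050/9128 on the external address is this script's purpose, but note that nothing here restricts who can reach them; that rests entirely on the firewall rules maintained elsewhere in the role.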
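--- a/overlay/Linux/usr/local/bin/proxy_libvirt_ga_test.bash
+++ b/overlay/Linux/usr/local/bin/proxy_libvirt_ga_test.bash
@@ -0,0 +1,64 @@
+#!/bin/bash
+
+ROLE=proxy
+MODE=host
+
+#[ $# -eq 0 ] && set -- Whonix-Gateway /bin/cat /proc/cmdline
+[ $# -eq 0 ] && set -- Whonix-Gateway /bin/netstat -lnp4
+[ $# -lt 2 ] && echo USAGE: $0 domain command arguments
+
+HOST=$1
+shift
+CMD=$1
+shift
+# FixMe
+if [ $? -gt 1 ] ; then
+ARGS=""
+elif [ $? -gt 1 ] ; then
+ARGS=`sed -e 's/ /","/g' <<< $@`
+else
+ARGS="$1"
+fi
+
+[ "$HOST" = WWork106 ] && HOST=Whonix-Workstation || true
+[ "$HOST" = WGate106 ] && HOST=Whonix-Gateway || true
+
+echo INFO: $0 $HOST $CMD $ARGS
+
+false && echo DEBUG: virsh qemu-agent-command $HOST \
+'{"execute":"guest-exec", "arguments": {"capture-output": true,"path":"'$CMD'","arg":["'$ARGS'"]}}'
+virsh qemu-agent-command $HOST \
+'{"execute":"guest-exec", "arguments": {"capture-output": true,"path":"'$CMD'","arg":["'$ARGS'"]}}' \
+>/tmp/Q$$.out || exit 1$?
+
+grep -q return /tmp/Q$$.out || exit 2
+pid=`sed -e 's/.*://' -e 's/}.*//' /tmp/Q$$.out`
+[ $? -eq 0 ] || exit 3
+
+# echo DEBUG: virsh qemu-agent-command $HOST \
+# '{"execute":"guest-exec-status", "arguments": {"pid": '$pid'}}'
+virsh qemu-agent-command $HOST \
+'{"execute":"guest-exec-status", "arguments": {"pid": '$pid'}}' \
+>/tmp/R$$.out || exit 4$?
+
+TRIES=10
+i=0
+while [ $i -lt $TRIES ] ; do
+i=`expr $i + 1`
+virsh qemu-agent-command $HOST \
+'{"execute":"guest-exec-status", "arguments": {"pid": '$pid'}}' \
+>/tmp/R$$.out || exit 4$i$?
+grep -q '"exitcode":0' /tmp/R$$.out && break
+sleep 5
+echo DEBUG: $i
+done
+[ $i -lt $TRIES ] || \
+{ echo ERROR: $i no exitcode in /tmp/R$$.out; exit 5 ; }
+
+b64=`sed -e 's/{"return":{"exitcode":0,"out-data":"//' -e 's/",".*//' /tmp/R$$.out`
+[ $? -eq 0 ] || exit 6
+[ -n "$b64" ] || exit 7
+
+echo $b64 | base64 -d -
+rm -f /tmp/{Q,R}$$.out
+exit 0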
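Review bot: The argument handling after the two `shift`s tests `$?` (the exit status of `shift`) instead of `$#`, so both the `if` and `elif` branches under `# FixMe` are dead and `ARGS="$1"` always takes just the first remaining argument; worse, `$CMD` and `$ARGS` are spliced raw into the guest-exec JSON, so an argument containing `"` or `\` either breaks the request or injects additional JSON into what gets executed inside the guest. The rewrite below escapes each argument, emits one quoted array element per argument, quotes `$HOST`, and replaces the predictable `/tmp/Q$$.out`/`/tmp/R$$.out` files (left behind on every early `exit`) with `mktemp` plus a cleanup trap. The `[ $# -lt 2 ]` usage line prints but does not exit, so it should end in `; exit 1`. Note also that the poll loop only breaks on `"exitcode":0`, so a command that exits non-zero inside the guest is reported as "no exitcode" after ten tries.

```bash
# Escape a string for use inside a JSON double-quoted literal.
json_str () { local s=$1 ; s=${s//\\/\\\\} ; s=${s//\"/\\\"} ; printf '"%s"' "$s" ; }

[ $# -lt 2 ] && { echo USAGE: $0 domain command arguments ; exit 1 ; }
HOST=$1 ; shift
CMD=$( json_str "$1" ) ; shift
ARGS=""
for a in "$@" ; do ARGS="$ARGS${ARGS:+,}$( json_str "$a" )" ; done
# … unchanged: HOST aliasing, INFO echo …
QOUT=$( mktemp ) && ROUT=$( mktemp ) || exit 8
trap 'rm -f "$QOUT" "$ROUT"' EXIT
virsh qemu-agent-command "$HOST" \
'{"execute":"guest-exec", "arguments": {"capture-output": true,"path":'"$CMD"',"arg":['"$ARGS"']}}' \
>"$QOUT" || exit 1$?
# … unchanged: pid extraction and guest-exec-status polling, with /tmp/Q$$.out -> "$QOUT" and /tmp/R$$.out -> "$ROUT"; the final rm -f is no longer needed …
```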
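--- a/overlay/Linux/usr/local/bin/proxy_libvirt_hook_network.bash
+++ b/overlay/Linux/usr/local/bin/proxy_libvirt_hook_network.bash
@@ -0,0 +1,42 @@
+#!/bin/bash
+# -*- mode: sh; tab-width: 8; coding: utf-8-unix -*-
+
+# Aruments ignored: dom plugged begin
+# so must be idempotemt - as its called by things it calls?
+
+prog=$( basename $0 .bash )
+[ -z "$TERM" ] || . /usr/local/bin/usr_local_tput.bash || exit 2
+PREFIX=/usr/local
+ROLE=proxy
+[ -z "$USER" ] && USER=$(id -un )
+
+[ -n "$USER" -a "$USER" = root ] && \
+for file in /usr/local/etc/modules-load.d/vda*.conf ; do
+base=$( basename $file )
+[ -e /etc/modules-load.d/$base ] && continue
+cp -p $file /etc/modules-load.d/$base
+done
+
+/etc/init.d/virtlogd status || /etc/init.d/virtlogd start
+/etc/init.d/libvirtd status
+retval=$?
+[ $retval -eq 32 ] && WARN libvirtd crashed - zapping && /etc/init.d/libvirtd zap
+[ $retval -eq 0 ] || /etc/init.d/libvirtd start
+grep "`date +%Y-%m-%d`.* error :" /var/log/libvirt/libvirtd.log
+
+. /usr/local/bin/proxy_ping_lib.bash
+proxy_ping_firewall_restart
+retval=$?
+if [ $retval -eq 0 ] ; then
+[ "$DEBUG" = 1 ] && logger INFO: $prog proxy_ping_firewall_restart $*
+else
+logger ERROR: $prog proxy_ping_firewall_restart retval=$retval $*
+exit $retval
+fi
+
+[ -n "$HTTPPROXY" ] || HTTPPROXY=privoxy
+/etc/init.d/$HTTPPROXY status || /etc/init.d/$HTTPPROXY start
+/etc/init.d/dnsmasq status || /etc/init.d/dnsmasq start
+
+# clean
+exit 0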
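Review bot: `[ -z "$TERM" ] || . /usr/local/bin/usr_local_tput.bash || exit 2` skips loading the message helpers precisely in the environment libvirt runs hooks in (no TERM), yet `WARN` is then called on the `retval -eq 32` line, so the crashed-libvirtd path fails with "WARN: command not found" and the `&&` chain never reaches the `zap`. Add a fallback right after that line: `type WARN >/dev/null 2>&1 || WARN () { logger -s "WARN: $prog $*" ; }`. The script also restarts the firewall as root on every network hook event with the hook's arguments ignored (as the header comment admits), so `proxy_ping_firewall_restart` in proxy_ping_lib.bash (not visible here) must be safe to re-run concurrently with itself; the `grep ... error :` against libvirtd.log only prints to the hook's stdout, which libvirt discards, so either route it through `logger` or drop it.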
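--- a/overlay/Linux/usr/local/bin/proxy_libvirt_hook_qemu.bash
+++ b/overlay/Linux/usr/local/bin/proxy_libvirt_hook_qemu.bash
@@ -0,0 +1,11 @@
+#!/bin/bash
+# -*- mode: sh; tab-width: 8; coding: utf-8-unix -*-
+
+prog=$( basename $0 .bash )
+PREFIX=/usr/local
+ROLE=proxy
+
+logger INFO: $0 $PWD $*
+
+exit 0
+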
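--- a/overlay/Linux/usr/local/bin/proxy_libvirt_lib.bash
+++ b/overlay/Linux/usr/local/bin/proxy_libvirt_lib.bash
@@ -0,0 +1,285 @@
+#!/bin/bash
+# -*- mode: sh; tab-width: 8; coding: utf-8-unix -*-
+
+PREFIX=/usr/local
+ROLE=proxy
+base=proxy_libvirt_lib
+# shellcheck disable=SC2154
+[ -z "$USER" ] && USER=$(id -un )
+# /sbin/ifconfig on Debian morons and /bin/ifconfig on Gentoo
+. /usr/local/bin/usr_local_tput.bash || exit 2
+
+
+. /usr/local/bin/proxy_ping_lib.bash || exit 2
+
+## proxy_libvirt_test_dnsmasq
+proxy_libvirt_test_dnsmasq () { DBUG proxy_libvirt_test_dnsmasq $* ;
+proxy_rc_service libvirtd status </dev/null >/dev/null || {
+DBUG $prog libvirtd not running ; return 0
+}
+
+if ls /var/lib/libvirt/dnsmasq/*conf >/dev/null 2>/dev/null ; then
+dbug $prog checking libvirtd dnsmasq conf
+PROXY_WLAN=$( proxy_get_if )
+retval=$?
+[ $retval -eq 0 -a -n "$PROXY_WLAN" ] || {
+ERROR proxy_get_if empty wlan7 retval=$retval
+return 2$retval
+}
+for elt in bind-interfaces except-interface=$PROXY_WLAN no-dhcp-interface=$PROXY_WLAN ; do
+for file in /var/lib/libvirt/dnsmasq/*conf ; do
+if ! grep -q $elt $file ; then
+[ -f $file.$$ ] || cp -p $file $file.$$
+echo $elt >> $file
+fi
+done
+done
+if ls /var/lib/libvirt/dnsmasq/*conf.$$ >/dev/null 2>/dev/null ; then
+dbug $prog restarting libvirtd dnsmasq conf
+# FixMe: use virsh net-update net-edit
+# ps ax | grep dnsmasq|grep -v grep|while read pid rest ; do kill -HUP $pid; done
+for file in /var/lib/libvirt/dnsmasq/*conf.$$ ; do
+pid=$( grep ^pid-file= $file|sed -e 's/.*=//' )
+[ $? -ne 0 -o -z "$pid" ] && WARN $prog not pid-file in $file && continue
+[ -f $pid ] || dbug $prog no pid-file in $file && continue
+pid=$( cat $pid )
+dbug $prog HUPing libvirtd dnsmasq $pid
+kill -HUP $pid || WARN $prog error killing $file $pid && continue
+done
+fi
+fi
+
+return 0
+}
+
+## proxy_libvirt_clean_virbr1_rules
+proxy_libvirt_clean_virbr1_rules () {
+local line
+proxy_iptables_save | \
+grep -e '-A LIBVIRT_[OUTINP]* -i virbr[12] .* --dport [56][378] -j ACCEPT' | \
+sed -e 's/-A/-D/' | while read line ; do
+proxy_iptables $line
+done
+return 0
+}
+
+## proxy_libvirt_no_autostart
+proxy_libvirt_no_autostart () { DBUG proxy_libvirt_no_autostart $* ;
+proxy_libvirt_hung || return 1
+
+proxy_virsh net-list --autostart | while read n s a p ; do
+[ "$a" = yes ] || continue
+virsh net-autostart $n --disable || { ERROR $prog net-autostart $n --disable ; return 1 ; }
+dbug $prog net-autostart $n --disable
+[ "$s" = active ] || continue
+virsh net-destroy $n || { dbug $prog net-destroy $n ; return 2 ; }
+dbug $prog net-destroy $n
+done
+return 0
+}
+
+## proxy_libvirt_status tests and checks logs - noisy
+proxy_libvirt_status () { proxy_libvirt_status_host $* ; return $? ; }
+proxy_libvirt_status_host () { DBUG proxy_libvirt_status $* ;
+/etc/init.d/virtlogd status >/dev/null || /etc/init.d/virtlogd start || return 1$?
+/etc/init.d/libvirtd status >/dev/null || /etc/init.d/libvirtd start || return 2$?
+
+if ! proxy_rc_service libvirtd status >/dev/null ; then
+DBUG proxy_libvirt_status proxy_rc_service libvirtd start
+proxy_rc_service libvirtd start || return 3$?
+fi
+
+if ! proxy_rc_service libvirtd status >/dev/null ; then
+ERROR proxy_libvirt_status proxy_rc_service libvirtd not started
+return 4
+fi
+if [ ! -e /run/libvirt/libvirt-sock ] ; then
+WARN proxy_libvirt_status no /run/libvirt/libvirt-sock
+fi
+if [ ! -e /run/libvirt/virtlogd-sock ] ; then
+WARN proxy_libvirt_status no /run/libvirt/virtlogd-sock
+fi
+# virtlockd-sock
+
+# shellcheck disable=SC2154
+[ -z "$GATEW_DOM" ] && GATEW_DOM="$( proxy_testforge_get_gateway_dom )"
+if [ -n "$GATEW_DOM" ] ; then
+proxy_libvirt_list | grep -q $GATEW_DOM
+[ $? -ne 0 ] && DBUG proxy_libvirt_status $GATEW_DOM not in virsh list
+#? && return 3
+else
+WARN proxy_libvirt_status null GATEW_DOM
+fi
+return 0
+}
+
+## proxy_libvirt_restart
+proxy_libvirt_restart () { DBUG proxy_libvirt_restart $* ;
+# tests restarts
+
+proxy_libvirt_start || return 3$?
+proxy_libvirt_test || return 4$?
+
+[ -x /etc/libvirt/hooks/network ] || return 7$?
+/etc/libvirt/hooks/network || return 8$?
+
+proxy_ping_firewall_restart
+# /etc/modules-load.d/firewall.conf
+
+return 0
+}
+
+## proxy_libvirt_start_guest
+proxy_libvirt_start_guest () {
+local dire=$1
+
+[ ! -f /etc/init.d/qemu-guest-agent ] && return 0
+proxy_rc_service qemu-guest-agent status >/dev/null \
+|| proxy_rc_service qemu-guest-agent start || return 2$?
+
+return $?
+}
+
+# proxy_libvirt_test_host
+proxy_libvirt_test_host () {
+local dire=$1
+[ -z "$dire" ] && MODE="$( proxy_whonix_mode )" && dire=$MODE
+[ -n "$MODE" ] || MODE=host
+if [ $MODE = tor ] ; then
+proxy_rc_service tor status >/dev/null || \
+{ echo ERROR: $prog tor is not running ; return 2 ; }
+# different for selector
+fi
+$PREFIX/bin/proxy_ping_test.bash to_tor || return 6$?
+return $?
+}
+
+# proxy_libvirt_test_guest
+proxy_libvirt_test_guest () {
+[ -e /dev/virtio-ports/org.qemu.guest_agent.0 ] || \
+echo WARN: /dev/virtio-ports/org.qemu.guest_agent.0 not created
+proxy_rc_service qemu-guest-agent status
+return $?
+}
+
+## proxy_libvirt_status tests and checks logs - noisy
+proxy_libvirt_test () { DBUG proxy_libvirt_test $* ;
+[ -e /dev/virtio-ports ] && proxy_libvirt_test_guest || \
+proxy_libvirt_test_host
+return $?
+}
+
+## proxy_libvirt_status tests and checks logs - noisy
+proxy_libvirt_test_host () { DBUG proxy_libvirt_test_host $* ;
+proxy_libvirt_status || return 1$?
+
+[ -f /var/log/libvirt/libvirtd.log ] && \
+INFO proxy_libvirt_test /var/log/libvirt/libvirtd.log && \
+tail /var/log/libvirt/libvirtd.log
+# shellcheck disable=SC2154
+[ -z "$GATEW_DOM" ] && GATEW_DOM="$( proxy_testforge_get_gateway_dom )"
+if [ -n "$GATEW_DOM" ] ; then
+if [ -f /var/log/libvirt/qemu/$GATEW_DOM.log ] ; then
+INFO proxy_libvirt_test /var/log/libvirt/qemu/$GATEW_DOM.log
+tail /var/log/libvirt/qemu/$GATEW_DOM.log
+else
+WARN proxy_libvirt_test missing /var/log/libvirt/qemu/$GATEW_DOM.log
+fi
+else
+WARN proxy_libvirt_test null GATEW_DOM
+fi
+proxy_libvirt_test_dnsmasq || return 6$?
+
+return 0
+}
+
+## proxy_libvirt_start
+proxy_libvirt_start () { DBUG proxy_libvirt_start $* ;
+proxy_ping_firewall_modules
+proxy_libvirt_hung || return 2
+
+proxy_rc_service libvirtd status >/dev/null 2>/dev/null || \
+proxy_rc_service libvirtd start || return 3$?
+
+return 0
+}
+
+## proxy_libvirt_hung
+proxy_libvirt_hung () { DBUG proxy_libvirt_hung $* ;
+# 1 means hung
+[ -f /etc/init.d/libvirtd ] || return 0
+if [ ! -e /run/libvirt/libvirt-sock ] || ! proxy_rc_service libvirtd status >/dev/null ; then
+INFO proxy_libvirt_hung proxy_rc_service libvirtd start
+proxy_rc_service libvirtd start || return 1
+sleep $DELAY
+fi
+/etc/init.d/libvirtd status 2>/dev/null >/dev/null || return 1
+a=$( /etc/init.d/libvirtd status |grep '├─' |grep -c -v '/usr/s.*bin' )
+# hung processes will hang proxy_virsh list
+[ $? -eq 0 -a $a -gt 1 ] && {
+WARN proxy_libvirt_hung - too many subprocesses $a
+return 1
+}
+# ├─ 820 /usr/sbin/libvirtd
+# ├─ 2221 /usr/sbin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/Whonix-External.conf --leasefile-ro --dhcp-script=/usr/lib/libvirt/libvirt_leaseshelper
+# ├─28153 /bin/sh /etc/libvirt/hooks/network Whonix-External plugged begin -
+# ├─28154 bash /usr/local/bin/proxy_libvirt_hook_network.bash Whonix-External plugged begin -
+return 0
+}
+
+## proxy_libvirt_list
+proxy_libvirt_list () { DBUG proxy_libvirt_list $* ;
+local a
+proxy_libvirt_hung || return 10
+proxy_virsh list
+return $?
+}
+
+## proxy_libvirt_clean_iptables
+proxy_libvirt_clean_iptables () {
+local i int dir dcp prot port
+
+for dir in i ; do
+for int in virbr2 virbr1; do
+dcp=67
+[ $dir = i ] || dcp=68
+for port in 53 $dcp ; do
+[ $dir = i ] && table=INP || table=OUT
+for prot in udp tcp; do
+proxy_iptables_save | grep -q -e "-A LIBVIRT_$table -i $int -p $prot -m $prot --dport $port -j ACCEPT" || continue
+iptables -D LIBVIRT_$table -$dir $int -p $prot -m $prot --dport $port -j ACCEPT || \
+echo WARN: $? -D LIBVIRT_$table -$dir $int -p $prot -m $prot --dport $port -j ACCEPT
+done
+done
+done
+done
+
+for dir in o ; do
+for int in virbr2 virbr1; do
+dcp=68
+[ $dir = o ] || dcp=67
+for port in 53 68 ; do
+table=OUT
+[ $dir = i ] && table=INP
+for prot in udp tcp; do
+proxy_iptables_save | grep -q -e "-A LIBVIRT_$table -i $int -p $prot -m $prot --dport $port -j ACCEPT" || continue
+iptables -D LIBVIRT_$table -$dir $int -p $prot -m $prot --dport $port -j ACCEPT || \
+echo WARN: $? -D LIBVIRT_$table -$dir $int -p $prot -m $prot --dport $port -j ACCEPT
+done
+done
+done
+done
+
+return 0
+}
+
+# DBUG 0=$0
+base=proxy_libvirt_lib
+if [ -x /usr/bin/basename ] && \
+[ $( basename -- "$0" .bash ) = $base \
+-o $( basename -- "$0" .sh ) = $base ] ; then
+[ "$#" -eq 1 ] && [ "$1" = '-h' -o "$1" = '--help' ] && \
+echo USAGE: $0 && grep '^[a-z].*()\|^## ' $0 | sed -e 's/().*//' && exit 0
+"$@"
+exit $?
+fi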
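Review bot: `proxy_libvirt_test_host` is defined twice, and the second definition (the one after `proxy_libvirt_test`) silently replaces the first, so the tor-is-running check and the `$PREFIX/bin/proxy_ping_test.bash to_tor` probe in the first body never execute and `proxy_libvirt_test` on a host only tails logs and patches dnsmasq. Rename the first to something like `proxy_libvirt_test_tor` and call it from the surviving body, e.g. `proxy_libvirt_test_tor || return 7$?` just before `proxy_libvirt_test_dnsmasq || return 6$?`. `proxy_libvirt_hung` runs `sleep $DELAY` with DELAY never assigned in this file, which is a usage error when the variable is empty, and `$prog` appears in messages throughout while only `base` is ever set. In `proxy_libvirt_clean_iptables` the second (output) loop greps for `-i $int` rules but deletes `-o $int`, so its grep never matches the rule it is about to remove, and in `proxy_libvirt_no_autostart` the `return 1`/`return 2` inside the `while read` pipeline only leave the subshell, so the function still returns 0 after a failed net-autostart/net-destroy.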
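--- a/overlay/Linux/usr/local/bin/proxy_nm_wireless_clean.bash
+++ b/overlay/Linux/usr/local/bin/proxy_nm_wireless_clean.bash
@@ -0,0 +1,51 @@
+#!/bin/bash
+# -*-mode: sh; tab-width: 8; coding: utf-8-unix -*-
+
+ROLE=proxy
+prog=$( basename $0 .bash )
+. /usr/local/bin/usr_local_tput.bash
+PREFIX=/usr/local
+
+[ $( id -u ) -eq 0 ] || { ERROR "this must be run as root" ; exit 1 ; }
+
+LOG=/tmp/I$$.log
+JSON=/tmp/I$$.json
+
+. /usr/local/bin/proxy_ping_lib.bash || \
+{ echo ERROR: loading /usr/local/bin/proxy_ping_lib.bash ; exit 3; }
+. /usr/local/bin/usr_local_base.bash || exit 2
+
+PROXY_WLAN=$(route |grep ^def |sed -e 's/.* //') || { echo ERROR: " no route $?" ; exit 4 ; }
+if [ -z "$PROXY_WLAN" ] ; then
+PROXY_WLAN=$( proxy_get_if )
+[ $? -eq 0 ] || { echo ERROR: " error getting device $?" ; exit 5 ; }
+fi
+
+[ -d /etc/NetworkManager/system-connections ] || exit 0
+cd /etc/NetworkManager/system-connections/ || exit 6
+
+pgrep NetworkManager >/dev/null || \
+/etc/init.d/network-manager start # || exit 7
+
+iwlist $PROXY_WLAN scan > $LOG 2>&1 || { echo ERROR: failed iwlist scan ; exit 2 ; }
+
+which yq 2>/dev/null >/dev/null && \
+for file in *.nmconnection; do
+elt=$( basename "$file" .nmconnection )
+grep -q "$elt" "$LOG" || continue
+L=$( cat $LOG | grep -B 5 "$elt" | sed -e 's@/.*@@' -e 's@[=:]@: @' -e 's/.*Addre/- Addre/' -e '/^--\|Frequency:\|Encryption/d' -e 's/^ */ /' | yq 'sort_by(.Quality)|reverse|map(del(.Channel))|.[0:4]'|grep Address|sed -e 's/,/;/' -e 's/ *.Address.: //'|xargs echo|sed -e 's/ //g' )
+[ -z "$L" ] && continue
+sed -e "s@^seen-bssids=.*@seen-bssids=$L@" -i "$file"
+
+grep -q lldp=0 "$file" || echo WARN: nmcli con modify $elt connection.lldp 0
+grep -q llmnr=0 "$file" || echo WARN: nmcli con modify $elt connection.llmnr 0
+grep -q mdns=0 "$file" || echo WARN: nmcli con modify $elt connection.mdns 0
+
+INFO $prog $PWD/$file
+
+done
+rm -f /tmp/I$$.log
+
+[ "$#" -eq 0 ] && exit 0
+[ $1 = connect ] && nmtui-connect
+[ $1 = edit ] && nmtui-edit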
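Review bot: `$L` is built from `iwlist scan` output, i.e. from frames any nearby radio can transmit, and is substituted unvalidated into the `sed -e "s@^seen-bssids=.*@seen-bssids=$L@" -i "$file"` expression that rewrites NetworkManager profiles as root; a value containing `@` or a newline changes the sed program rather than the data. Validate it before the sed: `case $L in ''|*[!0-9A-Fa-f:\;]*) WARN $prog skipping $file bad bssids ; continue ;; esac`. `grep -q "$elt" "$LOG"` treats the profile name as a regex and as a substring, so a profile `home` matches a scan containing `homebrew` and the BSSID rewrite runs against the wrong network; match the quoted ESSID field instead, e.g. `grep -qF -- "ESSID:\"$elt\"" "$LOG"`. `JSON=/tmp/I$$.json` is never used, and the scan is written to the predictable `/tmp/I$$.log` as root, where `mktemp` would be the safer choice.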
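--- a/overlay/Linux/usr/local/bin/proxy_pacman_gpg_test.bash
+++ b/overlay/Linux/usr/local/bin/proxy_pacman_gpg_test.bash
@@ -0,0 +1,55 @@
+#!/bin/sh
+# -*- mode: sh; fill-column: 75; tab-width: 8; coding: utf-8-unix -*-
+
+# Dual Linux or msys64
+
+prog=$( basename $0 .bash )
+ROLE=proxy
+PREFIX=/usr/local
+
+[ -n "$MSYSTEM" ] && EXET=msys || EXET=sh
+
+[ -f $PREFIX/etc/testforge/testforge.bash ] \
+&& . /usr/local/etc/testforge/testforge.bash
+. /usr/local/bin/usr_local_tput.bash || exit 2
+
+PROXIES=""
+if [ -d /etc/pacman.d/gnupg ] ; then
+ROLE=msys64
+HOMEDIR=/etc/pacman.d/gnupg
+# proxy or striaght through
+PROXIES="10.152.152.12"
+elif [ -d /q/Pg64/Msys64/etc/pacman.d/gnupg ] ; then
+ROLE=q
+HOMEDIR=/q/Pg64/Msys64/etc/pacman.d/gnupg
+ppl=/usr/local/bin/proxy_ping_lib.bash
+# /sbin/ifconfig on Debian morons and /bin/ifconfig on Gentoo
+[ "$USER" != root ] && export PATH=/sbin:$PATH
+[ -z "$MODE" ] && MODE=$( $ppl proxy_ping_mode )
+if [ "$MODE" = tor ] ; then
+PROXIES="127.0.0.1:3128"
+elif [ "$MODE" = whonix ] ; then
+PROXIES="10.0.2.15:9128"
+elif [ "$MODE" = gateway ] ; then
+PROXIES="10.0.2.15:9128"
+elif ps ax | grep -q polipo ; then
+PROXIES="127.0.0.1:3128"
+else
+echo ERROR: unknown proxy
+exit 2
+fi
+
+fi
+GPG="gpg --verbose --home $HOMEDIR"
+
+a=`ls $HOMEDIR/private-keys-v1.d/|wc -l`
+if [ $? -ne 0 -o "$a" -eq 0 ] ; then
+ERROR you need a private kepair with $GPG --quick-gen-key
+exit 3
+fi
+
+# shellcheck disable=SC2154
+$GPG --list-keys | grep -B 1 unknown && \
+WARN un-signed keys in pacman && \
+DBUG "$GPG --list-keys 2>/dev/null |grep -B1 unknown|grep '^ ' |while read elt;do \$GPG --edit-key $elt ;done"
+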
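Review bot: The `elif ps ax | grep -q polipo ; then` test in the ROLE=q branch always succeeds because the grep process's own command line contains `polipo`, so the `else` that reports `ERROR: unknown proxy` and exits is unreachable and a host with no proxy running is silently given `PROXIES="127.0.0.1:3128"`; use `elif pgrep -x polipo >/dev/null ; then` (or `grep -q '[p]olipo'`) so the match cannot hit itself. When neither gnupg directory exists `HOMEDIR` is never assigned, so `GPG` expands to `gpg --verbose --home ` and the `ls $HOMEDIR/private-keys-v1.d/` check inspects `/private-keys-v1.d/`; an `else` on the outer `if` such as `else echo ERROR: no pacman gnupg directory ; exit 2` would fail fast with a clear message. The `$? -ne 0` half of the following test only sees `wc`'s exit status, never `ls`'s, so it is not the ls-failure guard it looks like and only the `-eq 0` count check actually fires. `PROXIES` is assigned in every branch but never read in this file, so it is presumably meant to be exported or consumed elsewhere; a one-line comment saying which tool uses it would make that clear.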
1500
overlay/Linux/usr/local/bin/proxy_ping_lib.bash
Executable file
1500
overlay/Linux/usr/local/bin/proxy_ping_lib.bash
Executable file
974
overlay/Linux/usr/local/bin/proxy_ping_test.bash
Executable file
974
overlay/Linux/usr/local/bin/proxy_ping_test.bash
Executable file
@ -0,0 +1,974 @@
|
|||||||
|
#!/bin/bash
|
||||||
|
# -*- mode: sh; tab-width: 8; coding: utf-8-unix -*-
|
||||||
|
|
||||||
|
. /usr/local/bin/usr_local_tput.bash || exit 2
|
||||||
|
PREFIX=/usr/local
|
||||||
|
ROLE=proxy
|
||||||
|
PYVER=3
|
||||||
|
|
||||||
|
# DEBUG=1
|
||||||
|
|
||||||
|
. /usr/local/bin/proxy_ping_lib.bash || \
|
||||||
|
{ ERROR loading /usr/local/bin/proxy_ping_lib.bash ; exit 6; }
|
||||||
|
PL=/usr/local/bin/proxy_libvirt_lib.bash
|
||||||
|
declare -a tests
|
||||||
|
|
||||||
|
which traceroute 2>/dev/null >/dev/null && HAVE_TRACEROUTE=1 || HAVE_TRACEROUTE=0
|
||||||
|
which dig 2>/dev/null >/dev/null && HAVE_DIG=1 || HAVE_DIG=0
|
||||||
|
which nslookup 2>/dev/null >/dev/null && HAVE_NSLOOKUP=1 || HAVE_NSLOOKUP=0
|
||||||
|
which tor-resolve 2>/dev/null >/dev/null && HAVE_TOR_RESOLVE=1 || HAVE_TOR_RESOLVE=0
|
||||||
|
|
||||||
|
[ -z "$prog" ] || prog=proxy_ping_test
|
||||||
|
proxy_ping_get_socks
|
||||||
|
[ -z "$SOCKS_HOST" ] && SOCKS_HOST=127.0.0.1
|
||||||
|
[ -z "$SOCKS_PORT" ] && SOCKS_PORT=9050
|
||||||
|
[ -z "$SOCKS_DNS" ] && SOCKS_DNS=9053
|
||||||
|
HTTPS_PORT=9128
|
||||||
|
HTTPS_HOST=127.0.0.1
|
||||||
|
proxy_ping_get_https
|
||||||
|
[ -z "$HTTPS_HOST" ] && HTTPS_HOST=127.0.0.1
|
||||||
|
HTTP_PORT=3128
|
||||||
|
HTTP_PROXY_HOST=127.0.0.1
|
||||||
|
proxy_ping_get_http
|
||||||
|
[ -z "$HTTP_HOST" ] && HTTP_HOST=127.0.0.1
|
||||||
|
|
||||||
|
[ -f $PREFIX/etc/testforge/testforge.bash ] && \
|
||||||
|
. /usr/local/etc/testforge/testforge.bash >/dev/null || exit 1
|
||||||
|
|
||||||
|
P="BASE_PYTHON${PYVER}_MINOR"
|
||||||
|
PYTHON_MINOR="$(eval echo \$$P)"
|
||||||
|
[ -n "$PYTHON_MINOR" ] || \
|
||||||
|
PYTHON_MINOR=$( python$PYVER --version 2>&1| sed -e 's@^.* @@' -e 's@\.[0-9]*$@@' )
|
||||||
|
[ -n "$PYTHON_MINOR" ] || exit 4
|
||||||
|
|
||||||
|
if [ -z "$LIB" -a -d /usr/lib/python$PYTHON_MINOR ] ; then
|
||||||
|
LIB=lib
|
||||||
|
elif [ -z "$LIB" -a -d /usr/lib64/python$PYTHON_MINOR ] ; then
|
||||||
|
LIB=lib64
|
||||||
|
elif [ -n "$LIB" -a ! -d /usr/$LIB/python$PYTHON_MINOR ] ; then
|
||||||
|
#? ERROR LIB=$LIB but no /usr/$LIB/python$PYTHON_MINOR
|
||||||
|
exit 5
|
||||||
|
fi
|
||||||
|
|
||||||
|
THOPS=40
|
||||||
|
NEEDED_BINS="ping traceroute nmap dig nslookup tor-resolve"
|
||||||
|
NEEDED_SCRIPTS="
|
||||||
|
/usr/local/bin/proxy_ping_lib.bash
|
||||||
|
/usr/local/bin/proxy_ping_test.bash
|
||||||
|
"
|
||||||
|
|
||||||
|
grep -q Debian /etc/os-release
|
||||||
|
DEBIAN=$?
|
||||||
|
TIMEOUT=30
|
||||||
|
[ -n "$GATEW_DOM" ] || GATEW_DOM="$( proxy_testforge_get_gateway_dom )"
|
||||||
|
[ -n "$GATEW_DOM" ] || GATEW_DOM="Whonix-Gateway"
|
||||||
|
|
||||||
|
DNS_HOST1="208.67.220.220"
|
||||||
|
DNS_HOST2="8.8.8.8"ggggg
|
||||||
|
[ -n "$DNS_TARGET" ] || DNS_TARGET=www.whatismypublicip.com # 108.160.151.39
|
||||||
|
[ -n "$HTTP_TARGET" ] || HTTP_TARGET=www.whatismypublicip.com # 108.160.151.39
|
||||||
|
HTTP_TARGET=www.whatismypublicip.com
|
||||||
|
|
||||||
|
# time.nist.gov 132.163.97.3
|
||||||
|
NTP_HOST1=132.163.97.3
|
||||||
|
# pool.ntp.org 78.46.53.2
|
||||||
|
NTP_HOST2=78.46.53.2
|
||||||
|
# --no-check-certificate
|
||||||
|
WGET="wget --tries=1 --max-redirect=0 --timeout=$TIMEOUT -O /dev/null"
|
||||||
|
CURL="curl -o /dev/null $CURL_ARGS"
|
||||||
|
SCURL="/usr/local/bin/scurl.bash --output /dev/null"
|
||||||
|
NSL='nslookup -querytype=A -debug'
|
||||||
|
NETS='netstat -nl4e'
|
||||||
|
ALL=""
|
||||||
|
|
||||||
|
[ -z "$USER" ] && USER=$(id -un )
|
||||||
|
[ $USER = root ] && DMESG_LINES=1 || DMESG_LINES=0
|
||||||
|
[ -n "$PROXY_WLAN" ] || PROXY_WLAN=`proxy_ping_get_wlan`
|
||||||
|
# fixme - required
|
||||||
|
PROXY_WLAN=$( echo $PROXY_WLAN | grep ^wlan |sed -e 's/:.*//' )
|
||||||
|
|
||||||
|
[ -n "$PROXY_WLAN_GW" ] || PROXY_WLAN_GW=`proxy_ping_get_wlan_gw`
|
||||||
|
# fixme - required
|
||||||
|
PROXY_WLAN_GW=$( echo $PROXY_WLAN_GW | grep ^wlan |sed -e 's/:.*//' )
|
||||||
|
MODE=$( proxy_ping_mode )
|
||||||
|
USAGE="$prog without arguments tests the current MODE=$MODE,
|
||||||
|
or 0 to list the tests by number,
|
||||||
|
or one or more of the groups:
|
||||||
|
|
||||||
|
"
|
||||||
|
|
||||||
|
DNS_HOST=$SOCKS_HOST
|
||||||
|
[ -z "$PRIV_BIN_OWNER" ] && PRIV_BIN_OWNER=bin
|
||||||
|
[ -z "$PRIV_BIN_GID" ] && PRIV_BIN_GID=$( grep ^$PRIV_BIN_OWNER /etc/passwd|cut -d: -f 4 )
|
||||||
|
|
||||||
|
## proxy_test_netstat_dns
|
||||||
|
proxy_test_netstat_dns () { DBUG proxy_test_netstat_dns $* ;
|
||||||
|
$NETS | grep -q ":53"
|
||||||
|
retval=$?
|
||||||
|
[ $retval -eq 0 ] && return 0
|
||||||
|
ERROR $prog test=$ARG "${tests[$ARG]}" dns not running
|
||||||
|
[ -z "$ALL" ] && exit $ARG$retval || return 1
|
||||||
|
}
|
||||||
|
|
||||||
|
## proxy_test_traceroute_icmp_gw
|
||||||
|
proxy_test_traceroute_icmp_gw () { DBUG proxy_test_traceroute_icmp_gw $* ;
|
||||||
|
[ -n "$PROXY_WLAN_GW" ] || PROXY_WLAN_GW=`proxy_ping_get_wlan_gw` || return 1
|
||||||
|
traceroute --icmp $PROXY_WLAN_GW
|
||||||
|
retval=$?
|
||||||
|
[ $retval -eq 0 ] && return 0
|
||||||
|
ERROR $prog test=$ARG "${tests[$ARG]}" retval=$retval traceroute --icmp $PROXY_WLAN_GW
|
||||||
|
[ -z "$ALL" ] && exit $ARG$retval || return 1
|
||||||
|
# works
|
||||||
|
GREP="-i icmp"
|
||||||
|
return 0
|
||||||
|
}
|
||||||
|
|
||||||
|
## proxy_test_dig_direct
|
||||||
|
proxy_test_dig_direct () { DBUG proxy_test_dig_direct $* ;
|
||||||
|
|
||||||
|
dig @$DNS_HOST1 pool.ntp.org +timeout=$TIMEOUT >/dev/null
|
||||||
|
retval=$?
|
||||||
|
[ $retval -eq 0 ] && return 0
|
||||||
|
ERROR $prog test=$ARG "${tests[$ARG]}" retval=$retval dig @$DNS_HOST1
|
||||||
|
[ -z "$ALL" ] && exit $ARG$retval || return 1
|
||||||
|
|
||||||
|
INFO $prog test=$ARG "${tests[$ARG]}" dig @$DNS_HOST1
|
||||||
|
# works
|
||||||
|
GREP="53"
|
||||||
|
return 0
|
||||||
|
}
|
||||||
|
|
||||||
|
## proxy_test_curl_firewall_bin
|
||||||
|
proxy_test_curl_firewall_bin () { DBUG proxy_test_curl_firewall_bin $* ;
|
||||||
|
su -c "$CURL -k --noproxy '*' https://$HTTP_TARGET" -s /bin/sh $PRIV_BIN_OWNER >/dev/null
|
||||||
|
retval=$?
|
||||||
|
[ $retval -eq 0 ] && return 0
|
||||||
|
ERROR $prog test=$ARG "${tests[$ARG]}" retval=$retval \
|
||||||
|
su -c "$CURL -k --noproxy '*' https://$HTTP_TARGET" -s /bin/sh $PRIV_BIN_OWNER
|
||||||
|
proxy_iptables_save|tail|grep PTABLES_filter_DROP-o
|
||||||
|
[ -z "$ALL" ] && exit $ARG$retval || return $retval
|
||||||
|
}
|
||||||
|
|
||||||
|
## proxy_ping_curl
|
||||||
|
proxy_ping_curl () { DBUG proxy_ping_curl $* ;
|
||||||
|
local retval
|
||||||
|
timeout -k $TIMEOUT $TIMEOUT $CURL "$@"
|
||||||
|
retval=$?
|
||||||
|
# "DEBUG: wierd failure curl: (35) Encountered end of file"
|
||||||
|
[ $retval -eq 0 -o $retval -eq 35 ] && return 0
|
||||||
|
return $retval
|
||||||
|
}
|
||||||
|
|
||||||
|
## proxy_ping_make_help
|
||||||
|
proxy_ping_make_help () {
|
||||||
|
grep 'tests\[[0-9][0-9]*\]=' /usr/local/bin/proxy_ping_test.bash \
|
||||||
|
> /tmp/proxy_ping_test.hlp
|
||||||
|
return 0
|
||||||
|
}
|
||||||
|
|
||||||
|
## proxy_ping_test_virbr
|
||||||
|
proxy_ping_test_virbr () {
|
||||||
|
local n=$1
|
||||||
|
[ -z "$n" ] && n=1
|
||||||
|
[ -z "$CONN" ] || proxy_whonix_get_conn
|
||||||
|
[ "$CONN" = guest ] && return 0
|
||||||
|
[ -e /proc/sys/net/ipv4/conf/virbr$n ] || return 0
|
||||||
|
proxy_ifconfig virbr$n >/dev/null && return 0
|
||||||
|
return 0
|
||||||
|
}
|
||||||
|
|
||||||
|
## proxy_ping_broken
|
||||||
|
proxy_ping_broken () { DBUG proxy_ping_broken PROXY_WLAN=$PROXY_WLAN $* ;
|
||||||
|
# 0 is true
|
||||||
|
local a=$MODE
|
||||||
|
if [ "$a" = vda -o "$a" = ws ]; then
|
||||||
|
# grep 10.152.152.10 /etc/resolv.conf &&
|
||||||
|
PING_BROKEN=0
|
||||||
|
return 0
|
||||||
|
elif [ "$a" = gateway ]; then
|
||||||
|
PING_BROKEN=0
|
||||||
|
return 0
|
||||||
|
elif [ -z "$PROXY_WLAN_GW" ] ; then
|
||||||
|
PING_BROKEN=0
|
||||||
|
return 0
|
||||||
|
fi
|
||||||
|
|
||||||
|
[ -n "$PING_BROKEN" ] && return $PING_BROKEN
|
||||||
|
|
||||||
|
DBUG $prog proxy_ping_mode=$a PROXY_WLAN=$PROXY_WLAN PROXY_WLAN_GW=$PROXY_WLAN_GW
|
||||||
|
ping -4 -I $PROXY_WLAN -c 1 -W $TIMEOUT $PROXY_WLAN_GW # 10.16.238.1
|
||||||
|
if [ $? -ne 0 ] ; then
|
||||||
|
PING_BROKEN=0
|
||||||
|
else
|
||||||
|
PING_BROKEN=1
|
||||||
|
fi
|
||||||
|
return $PING_BROKEN
|
||||||
|
}
|
||||||
|
|
||||||
|
## proxy_do_ping
|
||||||
|
proxy_do_ping () { DBUG proxy_do_ping $* ;
|
||||||
|
proxy_route_check || { ERROR $prog route not connected ; return 1$? ; }
|
||||||
|
|
||||||
|
proxy_ping_broken && return 0
|
||||||
|
|
||||||
|
[ -n "$PROXY_WLAN" ] || PROXY_WLAN=`proxy_get_if` || {
|
||||||
|
ERROR $prog unable to get wlan $? ; return 2 ;
|
||||||
|
}
|
||||||
|
|
||||||
|
ping -4 -I $PROXY_WLAN -c 1 -W $TIMEOUT $DNS_HOST2 >/tmp/P$$.log 2>&1
|
||||||
|
retval=$?
|
||||||
|
if [ $retval -eq 1 ] ; then
|
||||||
|
# false negatives
|
||||||
|
sleep 4
|
||||||
|
ping -4 -I $PROXY_WLAN -c 1 -W $TIMEOUT $DNS_HOST2 >/tmp/P$$.log 2>&1
|
||||||
|
retval=$?
|
||||||
|
fi
|
||||||
|
[ $retval -lt 1 ] || {
|
||||||
|
ERROR $prog do_ping $PROXY_WLAN retval=$retval
|
||||||
|
rm /tmp/P$$.log
|
||||||
|
PING_BROKEN=0
|
||||||
|
return 3$retval
|
||||||
|
}
|
||||||
|
grep -q ' 0% ' /tmp/P$$.log || \
|
||||||
|
{ ERROR $prog retval=$? test=$1 ping retval=$retval ; rm /tmp/P$$.log ; return 4 ; }
|
||||||
|
PING=1
|
||||||
|
grep 'packet\|bytes from' /tmp/P$$.log
|
||||||
|
rm /tmp/P$$.log
|
||||||
|
return 0
|
||||||
|
}
|
||||||
|
|
||||||
|
proxy_run_as_root () { DBUG proxy_run_as_root $* ;
|
||||||
|
[ $( id -u ) -eq 0 ] && return 0
|
||||||
|
ERROR must be root
|
||||||
|
[ -z "$ALL" ] && exit 9
|
||||||
|
return 1
|
||||||
|
}
|
||||||
|
|
||||||
|
## proxy_test_pretests
|
||||||
|
proxy_test_pretests () {
|
||||||
|
if [ "$1" = panic ] ; then
|
||||||
|
: dont ping on panic
|
||||||
|
proxy_ping_broken || proxy_do_ping || \
|
||||||
|
{ WARN ping failed for panic so skipping ; exit 0 ; }
|
||||||
|
elif [ "$1" = direct -o "$1" = gateway -o "$1" = vda -o "$1" = kick ] ; then
|
||||||
|
proxy_route_test || { ERROR $prog route not connected ; exit 1$? ; }
|
||||||
|
proxy_ping_broken || proxy_do_ping || exit 3$?
|
||||||
|
proxy_ping_test_resolv $MODE ||\
|
||||||
|
{ WARN $prog proxy_ping_test_resolv=$? 'echo nameserver 127.0.0.1 > /etc/resolv.conf' ; exit 4 ; }
|
||||||
|
proxy_ping_firewall_start || { ERROR "proxy_ping_firewall_start ret=$?" ; exit 5 ; }
|
||||||
|
elif [ "$1" = nat ] ; then
|
||||||
|
proxy_route_test || { ERROR $prog route not connected ; exit 1$? ; }
|
||||||
|
else
|
||||||
|
proxy_do_ping || exit 4$?
|
||||||
|
proxy_ping_test_resolv $MODE || \
|
||||||
|
{ WARN "$prog proxy_ping_test_resolv=$? /etc/resolv.conf.$dire" MODE=$MODE
|
||||||
|
exit 4 ; }
|
||||||
|
|
||||||
|
fi
|
||||||
|
return 0
|
||||||
|
}
|
||||||
|
|
||||||
|
## proxy_test_help_args
|
||||||
|
proxy_test_help_args () {
|
||||||
|
declare -a ret=()
|
||||||
|
ret=( $(grep " -.* $1 " /tmp/proxy_ping_test.hlp | \
|
||||||
|
sed -e 's/.=.*//' -e 's/.*tests.//') )
|
||||||
|
echo "${ret[@]}"
|
||||||
|
return 0
|
||||||
|
}
|
||||||
|
|
||||||
|
ALL=0
|
||||||
|
## proxy_ping_test_set_args
|
||||||
|
proxy_ping_test_set_args () {
|
||||||
|
local args="$@"
|
||||||
|
local val="$@"
|
||||||
|
declare -a aret=()
|
||||||
|
rm -f /tmp/proxy_ping_test.hlp
|
||||||
|
[ -f /tmp/proxy_ping_test.hlp ] || proxy_ping_make_help
|
||||||
|
## to_tor - tor with the firewall host side client setup tor server - call tor,dns,ntp in addition
|
||||||
|
[ "$1" = to_tor -o "$1" = test_tor -o "$1" = test_to ] &&
|
||||||
|
aret=( 6 13 16 ) && \
|
||||||
|
! proxy_ping_test_env && WARN to_tor and no proxy in env - use noenv
|
||||||
|
|
||||||
|
## vda - through the Gateway with the firewall - also polipo,panic - uses env
|
||||||
|
[ "$1" = vda ] &&
|
||||||
|
aret=( 35 3 20 ) #
|
||||||
|
## tor - tor with the firewall to test the host side tor server - call to_tor,dns,ntp in addition
|
||||||
|
[ "$1" = tor ] &&
|
||||||
|
aret=( 21 30 20 4 5 36 3 )
|
||||||
|
## kick - open firewall with tor running - call dns,polipo +tor in addition
|
||||||
|
[ "$1" = kick -o "$1" = host ] &&
|
||||||
|
aret=( 24 31 13 16 6 )# 30 24 31 6 13 16
|
||||||
|
## gateway - on the Gateway, trans firewall with tor running - call dns in addition
|
||||||
|
[ "$1" = gateway ] &&
|
||||||
|
aret=( 23 25 4 5 30 24 17 3 21 ) # 31 6 16
|
||||||
|
|
||||||
|
# aliases
|
||||||
|
[ "$1" = "$SOCKS_PORT" ] && set -- socks
|
||||||
|
[ "$1" = "$HTTP_PORT" ] && set -- http
|
||||||
|
[ "$1" = "$HTTPS_PORT" ] && set -- https
|
||||||
|
[ "$1" = "53" ] && set -- dns
|
||||||
|
[ "$1" = "9053" ] && set -- tordns
|
||||||
|
|
||||||
|
[ "$1" = scan ] && set -- iwlist
|
||||||
|
[ "$1" = panic ] && set -- firewall
|
||||||
|
[ "$1" = tor ] && set -- torhost
|
||||||
|
[ "$1" = to_gateway ] && set -- whonix
|
||||||
|
[ "$1" = from_tor ] && set -- whonix
|
||||||
|
[ "$1" = from_gateway ] && set -- gateway
|
||||||
|
[ "$1" = traceroute ] && set -- = trace
|
||||||
|
[ "$1" = connected ] && set -- wifi
|
||||||
|
[ "$1" = clear ] && set -- direct
|
||||||
|
|
||||||
|
# scenarios - modes: nat selektor
|
||||||
|
## nat - through the Gateway via the nat
|
||||||
|
[ "$1" = nat ] && \
|
||||||
|
set -- ping dns socks http https tordns firefail libvirtguest
|
||||||
|
# wifi?
|
||||||
|
[ "$1" = whonix ] && \
|
||||||
|
set -- ping tordns dns socks http https torhost tordns firefail gw
|
||||||
|
[ "$1" = tor ] && \
|
||||||
|
set -- ping tordns dns trace socks http https torhost tordns firefail nmap gw
|
||||||
|
[ "$1" = selektor ] && \
|
||||||
|
set -- ping tordns dns trace socks http https torhost tordns firefail nmap gw
|
||||||
|
[ "$1" = direct -o "$1" = '' ] && \
|
||||||
|
set -- ping dns trace nmap gw
|
||||||
|
|
||||||
|
## all - all tests not stopping on the first error
|
||||||
|
[ "$1" = all ] && ALL=1
|
||||||
|
# aret="${#tests[@]}"
|
||||||
|
|
||||||
|
## gw - test if we are connected to the gateway
|
||||||
|
## torhost - running tor with the firewall
|
||||||
|
## env - from the cmdline with a properly setup env
|
||||||
|
## firefail - test the proxy without env vars to expect failure
|
||||||
|
## http - assumes torhost or whonix and env setup
|
||||||
|
## https - assumes torhost or whonix and env setup
|
||||||
|
## socks - assumes torhost or whonix and env setup
|
||||||
|
## ping - connected routed test the ping to DNS hosts
|
||||||
|
## ntp - ntpdate through the firewall
|
||||||
|
## nmap - nmap sgid through the firewall - does not assume env
|
||||||
|
## iwlist - wlan scan
|
||||||
|
## firewall - test that the firewall blocks
|
||||||
|
## virbr1 - assumes tor or whonix
|
||||||
|
## gateway - ssh to the whonix gateway
|
||||||
|
## trace - traceroute to DNSHOST - icmp is allowed by the firewall, except on vda
|
||||||
|
## wifi - test if we are connected - call scan in addition
|
||||||
|
## libvirthost - hosting a libvirt container
|
||||||
|
## libvirtguest - in a libvirt container
|
||||||
|
## tordns - test 9053 for dns using tor-resolve
|
||||||
|
## dns - dns using tor or the gateway, with the firewall - does not assume env
|
||||||
|
## whonix - whonix to the Gateway with the firewall - also panic - not assume env
|
||||||
|
## whonix - whonix gateway host side client setup with the firewall was from_to## direct - assume no firewall and no proxy - but may work depend on env
|
||||||
|
r
|
||||||
|
for elt in "$@" ; do
|
||||||
|
if [ "$elt" = gw -o "$elt" = '' -o "$elt" = env -o \
|
||||||
|
"$elt" = https -o "$elt" = http -o "$elt" = socks -o "$elt" = dns -o \
|
||||||
|
"$elt" = torhost -o "$elt" = tordns -o "$elt" = whonix -o \
|
||||||
|
"$elt" = libvirthost -o "$elt" = libvirtguest -o "$elt" = virbr1 -o \
|
||||||
|
"$elt" = ping -o "$elt" = trace -o "$elt" = ntp -o "$elt" = nmap -o \
|
||||||
|
"$elt" = iwlist -o "$elt" = firefail -o "$elt" = direct -o \
|
||||||
|
"$elt" = trace -o "$elt" = wifi -o "$elt" = '' -o "$elt" = '' \
|
||||||
|
] ; then
|
||||||
|
aret+=( `proxy_test_help_args $elt` )
|
||||||
|
else
|
||||||
|
WARN unrecognized: $elt >&2
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
|
||||||
|
DBUG "${aret[@]}" >&2
|
||||||
|
echo "${aret[@]}"
|
||||||
|
return 0
|
||||||
|
}
|
||||||
|
|
||||||
|
# -I $PROXY_WLAN -c 1 $DNS_HOST2
|
||||||
|
if [ "$#" = 0 ] ; then
|
||||||
|
# default to mode
|
||||||
|
set -- $MODE
|
||||||
|
fi
|
||||||
|
if [ $1 = '-h' -o $1 = '--help' ] ; then
|
||||||
|
echo USAGE: $USAGE | sed -e 's/[0-9][0-9]*)/\n&/g'
|
||||||
|
grep '^## [a-oq-z]' $0 | sed -e 's/^## / /'
|
||||||
|
exit 0
|
||||||
|
elif [ "$1" = 0 ] ; then
|
||||||
|
INFO $prog PROXY_WLAN=$PROXY_WLAN MODE=$MODE
|
||||||
|
echo 0 help /tmp/proxy_ping_test.hlp
|
||||||
|
[ -f /tmp/proxy_ping_test.hlp ] || proxy_ping_make_help
|
||||||
|
. /tmp/proxy_ping_test.hlp
|
||||||
|
for elt in "${!tests[@]}" ; do
|
||||||
|
echo $elt "${tests[$elt]}"
|
||||||
|
done
|
||||||
|
exit 0
|
||||||
|
elif [[ $1 =~ ^[0-9] ]] ; then
|
||||||
|
: passthrough
|
||||||
|
else
|
||||||
|
set -- `proxy_ping_test_set_args "$@"`
|
||||||
|
DBUG running tests numbered "$@"
|
||||||
|
fi
|
||||||
|
proxy_route_test || { ERROR $prog route not connected ; exit 1$? ; }
|
||||||
|
|
||||||
|
proxy_test_pretests "$1"
|
||||||
|
|
||||||
|
# https://stackoverflow.com/questions/8290046/icmp-sockets-linux/20105379#20105379
|
||||||
|
if [ $( id -u ) -eq 0 ] ; then
|
||||||
|
proxy_ping_chattr
|
||||||
|
fi
|
||||||
|
|
||||||
|
DBUG $prog PROXY_WLAN=$PROXY_WLAN MODE=$MODE $*
|
||||||
|
# $( sysctl net.ipv4.ping_group_range )
|
||||||
|
|
||||||
|
# proxy_iptables_save|grep 216
|
||||||
|
|
||||||
|
while [ "$#" -gt 0 ] ; do
|
||||||
|
# DBUG $prog $1
|
||||||
|
ARG=$1 ; shift
|
||||||
|
|
||||||
|
GREP=""
|
||||||
|
if [ -z "$ARG" ] ; then
|
||||||
|
continue
|
||||||
|
|
||||||
|
elif ! [ "$ARG" -ge 0 ] ; then
|
||||||
|
ERROR $prog called with an unrecognized argument $ARG from $0
|
||||||
|
exit 9
|
||||||
|
|
||||||
|
elif [ $ARG -le 0 ] ; then
|
||||||
|
# do the ping and resov.conf
|
||||||
|
true
|
||||||
|
|
||||||
|
elif [ $ARG -eq 1 ] ; then
|
||||||
|
tests[1]="wget_https_as_user wget ${HTTPS_PORT} - https "
|
||||||
|
[ -n "$https_proxy" ] && LARGS="" || \
|
||||||
|
LARGS="env https_proxy=https://${HTTPS_HOST}:${HTTPS_PORT}"
|
||||||
|
$LARGS $WGET https://$HTTP_TARGET
|
||||||
|
retval=$?
|
||||||
|
if [ $retval -eq 8 -o $retval -eq 0 ] ; then
|
||||||
|
INFO $prog test=$ARG "${tests[$ARG]}"
|
||||||
|
else
|
||||||
|
ERROR $prog test=$ARG "${tests[$ARG]}" retval=$retval test=$ARG
|
||||||
|
[ -z "$ALL" ] && continue
|
||||||
|
fi
|
||||||
|
# works with fix
|
||||||
|
GREP="${HTTPS_PORT}"
|
||||||
|
|
||||||
|
elif [ $ARG -eq 2 ] ; then
|
||||||
|
[ -n "$https_proxy" ] && LARGS="--proxy $https_proxy" || \
|
||||||
|
LARGS="--proxy https://${HTTPS_HOST}:${HTTPS_PORT}"
|
||||||
|
tests[2]="curl_https_as_user curl $LARGS https://$HTTP_TARGET - https "
|
||||||
|
proxy_ping_curl $LARGS https://$HTTP_TARGET >/dev/null || { \
|
||||||
|
retval=$?
|
||||||
|
ERROR $prog test=$ARG "${tests[$ARG]}" retval=$retval curl $LARGS https://$HTTP_TARGET
|
||||||
|
[ -z "$ALL" ] && exit $ARG$retval || continue
|
||||||
|
}
|
||||||
|
INFO $prog test=$ARG "${tests[$ARG]}"
|
||||||
|
# works with fix
|
||||||
|
GREP="${HTTPS_PORT}"
|
||||||
|
|
||||||
|
elif [ $ARG -eq 3 ] ; then
|
||||||
|
tests[3]="curl_socks_virbr1_as_user $SOCKS_HOST $SOCKS_PORT - torhost "
|
||||||
|
# proxy_dest_port_wlan_config || { ERROR DEST=$DEST ; continue ; }
|
||||||
|
|
||||||
|
# curl: (4) A requested feature, protocol or option was not found built-in in this libcurl due to a build-time decision
|
||||||
|
[ $DEBIAN -eq 0 ] && continue
|
||||||
|
|
||||||
|
[ -z "$socks_proxy" ] && socks_proxy=socks5h://${SOCKS_HOST}:$SOCKS_PORT
|
||||||
|
if [ $MODE = whonix ] ; then
|
||||||
|
ssh -o ForwardX11=no user@10.0.2.15 netstat -nl4e| grep 15:$SOCKS_PORT || {
|
||||||
|
retval=$?
|
||||||
|
ERROR ssh -o ForwardX11=no user@10.0.2.15 netstat
|
||||||
|
[ -z "$ALL" ] && exit $ARG$retval || continue ;
|
||||||
|
}
|
||||||
|
socks_proxy=socks5h://${SOCKS_HOST}:$SOCKS_PORT
|
||||||
|
proxy_ping_curl -x $socks_proxy \
|
||||||
|
--interface virbr1 n--dns-interface virbr1 https://$HTTP_TARGET >/dev/null || {
|
||||||
|
retval=$?
|
||||||
|
ERROR $prog test=$ARG "${tests[$ARG]}" retval=$retval curl -x $socks_proxy --interface virbr1 --dns-interface virbr1 https://$HTTP_TARGET
|
||||||
|
[ -z "$ALL" ] && exit $ARG$retval || continue
|
||||||
|
}
|
||||||
|
else
|
||||||
|
socks_proxy=socks5h://${SOCKS_HOST}:$SOCKS_PORT
|
||||||
|
proxy_ping_curl -x $socks_proxy https://$HTTP_TARGET >/dev/null \
|
||||||
|
|| { retval=$? ; ERROR $prog test=$ARG "${tests[$ARG]}" retval=$retval curl ${SOCKS_HOST} $SOCKS_PORT
|
||||||
|
[ -z "$ALL" ] && exit $ARG$retval || continue ; }
|
||||||
|
fi
|
||||||
|
|
||||||
|
INFO $prog test=$ARG "${tests[$ARG]}"
|
||||||
|
# works with user/pass
|
||||||
|
GREP="$SOCKS_PORT"
|
||||||
|
|
||||||
|
elif [ $ARG -eq 4 ] ; then
|
||||||
|
tests[4]="dig_socks_through_as_user @${SOCKS_HOST} -p $SOCKS_DNS www.whatismypublicip.com - tordns "
|
||||||
|
[ $HAVE_DIG = 1 ] || continue
|
||||||
|
if [ $MODE = whonix ] ; then
|
||||||
|
ssh -o ForwardX11=no user@10.0.2.15 netstat -nl4e | grep 15:$SOCKS_DNS
|
||||||
|
fi
|
||||||
|
dig @${SOCKS_HOST} -p $SOCKS_DNS www.whatismypublicip.com +timeout=$TIMEOUT >/dev/null || { \
|
||||||
|
retval=$?
|
||||||
|
WARN $prog test=$ARG "${tests[$ARG]}" retval=$retval dig @${SOCKS_HOST} -p $SOCKS_DNS www.whatismypublicip.com
|
||||||
|
[ -z "$ALL" ] && exit $ARG$retval || continue
|
||||||
|
}
|
||||||
|
INFO $prog test=$ARG "${tests[$ARG]}"
|
||||||
|
# works with fix
|
||||||
|
GREP="$SOCKS_DNS"
|
||||||
|
|
||||||
|
elif [ $ARG -eq 5 ] ; then
|
||||||
|
tests[5]="nslookup_socks_as_user - tordns "
|
||||||
|
[ $HAVE_NSLOOKUP = 1 ] || continue
|
||||||
|
desc="$NSL -port=$SOCKS_DNS www.whatismypublicip.com ${DNS_HOST}"
|
||||||
|
$desc >/dev/null || { \
|
||||||
|
retval=$?
|
||||||
|
WARN $prog test=$ARG "${tests[$ARG]}" retval=$retval $desc
|
||||||
|
[ -z "$ALL" ] && exit $ARG$retval || continue
|
||||||
|
}
|
||||||
|
INFO $prog test=$ARG "${tests[$ARG]}" $desc
|
||||||
|
# works with fix
|
||||||
|
GREP="$SOCKS_DNS"
|
||||||
|
|
||||||
|
elif [ $ARG -eq 6 ] ; then
|
||||||
|
proxy=`proxy_ping_get_https`
|
||||||
|
desc="curl --proxy http://${proxy}"
|
||||||
|
tests[6]="curl_https_as_user - https "
|
||||||
|
proxy_ping_curl --proxy http://${proxy} \
|
||||||
|
--proxy-insecure https://$HTTP_TARGET || { \
|
||||||
|
retval=$?
|
||||||
|
WARN $prog test=$ARG "${tests[$ARG]}" retval=$retval $desc
|
||||||
|
[ -z "$ALL" ] && exit $ARG$retval || continue
|
||||||
|
}
|
||||||
|
INFO $prog test=$ARG "${tests[$ARG]}" $desc
|
||||||
|
# works
|
||||||
|
GREP="$HTTP_PORT"
|
||||||
|
|
||||||
|
elif [ $ARG -eq 7 ] ; then
|
||||||
|
tests[8]="traceroute_icmp_dns_as_root --icmp - trace "
|
||||||
|
[ $USER = root ] || continue
|
||||||
|
[ -n "$PROXY_WLAN" ] || proxy_get_if || continue
|
||||||
|
[ $HAVE_TRACEROUTE = 1 ] || continue
|
||||||
|
traceroute -i $PROXY_WLAN --icmp $DNS_TARGET -m $THOPS || { \
|
||||||
|
retval=$?
|
||||||
|
ERROR $retval traceroute --icmp -m $THOPS
|
||||||
|
[ -z "$ALL" ] && exit 7$retval
|
||||||
|
}
|
||||||
|
INFO $prog test=$ARG "${tests[$ARG]}"
|
||||||
|
GREP="-i icmp"
|
||||||
|
|
||||||
|
elif [ $ARG -eq 8 ] ; then
|
||||||
|
tests[8]="traceroute_tcp_dns_as_root -i $PROXY_WLAN -p 53 -T4 - trace "
|
||||||
|
[ $USER = root ] || continue
|
||||||
|
[ -n "$PROXY_WLAN" ] || proxy_get_if || continue
|
||||||
|
[ $HAVE_TRACEROUTE = 1 ] || continue
|
||||||
|
traceroute -i $PROXY_WLAN -p 53 -T4 $DNS_TARGET -m $THOPS || { \
|
||||||
|
retval=$?
|
||||||
|
WARN $prog test=$ARG "${tests[$ARG]}" retval=$retval traceroute -T4 -p 53 -m $THOPS
|
||||||
|
[ -z "$ALL" ] && exit $ARG$retval || continue
|
||||||
|
}
|
||||||
|
INFO $prog test=$ARG "${tests[$ARG]}"
|
||||||
|
GREP="53"
|
||||||
|
|
||||||
|
elif [ $ARG -eq 9 ] ; then
|
||||||
|
tests[9]="traceroute_icmp_dns_as_user -p 53 - trace "
|
||||||
|
[ $USER = root ] || continue
|
||||||
|
[ -n "$PROXY_WLAN" ] || proxy_get_if || continue
|
||||||
|
[ $HAVE_TRACEROUTE = 1 ] || continue
|
||||||
|
traceroute -i $PROXY_WLAN --icmp $DNS_TARGET -p 53 -m $THOPS || { \
|
||||||
|
retval=$?
|
||||||
|
WARN $prog test=$ARG "${tests[$ARG]}" retval=$retval traceroute -i $PROXY_WLAN --icmp -m $THOPS
|
||||||
|
[ -z "$ALL" ] && exit $ARG$retval || continue
|
||||||
|
}
|
||||||
|
INFO $prog test=$ARG "${tests[$ARG]}"
|
||||||
|
GREP="53"
|
||||||
|
|
||||||
|
elif [ $ARG -eq 10 ] ; then
|
||||||
|
tests[10]="wget_http_as_user $HTTP_PORT - http "
|
||||||
|
proxy=`proxy_ping_get_http`
|
||||||
|
env http_proxy=http://${proxy} \
|
||||||
|
$WGET -S http://$HTTP_TARGET 2>/dev/null
|
||||||
|
retval=$?
|
||||||
|
# 8 is an oddball
|
||||||
|
if [ $retval -eq 8 -o $retval -eq 0 ] ; then
|
||||||
|
INFO $prog test=$ARG "${tests[$ARG]}" wget $HTTP_PORT
|
||||||
|
else
|
||||||
|
WARN $prog test=$ARG "${tests[$ARG]}" retval=$retval wget $HTTP_PORT
|
||||||
|
[ -z "$ALL" ] && exit $ARG$retval || continue
|
||||||
|
fi
|
||||||
|
GREP="$HTTP_PORT"
|
||||||
|
|
||||||
|
elif [ $ARG -eq 11 ] ; then
|
||||||
|
tests[11]="curl_https_as_user - https "
|
||||||
|
proxy=`proxy_ping_get_https`
|
||||||
|
proxy_ping_curl --proxy http://${proxy} \
|
||||||
|
--proxy-insecure https://$HTTP_TARGET || { \
|
||||||
|
retval=$?
|
||||||
|
ERROR $prog test=$ARG "${tests[$ARG]}" retval=$retval curl $HTTP_PORT
|
||||||
|
[ -z "$ALL" ] && exit $ARG$retval || continue
|
||||||
|
}
|
||||||
|
INFO $prog test=$ARG "${tests[$ARG]}"
|
||||||
|
GREP="$HTTP_PORT"
|
||||||
|
|
||||||
|
elif [ $ARG -eq 12 ] ; then
|
||||||
|
tests[12]="nmap_dns_as_root --privileged --send-eth -Pn -sU -p U:53 $DNS_HOST1 - nmap direct "
|
||||||
|
[ $USER = root ] || continue
|
||||||
|
which nmap 2>/dev/null >/dev/null || continue
|
||||||
|
[ -z "$DNS_HOST1" ] && DNS_HOST1="208.67.220.220"
|
||||||
|
nmap --privileged --send-eth -Pn -sU -p U:53 "$DNS_HOST1" || { \
|
||||||
|
retval=$?
|
||||||
|
ERROR $prog test=$ARG "${tests[$ARG]}" retval=$retval nmap 53
|
||||||
|
[ -z "$ALL" ] && exit $ARG$retval || continue
|
||||||
|
}
|
||||||
|
INFO $prog test=$ARG "${tests[$ARG]}"
|
||||||
|
# works
|
||||||
|
GREP="53"
|
||||||
|
|
||||||
|
elif [ $ARG -eq 13 ] ; then
|
||||||
|
tests[13]="curl_firewall_bin - wifi "
|
||||||
|
[ $USER = root ] || continue
|
||||||
|
proxy_test_curl_firewall_bin || continue
|
||||||
|
INFO $prog test=$ARG "${tests[$ARG]}" curl bin
|
||||||
|
# works
|
||||||
|
GREP="443"
|
||||||
|
|
||||||
|
elif [ $ARG -eq 14 ] ; then
|
||||||
|
tests[14]="traceroute_icmp_gw_as_root --icmp $PROXY_WLAN_GW - gw wifi "
|
||||||
|
[ $USER = root ] || continue
|
||||||
|
[ $HAVE_TRACEROUTE = 1 ] || continue
|
||||||
|
proxy_test_traceroute_icmp_gw || continue
|
||||||
|
# works
|
||||||
|
INFO $prog test=$ARG "${tests[$ARG]}"
|
||||||
|
GREP="-i icmp"
|
||||||
|
|
||||||
|
elif [ $ARG -eq 15 ] ; then
|
||||||
|
tests[15]="test_dig_direct - direct "
|
||||||
|
[ $HAVE_DIG = 1 ] || continue
|
||||||
|
proxy_test_dig_direct || continue
|
||||||
|
INFO $prog test=$ARG "${tests[$ARG]}" proxy_test_dig_direct
|
||||||
|
|
||||||
|
elif [ $ARG -eq 16 ] ; then
|
||||||
|
tests[16]="nslookup_as_root nslookup $PRIV_BIN_OWNER - torhost "
|
||||||
|
[ $USER = root ] || continue
|
||||||
|
[ $HAVE_NSLOOKUP = 1 ] || continue
|
||||||
|
su -c "$NSL $DNS_TARGET $DNS_HOST1" -s /bin/sh $PRIV_BIN_OWNER >/dev/null || { \
|
||||||
|
retval=$?
|
||||||
|
ERROR $prog test=$ARG "${tests[$ARG]}" retval=$retval "$NSL $DNS_TARGET $DNS_HOST1" -s /bin/sh $PRIV_BIN_OWNER
|
||||||
|
[ -z "$ALL" ] && exit $ARG$retval || continue
|
||||||
|
}
|
||||||
|
INFO $prog test=$ARG "${tests[$ARG]}"
|
||||||
|
# works /fails but maybe a noop
|
||||||
|
GREP="53"
|
||||||
|
|
||||||
|
elif [ $ARG -eq 17 ] ; then
|
||||||
|
tests[17]="ntpdate_as_root ntpdate without service - ntp "
|
||||||
|
proxy_run_as_root || exit 9
|
||||||
|
[ -x /usr/sbin/ntpdate ] || continue
|
||||||
|
# Curious: even though sgid 2755 ntp it fails as su ntp
|
||||||
|
# 12 Nov 23:28:35 ntpdate[17341]: bind() fails: Permission denied
|
||||||
|
/usr/sbin/ntpdate "$NTP_HOST1" || { \
|
||||||
|
retval=$?
|
||||||
|
ERROR $prog test=$ARG "${tests[$ARG]}" retval=$retval ntpdate
|
||||||
|
[ -z "$ALL" ] && exit $ARG$retval || continue
|
||||||
|
}
|
||||||
|
INFO $prog test=$ARG "${tests[$ARG]}"
|
||||||
|
GREP="123"
|
||||||
|
elif [ $ARG -eq 18 ] ; then
|
||||||
|
tests[18]="ntpdate_as_root ntpdate with servie - ntp "
|
||||||
|
proxy_run_as_root || exit 9
|
||||||
|
proxy_rc_service ntpd status >/dev/null && \
|
||||||
|
proxy_rc_service ntpd stop >/dev/null && sleep 2
|
||||||
|
/usr/sbin/ntpdate $NTP_HOST1 || { \
|
||||||
|
retval=$?
|
||||||
|
ERROR $prog test=$ARG "${tests[$ARG]}" retval=$retval ntpdate
|
||||||
|
[ -z "$ALL" ] && exit $ARG$retval || continue
|
||||||
|
}
|
||||||
|
INFO $prog test=$ARG "${tests[$ARG]}"
|
||||||
|
# works
|
||||||
|
proxy_rc_service ntpd status >/dev/null || proxy_rc_service ntpd start
|
||||||
|
GREP="123"
|
||||||
|
elif [ $ARG -eq 19 ] ; then
|
||||||
|
tests[19]="curl_noproxy_http_as_user curl raw noproxy - firefail "
|
||||||
|
proxy_ping_curl --noproxy "'*.*'" --connect-timeout $TIMEOUT \
|
||||||
|
http://$HTTP_TARGET >/dev/null && {
|
||||||
|
retval=$?
|
||||||
|
ERROR PANIC: $prog test=$ARG "${tests[$ARG]}" curl raw --noproxy
|
||||||
|
[ -z "$ALL" ] && exit $ARG$retval || continue
|
||||||
|
}
|
||||||
|
INFO $prog test=$ARG "${tests[$ARG]}"
|
||||||
|
GREP=80
|
||||||
|
|
||||||
|
elif [ $ARG -eq 20 ] ; then
|
||||||
|
tests[20]="curl_socksproxy_as_user curl $SOCKS_PORT - socks "
|
||||||
|
# needs dns
|
||||||
|
[ $DEBIAN -eq 0 ] && continue
|
||||||
|
|
||||||
|
socks_proxy=socks5h://${SOCKS_HOST}:$SOCKS_PORT
|
||||||
|
proxy_ping_curl -x $socks_proxy https://$HTTP_TARGET >/dev/null \
|
||||||
|
|| { retval=$? ; ERROR $prog test=$ARG "${tests[$ARG]}" retval=$retval curl $SOCKS_PORT
|
||||||
|
[ -z "$ALL" ] && exit $ARG$retval || continue
|
||||||
|
}
|
||||||
|
INFO $prog test=$ARG "${tests[$ARG]}"
|
||||||
|
# works with user/pass
|
||||||
|
GREP="$SOCKS_PORT"
|
||||||
|
|
||||||
|
elif [ $ARG -eq 21 ] ; then
|
||||||
|
tests[21]="curl_httpsproxy_as_user - https "
|
||||||
|
[ -z "$https_proxy" ] && https_proxy=http://${HTTPS_PROXY_HOST}:${HTTPS_PORT}
|
||||||
|
proxy_ping_curl -x $https_proxy https://$HTTP_TARGET >/dev/null || { \
|
||||||
|
if [ "$MODE" = gateway ] ; then
|
||||||
|
WARN $prog test=$ARG "${tests[$ARG]}" retval=$retval curl ${HTTPS_HOST} ${HTTPS_PORT}
|
||||||
|
continue
|
||||||
|
else
|
||||||
|
ERROR $prog test=$ARG "${tests[$ARG]}" retval=$retval curl ${HTTPS_HOST} HTTPS_PORT=${HTTPS_PORT}
|
||||||
|
[ -z "$ALL" ] && exit $ARG$retval || continue
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
INFO $prog test=$ARG "${tests[$ARG]}" curl ${HTTPS_HOST} ${HTTPS_PORT}
|
||||||
|
GREP="${HTTPS_PORT}"
|
||||||
|
|
||||||
|
elif [ $ARG -eq 22 ] ; then
|
||||||
|
tests[22]="iwlist_scan_as_user iwlist $PROXY_WLAN scan - iwlist "
|
||||||
|
[ $USER = root ] || continue
|
||||||
|
which iwlist 2>/dev/null || continue
|
||||||
|
[ -n "$PROXY_WLAN" ] || proxy_get_if || continue
|
||||||
|
iwlist $PROXY_WLAN scan >/dev/null || {
|
||||||
|
ERROR $prog retval=$? test=$ARG $PROXY_WLAN scan
|
||||||
|
[ -z "$ALL" ] && exit $ARG$1 || continue
|
||||||
|
}
|
||||||
|
INFO $prog test=$ARG "${tests[$ARG]}"
|
||||||
|
# works
|
||||||
|
|
||||||
|
elif [ $ARG -eq 23 ] ; then
|
||||||
|
tests[23]="curl_proxy_as_user - direct "
|
||||||
|
proxy_ping_curl --insecure https://$HTTP_TARGET >/dev/null || { \
|
||||||
|
retval=$?
|
||||||
|
ERROR $prog test=$ARG "${tests[$ARG]}" retval=$retval curl direct
|
||||||
|
[ -z "$ALL" ] && exit $ARG$retval || continue
|
||||||
|
}
|
||||||
|
INFO $prog test=$ARG "${tests[$ARG]}"
|
||||||
|
|
||||||
|
elif [ $ARG -eq 24 ] ; then
|
||||||
|
tests[24]="dig_direct_or_dnsmasq dig -b $IP www.whatismypublicip.com - direct "
|
||||||
|
[ $HAVE_DIG = 1 ] || continue
|
||||||
|
[ -n "$PROXY_WLAN" -a -n "$IP" ] || proxy_ping_get_wlan_gw || continue
|
||||||
|
[ -n "$IP" ] || continue
|
||||||
|
dig -b $IP www.whatismypublicip.com +timeout=$TIMEOUT >/dev/null || { \
|
||||||
|
retval=$?
|
||||||
|
WARN $prog test=$ARG "${tests[$ARG]}" retval=$retval dig -b $IP
|
||||||
|
[ -z "$ALL" ] && exit $ARG$retval || continue
|
||||||
|
}
|
||||||
|
INFO $prog test=$ARG "${tests[$ARG]}" dig -b $IP
|
||||||
|
|
||||||
|
elif [ $ARG -eq 25 ] ; then
|
||||||
|
tests[25]="nslookup_as_user - direct "
|
||||||
|
[ $HAVE_NSLOOKUP = 1 ] || continue
|
||||||
|
# noenv with or without proxy
|
||||||
|
# @$DNS_HOST1 should fail for firewall unless dnsmasq is working
|
||||||
|
$NSL >/dev/null www.whatismypublicip.com || { \
|
||||||
|
retval=$?
|
||||||
|
WARN $prog test=$ARG "${tests[$ARG]}" retval=$retval nslookup www.whatismypublicip.com
|
||||||
|
[ -z "$ALL" ] && exit $ARG$retval || continue
|
||||||
|
}
|
||||||
|
INFO $prog test=$ARG "${tests[$ARG]}" nslookup
|
||||||
|
|
||||||
|
elif [ $ARG -eq 26 ] ; then
|
||||||
|
tests[26]="route_connected_ping_scan - direct "
|
||||||
|
[ $HAVE_DIG = 1 ] || continue
|
||||||
|
#? proxy_test_pretests
|
||||||
|
proxy_do_ping && \
|
||||||
|
INFO $prog test=$ARG "${tests[$ARG]}" retval=$retval dig -b $IP || \
|
||||||
|
WARN $prog test=$ARG "${tests[$ARG]}" retval=$retval dig -b $IP
|
||||||
|
|
||||||
|
elif [ $ARG -eq 27 ] ; then
|
||||||
|
tests[27]="dns_as_user dig -b 127.0.0.1 - direct "
|
||||||
|
[ $HAVE_DIG = 1 ] || continue
|
||||||
|
[ -n "$PROXY_WLAN" -a -n "$IP" ] || proxy_ping_get_wlan_gw || continue
|
||||||
|
dig -b 127.0.0.1 www.whatismypublicip.com +timeout=$TIMEOUT >/dev/null || { \
|
||||||
|
retval=$?
|
||||||
|
WARN $prog test=$ARG "${tests[$ARG]}" retval=$retval dig -b $IP
|
||||||
|
[ -z "$ALL" ] && exit $ARG$retval || continue
|
||||||
|
}
|
||||||
|
INFO $prog test=$ARG "${tests[$ARG]}"
|
||||||
|
|
||||||
|
elif [ $ARG -eq 28 ] ; then
|
||||||
|
tests[28]="wget_as_user - direct "
|
||||||
|
proxy_ping_test_env || { WARN $prog test=$ARG "${tests[$ARG]}" no proxy in env ; }
|
||||||
|
$WGET -S https://$HTTP_TARGET 2>/dev/null
|
||||||
|
retval=$?
|
||||||
|
if [ $retval -eq 8 -o $retval -eq 0 ] ; then
|
||||||
|
INFO $prog test=$ARG "${tests[$ARG]}" wget
|
||||||
|
else
|
||||||
|
ERROR $prog test=$ARG "${tests[$ARG]}" retval=$retval wget
|
||||||
|
[ -z "$ALL" ] && exit $ARG$retval || continue
|
||||||
|
fi
|
||||||
|
|
||||||
|
elif [ $ARG -eq 29 ] ; then
|
||||||
|
tests[29]="curl_as_user - direct "
|
||||||
|
proxy_ping_test_env || { WARN $prog test=$ARG "${tests[$ARG]}" no proxy in env ; }
|
||||||
|
proxy_ping_curl https://$HTTP_TARGET >/dev/null || { \
|
||||||
|
retval=$?
|
||||||
|
ERROR $prog test=$ARG "${tests[$ARG]}" retval=$retval curl
|
||||||
|
[ -z "$ALL" ] && exit $ARG$retval || continue
|
||||||
|
}
|
||||||
|
INFO $prog test=$ARG "${tests[$ARG]}"
|
||||||
|
|
||||||
|
elif [ $ARG -eq 30 ] ; then
|
||||||
|
tests[30]="tor_bootstrap_check_as_root tor_bootstrap_check.py - torhost "
|
||||||
|
[ $MODE = tor -o $MODE = selektor ] || {
|
||||||
|
ERROR $prog MODE != tor test=$ARG
|
||||||
|
[ -z "$ALL" ] && exit $ARG$retval || continue
|
||||||
|
}
|
||||||
|
port=$SOCKS_PORT
|
||||||
|
$NETS | grep -q :$port || {
|
||||||
|
ERROR $prog retval=$? test=$ARG tor not running on $port
|
||||||
|
[ -z "$ALL" ] && exit $ARG || continue
|
||||||
|
}
|
||||||
|
[ $USER = root ] || continue
|
||||||
|
|
||||||
|
# was /usr/local/bin/tor_bootstrap_check.bash
|
||||||
|
[ -f /usr/local/src/helper-scripts/tor_bootstrap_check.py ] || return 1
|
||||||
|
python3.sh /usr/local/src/helper-scripts/tor_bootstrap_check.py
|
||||||
|
# morons 100%
|
||||||
|
retval=$?
|
||||||
|
[ $retval -eq 0 -o $retval -eq 100 ] || { \
|
||||||
|
retval=$?
|
||||||
|
WARN $prog test=$ARG "${tests[$ARG]}" retval=$retval tor_bootstrap_check
|
||||||
|
}
|
||||||
|
INFO $prog test=$ARG "${tests[$ARG]}"
|
||||||
|
|
||||||
|
elif [ $ARG -eq 31 ] ; then
|
||||||
|
tests[31]="curl_noproxy_as_root polipo http pages $HTTP_PORT - direct http "
|
||||||
|
proxy_ping_curl --noproxy http://${HTTP_HOST}:$HTTP_PORT && { \
|
||||||
|
retval=$?
|
||||||
|
ERROR PANIC: $prog test=$ARG "${tests[$ARG]}" retval=$retval polipo http pages $HTTP_PORT
|
||||||
|
[ -z "$ALL" ] && exit $ARG$retval || continue
|
||||||
|
}
|
||||||
|
INFO $prog test=$ARG "${tests[$ARG]}"
|
||||||
|
# works
|
||||||
|
GREP="$HTTP_PORT"
|
||||||
|
|
||||||
|
elif [ $ARG -eq 32 ] ; then
|
||||||
|
tests[32]="ping_nmap_direct_as_root nmap 53 - direct "
|
||||||
|
[ $USER = root ] || continue
|
||||||
|
which nmap 2>/dev/null >/dev/null || continue
|
||||||
|
[ -n "$PROXY_WLAN" -a -n "$PROXY_WLAN_GW" ] || proxy_ping_get_wlan_gw || continue
|
||||||
|
proxy_ping_nmap_direct $DNS_HOST1 "$PROXY_WLAN_GW" U:67 || {
|
||||||
|
retval=$?
|
||||||
|
ERROR $prog test=$ARG "${tests[$ARG]}" retval=$retval nmapd 53
|
||||||
|
[ -z "$ALL" ] && exit $ARG$retval || continue
|
||||||
|
}
|
||||||
|
INFO $prog test=$ARG "${tests[$ARG]}"
|
||||||
|
# works
|
||||||
|
GREP="53"
|
||||||
|
|
||||||
|
elif [ $ARG -eq 33 ] ; then
|
||||||
|
tests[33]="host_virbr_as_user proxy_ping_test_virbr 1 - libvirthost "
|
||||||
|
proxy_ping_test_virbr 1 || {
|
||||||
|
retval=$?
|
||||||
|
ERROR $CONN virbr1 not running
|
||||||
|
[ -z "$ALL" ] && exit 1 || continue
|
||||||
|
}
|
||||||
|
# * Immediate connect fail for 10.0.2.15: Connection refused
|
||||||
|
INFO $prog test=$ARG "${tests[$ARG]}"
|
||||||
|
|
||||||
|
elif [ $ARG -eq 34 ] ; then
|
||||||
|
tests[34]="python_ping_as_root traceroute --icmp $PROXY_WLAN_GW - wifi "
|
||||||
|
[ $USER = root ] || continue
|
||||||
|
[ -n "$PROXY_WLAN_GW" -a -n "$IP" ] || PROXY_WLAN_GW=`proxy_ping_get_wlan_gw` || continue
|
||||||
|
[ -f /usr/local/bin/ping2.py ] || continue
|
||||||
|
/usr/local/bin/ping2.py $IP $DNS_HOST1 $PROXY_WLAN_GW || { \
|
||||||
|
retval=$?
|
||||||
|
ERROR $prog test=$ARG "${tests[$ARG]}" retval=$retval ping2.py $DNS_HOST1
|
||||||
|
[ -z "$ALL" ] && exit $ARG$retval || continue
|
||||||
|
}
|
||||||
|
# works
|
||||||
|
INFO $prog test=$ARG "${tests[$ARG]}"
|
||||||
|
GREP="-i icmp"
|
||||||
|
|
||||||
|
elif [ $ARG -eq 35 ] ; then
|
||||||
|
tests[35]="dig_as_root - firewall dig @$DNS_HOST1 - torhost dns "
|
||||||
|
[ $USER = root ] || continue
|
||||||
|
[ $HAVE_DIG = 1 ] || continue
|
||||||
|
# @$DNS_HOST1
|
||||||
|
su -c "dig pool.ntp.org +timeout=$TIMEOUT" -s /bin/sh $PRIV_BIN_OWNER >/dev/null || { \
|
||||||
|
retval=$?
|
||||||
|
ERROR $prog test=$ARG "${tests[$ARG]}" retval=$retval dig pool.ntp.org $PRIV_BIN_OWNER
|
||||||
|
[ -z "$ALL" ] && exit $ARG$retval || continue
|
||||||
|
}
|
||||||
|
INFO $prog test=$ARG "${tests[$ARG]}"
|
||||||
|
# works
|
||||||
|
GREP="53"
|
||||||
|
|
||||||
|
elif [ $ARG -eq 36 ] ; then
|
||||||
|
tests[36]="tor_resolve_as_user tor-resolve pool.ntp.org - tordns "
|
||||||
|
[ $HAVE_TOR_RESOLVE = 1 ] || continue
|
||||||
|
tor-resolve pool.ntp.org >/dev/null || { \
|
||||||
|
retval=$?
|
||||||
|
# dunno Failed parsing SOCKS5 response conf?
|
||||||
|
WARN $prog test=$ARG "${tests[$ARG]}" retval=$retval tor-resolve pool.ntp.org
|
||||||
|
continue
|
||||||
|
}
|
||||||
|
INFO $prog test=$ARG "${tests[$ARG]}"
|
||||||
|
# works
|
||||||
|
GREP="9053"
|
||||||
|
|
||||||
|
elif [ $ARG -eq 37 ] ; then
|
||||||
|
tests[37]="qemu-guest-agent and ports - libvirtguest "
|
||||||
|
ser=qemu-guest-agent
|
||||||
|
proxy_rc_service $ser status >/dev/null || proxy_rc_service $ser start
|
||||||
|
proxy_rc_service $ser status >/dev/null || { \
|
||||||
|
retval=$?
|
||||||
|
ERROR $prog test=$ARG "${tests[$ARG]}" retval=$retval $ser status
|
||||||
|
[ -z "$ALL" ] && exit $ARG$retval || continue
|
||||||
|
}
|
||||||
|
[ -d /dev/virtio-ports ] || { \
|
||||||
|
retval=$?
|
||||||
|
ERROR $prog test=$ARG "${tests[$ARG]}" retval=$retval /dev/virtio-ports
|
||||||
|
[ -z "$ALL" ] && exit $ARG$retval || continue
|
||||||
|
}
|
||||||
|
INFO $prog test=$ARG "${tests[$ARG]}"
|
||||||
|
GREP=""
|
||||||
|
elif [ $ARG -eq 38 ] ; then
|
||||||
|
tests[38]="qemu-guest-agent and ports - libvirthost whonix "
|
||||||
|
[ $USER = root ] || continue
|
||||||
|
$PL proxy_libvirt_list
|
||||||
|
aret=$?
|
||||||
|
if [ $aret -eq 10 ] ;then
|
||||||
|
WARN proxy_libvirt_status hung
|
||||||
|
elif [ $aret -ne 10 -a $aret -ne 0 ] ; then
|
||||||
|
DBUG proxy_libvirt_status aret=$aret
|
||||||
|
else
|
||||||
|
$PL proxy_libvirt_list | grep -q "$GATEW_DOM" || {
|
||||||
|
ERROR MODE=$MODE and $GATEW_DOM not running ;
|
||||||
|
[ -z "$ALL" ] && exit $ARG$retval || continue
|
||||||
|
}
|
||||||
|
INFO $prog test=$ARG "${tests[$ARG]}"
|
||||||
|
fi
|
||||||
|
elif false ; then
|
||||||
|
if ! grep -q '10.152.152.10\|127.0.0.1' /etc/resolv.conf ; then
|
||||||
|
$NETS | grep -q :53 || {
|
||||||
|
ERROR $prog retval=$? test=$ARG local resolv.conf but :53 not running
|
||||||
|
[ -z "$ALL" ] && exit 1 || continue
|
||||||
|
}
|
||||||
|
fi
|
||||||
|
|
||||||
|
fi
|
||||||
|
[ -n "$GREP" ] && [ $DMESG_LINES -gt 0 ] && \
|
||||||
|
DBUG `dmesg|tail|grep $GREP|tail -$DMESG_LINES`
|
||||||
|
|
||||||
|
done
|
||||||
|
exit 0
|
||||||
|
|
||||||
|
1)
|
||||||
|
env https_proxy=http://${SOCKS_HOST}:${HTTPS_PORT} wget $D -O - --no-check-certificate
|
||||||
|
2)
|
||||||
|
curl $D -k --proxy
|
||||||
|
3)
|
||||||
|
curl $D -k --proxy socks5://${SOCKS_HOST}:$SOCKS_PORT --proxy-insecure
|
||||||
|
5)
|
||||||
|
nslookup -port=$SOCKS_DNS www.whatismypublicip.com ${SOCKS_HOST} \
|
||||||
|
6)
|
||||||
|
curl -k --proxy $HTTP_PORT
|
||||||
|
16)
|
||||||
|
nslookup $PRIV_BIN_OWNER
|
||||||
|
18)
|
||||||
|
ntpdate as sroot
|
||||||
|
19)
|
||||||
|
curl raw noproxy
|
||||||
|
0)
|
||||||
|
usage
|
||||||
|
|
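--- a/overlay/Linux/usr/local/bin/proxy_sdwdate.bash
+++ b/overlay/Linux/usr/local/bin/proxy_sdwdate.bash
@@ -0,0 +1,10 @@
+#!/bin/bash
+# -*- mode: sh; tab-width: 8; encoding: utf-8-unix -*-
+
+PREFIX=/usr/local
+ROLE=proxy
+
+sh $PREFIX/bin/proxy_ping_test.bash wifi || exit 1
+sh $PREFIX/bin/proxy_ping_test.bash tor || exit 2
+
+exec $PREFIX/bin/python3.7.sh $PREFIX/bin/sdwdate_.py "$@"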
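Review bot: `sh $PREFIX/bin/proxy_ping_test.bash wifi` (and the `tor` line below it) runs the ping test through `sh` instead of bash; if that script uses bash-only constructs such as the `tests[N]=` arrays the preceding test script in this commit relies on, it will break under a POSIX sh such as dash, whereas proxy_test_ssl.bash in the same commit executes it directly as `/usr/local/bin/proxy_ping_test.bash $elt`. Invoking it the same way here, or via `bash`, keeps the two callers consistent. The distinct exit codes deserve a one-line comment, e.g. `# exit 1: wifi ping test failed, exit 2: tor ping test failed`.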
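--- a/overlay/Linux/usr/local/bin/proxy_ssl_certs.bash
+++ b/overlay/Linux/usr/local/bin/proxy_ssl_certs.bash
@@ -0,0 +1,69 @@
+#!/bin/bash
+# -*- mode: sh; fill-column: 75; tab-width: 8; coding: utf-8-unix -*-
+
+# https://medium.com/@appmattus/android-security-ssl-pinning-1db8acb6621e
+
+prog=$( basename $0 .bash )
+PREFIX=/usr/local
+ROLE=proxy
+
+. /usr/local/bin/proxy_ping_lib.bash || \
+{ ERROR loading /usr/local/bin/proxy_ping_lib.bash ; exit 2; }
+. /usr/local/bin/usr_local_base.bash || exit 2
+
+proxy_ping_mode
+#? . /usr/local/bin/proxy_export.bash $MODE
+
+. /usr/local/bin/usr_local_base.bash || exit 2
+CERT=$( proxy_ping_update_cacert )
+[ "$?" -ne 0 -o -n "$CERT" ] && CAFILE=$CERT || \
+CAFILE=/usr/local/etc/ssl/cacert-testforge.pem
+
+openssl=openssl
+OPENSSL_ARGS="-4 --CAfile $CAFILE -bugs -showcerts"
+if [ -n "$https_proxy" ] ; then
+HTTPS_HOST=$( echo $https_proxy|sed -e 's@/@@g' -e 's/:/ /g' -e 's/https* //' -e 's/ .*//' )
+HTTPS_PORT=$( echo $https_proxy|sed -e 's@/@@g' -e 's/:/ /g' -e 's/.* //' )
+
+OPENSSL_ARGS="$OPENSSL_ARGS -proxy ${HTTPS_HOST}:$HTTPS_PORT"
+elif [ -n "$socks_proxy" ] ; then
+SOCKS_HOST=$( echo $socks_proxy|sed -e 's/.*@//' -e 's@/@@g' -e 's/:/ /g' -e 's/socks5* //' -e 's/ .*//' )
+SOCKS_PORT=$( echo $socks_proxy|sed -e 's@/@@g' -e 's/:/ /g' -e 's/.* //' )
+# check /etc/tor/torsocks.conf
+openssl='torsocks openssl'
+fi
+
+OUTR=/tmp/$prog$$
+for item in "$@" ; do
+i=0
+OUTRF=$OUTR.$item
+
+INFO openssl s_client -connect ${item}:443 -servername $item $OPENSSL_ARGS
+$openssl s_client -connect ${item}:443 -servername $item $OPENSSL_ARGS \
+</dev/null 2>$OUTRF.err >$OUTRF.out
+[ $? -eq 0 ] || {
+retval=$?
+ERROR $prog $retval see $OUTRF.err
+cat $OUTRF.err
+exit 1$retval
+}
+[ -s $OUTRF.out ] || { ERROR $prog empty $OUTRF.out ; exit 2 ; }
+
+sed -n '/Certificate chain/,/Server certificate/p' $OUTRF.out >$OUTRF.chain
+DBUG $prog Certificate chain:
+grep '^ [0-9][0-9]* ' $OUTRF.chain
+INFO $prog Base64 Certificate sha256 digests:
+rest=$( cat $OUTRF.chain )
+while [[ "$rest" =~ '-----BEGIN CERTIFICATE-----' ]] ; do
+cert="${rest%%-----END CERTIFICATE-----*}-----END CERTIFICATE-----"
+rest=${rest#*-----END CERTIFICATE-----}
+echo $( echo "$cert" | grep 's:' | sed 's/.*s:\(.*\)/\1/' ) echo "$cert" |
+openssl x509 -pubkey -noout |
+openssl rsa -pubin -outform der 2>/dev/null |
+openssl dgst -sha256 -binary | openssl enc -base64
+done
+
+# rm -f $OUTRF.chain $OUTRF.out $OUTRF.err
+done
+
+exit 0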
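Review bot: `retval=$?` inside the `[ $? -eq 0 ] || { ... }` block after the `$openssl s_client` call reads the status of the `[` test (always 1 on that path), not of s_client, so the ERROR line and `exit 1$retval` always report 11; capture it first, `retval=$?` on the line right after the `</dev/null 2>$OUTRF.err >$OUTRF.out` redirection, and test `[ $retval -eq 0 ] || {`. `OUTR=/tmp/$prog$$` creates predictable names in a world-writable directory and the `.out`/`.err`/`.chain` files are never removed because the `rm -f` is commented out; `OUTR=$( mktemp -d ) || exit 2` plus a `trap 'rm -rf "$OUTR"' EXIT` addresses both. In the digest pipeline `openssl rsa -pubin` only accepts RSA keys, and with its stderr discarded an ECDSA server key produces the base64 digest of empty input rather than a pin, so `openssl pkey -pubin -outform der` is the safer choice. The line `echo $( ... ) echo "$cert" |` looks like a lost newline or `;` between the subject echo and the certificate echo, which sends the word `echo` and the subject into `openssl x509` along with the PEM block.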
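--- a/overlay/Linux/usr/local/bin/proxy_test_ssl.bash
+++ b/overlay/Linux/usr/local/bin/proxy_test_ssl.bash
@@ -0,0 +1,351 @@
+#!/bin/bash
+# -*- mode: sh; fill-column: 75; tab-width: 8; coding: utf-8-unix -*-
+
+. /usr/local/bin/usr_local_tput.bash || exit 2
+PREFIX=/usr/local
+ROLE=proxy
+NOW=$( date -u +%y-%m-%d_%H%m )
+DEBUG=1
+PROXY_WLAN=wlan4
+prog=$( basename $0 .bash )
+
+# SocksPolicy Accept in /etc/tor/torrc - required and works with sslscan
+
+ip route | grep ^default || { ERROR "not connected" ; exit 1 ; }
+PATH=$PATH:/sbin
+BADSSL_SITES=(
+self-signed.badssl.com
+expired.badssl.com
+mixed.badssl.com
+rc4.badssl.com
+hsts.badssl.com
+)
+
+badssl=0
+[ "$#" -eq 0 ] && badssl=1
+# tests="$MODE"
+tests=""
+nodig=1
+verbosity=2
+outdir=/tmp
+timeout=20
+
+#[ -f /usr/local/etc/testforge/testforge.bash ] && \
+# . /usr/local/etc/testforge/testforge.bash
+
+. /usr/local/bin/proxy_ping_lib.bash || \
+{ ERROR loading /usr/local/bin/proxy_ping_lib.bash ; exit 2; }
+
+
+if [ -f /usr/local/etc/ssl/cacert-testforge.pem ] ; then
+CAFILE=/usr/local/etc/ssl/cacert-testforge.pem
+else
+CERT=$( proxy_ping_update_cacert )
+[ "$?" -ne 0 -o -n "$CERT" ] && CAFILE=$CERT || \
+CAFILE=/usr/local/etc/ssl/cacert-testforge.pem
+fi
+
+[ -z "$MODE" ] || MODE=`proxy_ping_mode`
+
+if [ "$MODE" = tor ] ; then
+
+[ -z "PROXY_WLAN" ] && PROXY_WLAN=`proxy_get_if`
+[ -z "PROXY_WLAN" ] && { ERROR " error getting device $?" ; exit 3 ; }
+
+if ip route | grep ^def ; then
+PROXY_WLAN_IP=$( proxy_get_wlan_ip )
+[ -n "$PROXY_WLAN_IP" ] || { ERROR "no PROXY_WLAN_IP" ; exit 4 ; }
+fi
+fi
+
+usage() {
+echo "Usage: $0 [OPTIONS] dirs-or-files"
+echo
+echo " -B | --badssl - test badssl.org sites"
+echo " -D | --nodig - no dig sites"
+echo " -T | --tests - ping tests to run first"
+echo " -o | --outdir=/tmp - output directory"
+echo " -v | --verbosity=$verbosity - verbosity 0 least 5 most"
+echo
+echo " -V | --version - print version of this script"
+echo " -h | --help - print this help"
+}
+
+SHORTOPTS="hVBDT:v:"
+LONGOPTS="help,version:,badssl,nodig,tests:,verbosity:"
+HOSTS=
+
+ARGS=$(getopt --options $SHORTOPTS --longoptions $LONGOPTS -- "$@")
+[ $? != 0 ] && { ERROR "error parsing getopt" ; exit 5 ; }
+
+eval set -- "$ARGS"
+
+while true; do
+case "$1" in
+# -t --tests
+-o|--outdir)
+shift
+outdir="$1"
+;;
+-v|--verbosity)
+shift
+verbosity="$1"
+;;
+-B|--badssl)
+badssl=1
+;;
+-D|--nodig)
+nodig=1
+;;
+-T|--tests)
+shift
+tests="$1"
+;;
+-V|--version)
+usage
+exit 0
+;;
+-h|--help)
+usage
+exit 0
+;;
+'--')
+shift
+HOSTS="$*"
+break
+;;
+*)
+{ ERROR "unrecognized arguments $*" ; exit 6 ; }
+break
+;;
+esac
+shift
+done
+
+[ $badssl -ne 0 ] && HOSTS="${BADSSL_SITES[*]}"
+[ -z "$HOSTS" ] && { ERROR "no arguments $*" ; exit 0 ; }
+[ -d "$outdir" ] || mkdir -p "$outdir" || { ERROR "mkdir $outdir" ; exit 7 ; }
+kill_time=$( expr $timeout + 10 )
+
+[ -z "$tests" ] || \
+for elt in $tests ; do
+/usr/local/bin/proxy_ping_test.bash $elt || exit 9$?
+done
+
+if which sslscan 2>/dev/null ; then
+sslscan='sslscan'
+SSLSCAN_ARGS="-4 --show-client-cas --show-certificate --bugs --timeout $timeout --tlsall --show-ciphers --no-colour --verbose"
+else
+# no proxy support
+sslscan=''
+fi
+# sslscan --show-client-cas - no proxy
+
+openssl=openssl
+OPENSSL_ARGS="-4 -bugs -showcerts"
+
+if [ -e /dev/tcp ] && which testssl.bash 2>/dev/null ; then
+testssl='testssl.bash'
+TESTSSL_ARGS="--connect-timeout $timeout --openssl-timeout $timeout --standard --vulnerable"
+#? --ssl-native
+TESTSSL_ARGS="$TESTSSL_ARGS --add-ca $CAFILE --assume-http --hints --color=0 --append"
+else
+# no proxy support
+testssl=''
+fi
+
+if [ -f /usr/local/bin/scurl.bash ] ; then
+curl="/usr/local/bin/scurl.bash -- -s -S"
+else
+curl='curl -s -S'
+fi
+CURL_ARGS="-vvv --cacert $CAFILE --cert-status --connect-timeout $timeout"
+
+if [ -f /var/local/bin/analyze-ssl.pl.bash ] ; then
+analyze=/var/local/bin/analyze-ssl.pl.bash
+ANALYZE_ARGS="-v --timeout $timeout --CApath $CAFILE --all-ciphers"
+else
+analyze=""
+fi
+
+warns=0
+OUTR=$outdir/$prog-$NOW
+if [ $nodig -eq 0 ] ; then
+for item in $HOSTS ; do
+i=0
+OUTRF=$OUTR.$item
+if [ $MODE = tor ] ; then
+torresolve $item > $OUTRF.dig.out 2>&1
+retval=$?
+[ $retval -ne 0 ] && ERROR "torresolve $item $? - see $OUTRF.dig.out" && exit 1$?
+elif false ; then
+nslookup $item > $OUTRF.nslookup.out 2>&1
+#?[ $? -eq 0 ] || WARN "nslookup $item $? - see $OUTRF.nslookup.out"
+#?grep NXDOMAIN "$OUTRF.nslookup.out" && WARN "nslookup $item NXDOMAIN - see $OUTRF.nslookup.out"
+else
+dig $item > $OUTRF.dig.out 2>&1
+[ $? -ne 0 ] && ERROR "dig $item $? - see $OUTRF.dig.out" && exit 1$?
+grep 'ANSWER: 1' "$OUTRF.dig.out" || ERROR "dig $item no ANSWER - see $OUTRF.dig.out" && exit 2$?
+fi
+done
+fi
+
+# [ -r /etc/tor/torrc ]
+# was https take precedence over socks
+if [ -n "$socks_proxy" ] ; then
+SOCKS_HOST=$( echo $socks_proxy|sed -e 's/.*@//' -e 's@/@@g' -e 's/:/ /g' -e 's/socks5* //' -e 's/ .*//' )
+SOCKS_PORT=$( echo $socks_proxy|sed -e 's@/@@g' -e 's/:/ /g' -e 's/.* //' )
+
+openssl='torsocks openssl'
+
+# --interface lo --dns-interface lo
+[ -n "$analyze" ] && analyze="torsocks $analyze"
+[ -n "$testssl" ] && testssl="torsocks $testssl"
+[ -n "$sslscan" ] && sslscan="torsocks $sslscan"
+if [ $MODE = tor -o $MODE = selektor ] ; then
+sudo grep -q "SocksPolicy *accept *$PROXY_WLAN_IP" /etc/tor/torrc || \
+{ WARN "need SocksPolicy accept $PROXY_WLAN_IP in /etc/tor/torrc" ; }
+fi
+CURL_ARGS="$CURL_ARGS --proxy $socks_proxy "
+if [ ${HTTPS_HOST} = 127.0.0.1 ] ; then
+CURL_ARGS="$CURL_ARGS --interface"
+fi
+if netstat -nle4 | grep 127.0.1:53 ; then
+CURL_ARGS="$CURL_ARGS --dns-interface lo"
+fi
+elif [ -n "$https_proxy" ] ; then
+HTTPS_HOST=$( echo $https_proxy|sed -e 's@/@@g' -e 's/:/ /g' -e 's/https* //' -e 's/ .*//' )
+HTTPS_PORT=$( echo $https_proxy|sed -e 's@/@@g' -e 's/:/ /g' -e 's/.* //' )
+
+OPENSSL_ARGS="$OPENSSL_ARGS -proxy ${HTTPS_HOST}:$HTTPS_PORT"
+TESTSSL_ARGS="$TESTSSL_ARGS --proxy=auto"
+CURL_ARGS="$CURL_ARGS --proxy http://${HTTPS_HOST}:$HTTPS_PORT"
+ANALYZE_ARGS="$ANALYZE_ARGS --starttls http_proxy:${HTTPS_HOST}:$HTTPS_PORT"
+[ -n "$testssl" ] && testssl="torsocks $testssl"
+[ -n "$sslscan" ] && sslscan="torsocks $sslscan"
+
+
+else
+: direct
+fi
+
+TENVS="DNS_VIA_PROXY=true"
+errs=0
+for CAFILE in /etc/ssl/certs/ca-certificates.crt /usr/local/etc/ssl/cacert-testforge.pem ; do
+[ -f $CAFILE ] || { ERROR "CAfile not found $CAFILE" ; exit 8; }
+for item in $HOSTS ; do
+i=0
+OUTRF=$OUTR.$item
+
+if [ -n "$openssl" ] ; then
+INFO "$openssl s_client -connect ${item}:443 -servername $item $OPENSSL_ARGS --CAfile $CAFILE"
+echo $openssl s_client \
+-connect ${item}:443 -servername $item $OPENSSL_ARGS --CAfile $CAFILE \
+< /dev/null > $OUTRF.s_client.out
+timeout ${kill_time}s \
+$openssl s_client \
+-connect ${item}:443 -servername $item $OPENSSL_ARGS --CAfile $CAFILE \
+< /dev/null >> $OUTRF.s_client.out 2>&1
+# :error:\|
+if [ $? -eq 124 ] ; then
+echo "DEBUG: timeout openssl s_client failed $? see $OUTRF.s_client.out"
+elif [ $? -ne 0 ] ; then
+WARN "openssl s_client failed $? see $OUTRF.s_client.out"
+i=$( expr $i + 1 )
+elif str='unable to get local issuer certificate' && \
+grep "$str" $OUTRF.s_client.out; then
+WARN "openssl s_client failed - $str see $OUTRF.s_client.out"
+i=$( expr $i + 1 )
+elif str='Cipher is (NONE)' && \
+grep "$str" $OUTRF.s_client.out; then
+WARN "openssl s_client failed - $str see $OUTRF.s_client.out"
+i=$( expr $i + 1 )
+elif str='SSL handshake has read 0 bytes' && \
+grep "$str" $OUTRF.s_client.out; then
+WARN "openssl s_client failed - $str see $OUTRF.s_client.out"
+i=$( expr $i + 1 )
+else
+echo "DEBUG: openssl s_client -showcerts $OPENSSL_ARGS --CAfile $CAFILE $item"
+timeout ${kill_time}s \
+$openssl s_client -showcerts \
+-connect ${item}:443 -servername $item $OPENSSL_ARGS --CAfile $CAFILE < /dev/null \
+> $OUTRF.s_client.certs 2>&1
+fi
+fi
+
+if [ -n "$sslscan" ] ; then
+echo $sslscan $SSLSCAN_ARGS --certs $CAFILE --sni-name $item $item > $OUTRF.sslscan.out
+timeout ${kill_time}s \
+$sslscan $SSLSCAN_ARGS --sni-name $item $item >> $OUTRF.sslscan.out 2>&1
+if [ $? -eq 124 ] ; then
+echo "DEBUG: timeout sslscan failed $? see $OUTRF.sslscan.out "
+elif [ $? -ne 0 ] ; then
+WARN "sslscan failed $? see $OUTRF.sslscan.out "
+i=$( expr $i + 1 )
+elif grep 'SSL Certificate' $OUTRF.sslscan.out ; then
+WARN "sslscan failed see $OUTRF.sslscan.out "
+i=$( expr $i + 1 )
+elif grep 'Connection failed' $OUTRF.sslscan.out ; then
+# tail -1 $OUTRF.sslscan.out | grep 'Supported Server Cipher'
+WARN "sslscan failed see $OUTRF.sslscan.out "
+i=$( expr $i + 1 )
+else
+INFO "$sslscan $SSLSCAN_ARGS $item"
+fi
+fi
+
+if [ -n "$testssl" -a -n "$https_proxy" ] ; then
+# rDNS (140.82.114.3): lb-140-82-114-3-iad.github.com.testssl.sh: line 10330: /dev/tcp/140.82.114.3/443: No such file or directory
+echo $TENVS $testssl $TESTSSL_ARGS $item > $OUTRF.testssl.out
+env $TENVS $testssl $TESTSSL_ARGS $item >> $OUTRF.testssl.out 2>&1
+if [ $? -ne 0 ] ; then
+WARN "testssl failed $? see $OUTRF.testssl.out"
+i=$( expr $i + 1 )
+elif grep ': unable to\| error:\|doesn.t seem to be a TLS/SSL enabled server' $OUTRF.testssl.out; then
+WARN "testssl failure see $OUTRF.testssl.out"
+i=$( expr $i + 1 )
+else
+INFO "$testssl $TESTSSL_ARGS $item"
+echo "DEBUG: $testssl $TESTSSL_ARGS --jsonfile-pretty $OUTRF.testssl.json $item"
+env $TENVS $testssl $TESTSSL_ARGS --jsonfile-pretty $OUTRF.testssl.json $item > $OUTRF.testssl-json.out 2>&1
+fi
+fi
+
+if [ -n "$curl" ] ; then
+DBUG $TENVS $curl $CURL_ARGS -o /dev/null https://$item/
+env $TENVS $curl $CURL_ARGS -o /dev/null https://$item/ > $OUTRF.curl-vvv.out 2>&1
+if [ $? -eq 0 ] ; then
+grep 'SSL certificate problem:' $OUTRF.curl-vvv.out && \
+{ WARN "curl -vvv failed $? see $OUTRF.curl-vvv.out" ;
+i=$( expr $i + 1 ) ; } || \
+INFO $curl $CURL_ARGS $item
+else
+INFO $curl $CURL_ARGS $item
+fi
+fi
+
+if [ -n "$analyze" ] ; then
+timeout ${kill_time}s \
+$analyze $ANALYZE_ARGS --name $item ${item}:443 \
+> $OUTRF.analyze-ssl.out 2>&1
+# certificate verified : ok
+if [ $? -eq 124 ] ; then
+echo "DEBUG: timeout $analyze $ANALYZE_ARGS $item"
+elif [ $? -eq 0 ] ; then
+INFO "$analyze $ANALYZE_ARGS $item"
+else
+WARN "$analyze failed $? see $OUTRF.analyze-ssl.out"
+i=$( expr $i + 1 )
+fi
+fi
+
+[ $i -eq 0 ] && continue
+WARN "$i failures for $item"
+errs=$(expr $errs + $i )
+DBUG $OUTRF.*.out
+done
+done
+
+find $OUTRF.* -type f -empty -delete
+
+exit $errs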
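Review bot: In the `if [ $? -eq 124 ] ... elif [ $? -ne 0 ]` chains after the `timeout ${kill_time}s $openssl s_client`, `$sslscan` and `$analyze` invocations, the second `$?` is the exit status of the first `[` test rather than of the command, so every run that did not time out takes the `-ne 0` branch (for analyze, never reaches the `-eq 0` branch) and is counted in `i` as a failure; capture it once, `retval=$?` on the line after each output redirection, and compare `[ $retval -eq 124 ]` / `[ $retval -ne 0 ]`. `[ -z "PROXY_WLAN" ]`, twice in the tor branch, tests a literal string and is always false, so an empty `PROXY_WLAN` is never looked up via `proxy_get_if`; it should read `[ -z "$PROXY_WLAN" ]`. `[ -z "$MODE" ] || MODE=\`proxy_ping_mode\`` is inverted: it overwrites a MODE that was already set (possibly by the sourced proxy_ping_lib.bash, which is not visible here) and leaves an empty one empty, after which the unquoted `[ $MODE = tor ]` tests fail with a unary-operator error. `CAFILE` is re-bound by the `for CAFILE in ...` loop, so the earlier testforge/`proxy_ping_update_cacert` selection only survives in `TESTSSL_ARGS`, `CURL_ARGS` and `ANALYZE_ARGS`, which were built before the loop, while s_client uses the loop value; if that split is intended, a comment such as `# CAFILE below is the loop CA; the *_ARGS above keep the CA chosen at startup` would save the next reader a search.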
137
overlay/Linux/usr/local/bin/proxy_whonix.bash
Executable file
@ -0,0 +1,137 @@
|
|||||||
|
#!/bin/bash
|
||||||
|
# -*- mode: sh; tab-width: 8; coding: utf-8-unix -*-
|
||||||
|
|
||||||
|
prog=$( basename $0 .bash )
|
||||||
|
PREFIX=/usr/local
|
||||||
|
ROLE=proxy
|
||||||
|
|
||||||
|
USAGE="host|to_tor|tor|from_tor|client|whonix|gateway|vda|nat|workstation|ping|ssl|status|test|refresh|update|up|down"
|
||||||
|
|
||||||
|
[ -f /usr/local/etc/testforge/testforge.bash ] && . /usr/local/etc/testforge/testforge.bash
|
||||||
|
[ $( id -u ) -eq 0 ] || { ERROR $prog should be run as root ; exit 1 ; }
|
||||||
|
|
||||||
|
. /usr/local/sbin/proxy_whonix_lib.bash || \
|
||||||
|
{ ERROR loading /usr/local/sbin/proxy_whonix_host_lib.bash ; exit 2; }
|
||||||
|
#. /usr/local/bin/proxy_ping_lib.bash || \
|
||||||
|
# { ERROR loading /usr/local/bin/proxy_ping_lib.bash ; exit 2; }
|
||||||
|
. /usr/local/bin/usr_local_base.bash || exit 2
|
||||||
|
proxy_whonix_mode
|
||||||
|
|
||||||
|
## proxy_whonix_test_mode - proxy_whonix_host.bash test
|
||||||
|
proxy_whonix_test_mode () { DBUG proxy_whonix_test_mode $* ;
|
||||||
|
if [ $MODE = tor -o $MODE = whonix -o $MODE = host ]; then
|
||||||
|
/usr/local/sbin/proxy_whonix_host.bash test || return 1$?
|
||||||
|
fi
|
||||||
|
|
||||||
|
return 0
|
||||||
|
}
|
||||||
|
|
||||||
|
## proxy_whonix_status - proxy_ping_test.bash "$MODE"
|
||||||
|
proxy_whonix_status () { DBUG proxy_whonix_status $* ;
|
||||||
|
$PREFIX/bin/proxy_ping_test.bash "$MODE" || return 1$?
|
||||||
|
return 0
|
||||||
|
}
|
||||||
|
|
||||||
|
## proxy_whonix_refresh
|
||||||
|
proxy_whonix_refresh () { DBUG proxy_whonix_refresh $* ;
|
||||||
|
local USAGE="python|pip"
|
||||||
|
|
||||||
|
if [ "$#" -eq 0 ] ; then
|
||||||
|
echo USAGE: $prog $USAGE
|
||||||
|
elif [ "$1" = '-h' ] || [ "$1" = '--help' ] ; then
|
||||||
|
echo USAGE: $prog $USAGE or:
|
||||||
|
elif [ "$1" = 'python' ] ; then
|
||||||
|
/usr/local/bin/testforge_clean_usr_local_lib.bash
|
||||||
|
elif [ "$1" = 'pip' ] ; then
|
||||||
|
/usr/local/bin/base_pip_upgrade.bash -p 2 -i 0
|
||||||
|
/usr/local/bin/base_pip_upgrade.bash -p 3 -i 0
|
||||||
|
base_sheebang_after_pip.bash
|
||||||
|
else
|
||||||
|
:
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
UPGRADE_USAGE="python|pip"
|
||||||
|
## proxy_whonix_update - $UPGRADE_USAGE
|
||||||
|
proxy_whonix_update() {
|
||||||
|
|
||||||
|
if [ "$#" -eq 0 ] ; then
|
||||||
|
echo USAGE: $prog $UPGRADE_USAGE
|
||||||
|
elif [ "$1" = '-h' ] || [ "$1" = '--help' ] ; then
|
||||||
|
echo USAGE: $prog $USAGE or:
|
||||||
|
elif [ "$1" = 'python' ] ; then
|
||||||
|
:
|
||||||
|
elif [ "$1" = 'pip' ] ; then
|
||||||
|
:
|
||||||
|
else
|
||||||
|
:
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
TEST_USAGE="ssl|ping|mode|libvirt|ga"
|
||||||
|
## proxy_whonix_test - test $TEST_USAGE
|
||||||
|
proxy_whonix_test () { DBUG proxy_whonix_test $* ;
|
||||||
|
if [ "$#" -eq 0 ] ; then
|
||||||
|
echo USAGE: $prog $TEST_USAGE
|
||||||
|
elif [ "$1" = '-h' ] || [ "$1" = '--help' ] ; then
|
||||||
|
echo USAGE: $prog $USAGE or:
|
||||||
|
elif [ "$1" = 'ssl' ] ; then
|
||||||
|
$PREFIX/sbin/proxy_test_ssl.bash "$@" || exit 3$?
|
||||||
|
elif [ "$1" = 'mode' ] ; then
|
||||||
|
proxy_whonix_test_mode || exit 4$?
|
||||||
|
elif [ "$1" = 'ping' ] ; then
|
||||||
|
$PREFIX/sbin/proxy_ping_test.bash "$@" || exit 4$?
|
||||||
|
elif [ "$1" = 'libvirt' ] ; then
|
||||||
|
$PREFIX/bin/proxy_ping_lib.bash proxy_libvirt_test || exit 5$?
|
||||||
|
elif [ "$1" = 'ga' ] ; then
|
||||||
|
$PREFIX/bin/proxy_libvirt_ga_test.bash || exit 5$?
|
||||||
|
else
|
||||||
|
:
|
||||||
|
fi
|
||||||
|
return 0
|
||||||
|
}
|
||||||
|
|
||||||
|
WD=$PWD
|
||||||
|
if [ "$#" -eq 0 ] ; then
|
||||||
|
echo USAGE: $prog $USAGE
|
||||||
|
exit 0
|
||||||
|
|
||||||
|
elif [ "$1" = '-h' ] || [ "$1" = '--help' ] ; then
|
||||||
|
echo USAGE: $prog $USAGE or:
|
||||||
|
grep '^## ' $0 | sed -e 's/^## //'
|
||||||
|
exit 0
|
||||||
|
|
||||||
|
elif [ "$1" = client ] ; then
|
||||||
|
shift
|
||||||
|
|
||||||
|
elif [ "$1" = ws -o "$1" = 'workstation' -o "$1" = 'gateway' ] ; then
|
||||||
|
[ $1 = ws ] && arg=workstation || arg=$1
|
||||||
|
shift
|
||||||
|
$PREFIX/sbin/proxy_whonix_guest_$arg.bash "$*" || exit 3$?
|
||||||
|
|
||||||
|
elif [ 'to_tor' -o "$1" = 'tor' -o "$1" = 'from_tor' -o "$1" = 'whonix' ] ; then
|
||||||
|
$PREFIX/sbin/proxy_whonix_host.bash "$@" || exit $?
|
||||||
|
|
||||||
|
elif [ "$1" = host ] ; then
|
||||||
|
shift
|
||||||
|
$PREFIX/sbin/proxy_whonix_host.bash "$@" || exit $?
|
||||||
|
|
||||||
|
elif [ "$1" = refresh -o "$1" = update -o "$1" = 'test' -o "$1" = 'status' ] ; then
|
||||||
|
arg=$1;shift
|
||||||
|
proxy_whonix_$arg "$@"
|
||||||
|
|
||||||
|
elif [ "$1" = 'down' -o "$1" = 'up' ] ; then
|
||||||
|
arg=$1;shift
|
||||||
|
proxy_whonix_$arg "$@"
|
||||||
|
|
||||||
|
elif [ "$1" = hourly -o "$1" = 'refresh' ] ; then
|
||||||
|
:
|
||||||
|
|
||||||
|
else
|
||||||
|
DBUG $prog $*
|
||||||
|
eval "$@"
|
||||||
|
exit $?
|
||||||
|
|
||||||
|
fi
|
||||||
|
|
||||||
|
exit 0
|
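Review bot: The dispatch test `elif [ 'to_tor' -o "$1" = 'tor' -o "$1" = 'from_tor' -o "$1" = 'whonix' ] ; then` compares nothing against "$1" in its first term — a non-empty literal is always true — so this branch captures every argument that reaches it and the later host, refresh/update/test/status, up/down, hourly and else branches are unreachable; it should read `elif [ "$1" = 'to_tor' -o "$1" = 'tor' -o "$1" = 'from_tor' -o "$1" = 'whonix' ] ; then`. Once that is fixed the final `else` branch becomes live, and it runs `eval "$@"` in a script that insists on being root; if executing arbitrary caller-supplied text is intended as a debugging convenience it deserves a comment saying so, otherwise printing the usage and exiting non-zero is the safer default. The `return 1$?` / `exit 3$?` / `exit 4$?` forms concatenate digits rather than add (a callee status of 1 yields 11, and values above 255 are reduced modulo 256), so callers cannot decode which step failed.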
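--- a/overlay/Linux/usr/local/bin/scurl.bash
+++ b/overlay/Linux/usr/local/bin/scurl.bash
@@ -0,0 +1,254 @@
+#!/bin/bash
+# -*- mode: sh; tab-width: 8; coding: utf-8-unix -*-
+
+# must not use stdout
+
+prog=$( basename $0 .bash )
+PREFIX=/usr/local
+ROLE=proxy
+prog=scurl
+umask 022
+
+RETRIES=2
+SSL_VER=3
+
+. /usr/local/bin/proxy_ping_lib.bash
+[ -f /usr/local/bin/proxy_curl_lib.bash ] && \
+. /usr/local/bin/proxy_curl_lib.bash
+if ! route | grep -q ^def ; then
+WARN $prog we are not connected >&2
+exit -1
+fi
+
+usage="curls with some wget options
+
+Usage: $prog options -- curl-options
+
+Options:
+-P, --directory-prefix
+-X, --force-directories create directories to download to
+-C, --cacert CA certs in .pem
+-M, --mode proxy_ping_mode
+-S, --ssl ssl version 2=tls1.2 3=tls1.3
+-Y, --ciphers comma sep list of ciphers
+-Q, --quiet --silent --show-error
+-h, --help display this help and exit
+"
+if [[ $? -ne 0 ]]; then
+echo "$usage"
+exit 2
+fi
+
+declare -a LARGS
+# --location is required to follow redirects
+# im not sure about --http2
+LARGS+=( --remote-time --location --max-redirs 10 --continue-at - )
+LARGS+=( --retry-delay 10 --show-error --fail )
+# --proto-redir https --proto =https is required to prevent protocol downgrades
+LARGS+=( --proto-redir https --proto-default https --proto =https )
+
+[ -z "$MODE" ] && MODE=$( /usr/local/bin/proxy_ping_lib.bash proxy_ping_mode )
+[ -z "$socks_proxy" ] && . /usr/local/bin/proxy_export.bash
+
+SSL_LIB=openssl # nss
+if [ -x /var/local/bin/curl.bash ] ; then
+EXE=/var/local/bin/curl.bash
+elif which scurl ; then
+EXE=`which scurl`
+else
+EXE=curl
+fi
+
+SHORT=M:QP:XC:F:hS:
+LONG=mode:,quiet,directory-prefix:,force-directories,cacert,ca-cert:,help,ssl:
+
+#? export POSIXLY_CORRECT=1
+
+PARSED=$(getopt --options $SHORT --longoptions $LONG --name "$prog" -- "$@")
+eval set -- "$PARSED"
+
+P="$PWD"
+X="0"
+# echo DEBUG: WD=$WD rest=$*
+LOGF=/tmp/$prog$$.err
+SSL_CIPHERS=""
+
+while true; do
+case "$1" in
+-P|--directory-prefix)
+shift
+P="$1"
+shift
+# echo DEBUG: P=$WD rest=$*
+;;
+-X|--force-directories)
+X=1
+shift
+;;
+-S|--ssl)
+shift
+SSL_VER="$1"
+shift
+;;
+-Y|--ciphers)
+shift
+SSL_CIPHERS="$1"
+shift
+;;
+-C|--cacert|-Z|--ca-cert)
+shift
+CA_CERT="$1"
+shift
+;;
+-M|--mode)
+shift
+MODE="$1"
+shift
+;;
+-Q|--quiet)
+shift
+LARGS="$LARGS --silent --show-error"
+;;
+-h|--help)
+echo USAGE: "$usage"
+exit 0
+;;
+--)
+shift
+break
+;;
+*)
+# echo ERROR: unhandled arguments $* - use -- after -P $PWD or -X ; exit 3
+break
+;;
+esac
+done
+
+[ "$SSL_VER" -ge 2 -a "$SSL_VER" -le 3 ] || { ERROR "SSL_VER $SSL_VER" ; exit 6 ; }
+LARGS+=( --tlsv1.$SSL_VER )
+
+if [ -n "$SSL_CIPHERS" -a "$SSL_VER" = 2 ] ; then
+[ $SSL_LIB = openssl ] && \
+SSL_CIPHERS="ECDHE-RSA-AES256-SHA" # ECDHE-RSA-AES256-GCM-SHA384
+[ $SSL_LIB = nss ] && \
+SSL_CIPHERS="ecdhe_rsa_aes_256_sha"
+fi
+
+if [ -n "$SSL_CIPHERS" -a "$SSL_VER" = 3 ] ; then
+[ $SSL_LIB = openssl ] && \
+SSL_CIPHERS="TLS_AES_256_GCM_SHA384" # TLS_CHACHA20_POLY1305_SHA256
+[ $SSL_LIB = nss ] && \
+SSL_CIPHERS="aes_256_gcm_sha_384"
+fi
+[ -n "$SSL_CIPHERS" ] && LARGS+=( --ciphers "$SSL_CIPHERS" )
+
+if [ "$MODE" = tor -o "$MODE" = selektor -o "$MODE" = whonix ] && \
+netstat -nle4 | grep -q 127.0.0.1:53 ; then
+LARGS+=( --dns-ipv4-addr 127.0.0.1 --dns-servers 127.0.0.1 )
+elif [ "$MODE" = whonix ] && ifconfig virbr1 | grep -q 10.0.2.2 ; then
+LARGS+=( --dns-ipv4-addr 10.0.2.15:9053 --dns-servers 10.0.2.15:9053 )
+else
+debug 127.0.0.1:53 not running MODE=$MODE
+fi
+
+if ! uname -a | grep -q 'Devuan\|Debian' ; then
+if [ -f $HOME/.local/ ] ; then
+[ -f $HOME/.local/alt.svc ] || touch $HOME/.local/alt.svc
+LARGS+=( --alt-svc $HOME/.local/alt.svc )
+# #define CURLALTSVC_H2 (1<<4)
+fi
+export CURLOPT_ALTSVC_CTRL=16
+fi
+
+declare -a RARGS
+RARGS=("$@")
+DBUG "$#" "${RARGS[*]}" >&2
+
+i=0
+while [ $i -le $RETRIES ] ; do
+# assumes one URL
+if [ "${#RARGS[@]}" -eq 1 ] ; then
+the_url=`sed -e 's@http://@https://@g' -e 's@https*://distfiles.gentoo.org@https://gentoo.osuosl.org@g' -e 's@https*://gentoo.osuosl.org@https://mirror.leaseweb.com/gentoo@g' <<< "${RARGS[*]}"`
+else
+the_url=`sed -e 's@http://@https://@' -e 's@https*://distfiles.gentoo.org@https://gentoo.osuosl.org@g' -e 's@https*://gentoo.osuosl.org@https://mirror.leaseweb.com/gentoo@g' <<< "${RARGS[-1]}"`
+fi
+RARGS[-1]="$the_url"
+site=`sed -e 's@https*://@@g' -e 's@/.*@@' <<< $the_url`
+
+i=`expr $i + 1`
+if [ "$X" = 1 ] ; then
+rel_file=$( sed -e 's@^file://*@@' -e 's@^https*://*@@' -e 's@[&?#].*@@' <<< $the_url )
+rel_dir=$( sed -e 's@/$@@' <<< $rel_file )
+rel_dir=$( sed -e 's@/[^/]*$@@' <<< $rel_dir )
+[ -d "$P/$rel_dir" ] || mkdir -p "$P/$rel_dir"
+output=`sed -e 's/[!:?#]/_/g' <<< "$P/$rel_file"`
+LARGS+=( --output "$output" --create-dirs )
+fi
+
+DBUG $EXE "${LARGS[@]}" "${RARGS[@]}" >&2
+echo $EXE "${LARGS[@]}" "${RARGS[@]}" > $LOGF
+$EXE "${LARGS[@]}" "${RARGS[@]}" >> $LOGF 2>&1
+retval=$?
+
+if [ "$retval" -eq 22 ] || \
+tail -4 $LOGF | grep -q 'The requested URL returned error:'; then
+# on 22 - change to HTTP code
+code=`tail -4 $LOGF | grep 'The requested URL returned error:' | sed -e 's/.*returned error: //' -e 's/ *$//'`
+if [ "$code" = 416 ] ; then
+INFO "$prog retval=$retval code=$code ${HTTP_RESPONSE[416]} $the_url = $LOGF" >&2
+retval=$code
+elif [ "$code" = 429 ] ; then
+ERROR "$prog retval=$retval code=$code ${HTTP_RESPONSE[$code]} $the_url = $LOGF" >&2
+retval=$code
+exit $retval
+elif [ -n "$code" ] && [ "$code" -ge 400 ] ; then
+# 403 Cloudflare
+ERROR "$prog retval=$retval code=$code ${HTTP_RESPONSE[$code]} $the_url = $LOGF" >&2
+retval=$code
+elif [ -n "$code" ] && [ "$code" -lt 400 ] ; then
+INFO "$prog retval=$retval code=$code ${HTTP_RESPONSE[$code]} $the_url = $LOGF" >&2
+else
+WARN "$prog retval=$retval \"$code\" $the_url = $LOGF" >&2
+fi
+
+elif [ "$retval" = 35 ] ; then
+# 35 CURLE_SSL_CONNECT_ERROR
+ERROR "$prog retval=$retval CURLE_SSL_CONNECT_ERROR $the_url = $LOGF" >&2
+# feedback to scurl_urls.sh
+NOTLSV3+=( $site )
+
+elif [ "$retval" = 1 ] ; then
+# retval=1 CURLE=CURLE_UNSUPPORTED_PROTOCOL - seems to be a transient error
+WARN "$prog retval=$retval CURLE=${CURLE[$retval]} $the_url = $LOGF" >&2
+continue
+
+elif [ "$retval" = 92 ] ; then
+# curl: (92) HTTP/2 stream 0 was not closed cleanly: INTERNAL_ERROR (err 2)
+WARN "$prog retval=$retval CURLE=${CURLE[$retval]} $the_url = $LOGF" >&2
+continue
+
+elif [ "$retval" -ne 0 ] ; then
+# curl: (3) URL using bad/illegal format or missing URL - worked
+WARN "$prog retval=$retval CURLE=${CURLE[$retval]} $the_url = $LOGF" >&2
+
+elif tail -3 $LOGF | grep -q "HTTP code 504 from proxy after CONNECT" ; then
+WARN "$prog HTTP code 504 from proxy after CONNECT $the_url = $LOGF" >&2
+continue
+
+elif tail -3 $LOGF | grep -q "503 - Forwarding failure" ; then
+WARN "$prog 503 - Forwarding failure $the_url = $LOGF" >&2
+continue
+
+else
+INFO "$prog $output = $LOGF" >&2
+# rm -f $LOGF
+fi
+break
+# "$P/$rel_file"
+# if [ $retval -gt 0 ] ; then
+# The requested URL returned error: 416
+# if [ $retval = 22 ] && [ "$code" = 416 ] && [ -f "$P/$rel_file" ] ; then
+# fi
+done
+
+exit $retval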
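Review bot: `CA_CERT` is filled in by the `-C|--cacert|-Z|--ca-cert` case but never reaches curl, so the CA file the operator passes is silently ignored and every transfer is verified against the default bundle instead; it needs `[ -n "$CA_CERT" ] && LARGS+=( --cacert "$CA_CERT" )` before the first `$EXE` invocation. The getopt spec disagrees with the case labels: `-Y`/`--ciphers` and `-Z` are absent from `SHORT`/`LONG`, so getopt rejects them before the loop runs, and `cacert` in `LONG` carries no `:` while its case shifts twice, which swallows the argument that follows. In the `-Q` case `LARGS="$LARGS --silent --show-error"` assigns a string to an array variable, collapsing element 0 into the single word `--remote-time --silent --show-error` that curl cannot parse; it should be `LARGS+=( --silent --show-error )`. `LOGF=/tmp/$prog$$.err` is a predictable name in a shared directory that is then opened with `>`, so another local user can pre-create or symlink it; `LOGF=$(mktemp /tmp/$prog.XXXXXX)` avoids that, and `exit -1` is not a valid status for sh (it ends up as 255).
```bash
SHORT=M:QP:XC:F:hS:Y:Z:
LONG=mode:,quiet,directory-prefix:,force-directories,cacert:,ca-cert:,ciphers:,help,ssl:
# … unchanged: getopt, eval set, option loop up to the -Q case …
-Q|--quiet)
shift
LARGS+=( --silent --show-error )
;;
# … unchanged: rest of the option loop, SSL_VER check and cipher selection …
[ -n "$CA_CERT" ] && LARGS+=( --cacert "$CA_CERT" )
```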
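--- a/overlay/Linux/usr/local/bin/sdwdate.bash
+++ b/overlay/Linux/usr/local/bin/sdwdate.bash
@@ -0,0 +1,18 @@
+#!/bin/sh
+# -*- mode: sh; fill-column: 75; tab-width: 8; coding: utf-8-unix -*-
+PREFIX=/usr/local
+PREFIX=/usr/local
+ROLE=proxy
+
+if [ -x $PREFIX/bin/proxy_ping_test.bash ] ; then
+if virsh|grep Whonix-Gateway ; then
+sh $PREFIX/bin/proxy_ping_test.bash whonix || exit 1
+else
+sh $PREFIX/bin/proxy_ping_test.bash wifi || exit 1
+sh $PREFIX/bin/proxy_ping_test.bash 30 || exit 2
+fi
+fi
+
+export PYTHONPATH=$PREFIX/lib64/python3.7/site-packages
+
+exec python3.sh $PREFIX/bin/sdwdate_.py "$@"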
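Review bot: `if virsh|grep Whonix-Gateway ; then` runs virsh with no command, which makes it read commands from its stdin rather than list domains, so the test depends on whatever stdin happens to be when this wrapper is invoked; `if virsh list --all | grep -q Whonix-Gateway ; then` is what the branch appears to intend. `PREFIX=/usr/local` is assigned twice in a row and the second line should go. `export PYTHONPATH=$PREFIX/lib64/python3.7/site-packages` hard-codes an interpreter version, so the wrapper silently loses its modules after the next python upgrade; deriving the version or documenting the assumption in a comment would make that failure visible.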
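--- a/overlay/Linux/usr/local/etc/firewall.conf.gateway
+++ b/overlay/Linux/usr/local/etc/firewall.conf.gateway
@@ -0,0 +1 @@
+../../../../../templates/etc/firewall.conf.gateway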
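--- a/overlay/Linux/usr/local/etc/firewall.conf.selektor
+++ b/overlay/Linux/usr/local/etc/firewall.conf.selektor
@@ -0,0 +1 @@
+../../../../../templates/etc/firewall.conf.selektor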
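--- a/overlay/Linux/usr/local/etc/firewall.conf.tor
+++ b/overlay/Linux/usr/local/etc/firewall.conf.tor
@@ -0,0 +1 @@
+../../../../../templates/etc/firewall.conf.tor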
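--- a/overlay/Linux/usr/local/etc/firewall.conf.whonix
+++ b/overlay/Linux/usr/local/etc/firewall.conf.whonix
@@ -0,0 +1 @@
+../../../../../templates/etc/firewall.conf.whonix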
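--- a/overlay/Linux/usr/local/etc/firewall.conf.ws
+++ b/overlay/Linux/usr/local/etc/firewall.conf.ws
@@ -0,0 +1 @@
+../../../../../templates/etc/firewall.conf.ws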
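--- a/overlay/Linux/usr/local/etc/hosts
+++ b/overlay/Linux/usr/local/etc/hosts
@@ -0,0 +1,20 @@
+151.101.122.132 deb.debian.org
+216.58.204.110 google.com
+151.80.211.8 pool.ntp.org
+78.46.53.2 pool.ntp.org
+207.34.49.172 pool.ntp.org
+205.206.70.7 pool.ntp.org
+206.108.0.131 pool.ntp.org
+162.159.200.1 pool.ntp.org
+140.82.112.4 github.com
+37.58.58.140 mirror.leaseweb.com
+5.79.75.37 novg.net
+193.150.121.24 reseed.i2p2.no
+167.71.120.31 reseed.onion.im
+34.201.225.154 i2pseed.creativecowpat.net
+80.74.145.70 reseed.diva.exchange
+167.71.120.31 reseed.onion.im
+68.183.196.133 reseed.i2pgit.org
+193.150.121.24 reseed.i2p2.no
+81.7.7.4 reseed.i2p-projekt.de
+132.163.97.3 time.nist.gov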
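Review bot: `167.71.120.31 reseed.onion.im` and `193.150.121.24 reseed.i2p2.no` each appear twice with the same address; the second copies should be dropped. Pinning CDN-fronted names such as `deb.debian.org`, `github.com` and `google.com` to a single address bypasses DNS (and any resolver policy the proxy role installs) and breaks silently when those addresses rotate, so a leading comment recording why each entry is pinned and when it was last verified would let the next maintainer tell a deliberate pin from a stale one.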
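--- a/overlay/Linux/usr/local/etc/init.d/libvirtd.openrc
+++ b/overlay/Linux/usr/local/etc/init.d/libvirtd.openrc
@@ -0,0 +1,33 @@
+#!/sbin/openrc-run
+# Copyright 1999-2020 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+description="Virtual Machine Management daemon (libvirt)"
+
+LIBVIRTD_OPTS=${LIBVIRTD_OPTS:-"${LIBVIRTD_OPTS}"}
+LIBVIRTD_TIMEOUT=${LIBVIRTD_TERMTIMEOUT:-"TERM/25/KILL/5"}
+
+command="/usr/sbin/libvirtd"
+command_args="${LIBVIRTD_OPTS}"
+start_stop_daemon_args="-b --env KRB5_KTNAME=/etc/libvirt/krb5.tab"
+pidfile="/run/libvirtd.pid"
+retry="${LIBVIRTD_TERMTIMEOUT}"
+
+depend() {
+need virtlogd
+use ceph dbus iscsid virtlockd
+after cgconfig corosync ebtables iptables ip6tables nfs nfsmount ntp-client ntpdportmap rpc.statd sanlock xenconsoled
+USE_FLAG_FIREWALLD
+}
+
+start_pre() {
+# Test configuration directories in /etc/libvirt/ to be either not
+# present or a directory, i.e. not a regular file, bug #532892
+
+checkpath --directory /etc/libvirt/lxc || return 1
+checkpath --directory /etc/libvirt/nwfilter || return 1
+[ -L /etc/libvirt/qemu ] ||
+checkpath --directory /etc/libvirt/qemu || return 1
+[ -L /etc/libvirt/storage ] ||
+checkpath --directory /etc/libvirt/storage || return 1
+}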
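Review bot: `retry="${LIBVIRTD_TERMTIMEOUT}"` reads the raw conf.d variable, so the `TERM/25/KILL/5` default computed one line earlier into `LIBVIRTD_TIMEOUT` is never used and `retry` is empty whenever the override is unset; it should be `retry="${LIBVIRTD_TIMEOUT}"`. `USE_FLAG_FIREWALLD` inside `depend()` looks like the placeholder the Gentoo ebuild substitutes at install time; copied verbatim it is executed as a command name and fails, so it should be removed or replaced with the dependency actually wanted on this host. `LIBVIRTD_OPTS=${LIBVIRTD_OPTS:-"${LIBVIRTD_OPTS}"}` assigns a variable to itself and can be dropped.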
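--- a/overlay/Linux/usr/local/etc/jnettop.conf
+++ b/overlay/Linux/usr/local/etc/jnettop.conf
@@ -0,0 +1,41 @@
+#
+# jnettop, network online traffic visualiser
+# Copyright (C) 2002-2005 Jakub Skopal
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+#
+# $Header: /cvsroot/jnettop/jnettop/.jnettop,v 1.7 2006/04/11 15:59:59 merunka Exp $
+#
+
+# interface "eth1"
+variable "intranet" "net 192.168.0.0/16 or 10.0.0.0/8 or 172.16.0.0/12"
+variable "me" "net 10.16.238.53"
+variable "lo" "net 127.0.0.1/32"
+variable "virbr1" "net 10.0.2.2"
+variable "whonix" "net 10.0.2.0/24"
+rule "Intranet<->Extranet" "((src ${intranet}) and not (dst ${intranet})) or ((dst ${intranet}) and not (src ${intranet}))"
+rule "Me<->Whonix" "((src ${me}) and ((dst ${whonix}) or (dst ${lo}))) or (((dst ${me}) or (dst ${lo})) and (src ${whonix}))"
+rule "Me<->Extranet" "((src ${me}) and not (dst ${me})) or ((dst ${me}) and not (src ${me}))"
+rule "Google" "host www.google.com"
+rule "IPv6" "ip6"
+local_aggregation none
+remote_aggregation none
+local_network "192.168.0.0" "255.255.0.0"
+local_network "10.0.0.0" "255.0.0.0"
+# select_rule "Me<->Whonix"
+# resolve_rule "192.168.0.0" "255.255.0.0" normal
+# resolve_rule "192.168.0.0" "255.255.0.0" external "/usr/share/jnettop/jnettop-lookup-nmb"
+resolve off
+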
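--- a/overlay/Linux/usr/local/etc/jnettop.conf.vda
+++ b/overlay/Linux/usr/local/etc/jnettop.conf.vda
@@ -0,0 +1,42 @@
+#
+# jnettop, network online traffic visualiser
+# Copyright (C) 2002-2005 Jakub Skopal
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+#
+# $Header: /cvsroot/jnettop/jnettop/.jnettop,v 1.7 2006/04/11 15:59:59 merunka Exp $
+#
+
+interface "eth0"
+variable "intranet" "net 192.168.0.0/16 or 10.0.0.0/8 or 172.16.0.0/12"
+variable "me" "net 10.16.238.53"
+variable "vda" "net 10.152.152.11"
+variable "lo" "net 127.0.0.1/32"
+variable "virbr1" "net 10.0.2.2"
+variable "whonix" "net 10.0.2.0/24"
+rule "Intranet<->Extranet" "((src ${intranet}) and not (dst ${intranet})) or ((dst ${intranet}) and not (src ${intranet}))"
+rule "Me<->Whonix" "((src ${me}) and ((dst ${whonix}) or (dst ${lo}))) or (((dst ${me}) or (dst ${lo})) and (src ${whonix}))"
+rule "Vda<->Intranet" "((src ${vda}) and not (dst ${vda})) or ((dst ${vda}) and not (src ${vda}))"
+rule "Google" "host www.google.com"
+rule "IPv6" "ip6"
+local_aggregation none
+remote_aggregation none
+local_network "192.168.0.0" "255.255.0.0"
+local_network "10.0.0.0" "255.0.0.0"
+select_rule "Vda<->Intranet"
+# resolve_rule "192.168.0.0" "255.255.0.0" normal
+# resolve_rule "192.168.0.0" "255.255.0.0" external "/usr/share/jnettop/jnettop-lookup-nmb"
+resolve off
+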
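--- a/overlay/Linux/usr/local/etc/libvirt/hooks/network
+++ b/overlay/Linux/usr/local/etc/libvirt/hooks/network
@@ -0,0 +1,6 @@
+#!/bin/sh
+# -*-mode: sh; tab-width: 8; coding: utf-8-unix -*-
+# BEGIN ANSIBLE MANAGED BLOCK proxy whonix_host.yml
+[ ! -f /usr/local/sbin/proxy_libvirt_hook_network.bash ] || \
+/usr/local/sbin/proxy_libvirt_hook_network.bash
+# END ANSIBLE MANAGED BLOCK proxy whonix_host.yml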
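Review bot: libvirt invokes hook scripts with the object name, operation and sub-operation as positional arguments, and this wrapper calls `/usr/local/sbin/proxy_libvirt_hook_network.bash` with none of them, so the callee cannot tell a network being started from one being stopped; forward them with `/usr/local/sbin/proxy_libvirt_hook_network.bash "$@"`. The `-f` test also accepts a non-executable file and then fails at the call, so `-x` would match the intent more closely.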
381
overlay/Linux/usr/local/etc/local.bash
Executable file
381
overlay/Linux/usr/local/etc/local.bash
Executable file
@ -0,0 +1,381 @@
|
|||||||
|
#!/bin/sh
|
||||||
|
# -*-mode: sh; tab-width: 8; coding: utf-8-unix -*-
|
||||||
|
|
||||||
|
# prog=rc.local
|
||||||
|
PREFIX=/usr/local
|
||||||
|
ROLE=local
|
||||||
|
|
||||||
|
export PATH=$PATH:/usr/local/sbin:/usr/local/bin
|
||||||
|
|
||||||
|
if [ -x /sbin/rc-service ] ; then
|
||||||
|
local_rc_service () { rc-service "$@" ; }
|
||||||
|
local_rc_update () { rc-update "$@" ; }
|
||||||
|
elif [ -x /bin/systemctl ] ; then
|
||||||
|
local_rc_service () {
|
||||||
|
systemctl list-units --no-pager | grep -q $1 && \
|
||||||
|
echo INFO: /usr/sbin/service "$@" || \
|
||||||
|
echo WARN: /usr/sbin/service "$@"
|
||||||
|
/usr/sbin/service "$@" 2>/dev/null
|
||||||
|
return $?
|
||||||
|
}
|
||||||
|
local_rc_update () {
|
||||||
|
if [ "$#" -eq 0 ] ; then
|
||||||
|
systemctl list-units --no-pager
|
||||||
|
return $?
|
||||||
|
fi
|
||||||
|
dir=$1 ; shift ;
|
||||||
|
svc=$1 ; shift ;
|
||||||
|
if [ $dir = add ] ; then
|
||||||
|
dire=enable
|
||||||
|
elif [ $dir = del ] ; then
|
||||||
|
dire=disable
|
||||||
|
else
|
||||||
|
dire=$dir
|
||||||
|
fi
|
||||||
|
echo INFO: $prog systemctl --no-pager $dire $svc "$@"
|
||||||
|
systemctl --no-pager $dire $svc "$@"
|
||||||
|
return $?
|
||||||
|
}
|
||||||
|
elif [ -x /usr/sbin/service ] ; then
|
||||||
|
local_rc_service () {
|
||||||
|
/usr/sbin/service --status-all 2>&1 | grep -q $1 && \
|
||||||
|
echo INFO: /usr/sbin/service "$@" || \
|
||||||
|
echo WARN: /usr/sbin/service "$@"
|
||||||
|
/usr/sbin/service "$@" 2>/dev/null
|
||||||
|
return $?
|
||||||
|
}
|
||||||
|
local_rc_update () {
|
||||||
|
if [ "$#" -eq 0 ] ; then
|
||||||
|
/usr/sbin/service --status-all 2>&1 | sed -e 's/.* //'
|
||||||
|
return $?
|
||||||
|
fi
|
||||||
|
dir=$1 ; shift ;
|
||||||
|
svc=$1 ; shift ;
|
||||||
|
# disable|enable |remove
|
||||||
|
if [ $dir = add ] ; then
|
||||||
|
dire=enable
|
||||||
|
elif [ $dir = del ] ; then
|
||||||
|
dire=disable
|
||||||
|
else
|
||||||
|
dire=$dir
|
||||||
|
fi
|
||||||
|
update-rc.d $svc $dire || echo WARN: update-rc.d $svc $dir $dire
|
||||||
|
}
|
||||||
|
fi
|
||||||
|
proxy_rc_service () { local_rc_service $* ; }
|
||||||
|
proxy_rc_update () { local_rc_update $* ; }
|
||||||
|
|
||||||
|
grep -q root=/dev/vda /proc/cmdline
|
||||||
|
PROXY_IS_VDA=$?
|
||||||
|
|
||||||
|
## local_disable_lid
|
||||||
|
local_disable_lid () {
|
||||||
|
# https://bbs.archlinux.org/viewtopic.php?id=72779
|
||||||
|
echo LID0 > /proc/acpi/wakeup
|
||||||
|
# https://forums.linuxmint.com/viewtopic.php?f=208&t=106532
|
||||||
|
if [ -f /etc/UPower/UPower.conf ] ; then
|
||||||
|
[ -f /etc/UPower/UPower.conf.bak ] || \
|
||||||
|
cp -p /etc/UPower/UPower.conf /etc/UPower/UPower.conf.bak
|
||||||
|
grep -q '^IgnoreLid=true' /etc/UPower/UPower.conf || \
|
||||||
|
sed -e 's@#*IgnoreLid=.*@IgnoreLid=true@' -i /etc/UPower/UPower.conf
|
||||||
|
fi
|
||||||
|
if [ -f /etc/systemd/logind.conf ] ; then
|
||||||
|
[ -f /etc/systemd/logind.conf.bak ] || \
|
||||||
|
cp -p /etc/systemd/logind.conf /etc/systemd/logind.conf.bak
|
||||||
|
grep -q '^HandleLidSwitch=ignore' /etc/systemd/logind.conf || \
|
||||||
|
sed -e 's@^#*HandleLidSwitch=.*@HandleLidSwitch=ignore@' -i /etc/systemd/logind.conf
|
||||||
|
fi
|
||||||
|
return 0
|
||||||
|
}
|
||||||
|
|
||||||
|
## local_guest_start_services
|
||||||
|
local_guest_start_services () {
|
||||||
|
for file in /usr/local/etc/modules-load.d/vda*conf ; do
|
||||||
|
[ -s $file ] || continue
|
||||||
|
base=`basename $file`
|
||||||
|
[ -e /etc/modules-load.d/$base ] && continue
|
||||||
|
echo "# from $file" > /etc/modules-load.d/$base
|
||||||
|
grep -v '^#' $file >> /etc/modules-load.d/$base
|
||||||
|
done
|
||||||
|
|
||||||
|
grep -hv '#' /etc/modules-load.d/vda*.conf | xargs modprobe --all
|
||||||
|
|
||||||
|
local_start_services $*
|
||||||
|
|
||||||
|
exit 0
|
||||||
|
}
|
||||||
|
|
||||||
|
local_guest_add_xorg_conf () {
|
||||||
|
[ -f /etc/X11/xorg.conf.d/80_qxl.conf ] || \
|
||||||
|
grep -q Drive.*qxl /etc/X11/xorg.conf.d/*.conf || \
|
||||||
|
cat > /etc/X11/xorg.conf.d/80_qxl.conf << EOF
|
||||||
|
# BEGIN ANSIBLE MANAGED BLOCK proxy whonix_guest.yml
|
||||||
|
Section "Device"
|
||||||
|
Identifier "qxl"
|
||||||
|
Driver "qxl"
|
||||||
|
Option "DPI" "96 x 96"
|
||||||
|
Option "ENABLE_IMAGE_CACHE" "True"
|
||||||
|
Option "ENABLE_FALLBACK_CACHE" "False"
|
||||||
|
Option "ENABLE_SURFACES" "False"
|
||||||
|
EndSection
|
||||||
|
# END ANSIBLE MANAGED BLOCK proxy whonix_guest.yml
|
||||||
|
EOF
|
||||||
|
return 0
|
||||||
|
}
|
||||||
|
|
||||||
|
## local_guest_config
|
||||||
|
local_guest_config () {
|
||||||
|
|
||||||
|
[ -d /etc/qemu ] || mkdir /etc/qemu
|
||||||
|
[ -f /etc/qemu/qemu-ga.conf ] || cat > /etc/qemu/qemu-ga.conf <<EOF
|
||||||
|
[general]
|
||||||
|
daemon=false
|
||||||
|
method=virtio-serial
|
||||||
|
path=/dev/virtio-ports/org.qemu.guest_agent.0
|
||||||
|
pidfile=/run/qemu-ga.pid
|
||||||
|
statedir=/run
|
||||||
|
verbose=true
|
||||||
|
retry-path=false
|
||||||
|
blacklist=
|
||||||
|
logfile=/var/log/libvirtd/qemu-ga.log
|
||||||
|
EOF
|
||||||
|
[ -d /var/log/libvirtd/ ] || mkdir /var/log/libvirtd/
|
||||||
|
|
||||||
|
[ -f /etc/default/qemu-guest-agent.diff ] || cat > /etc/default/qemu-guest-agent.diff <<EOF
|
||||||
|
*** /etc/default/qemu-guest-agent.dst 2021-01-05 03:28:20.579117119 +0000
|
||||||
|
--- /etc/default/qemu-guest-agent 2021-08-27 20:26:36.234739996 +0000
|
||||||
|
***************
|
||||||
|
*** 1 ****
|
||||||
|
! DAEMON_ARGS="--logfile /var/log/libvirtd/qemu-ga.log"
|
||||||
|
--- 1 ----
|
||||||
|
! DAEMON_ARGS="--logfile /var/log/libvirtd/qemu-ga.log --verbose --pidfile /run/qemu-ga.pid"
|
||||||
|
EOF
|
||||||
|
|
||||||
|
[ -f /etc/default/qemu-guest-agent.dst ] || \
|
||||||
|
patch -z .st -b /etc/default/qemu-guest-agent \
|
||||||
|
< /etc/default/qemu-guest-agent.diff
|
||||||
|
|
||||||
|
return 0
|
||||||
|
}
|
||||||
|
|
||||||
|
## local_guest_status
|
||||||
|
local_guest_status () {
|
||||||
|
if [ ! -f /var/log/libvirtd/qemu-ga.log ] ; then
|
||||||
|
echo WARN: missing /var/log/libvirtd/qemu-ga.log
|
||||||
|
elif grep -q critical: /var/log/libvirtd/qemu-ga.log ; then
|
||||||
|
echo ERROR: critical /var/log/libvirtd/qemu-ga.log
|
||||||
|
fi
|
||||||
|
return 0
|
||||||
|
}
|
||||||
|
|
||||||
|
## local_guest_neutersystemd
|
||||||
|
local_guest_neutersystemd () {
|
||||||
|
[ ! -f /lib/lsb/init-functions.d/40-systemd ] || \
|
||||||
|
mv /lib/lsb/init-functions.d/40-systemd /lib/lsb/.40-systemd
|
||||||
|
return 0
|
||||||
|
}
|
||||||
|
|
||||||
|
# vda
|
||||||
|
## local_host_symlink_usr_src
|
||||||
|
local_host_symlink_etc_fstab () {
|
||||||
|
# guest
|
||||||
|
[ -h /etc/fstab ] && [ -f /etc/fstab.vda ] && \
|
||||||
|
rm -f /etc/fstab && ln -s /etc/fstab.vda /etc/fstab
|
||||||
|
|
||||||
|
return 0
|
||||||
|
}
|
||||||
|
|
||||||
|
## local_host_make_dmcrypt_swap
|
||||||
|
local_host_make_dmcrypt_swap () {
|
||||||
|
local two five
|
||||||
|
|
||||||
|
if ! grep -q '/dev/mapper\|/dev/sd\|/dev/dm' /proc/swaps ; then
|
||||||
|
blkid > ~/blkid.txt
|
||||||
|
five=`grep _05E ~/blkid.txt | head -1`
|
||||||
|
if [ $? -eq 0 -a -n "$five" ] ; then
|
||||||
|
two=`echo $five | sed -e 's/_.*//' -e 's/.*="//'`_02SWAP
|
||||||
|
if ! grep $two ~/blkid.txt ; then
|
||||||
|
dev=`echo $five | sed -e 's/:.*//' -e 's/5/2/'`
|
||||||
|
[ $? -eq 0 -a -n "$dev" ] && mkswap -L $two $dev
|
||||||
|
fi
|
||||||
|
grep $two /etc/conf.d/dmcrypt && local_rc_service dmcrypt restart || echo WARN: $two not in /etc/conf.d/dmcrypt
|
||||||
|
grep -q '/dev/mapper\|/dev/sd\|/dev/dm' /proc/swaps || local_rc_service swap restart
|
||||||
|
# if its not in fstab
|
||||||
|
grep -q '/dev/mapper\|/dev/sd\|/dev/dm' /proc/swaps || swapon /dev/mapper/cryptswap*
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
|
||||||
|
return 0
|
||||||
|
}
|
||||||
|
|
||||||
|
# all
|
||||||
|
## local_start_services
|
||||||
|
local_start_services () {
|
||||||
|
for elt in $*; do
|
||||||
|
local_rc_service $elt status >/dev/null || local_rc_service $elt start
|
||||||
|
local_rc_update | grep -q $elt || local_rc_update add $elt
|
||||||
|
done
|
||||||
|
|
||||||
|
return 0
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
# all
|
||||||
|
## nlocal_manual_stop_services
|
||||||
|
local_manual_stop_services () {
|
||||||
|
# set these to stop now and restart them manually as we configure them
|
||||||
|
# rsync on debian
|
||||||
|
for elt in $* ; do
|
||||||
|
local_rc_service $elt status >/dev/null && local_rc_service $elt stop
|
||||||
|
local_rc_update | grep -q $elt && local_rc_update del $elt
|
||||||
|
done
|
||||||
|
|
||||||
|
return 0
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
# all
|
||||||
|
## local_host_symlink_usr_src
|
||||||
|
local_host_symlink_usr_src () {
|
||||||
|
local dir
|
||||||
|
|
||||||
|
dir=`cat /proc/cmdline|sed -e 's/.*BOOT_IMAGE=kernel-pentoo-x86_64/linux/' -e 's/_.*//'`
|
||||||
|
WD=$PWD
|
||||||
|
cd /usr/src
|
||||||
|
if [ -d $dir ] ; then
|
||||||
|
rm -f linux
|
||||||
|
ln -s $dir linux || echo WARN: $PWD/$dir not found
|
||||||
|
fi
|
||||||
|
cd $WD
|
||||||
|
|
||||||
|
return 0
|
||||||
|
}
|
||||||
|
|
||||||
|
# all
|
||||||
|
## local_lightdm_on_text
|
||||||
|
local_lightdm_on_text () {
|
||||||
|
return 0
|
||||||
|
[ ! -f /usr/sbin/lightdm ] && return 0
|
||||||
|
if [ ! -f /usr/sbin/lightdm.bin ] ; then
|
||||||
|
[ -f /usr/sbin/lightdm.bad ] && mv /usr/sbin/lightdm.bad /usr/sbin/lightdm.bin
|
||||||
|
[ ! -f /usr/sbin/lightdm.bin ] && mv /usr/sbin/lightdm /usr/sbin/lightdm.bin
|
||||||
|
if [ -f /usr/sbin/lightdm.bin ] && [ -f /usr/sbin/lightdm ] ; then
|
||||||
|
cat > /usr/sbin/lightdm << EOF
|
||||||
|
#!/bin/sh
|
||||||
|
grep -q ' text ' /proc/cmdline && exit 0
|
||||||
|
exec /usr/sbin/lightdm.bin "$@"
|
||||||
|
EOF
|
||||||
|
chmod 755 /usr/sbin/lightdm
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
|
||||||
|
return 0
|
||||||
|
}
|
||||||
|
|
||||||
|
## local_host_restart_psmouse
|
||||||
|
local_host_restart_psmouse () {
|
||||||
|
local_rc_service gpm status && local_rc_service gpm stop
|
||||||
|
rmmod psmouse; sleep 1; modprobe psmouse proto=exps
|
||||||
|
local_rc_service gpm start
|
||||||
|
return 0
|
||||||
|
}
|
||||||
|
|
||||||
|
## local_host_restart_intel_sound
|
||||||
|
local_host_restart_intel_sound () {
|
||||||
|
which aplay >/dev/null 2>/dev/null || return 0
|
||||||
|
|
||||||
|
# both
|
||||||
|
if ! aplay -L | grep -q default:CARD=PCH ; then
|
||||||
|
rmmod snd_hda_intel ;
|
||||||
|
sleep 5
|
||||||
|
modprobe snd_hda_intel enable=1 ;
|
||||||
|
sleep 1
|
||||||
|
aplay -L >/dev/null || exit 2
|
||||||
|
fi
|
||||||
|
|
||||||
|
return 0
|
||||||
|
}
|
||||||
|
|
||||||
|
## local_all
|
||||||
|
local_all () {
|
||||||
|
local_disable_lid
|
||||||
|
|
||||||
|
touch /var/log/boot
|
||||||
|
|
||||||
|
chmod 775 /usr/local/*bin/*sh /var/local/*bin/*sh
|
||||||
|
|
||||||
|
# grep -q text /proc/cmdline && local_lightdm_on_text
|
||||||
|
|
||||||
|
( cd /var/tmp && rm -rf ansible-local-* Temp-* ssh-* pulse-* .xfsm-ICE-* )
|
||||||
|
|
||||||
|
return 0
|
||||||
|
}
|
||||||
|
|
||||||
|
## local_manual_mask_services
|
||||||
|
local_manual_mask_services () {
|
||||||
|
if [ -d /usr/local/etc/systemd/ ] ; then
|
||||||
|
local_systemd_stop_and_mask $* || return 1$?
|
||||||
|
elif [ -x /usr/sbin/update-rc.d ] ; then
|
||||||
|
/usr/sbin/invoke-rc.d $1 stop
|
||||||
|
/usr/sbin/update-rc.d $1 remove || return 2$?
|
||||||
|
elif [ /sbin/rc-update ] ; then
|
||||||
|
/sbin/rc-service $1 stop
|
||||||
|
/sbin/rc-update $1 del || return 3$?
|
||||||
|
fi
|
||||||
|
|
||||||
|
return 0
|
||||||
|
}
|
||||||
|
|
||||||
|
## local_systemd_stop_and_mask
|
||||||
|
local_systemd_stop_and_mask () {
|
||||||
|
[ $# -eq 0 ] && [ -d /usr/local/etc/systemd/ ] && \
|
||||||
|
set - `grep -v '@\.service' /usr/local/etc/systemd/*.mask`
|
||||||
|
for file in $* ; do
|
||||||
|
[ -e /lib/systemd/system/$file ] || continue
|
||||||
|
elt=`basename $file`
|
||||||
|
systemctl is-enabled $elt 2>/dev/null >/dev/null || continue
|
||||||
|
echo INFO: local_systemd_stop_and_mask systemctl disable $elt
|
||||||
|
systemctl disable --now $elt && systemctl mask $elt
|
||||||
|
# [ -h /etc/systemd/system/$file ]
|
||||||
|
# [ `readlink /etc/systemd/system/$file ` = /dev/null ]
|
||||||
|
done
|
||||||
|
|
||||||
|
return 0
|
||||||
|
}
|
||||||
|
|
||||||
|
## local_neuter_gvfs
|
||||||
|
local_neuter_gvfs () {
|
||||||
|
[ -d /usr/local/share/dbus-1/services ] || exit 0
|
||||||
|
cd /usr/local/share/dbus-1/services
|
||||||
|
for file in /usr/share/dbus-1/services/*vfs* ; do
|
||||||
|
sed -e 's@^Exec=.*@Exec=/bin/false@' > `basename $file`
|
||||||
|
done
|
||||||
|
}
|
||||||
|
|
||||||
|
local_link_linux () {
|
||||||
|
|
||||||
|
sed < /proc/cmdline -e 's@.*BOOT_IMAGE=vmlinuz-@linux-@' -e 's/[_ ].*//'| \
|
||||||
|
while read line ; do
|
||||||
|
[ -z "$line" ] && continue
|
||||||
|
[ -d "/usr/src/$line" ] || { echo WARN: /usr/src/$line ; continue ; }
|
||||||
|
rm -f /usr/src/linux
|
||||||
|
echo INFO: /usr/src/$line /usr/src/linux
|
||||||
|
ln -s /usr/src/$line /usr/src/linux
|
||||||
|
done
|
||||||
|
|
||||||
|
return 0
|
||||||
|
}
|
||||||
|
|
||||||
|
local_null_machineid () {
|
||||||
|
[ -s /etc/machine-id ] && cp /dev/null /etc/machine-id
|
||||||
|
return 0
|
||||||
|
}
|
||||||
|
|
||||||
|
base=local
|
||||||
|
if [ -x /usr/bin/basename ] && [ `/usr/bin/basename -- $0` = $base'.bash' ] ; then
|
||||||
|
[ "$#" -eq 1 ] && [ "$1" = '-h' -o "$1" = '--help' ] && \
|
||||||
|
echo USAGE: $0 && grep '^[a-z].*()\|^## ' $0 | sed -e 's/().*//'| sort \
|
||||||
|
&& exit 0
|
||||||
|
eval "$@"
|
||||||
|
exit $?
|
||||||
|
fi
|
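--- a/overlay/Linux/usr/local/etc/local.d/Whonix-All.rc
+++ b/overlay/Linux/usr/local/etc/local.d/Whonix-All.rc
@@ -0,0 +1,43 @@
+#!/bin/bash -e
+# -*-mode: sh; tab-width: 8; coding: utf-8-unix -*-
+#
+# rc.local
+
+#
+# This script is executed at the end of each multiuser runlevel.
+# Make sure that the script will "exit 0" on success or any other
+# value on error.
+#
+# In order to enable or disable this script just change the execution
+# bits.
+#
+# By default this script does nothing.
+
+# run this first
+
+ROLE=local
+MODE=all
+CONN=all
+BIN=/usr/local/sbin
+
+. /usr/local/etc/local.d/local.bash || exit 1
+
+local_all
+
+local_manual_mask_services pdnsd ntpd tor polipo dnsmasq \
+NetworkManager-wait-online apt-daily-upgrade apt-daily
+
+# support the console
+local_start_services gpm
+
+# adjust to your taste here
+
+[ -e /dev/autofs ] && rm /dev/autofs
+if false && which systemctl 2>/dev/null >/dev/null ; then
+systemctl | grep -q proc-sys-fs-binfmt_misc.automount && \
+systemctl mask proc-sys-fs-binfmt_misc.automount
+fi
+
+exit 0
+
+#? systemctl unmask -- -.mount run-msgcollector.mount run-user-1000.mount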
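Review bot: A failure inside `local_manual_mask_services pdnsd ntpd tor polipo dnsmasq ...` aborts this script, because the file runs under `#!/bin/bash -e` and that function (in the local.bash hunk earlier on this page) returns non-zero via `return 1$?`, `return 2$?` or `return 3$?` when a mask or removal fails, so one bad service name ends the run before `local_start_services gpm` and before the final `exit 0` the header promises. The same function's sysvinit/openrc branches only act on `$1`, so on a non-systemd host only `pdnsd` is stopped out of the nine names passed here. If masking is meant to be best-effort, say so in the call: `local_manual_mask_services pdnsd ntpd tor polipo dnsmasq \` / `NetworkManager-wait-online apt-daily-upgrade apt-daily || echo WARN: local_manual_mask_services failed`. The `if false && which systemctl ...` block is dead code and should be removed or gated on a real variable rather than left behind a constant.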
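--- a/overlay/Linux/usr/local/etc/local.d/Whonix-Gateway.local
+++ b/overlay/Linux/usr/local/etc/local.d/Whonix-Gateway.local
@@ -0,0 +1,19 @@
+#!/bin/sh -e
+# -*-mode: sh; tab-width: 8; coding: utf-8-unix -*-
+#
+# rc.local
+#
+# This script is executed at the end of each multiuser runlevel.
+# Make sure that the script will "exit 0" on success or any other
+# value on error.
+#
+# In order to enable or disable this script just change the execution
+# bits.
+#
+# By default this script does nothing.
+
+sh /usr/local/etc/local.d/Whonix-All.rc
+sh /usr/local/etc/local.d/Whonix-Guest.rc
+sh /usr/local/etc/local.d/Whonix-Gateway.rc
+[ -f /usr/local/etc/local.d/Whonix-Local.rc ] && \
+sh /usr/local/etc/local.d/Whonix-Local.rc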
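Review bot: The closing `[ -f /usr/local/etc/local.d/Whonix-Local.rc ] && \ sh ...` is also this script's exit status, so on a host without Whonix-Local.rc the script returns 1 even though its header promises `exit 0` on success; add a final `exit 0` after it, as Whonix-Host.local and Whonix-Vda.local already do. Invoking the four files as `sh FILE` discards their `#!/bin/bash -e` shebangs: they run under the system `sh` (dash on Debian) and `-e` is silently dropped, so failures inside Whonix-All.rc, Whonix-Guest.rc and Whonix-Gateway.rc no longer stop them. Executing the files directly, or writing `bash -e /usr/local/etc/local.d/Whonix-All.rc`, keeps the intended interpreter and error mode. The same `sh FILE` pattern appears in Whonix-Host.local, Whonix-Kicksecure.local and Whonix-Vda.local.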
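--- a/overlay/Linux/usr/local/etc/local.d/Whonix-Gateway.rc
+++ b/overlay/Linux/usr/local/etc/local.d/Whonix-Gateway.rc
@@ -0,0 +1,29 @@
+#!/bin/bash -e
+# -*-mode: sh; tab-width: 8; coding: utf-8-unix -*-
+#
+# rc.local
+#
+# This script is executed at the end of each multiuser runlevel.
+# Make sure that the script will "exit 0" on success or any other
+# value on error.
+
+ROLE=proxy
+MODE=gateway
+CONN=guest
+BIN=/usr/local/sbin
+
+. /usr/local/etc/local.d/local.bash || exit 1
+
+local_guest || exit 3$?
+
+# leave this for later when online
+if false ; then
+if ! $BIN/proxy_whonix_guest_gateway.bash config ; then
+echo WARN: proxy_whonix_guest_gateway.bash config retval=$?
+fi
+if ! $BIN/proxy_whonix_guest_gateway.bash start ; then
+echo WARN: proxy_whonix_guest_gateway.bash start retval=$?
+fi
+fi
+
+exit 0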
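Review bot: In `if ! $BIN/proxy_whonix_guest_gateway.bash config ; then`, the `$?` used by `echo WARN: ... retval=$?` is the status of the negated test, which is 0 whenever the branch is entered, so the WARN line can never show the real exit code; capture it first, e.g. `$BIN/proxy_whonix_guest_gateway.bash config ; rc=$?` then `[ $rc -eq 0 ] || echo WARN: proxy_whonix_guest_gateway.bash config retval=$rc`. The three `if ! /usr/local/sbin/proxy_whonix_host.bash ... ; then` blocks in Whonix-Host.rc have the same flaw. `local_guest || exit 3$?` concatenates digits rather than encoding a status (a return of 1 exits 31, of 127 exits 3127, i.e. 55 after truncation to 8 bits); `exit 3`, or logging `$?` before a fixed exit code, is unambiguous, and Whonix-Kicksecure.rc uses the same idiom. Both `if !` blocks here sit under `if false ; then` and are dead until that guard becomes a real condition.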
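--- a/overlay/Linux/usr/local/etc/local.d/Whonix-Guest.rc
+++ b/overlay/Linux/usr/local/etc/local.d/Whonix-Guest.rc
@@ -0,0 +1,35 @@
+#!/bin/bash -e
+# -*-mode: sh; tab-width: 8; coding: utf-8-unix -*-
+#
+# rc.local
+#
+# This script is executed at the end of each multiuser runlevel.
+# Make sure that the script will "exit 0" on success or any other
+# value on error.
+#
+# In order to enable or disable this script just change the execution
+# bits.
+#
+# By default this script does nothing.
+
+ROLE=proxy
+MODE=gateway
+CONN=guest
+
+. /usr/local/etc/local.d/local.bash || exit 1
+
+local_start_services qemu-guest-agent # spice-vdagent
+
+if ! [ -e /dev/virtio-ports/org.qemu.guest_agent.0 ] ; then
+echo WARN: $prog /dev/virtio-ports/org.qemu.guest_agent.0 not found
+echo WARN: $prog Add "<channel type='unix'><target type='virtio' name='org.qemu.guest_agent.0'/></channel>"
+echo 'WARN: to the /etc/libvirtd/qemu/*.xml file on the host'
+fi
+
+local_guest_config
+local_guest_neutersystemd
+
+local_guest_start_services qemu-guest-agent # spice-vdagent
+# local_guest_add_xorg_conf
+
+local_guest_status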
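Review bot: `$prog` in the two `echo WARN: $prog ...` lines is never assigned in this file, so unless local.bash exports it (not visible in the local.bash hunk on this page) the warnings print with an empty name; set `prog=$(basename "$0")` after the `. /usr/local/etc/local.d/local.bash || exit 1` line or drop the variable. The first `local_start_services qemu-guest-agent` runs before the `/dev/virtio-ports/org.qemu.guest_agent.0` check, and because the file runs under `bash -e` a failing start there can end the script before the WARN about the missing channel is ever printed; since `local_guest_start_services qemu-guest-agent` repeats the start further down, the first call looks redundant and is better removed. Unlike the sibling `.rc` files there is no closing `exit 0`, so the script's status is whatever `local_guest_status` returns (0 in the local.bash shown here).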
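--- a/overlay/Linux/usr/local/etc/local.d/Whonix-Host.local
+++ b/overlay/Linux/usr/local/etc/local.d/Whonix-Host.local
@@ -0,0 +1,25 @@
+#!/bin/sh -e
+# -*-mode: sh; tab-width: 8; coding: utf-8-unix -*-
+#
+# rc.local
+#
+# This script is executed at the end of each multiuser runlevel.
+# Make sure that the script will "exit 0" on success or any other
+# value on error.
+#
+# In order to enable or disable this script just change the execution
+# bits.
+#
+# By default this script does nothing.
+dmesg>/var/log/dmesg.log
+
+[ -d /usr/local/tmp/rc ] || mkdir -p /usr/local/tmp/rc
+chmod 1777 /usr/local/tmp/rc
+
+for elt in All Host Local ; do
+sh /usr/local/etc/local.d/Whonix-$elt.rc
+done > /usr/local/tmp/rc/rc.local.log 2>&1
+#[ -f /usr/local/etc/local.d/Whonix-Lati.rc ] && \
+# sh /usr/local/etc/local.d/Whonix-Lati.rc
+timeout 20s tail -f /usr/local/tmp/rc/rc.local.log
+exit 0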
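Review bot: `timeout 20s tail -f /usr/local/tmp/rc/rc.local.log` exits 124 when the timeout fires (or 1 if the log is missing), and under `#!/bin/sh -e` that ends the script with that status before `exit 0` is reached; write it as `timeout 20s tail -f /usr/local/tmp/rc/rc.local.log || true`. The same closing line is in Whonix-Vda.local. `chmod 1777 /usr/local/tmp/rc` makes the directory world-writable, yet root then truncates the fixed name `rc.local.log` inside it with `>`; a pre-existing entry of that name owned by another user (including a symlink) would be followed by root's redirection, so the log belongs in a root-owned directory such as one under /var/log, or the directory should stay 0755 if only root writes there. A comment stating why the directory must be sticky-world-writable would help if the mode is intentional.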
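--- a/overlay/Linux/usr/local/etc/local.d/Whonix-Host.rc
+++ b/overlay/Linux/usr/local/etc/local.d/Whonix-Host.rc
@@ -0,0 +1,138 @@
+#!/bin/bash
+# -*-mode: sh; tab-width: 8; coding: utf-8-unix -*-
+#
+# rc.local
+#
+# This script is executed at the end of each multiuser runlevel.
+# Make sure that the script will "exit 0" on success or any other
+# value on error.
+. /usr/local/etc/local.d/local.bash
+
+chmod 775 /usr/local/sbin/*sh /usr/local/bin/*sh
+export PATH=$PATH:/usr/local/bin:/usr/local/sbin
+
+grep -q root=/dev/vda /proc/cmdline
+PROXY_IS_VDA=$?
+if [ $PROXY_IS_VDA -eq 0 ] ; then
+/usr/local/sbin/proxy_whonix_lib.bash proxy_vda_config
+fi
+
+# Host and Vda
+[ -d /etc/apt ] && \
+local_manual_stop_services openvpn exim4 apt-daily-upgrade udisks2 \
+sdwdate tb-updater-first-boot lvm2-monitor
+
+# BEGIN ANSIBLE MANAGED BLOCK base initctl
+if [ ! -e /dev/initctl -a -e /run/initctl ] ; then
+ln -s /run/initctl /dev/initctl
+elif [ ! -e /dev/initctl ] ; then
+mknod -m=0600 /dev/initctl p
+fi
+# END ANSIBLE MANAGED BLOCK base initctl
+
+# BEGIN ANSIBLE MANAGED BLOCK base
+( cd /var/tmp && rm -rf ansible-local-* Temp-* ssh-* pulse-* .xfsm-ICE-* )
+# END ANSIBLE MANAGED BLOCK base
+
+# sh "/var/local/etc/local.d/testforge.start"
+
+# redis
+# WARNING you have Transparent Huge Pages (THP) support enabled in your kernel. This will create latency and memory usage issues with Redis. To fix this issue run the command 'echo never > /sys/kernel/mm/transparent_hugepage/enabled' as root, and add it to your /etc/rc.local in order to retain the setting after a reboot. Redis must be restarted after THP is disabled.
+#? echo never > /sys/kernel/mm/transparent_hugepage/enabled
+
+if false;then
+# failsafe but independent of whether wlan exists
+[ -f /usr/local/sbin/proxy_whonix_host_libvirt.bash ] && \
+sh /usr/local/sbin/proxy_whonix_host_libvirt.bash proxy_whonix_libvirt_start
+
+if ! /usr/local/sbin/proxy_whonix_host.bash config ; then
+echo WARN: Whonix-Host.rc proxy_whonix_host.bash config failed $?
+fi
+if ! /usr/local/sbin/proxy_whonix_host.bash start ; then
+echo WARN: Whonix-Host.rc proxy_whonix_host.bash start failed $?
+fi
+if ! /usr/local/sbin/proxy_whonix_host.bash test ; then
+echo WARN: Whonix-Host.rc proxy_whonix_host.bash test failed $?
+fi
+fi
+
+exit 0
+# BEGIN ANSIBLE MANAGED BLOCK update lati_unix.yml text
+local_systemd_stop_services display-manager
+# END ANSIBLE MANAGED BLOCK update lati_unix.yml text
+# BEGIN ANSIBLE MANAGED BLOCK update lati_unix.yml fstab
+for eltin h i j o q v q w l ; do
+[ -d /mnt/$elt/tmp ] || mount /mnt/$elt
+done
+exit 0
+# END ANSIBLE MANAGED BLOCK update lati_unix.yml fstab
+# BEGIN ANSIBLE MANAGED BLOCK update lati_unix.yml mask
+# local_manual_stop_services
+SYSTEMD_STOP_AND_MASK="
+debug-shell.service
+systemd-backlight@.service
+phpsessionclean.service
+phpsessionclean.timer
+apt-daily-upgrade.service
+apt-daily-upgrade.timer
+dbus-org.freedesktop.nm-dispatcher.service
+tb-updater-first-boot.service
+openvpn.service
+systemd-backlight@.service
+systemd-backlight@backlight.service
+vboxadd-service.service
+vboxautostart-service.service
+vboxballoonctrl-service.service
+vboxdrv.service
+vboxweb-service.service
+"
+# /usr/local/etc/local.d/local.bash local_systemd_stop_and_mask $SYSTEMD_STOP_AND_MASK
+for file in /usr/local/etc/systemd/*.mask ; do
+cat $file | /usr/local/etc/local.d/local.bash local_systemd_stop_and_mask
+done
+# END ANSIBLE MANAGED BLOCK update lati_unix.yml mask
+/var/local/bin/harden_dbus_neuter.bash
+which brightnessctl 2>/dev/null >/dev/null && brightnessctl set 90%
+
+# BEGIN ANSIBLE MANAGED BLOCK update
+/usr/local/etc/local.d/local.bash local_disable_lid
+# END ANSIBLE MANAGED BLOCK update
+# BEGIN ANSIBLE MANAGED BLOCK update local_disable_lid
+/usr/local/etc/local.d/local.bash local_disable_lid
+# END ANSIBLE MANAGED BLOCK update local_disable_lid
+# BEGIN ANSIBLE MANAGED BLOCK base lati_unix.yml mask
+ROLE=base
+for file in /usr/local/etc/systemd/$ROLE.mask ; do
+cat $file | /usr/local/etc/local.d/local.bash local_systemd_stop_and_mask
+done
+# END ANSIBLE MANAGED BLOCK base lati_unix.yml mask
+# BEGIN ANSIBLE MANAGED BLOCK gpgkey lati_unix.yml mask
+ROLE=gpgkey
+for file in /usr/local/etc/systemd/$ROLE.mask ; do
+cat $file | /usr/local/etc/local.d/local.bash local_systemd_stop_and_mask
+done
+# END ANSIBLE MANAGED BLOCK gpgkey lati_unix.yml mask
+# BEGIN ANSIBLE MANAGED BLOCK hostvms lati_unix.yml mask
+ROLE=hostvms
+for file in /usr/local/etc/systemd/$ROLE.mask ; do
+cat $file | /usr/local/etc/local.d/local.bash local_systemd_stop_and_mask
+done
+# END ANSIBLE MANAGED BLOCK hostvms lati_unix.yml mask
+# BEGIN ANSIBLE MANAGED BLOCK privacy lati_unix.yml mask
+ROLE=privacy
+for file in /usr/local/etc/systemd/$ROLE.mask ; do
+cat $file | /usr/local/etc/local.d/local.bash local_systemd_stop_and_mask
+done
+# END ANSIBLE MANAGED BLOCK privacy lati_unix.yml mask
+# BEGIN ANSIBLE MANAGED BLOCK proxy lati_unix.yml mask
+ROLE=proxy
+for file in /usr/local/etc/systemd/$ROLE.mask ; do
+cat $file | /usr/local/etc/local.d/local.bash local_systemd_stop_and_mask
+done
+# END ANSIBLE MANAGED BLOCK proxy lati_unix.yml mask
+# BEGIN ANSIBLE MANAGED BLOCK testforge lati_unix.yml mask
+ROLE=testforge
+for file in /usr/local/etc/systemd/$ROLE.mask ; do
+cat $file | /usr/local/etc/local.d/local.bash local_systemd_stop_and_mask
+done
+# END ANSIBLE MANAGED BLOCK testforge lati_unix.yml mask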
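Review bot: Everything after the first `exit 0` (the line following the `if false;then ... fi` block) is unreachable — the fstab, `*.mask`, `harden_dbus_neuter.bash`, `local_disable_lid` and per-ROLE mask blocks never run — and that dead region holds a syntax error, `for eltin h i j o q v q w l ; do` (no space before `in`, and `q` listed twice), which bash will reject the moment the `exit 0` is removed; either delete the region or move `exit 0` to the end and fix the header to `for elt in h i j o q w l ; do` as in Whonix-Lati.rc. `chmod 775 /usr/local/sbin/*sh /usr/local/bin/*sh` leaves every boot-time script group-writable, so any member of the owning group can change what root executes here; `755` is the safer default unless a specific group is meant to edit them, and a comment should name that group if so. `. /usr/local/etc/local.d/local.bash` lacks the `|| exit 1` the sibling `.rc` files use and the file has no `-e`, so a missing library only surfaces later as "command not found" for each helper.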
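--- a/overlay/Linux/usr/local/etc/local.d/Whonix-Kicksecure.local
+++ b/overlay/Linux/usr/local/etc/local.d/Whonix-Kicksecure.local
@@ -0,0 +1,19 @@
+#!/bin/sh -e
+# -*-mode: sh; tab-width: 8; coding: utf-8-unix -*-
+#
+# rc.local
+#
+# This script is executed at the end of each multiuser runlevel.
+# Make sure that the script will "exit 0" on success or any other
+# value on error.
+#
+# In order to enable or disable this script just change the execution
+# bits.
+#
+# By default this script does nothing.
+
+sh /usr/local/etc/local.d/Whonix-All.rc
+sh /usr/local/etc/local.d/Whonix-Host.rc
+sh /usr/local/etc/local.d/Whonix-Kicksecure.rc
+#[ -f /usr/local/etc/local.d/Whonix-Local.rc ] && \
+# sh /usr/local/etc/local.d/Whonix-Local.rc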
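--- a/overlay/Linux/usr/local/etc/local.d/Whonix-Kicksecure.rc
+++ b/overlay/Linux/usr/local/etc/local.d/Whonix-Kicksecure.rc
@@ -0,0 +1,19 @@
+#!/bin/bash -e
+# -*-mode: sh; tab-width: 8; coding: utf-8-unix -*-
+#
+# rc.local
+#
+# This script is executed at the end of each multiuser runlevel.
+# Make sure that the script will "exit 0" on success or any other
+# value on error.
+
+ROLE=proxy
+
+CONN=guest
+BIN=/usr/local/sbin
+
+. /usr/local/etc/local.d/local.bash || exit 1
+
+local_kicksecure || exit 3$?
+
+exit 0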
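Review bot: `MODE` is never set here, while Whonix-Gateway.rc sets `ROLE`, `MODE`, `CONN` and `BIN` before sourcing local.bash, and the blank line between `ROLE=proxy` and `CONN=guest` looks like the place it was dropped from; if local.bash branches on `MODE`, this script runs with whatever value the environment happens to carry, so either assign it explicitly (`MODE=<value local.bash expects>`) or add a comment saying it is intentionally unset. `local_kicksecure` is not among the functions visible in the local.bash hunk on this page; if it is defined elsewhere this is fine, otherwise the call fails with status 127 and `exit 3$?` turns that into 3127, i.e. exit code 55 after truncation, which is why a fixed `exit 3` is preferable.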
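--- a/overlay/Linux/usr/local/etc/local.d/Whonix-Lati.rc
+++ b/overlay/Linux/usr/local/etc/local.d/Whonix-Lati.rc
@@ -0,0 +1,140 @@
+#!/bin/bash
+# -*-mode: sh; tab-width: 8; coding: utf-8-unix -*-
+#
+# rc.local
+#
+# This script is executed at the end of each multiuser runlevel.
+# Make sure that the script will "exit 0" on success or any other
+# value on error.
+#
+# In order to enable or disable this script just change the execution
+# bits.
+#
+# By default this script does nothing.
+# local_host_sys_scaling
+ROLE=local
+MODE=all
+CONN=all
+BIN=/usr/local/sbin
+
+. /usr/local/etc/local.d/local.bash || exit 1
+
+loadkeys /etc/keymaps/us.map
+
+# BEGIN ANSIBLE MANAGED BLOCK proxy main.yml start
+grep -q root=/dev/vda /proc/cmdline
+PROXY_IS_VDA=$?
+# END ANSIBLE MANAGED BLOCK proxy main.yml start
+
+if [ $PROXY_IS_VDA -eq 0 ] ; then
+:
+elif [ -n "$CHROOT" ] ; then
+:
+else
+# host
+:
+fi
+
+local_host_sys_scaling () {
+local file
+
+if [ $PROXY_IS_VDA -ne 0 -a -z "$CHROOT" ] ; then
+for file in /sys/devices/system/cpu/cpu*/cpufreq/scaling_governor ; do
+echo performance >>$file
+done
+for file in /sys/devices/system/cpu/cpu*/cpufreq/scaling_min_freq ; do
+echo 1600000 >>$file
+done
+fi
+return 0
+}
+
+# BEGIN ANSIBLE MANAGED BLOCK proxy whonix_host.yml
+local_host_sys_scaling
+# END ANSIBLE MANAGED BLOCK proxy whonix_host.yml
+# BEGIN ANSIBLE MANAGED BLOCK base Debian
+[ -f /etc/init.d/console-setup.sh ] && \
+/etc/init.d/console-setup.sh start
+# END ANSIBLE MANAGED BLOCK base Debian
+
+local_host_restart_psmouse
+local_host_restart_intel_sound
+
+if [ "$PROXY_IS_VDA" -ne 0 ] ; then
+local_manual_stop_services redis postgresql-11
+fi
+# BEGIN ANSIBLE MANAGED BLOCK base Debian
+/etc/init.d/console-setup.sh start
+# END ANSIBLE MANAGED BLOCK base Debian
+mount /mnt/o
+mount /mnt/i
+mount /mnt/j
+mount /mnt/e
+mount /mnt/q
+mount /mnt/w
+
+exit 0
+# BEGIN ANSIBLE MANAGED BLOCK update lati_unix.yml sound
+( cd /var/tmp && rm -rf ansible-local-* Temp-* ssh-* pulse-* .xfsm-ICE-* )
+ls /sys/devices/system/cpu/cpu*/cpufreq/scaling_governor 2>/dev/null >/dev/null && \
+for file in /sys/devices/system/cpu/cpu*/cpufreq/scaling_governor ; do
+echo performance >>$file
+done
+for file in /sys/devices/system/cpu/cpu*/cpufreq/scaling_min_freq ; do
+echo 1600000 >>$file
+done
+[ -e /usr/share/netsurf/DejaVuSans.ttf ] || \
+sudo ln -s /usr/share/fonts/truetype/dejavu/DejaVuSans.ttf /usr/share/netsurf
+true
+# END ANSIBLE MANAGED BLOCK update lati_unix.yml sound
+# BEGIN ANSIBLE MANAGED BLOCK update lati_unix.yml sysrq
+# On x86 - You press the key combo ALT-SysRq-<command key>.
+# Some keyboards may not have a key labeled ?SysRq?. The ?SysRq? key is also known as the ?Print Screen? key.
+# Also some keyboards cannot handle so many keys being pressed at the same time, so you might have better
+# luck with press Alt, press SysRq, release SysRq, press <command key>, release everything.
+echo 1> /proc/sys/kernel/sysrq 2>/dev/null
+# END ANSIBLE MANAGED BLOCK update lati_unix.yml sysrq
+# BEGIN ANSIBLE MANAGED BLOCK update lati_unix.yml dmcrypt
+grep -q root=/dev/vda /proc/cmdline ; PROXY_IS_VDA=$?
+if [ "$PROXY_IS_VDA" -ne 0 ] ; then
+local_host_make_dmcrypt_swap
+fi
+exit 0
+# END ANSIBLE MANAGED BLOCK update lati_unix.yml dmcrypt
+# BEGIN ANSIBLE MANAGED BLOCK update lati_unix.yml fstab
+for elt in h i j o q w l ; do
+[ -d /mnt/$elt/tmp ] || mount /mnt/$elt
+done
+# END ANSIBLE MANAGED BLOCK update lati_unix.yml fstab
+# BEGIN ANSIBLE MANAGED BLOCK update lati_unix.yml scheduler
+for elt in b c ; do
+[ -d /sys/block/sd$elt ] || continue
+echo deadline > /sys/block/sd$elt/queue/scheduler
+done
+# END ANSIBLE MANAGED BLOCK update lati_unix.yml scheduler
+# BEGIN ANSIBLE MANAGED BLOCK base initctl
+[ ! -e /dev/initctl -a -e /run/initctl ] && ln -s /run/initctl /dev/initctl && exit 0
+[ ! -e /dev/initctl ] || mknod -m=0600 /dev/initctl p
+# END ANSIBLE MANAGED BLOCK base initctl
+# BEGIN ANSIBLE MANAGED BLOCK testforge npm
+[ -f /usr/lib/node_modules/npm/node_modules/update-notifier/check.js ] && \
+chmod 000 /usr/lib/node_modules/npm/node_modules/update-notifier/check.js
+# END ANSIBLE MANAGED BLOCK testforge npm
+# BEGIN ANSIBLE MANAGED BLOCK update Pentoo linux
+dir=`cat /proc/cmdline|sed -e 's/BOOT_IMAGE=kernel-pentoo-x86_64/linux/' -e 's/_.*//'`
+pushd /usr/src
+rm -f linux
+[ -d $dir ] && ln -s $dir linux || echo WARN: $PWD/$dir not found
+popd
+
+# END ANSIBLE MANAGED BLOCK update Pentoo linux
+
+which brightnessctl 2>/dev/null >/dev/null && brightnessctl -c backlight set 95%
+
+local_neuter_gvfs
+local_link_linux
+local_null_machineid
+
+pkill gvfs
+
+loadkeys /etc/keymaps/us.map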
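Review bot: `echo 1> /proc/sys/kernel/sysrq 2>/dev/null` does not write `1`: the shell parses `1>` as a redirection of stdout, so the command is a bare `echo` and the kernel receives an empty line; the intended form is `echo 1 > /proc/sys/kernel/sysrq 2>/dev/null`. The identical line is live in Whonix-Local.rc (twice), where it matters, whereas here it sits after the first `exit 0` together with the remaining sixty-odd lines (`local_neuter_gvfs`, `local_link_linux`, `local_null_machineid`, the initctl, npm and Pentoo blocks, the second `loadkeys`) that never execute; either delete that region or move the `exit 0`. `local_host_sys_scaling` is the only helper defined in an `.rc` file rather than in local.bash, and `echo 1600000 >>$file` hard-codes a minimum frequency for one CPU; a comment naming the hardware it targets, or a variable with a default, would help the next reader. `sudo ln -s ...` inside a root-run rc script gains nothing and adds a dependency on sudo being installed.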
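--- a/overlay/Linux/usr/local/etc/local.d/Whonix-Local.rc
+++ b/overlay/Linux/usr/local/etc/local.d/Whonix-Local.rc
@@ -0,0 +1,110 @@
+#!/bin/bash -e
+# -*-mode: sh; tab-width: 8; coding: utf-8-unix -*-
+#
+# rc.local
+#
+# This script is executed at the end of each multiuser runlevel.
+# Make sure that the script will "exit 0" on success or any other
+# value on error.
+#
+# In order to enable or disable this script just change the execution
+# bits.
+#
+# By default this script does nothing.
+
+ROLE=local
+MODE=all
+CONN=all
+BIN=/usr/local/sbin
+
+. /usr/local/etc/local.d/local.bash || exit 1
+
+# run this last
+
+# BEGIN ANSIBLE MANAGED BLOCK update lati dmcrypt
+if [ "$PROXY_IS_VDA" -ne 0 ] ; then
+local_host_make_dmcrypt_swap
+fi
+# END ANSIBLE MANAGED BLOCK update lati dmcrypt
+
+# BEGIN ANSIBLE MANAGED BLOCK update lati scheduler
+## local_host_sys_set_scheduler
+local_host_sys_set_scheduler () {
+local elt
+if [ "$PROXY_IS_VDA" -ne 0 ] ; then
+for elt in b c ; do
+[ -d /sys/block/sd$elt ] || continue
+echo deadline > /sys/block/sd$elt/queue/scheduler
+done
+fi
+return 0
+}
+
+local_host_sys_set_scheduler
+# END ANSIBLE MANAGED BLOCK update lati scheduler
+
+# BEGIN ANSIBLE MANAGED BLOCK update lati sysrq
+# On x86 - You press the key combo ALT-SysRq-<command key>.
+# Some keyboards may not have a key labeled ?SysRq?. The ?SysRq? key is also known as the ?Print Screen? key.
+# Also some keyboards cannot handle so many keys being pressed at the same time, so you might have better
+# luck with press Alt, press SysRq, release SysRq, press <command key>, release everything.
+echo 1> /proc/sys/kernel/sysrq 2>/dev/null
+# END ANSIBLE MANAGED BLOCK update lati sysrq
+
+# BEGIN ANSIBLE MANAGED BLOCK update Pentoo linux
+if [ "$PROXY_IS_VDA" -ne 0 ] ; then
+local_host_symlink_usr_src
+fi
+# END ANSIBLE MANAGED BLOCK update Pentoo linux
+## local_host_restart_intel_sound
+local_host_restart_intel_sound () {
+which aplay >/dev/null 2>/dev/null || return 0
+
+# both
+if ! aplay -L | grep -q default:CARD=PCH ; then
+rmmod snd_hda_intel ;
+sleep 5
+modprobe snd_hda_intel enable=1 ;
+sleep 1
+aplay -L ;
+fi
+
+return 0
+}
+
+# BEGIN ANSIBLE MANAGED BLOCK update lati
+#? rmmod pata_pcmcia pcmcia pcmcia_core 2>/dev/null
+
+local_host_restart_intel_sound
+
+# END ANSIBLE MANAGED BLOCK update lati
+
+# BEGIN ANSIBLE MANAGED BLOCK testforge npm
+[ -f /usr/lib64/node_modules/npm/node_modules/update-notifier/check.js ] && \
+chmod 000 /usr/lib64/node_modules/npm/node_modules/update-notifier/check.js
+# END ANSIBLE MANAGED BLOCK testforge npm
+
+# BEGIN ANSIBLE MANAGED BLOCK update lati fstab
+# END ANSIBLE MANAGED BLOCK update lati fstab
+
+# BEGIN ANSIBLE MANAGED BLOCK update lati_unix.yml sysrq
+# On x86 - You press the key combo ALT-SysRq-<command key>.
+# Some keyboards may not have a key labeled ?SysRq?. The ?SysRq? key is also known as the ?Print Screen? key.
+# Also some keyboards cannot handle so many keys being pressed at the same time, so you might have better
+# luck with press Alt, press SysRq, release SysRq, press <command key>, release everything.
+echo 1> /proc/sys/kernel/sysrq 2>/dev/null
+# END ANSIBLE MANAGED BLOCK update lati_unix.yml sysrq
+# BEGIN ANSIBLE MANAGED BLOCK update lati_unix.yml fstab
+grep '/mnt/[a-z][ ]' /etc/fstab| \
+sed -e 's@.*/mnt/@/mnt/@' -e 's/[ ].*//' | \
+while read elt ;do
+[ -d $elt/tmp ] || mount $elt
+done
+exit 0
+# END ANSIBLE MANAGED BLOCK update lati_unix.yml fstab
+# BEGIN ANSIBLE MANAGED BLOCK update lati_unix.yml stop
+local_systemd_stop_services display-manager
+# END ANSIBLE MANAGED BLOCK update lati_unix.yml stop
+# BEGIN ANSIBLE MANAGED BLOCK hostvms libvirt.yml libvirtd.log
+cp /dev/null /var/local/var/log/libvirtd.log
+# END ANSIBLE MANAGED BLOCK hostvms libvirt.yml libvirtd.log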
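Review bot: `PROXY_IS_VDA` is tested three times with `[ "$PROXY_IS_VDA" -ne 0 ]` but never computed in this file; Whonix-Lati.rc and Whonix-Host.rc set it with `grep -q root=/dev/vda /proc/cmdline ; PROXY_IS_VDA=$?` yet neither exports it and Whonix-Host.local runs each `.rc` as a separate `sh` process, so unless something not shown exports it the test becomes `[ "" -ne 0 ]`, `test` reports "integer expression expected", and `local_host_make_dmcrypt_swap`, `local_host_sys_set_scheduler` and `local_host_symlink_usr_src` are all skipped (the `if` condition is exempt from `-e`, so nothing else signals this). Add `grep -q root=/dev/vda /proc/cmdline ; PROXY_IS_VDA=$?` right after the `. /usr/local/etc/local.d/local.bash || exit 1` line. `local_host_restart_intel_sound` is redefined here and silently overrides the local.bash version shown earlier on the page, with `aplay -L ;` replacing `aplay -L >/dev/null || exit 2`; if the override is deliberate a comment should say so, otherwise drop the local copy. The lines after `exit 0` in the `lati_unix.yml fstab` block (`local_systemd_stop_services display-manager` and the libvirtd.log truncation) are unreachable.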
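--- a/overlay/Linux/usr/local/etc/local.d/Whonix-Vda.local
+++ b/overlay/Linux/usr/local/etc/local.d/Whonix-Vda.local
@@ -0,0 +1,23 @@
+#!/bin/sh -e
+# -*-mode: sh; tab-width: 8; coding: utf-8-unix -*-
+#
+# rc.local
+#
+# This script is executed at the end of each multiuser runlevel.
+# Make sure that the script will "exit 0" on success or any other
+# value on error.
+#
+# In order to enable or disable this script just change the execution
+# bits.
+#
+# By default this script does nothing.
+
+for elt in All Guest Vda ; do
+sh /usr/local/etc/local.d/Whonix-$elt.rc
+done > /usr/local/tmp/rc.local.log 2>&1 &
+#[ -f /usr/local/etc/local.d/Whonix-Local.rc ] && \
+# sh /usr/local/etc/local.d/Whonix-Local.rc
+#[ -f /usr/local/etc/local.d/Whonix-Lati.rc ] && \
+# sh /usr/local/etc/local.d/Whonix-Lati.rc
+timeout 20s tail -f /usr/local/tmp/rc.local.log
+exit 0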
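Review bot: `done > /usr/local/tmp/rc.local.log 2>&1 &` backgrounds the whole loop, so `exit 0` is reached after at most 20 seconds of `tail -f` regardless of whether Whonix-All.rc, Whonix-Guest.rc and Whonix-Vda.rc have finished or failed, and nothing waits for or logs their completion; Whonix-Host.local runs the same loop in the foreground, which is the safer shape unless the early return is intentional, in which case a comment on the `&` should say why. Nothing creates `/usr/local/tmp` before the redirection (Whonix-Host.local does `mkdir -p` its log directory first), so on a fresh image the redirect fails, `tail -f` then exits 1, and under `sh -e` the script ends with that status; a `mkdir -p /usr/local/tmp` before the loop and `|| true` on the `timeout` line avoid both. Whonix-Vda.rc is referenced but not among the files shown on this page, presumably one of those the page says were omitted.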