#!/bin/bash # -*- mode: sh; tab-width: 8; coding: utf-8-unix -*- # shellcheck disable=SC2154 [ -z "$prog" ] && prog=proxy_ping_lib . /usr/local/bin/usr_local_tput.bash || exit 2 PREFIX=/usr/local ROLE=proxy base=proxy_ping_lib # shellcheck disable=SC2154 [ -z "$USER" ] && USER=$(id -un ) # /sbin/ifconfig on Debian morons and /bin/ifconfig on Gentoo BASE_SRC_ANSIBLE=/g/TestForge/src/ansible PROXY_GPG_KEYSERVER=keys.openpgp.org PROXY_IFCONFIG=/sbin/ifconfig [ -x /sbin/ifconfig ] && PROXY_IFCONFIG=/sbin/ifconfig [ -x /bin/ifconfig ] && PROXY_IFCONFIG=/bin/ifconfig proxy_ifconfig () { if [ $# -gt 0 ] && [[ $1 =~ .*DBUG:.* ]] ; then dbug PANIC: $PROXY_IFCONFIG $* exit 1 elif [ $# -gt 0 ] && [[ $1 =~ .*:.* ]] ; then dbug WARN: proxy_ifconfig $PROXY_IFCONFIG $* set -- $( echo $* |sed -e 's/:.*//' ) elif [ $# -eq 0 ] || [[ $1 =~ .*-a.* ]] ; then : elif [ $1 = wlan4 -o $1 = wlan6 -o $1 = wlan7 ] || [[ $1 =~ wlan[0-9] ]] ; then : else dbug proxy_ifconfig $PROXY_IFCONFIG $* # fixme - required set -- $( echo $1 |sed -e 's/:.*//' ) fi $PROXY_IFCONFIG $* } # shellcheck disable=SC2154 [ -z "$PROXY_HTTP_PROXY_PORT" ] || PROXY_HTTP_PROXY_PORT=3128 # shellcheck disable=SC2154 [ -z "$PROXY_HTTP_PROXY_HOST" ] || PROXY_HTTP_PROXY_HOST="127.0.0.1" # shellcheck disable=SC2154 [ -z "$PRIV_BIN_OWNER" ] && PRIV_BIN_OWNER=bin # shellcheck disable=SC2154 [ -z "$PRIV_BIN_GID" ] && PRIV_BIN_GID=$( grep ^$PRIV_BIN_OWNER /etc/passwd|cut -d: -f 4 ) # shellcheck disable=SC2154 [ -z "$PRIV_TOR_OWNER" ] && [ -d /etc/portage ] && PRIV_TOR_OWNER=tor # shellcheck disable=SC2154 [ -z "$PRIV_TOR_OWNER" ] && [ -d /etc/apt ] && PRIV_TOR_OWNER=debian-tor # shellcheck disable=SC2154 [ -z "$PRIV_TOR_GID" ] && PRIV_TOR_GID=$( grep ^$PRIV_TOR_OWNER /etc/passwd|cut -d: -f 4 ) set -o pipefail || { ERROR bash is required ; exit 1 ; } declare -a PROXY_WLAN_FILES PROXY_WLAN_FILES=( /etc/conf.d/hostapd /etc/conf.d/net /etc/connman/main.conf /etc/default/macchanger /etc/dnsmasq.conf /etc/firewall.conf 
/etc/pdnsd/pdnsd.conf /etc/wicd/manager-settings.conf /usr/local/etc/testforge/testforge.bash /usr/local/etc/testforge/testforge.ini /usr/local/etc/testforge/testforge.yml /etc/snort/snort.debian.conf ) # [ "$USER" != root ] && export PATH=/sbin:$PATH export PATH=/bin:$PATH grep -q 'Debian\|Devuan' /etc/os-release DEBIAN=$? DNS_HOST1="208.67.220.220" DNS_HOST2="8.8.8.8" HTTP_TARGET=172.217.169.14 CURL_ARGS="--connect-timeout 15 -s -S" TRIES=10 DELAY=10 export PATH=$PATH:$PREFIX/sbin declare -a PROXY_WHONIX_FILES PROXY_WHONIX_FILES=( $HOME/.gitconfig /etc/dirmngr/dirmngr.conf /etc/dnsmasq.conf /etc/firewall.conf /etc/freshclam.conf /etc/gnupg/gpgconf.conf /etc/java-11-openjdk/net.properties /etc/polipo/config /etc/privoxy/config /etc/resolv.conf /etc/tor/torsocks.conf /var/local/etc/testforge/firefox/proxy.js ) . /usr/local/etc/local.d/local.bash || { ERROR /usr/local/etc/local.d/local.bash ; exit 2 ; } ## proxy_rc_service proxy_rc_service () { DBUG proxy_rc_service MODE=$MODE $* ; local svc=$1 if [ -x /etc/init.d/$svc ] ; then shift /etc/init.d/$svc "$@" else local_rc_service $* fi return $? 
} proxy_rc_update () { local_rc_update MODE=$MODE $* ; } ## proxy_ping_online - true/0 iff ifconfig and nm-online proxy_ping_online () { proxy_whonix_get_gateway_dom_bad ; } GATEW_DOM= ## proxy_whonix_get_gateway_dom_bad proxy_whonix_get_gateway_dom_bad () { local host # shellcheck disable=SC2154 [ -n "$GATEW_DOM" ] && echo -n "$GATEW_DOM" && return 0 if [ -e /usr/local/bin/testforge_get_inventory.bash ] ; then host=$(/usr/local/bin/testforge_get_inventory.bash BOX_WHONIX_PROXY_HOST) || return 1 [ -n "$host" ] && GATEW_DOM=$host fi # shellcheck disable=SC2154 [ -z "$GATEW_DOM" ] && GATEW_DOM=Whonix-Gateway return 0 } proxy_test_dirmngr () { DBUG proxy_test_dirmngr MODE=$MODE $* ; [ $# -eq 0 ] && set -- \ hkp://$PROXY_GPG_KEYSERVER \ hkp://gpg.mit.edu hkp://keys.gnupg.net # shellcheck disable=SC2154 [ -z "$ELOG" ] && ELOG=/tmp/proxy_test_dirmngr$$.err # shellcheck disable=SC2154 [ -z "$WLOG" ] && WLOG=/tmp/proxy_test_dirmngr$$.log [ -h /usr/bin/dirmngr ] || { ERROR /usr/bin/dirmngr not a symlink return 2 } grep ^hkp-cacert /etc/dirmngr/dirmngr.conf | while read a b; do [ -f $b ] || WARN file not found $b done /usr/bin/dirmngr --version /tmp/GpgL$$.tmp 2>&1 retval=$? [ $retval -ne 0 ] && \ ERROR gpg-connect-agent 'loadswdb --force' /tmp/GpgL$$.tmp && \ cat /tmp/GpgL$$.tmp && \ return 5$retval ! grep -q OK /tmp/GpgL$$.tmp && \ ERROR gpg-connect-agent 'loadswdb --force' not OK `cat /tmp/GpgL$$.tmp` && \ rm -f /tmp/GpgL$$.tmp && \ return 6$retval DBUG gpg-connect-agent OK `cat /tmp/GpgL$$.tmp` rm -f /tmp/GpgL$$.tmp gpg-connect-agent /tmp/GpgG$$.tmp 2>&1 retval=$? 
[ $retval -ne 0 ] && \ ERROR gpg-connect-agent 'keyserver' `cat /tmp/GpgG$$.tmp` && \ rm -f /tmp/GpgG$$.tmp && \ return 7$retval grep -q ^S /tmp/GpgG$$.tmp || { \ ERROR gpg-connect-agent 'keyserver' no S `cat /tmp/GpgG$$.tmp` && \ rm -f /tmp/GpgG$$.tmp && \ return 8$retval } DBUG gpg-connect-agent 'keyserver' S `cat /tmp/GpgG$$.tmp` if [ -d /root/.emacs.d/elpa/gnupg ] && \ ps ax | grep -q -e '--homedir /root/.emacs.d/elpa/gnupg' ; then for elt in "$@" ; do echo keyserver --resolve $elt /bye > /tmp/GpgR$$.tmp gpg-connect-agent /tmp/GpgC$$.tmp 2>&1 retval=$? [ $retval -ne 0 ] && \ ERROR gpg-connect-agent $elt `cat /tmp/GpgC$$.tmp` | tee -a $ELOG && \ rm -f /tmp/GpgC$$.tmp && \ return 9$retval grep -q 'ERR\|failed:' /tmp/GpgC$$.tmp && \ ERROR gpg-connect-agent $elt `tail -1 $ELOG` && \ rm -f /tmp/GpgC$$.tmp && \ return 10 INFO gpg-connect-agent $elt done rm -f /tmp/GpgC$$.tmp fi return 0 } ## proxy_whonix_get_gateway_dom proxy_whonix_get_gateway_dom () { # shellcheck disable=SC2154 [ -n "$GATEW_DOM" ] && echo -n "$GATEW_DOM" && return 0 proxy_testforge_get_gateway_dom "$@" && return 0 GATEW_DOM=Whonix-Gateway echo -n "$GATEW_DOM" return 0 } ## proxy_testforge_get_gateway_dom proxy_testforge_get_gateway_dom () { local host # shellcheck disable=SC2154 [ -n "$GATEW_DOM" ] && echo -n "$GATEW_DOM" && return 0 [ -f /usr/local/etc/testforge/testforge.bash ] && . /usr/local/etc/testforge/testforge.bash # shellcheck disable=SC2154 if [ -n "$BASE_SRC_ANSIBLE" ] && \ [ -d $BASE_SRC_ANSIBLE ] && [ -x /usr/local/bin/testforge_get_inventory.bash ] ; then host=$(/usr/local/bin/testforge_get_inventory.bash BOX_WHONIX_PROXY_HOST) || return 1 [ $? -eq 0 -a -n "$host" ] && GATEW_DOM=$host fi echo -n "$GATEW_DOM" return 0 } #move later ## proxy_whonix_mode proxy_whonix_mode () { # proxy_ping_mode return $? 
} ## proxy_ping_mode proxy_ping_mode () { # # shellcheck disable=SC2154 [ -n "$MODE" ] && echo "$MODE" && return 0 proxy_ifconfig -a > /tmp/ipconfig-a.$$ if grep -q /dev/vda /proc/cmdline ; then MODE=vda elif ps ax | grep -v grep | grep -q 'tor -f /var/lib/tor/.SelekTOR/3xx' ; then # must come before ws gw MODE=selektor elif cat /tmp/ipconfig-a.$$ | grep -A 1 eth1| grep -q 10.152.152.11 ; then MODE=ws elif cat /tmp/ipconfig-a.$$ | grep -A 1 eth0| grep -q 10.0.2.15 ; then MODE=gateway elif cat /tmp/ipconfig-a.$$ | grep -A 1 eth0| grep -q 10.0.2. ; then MODE=nat elif [ -d /var/log/tor ] && proxy_rc_service tor status >/dev/null 2>/dev/null ; then # a runing tor takes precedence over whonix MODE=tor elif [ -f $PREFIX/bin/testforge_get_inventory.bash ] ; then mode=$( $PREFIX/bin/testforge_get_inventory.bash BOX_PROXY_MODE ) if [ -n "$mode" ] ; then MODE=$mode else host=$( $PREFIX/bin/testforge_get_inventory.bash BOX_WHONIX_PROXY_HOST ) [ -n "$host" ] && MODE=whonix fi fi rm -f /tmp/ipconfig-a.$$ echo -n $MODE return 0 } proxy_wlan_modules_reload () { local wlan7 wlan7=$1 # may be empty proxy_wlan_modules_unload $wlan7 || return 1$? proxy_wlan_modules_load $wlan7 || return 2$? 
return 0 } base_wlan_modules_load () { proxy_wlan_modules_load ; } ## proxy_wlan_modules_load proxy_wlan_modules_load () { DBUG proxy_wlan_modules_load MODE=$MODE $* ; local wlan7 wlan7=$1 proxy_ping_check_root || return 0 # shellcheck disable=SC2154 if [ -z "$wlan7" ] ; then wlan7=$PROXY_WLAN fi # shellcheck disable=SC2154 if [ -z "$wlan7" ] ; then WARN proxy_wlan_modules_load empty wlan7 PROXY_WLAN return 3 else # failsafe wlan7=$( echo $wlan7 | grep '^eth\|^wlan' |sed -e 's/[: ].*//' ) fi if [ $wlan7 = wlan7 ] ; then modprobe iwlmvm elif [ $wlan7 = wlan6 ] ; then modprobe iwlmvm elif [ $wlan7 = wlan4 ] ; then # this is right but sometimes does not pull in the rest # modprobe ath ath9k_hw ath9k_common ath9k_htc modprobe ath9k_htc else # no default return 3 fi sleep 5 proxy_ifconfig $wlan7 >/dev/null || { return 8 ; } proxy_ifconfig $wlan7 | grep -qi up && \ proxy_ifconfig $wlan7 down >/dev/null t=`python2 -c "from random import Random;print ':'.join(['%02x' % Random().randint(0,255) for i in range(6)])"` # macchanger $wlan7 -m $t macchanger $wlan7 -A >/dev/null || return 1 old="" macchanger -s $wlan7 | while read a b ; do [ "$old" = "" ] && old=$b && continue ; [ "$old" != "$b" ] && dbug "$old $b" && break ERROR "$old = $b" return 2 done return 0 } proxy_base_wlan_modules_unload () { proxy_wlan_modules_unload ; } base_wlan_modules_unload () { proxy_wlan_modules_unload ; } ## base_wlan_modules_unload proxy_wlan_modules_unload () { DBUG proxy_wlan_modules_unload ; local wlan7 wlan7=$1 proxy_ping_check_root || return 0 # shellcheck disable=SC2154 if [ -z "$wlan7" ] ; then [ $# -eq 0 ] && return 1 || wlan7=$1 fi if [ "$wlan7" = eth2 ] ; then PROXY_WLAN=$( proxy_set_if ) || return 1$? 
wlan7=$PROXY_WLAN fi # shellcheck disable=SC2154 [ -z "$wlan7" ] && return 2 macchanger=macchanger pkill /sbin/dhclient proxy_ifconfig $wlan7 down >/dev/null || true proxy_ifconfig $wlan7 | grep -qi "up" && proxy_ifconfig $wlan7 down >/dev/null a=`ps ax | grep -v grep | grep dnscrypt-proxy` if [ $? -eq 0 ] ; then b=`sed -e 's/^ *//' -e 's/ .*$//' <<< $a` # shellcheck disable=SC2154 [ -z "$b" ] || kill $b fi rm -f /var/lib/NetworkManager/*lease if [ "$wlan7" = wlan7 ] ; then rmmod iwlmvm iwlwifi # 2>/dev/null elif [ "$wlan7" = wlan4 ] ; then rmmod iwlmvm iwlwifi # 2>/dev/null else rmmod ath9k_htc ath9k_common ath9k_hw ath 2>/dev/null fi sleep 5 return 0 } ## proxy_get_if proxy_get_wlan_ip () { # shellcheck disable=SC2154 if [ -z "$PROXY_WLAN" ] ; then PROXY_WLAN=$( proxy_set_if ) [ $? -eq 0 -a -n "$PROXY_WLAN" ] || { return 1$? ; } fi # fixme - required PROXY_WLAN=$( echo $PROXY_WLAN | grep '^eth\|^wlan' |sed -e 's/:.*//' ) PROXY_WLAN_IP=$( proxy_ifconfig $PROXY_WLAN | grep -v '127.0.0.1\|grep' | grep 'inet.*broadcast' | sed -e 's/.*inet //' -e 's/ .*//' ) || return 2$? # REQUIRED! PROXY_WLAN=$( echo $PROXY_WLAN | grep '^eth\|^wlan\|^en' |sed -e 's/:.*//' ) # may be empty echo -n $PROXY_WLAN_IP return 0 } proxy_get_wlan_if () { proxy_get_if ; } ## proxy_get_if proxy_get_if () { # local wlan7 wlan7=$( proxy_set_if ) # shellcheck disable=SC2154 [ $? -ne 0 -o -z "$wlan7" ] && \ DEBUG=1 dbug proxy_get_if empty wlan7 && return 1 proxy_ifconfig $wlan7 >/dev/null || \ proxy_wlan_modules_load $wlan7 proxy_ifconfig $wlan7 >/dev/null || \ { DEBUG=1 dbug proxy_get_if errored proxy_ifconfig $wlan7 ; return 1 ; } # fixme - required PROXY_WLAN=$( echo $wlan7 | grep '^eth\|^wlan' |sed -e 's/:.*//' ) echo -n $PROXY_WLAN return 0 } ## proxy_route_check proxy_route_check () { DBUG proxy_route_check MODE=$MODE $* ; # PATH=$PATH:/sbin ip route|grep -q ^def || { retval=$? 
WARN $prog proxy_route_check retval=$retval return 2$retval } return 0 } ## proxy_route_test proxy_route_test () { DBUG proxy_route_test MODE=$MODE $* ; PATH=$PATH:/sbin ip route | grep -q ^def || { WARN no route exit 0 } proxy_route_check||return $? return 0 } ## proxy_set_if proxy_set_if () { # # stdout # shellcheck disable=SC2154 [ -n "$MODE" ] || MODE="$( proxy_ping_mode )" proxy_ifconfig -a > /tmp/ipconfig-a.$$ if [ "$MODE" = workstation -o "$MODE" = ws -o "$MODE" = vda ] ; then PROXY_WLAN=eth0 elif [ "$MODE" = nat ] || [ "$MODE" = gateway ] ; then PROXY_WLAN=eth0 # elif [ "$MODE" = whonix -o "$MODE" = tor -o "$MODE" = host -o "$MODE" = selektor -o "$MODE" = client ] ; then else if ip route | grep -q ^defa ; then PROXY_WLAN=$( ip route | grep ^defa|sed -e 's/.*dev //' -e 's/ .*//' ) fi if [ -z "$PROXY_WLAN" ] ; then PROXY_WLAN=`ifconfig|grep -B 1 inet.*broadcast|grep ^wlan|sed -e 's/ .*//'` fi # shellcheck disable=SC2154 if [ -z "$PROXY_WLAN" ] && [ -d "$BASE_SRC_ANSIBLE" ] ; then # do we really want this in inventory or live? # shellcheck disable=SC2154 if [ -z "$BOX_DEFAULT_OUTPUT_IF" ] ; then BOX_DEFAULT_OUTPUT_IF=$( /usr/local/bin/testforge_get_inventory.bash BOX_DEFAULT_OUTPUT_IF ) # shellcheck disable=SC2154 [ $? -ne 0 -o -z "$BOX_DEFAULT_OUTPUT_IF" ] && return 1 #? recurse fi PROXY_WLAN="$BOX_DEFAULT_OUTPUT_IF" fi # shellcheck disable=SC2154 if [ -z "$PROXY_WLAN" ] && cat /tmp/ipconfig-a.$$ | grep -q '^wlan\|^eth' ; then # there may be not a route yet # there may be 2!!! 
PROXY_WLAN=$( cat /tmp/ipconfig-a.$$ | grep '^eth\|^wlan' |head -1 |sed -e 's/:.*//' ) fi fi rm -f /tmp/ipconfig-a.$$ # shellcheck disable=SC2154 [ -z "$PROXY_WLAN" ] && return 2 # fixme - required PROXY_WLAN=$( echo $PROXY_WLAN | grep '^eth\|^wlan' |sed -e 's/:.*//' ) # shellcheck disable=SC2154 [ -z "$PROXY_WLAN" ] && return 3 echo -n $PROXY_WLAN return 0 } ## proxy_ping_get_https proxy_ping_get_https () { # shellcheck disable=SC2154 if [ -n "$https_proxy" ] ; then HTTPS_HOST=$( echo $https_proxy|sed -e 's@.*//@@' -e 's@:[0-9]*@@' ) HTTPS_PORT=$( echo $https_proxy|sed -e 's@.*//[^:]*:@@' ) # DBUG $prog $https_proxy HTTPS_PORT=$HTTPS_PORT HTTPS_HOST=$HTTPS_HOST # shellcheck disable=SC2154 [ -z "$HTTPS_HOST" ] && [ "$MODE" = whonix ] && HTTPS_HOST=10.0.2.15 if [ -z "$HTTPS_HOST" ] && [ "$MODE" = nat ] ; then [ -z "$external"] && \ external=`grep external$ /etc/hosts|sed -e 's/ .*//'` HTTPS_HOST=$external fi # shellcheck disable=SC2154 [ -z "$HTTPS_HOST" ] && HTTPS_HOST=127.0.0.1 # shellcheck disable=SC2154 [ -z "$HTTPS_PORT" ] && HTTPS_PORT=9128 fi echo -n "$HTTPS_HOST:$HTTPS_PORT" return 0 } ## proxy_ping_get_http proxy_ping_get_http () { # shellcheck disable=SC2154 if [ -n "$http_proxy" ] ; then HTTP_HOST=$( echo $http_proxy | sed -e 's@.*//@@' -e 's@:[0-9]*@@' ) HTTP_PORT=$( echo $http_proxy | sed -e 's@.*//[^:]*:@@' ) # DBUG $prog $http_proxy HTTP_PORT=$HTTP_PORT HTTP_HOST=$HTTP_HOST # shellcheck disable=SC2154 [ -z "$HTTP_HOST" -a "$MODE" = whonix ] && HTTP_HOST=127.0.0.1 # shellcheck disable=SC2154 [ -z "$HTTP_HOST" -a "$MODE" = tor ] && HTTP_HOST=127.0.0.1 if [ -z "$HTTP_HOST" ] && [ "$MODE" = nat ] ; then [ -z "$external"] && \ external=`grep external$ /etc/hosts|sed -e 's/ .*//'` HTTP_HOST=$external fi # shellcheck disable=SC2154 [ -z "$HTTP_PORT" ] && HTTP_PORT=3128 fi echo -n "$HTTP_HOST:$HTTP_PORT" return 0 } ## proxy_ping_get_socks_host proxy_ping_get_socks_host () { # shellcheck disable=SC2154 if [ -n "$socks_proxy" ] ; then SOCKS_HOST=$( echo 
$socks_proxy|sed -e 's@.*//@@' -e 's/.*@//' -e 's@:[0-9]*@@' ) # DBUG $prog $socks_proxy SOCKS_PORT=$SOCKS_PORT SOCKS_HOST=$SOCKS_HOST fi echo -n $SOCKS_HOST:9050 } ## proxy_ping_get_socks_port proxy_ping_get_socks_port () { # shellcheck disable=SC2154 if [ -n "$socks_proxy" ] ; then SOCKS_PORT=$( echo $socks_proxy|sed -e 's@.*//[^:]*:@@' ) # DBUG $prog $socks_proxy SOCKS_PORT=$SOCKS_PORT SOCKS_HOST=$SOCKS_HOST fi # echo -n $SOCKS_PORT } ## proxy_ping_get_socks proxy_ping_get_socks () { # let socks_proxy override proxy_ping_get_socks_host proxy_ping_get_socks_port # shellcheck disable=SC2154 [ -z "$SOCKS_HOST" ] || return 0 if [ "$MODE" = whonix ] ; then SOCKS_HOST=10.0.2.15 && SOCKS_PORT=9050 elif [ "$MODE" = gateway ] ; then SOCKS_HOST=10.0.2.15 && SOCKS_PORT=9050 elif [ "$MODE" = nat ] ; then SOCKS_HOST=10.0.2.2 && SOCKS_PORT=9050 elif [ "$MODE" = tor ] || [ "$MODE" = selektor ]; then SOCKS_HOST=127.0.0.1 && SOCKS_PORT=9050 elif [ "$MODE" = vda ] ; then SOCKS_HOST=10.152.152.10 && SOCKS_PORT=9050 elif [ "$MODE" = nat ] ; then [ -z "$external"] && \ external=`grep external$ /etc/hosts|sed -e 's/ .*//'` SOCKS_HOST=$external && SOCKS_PORT=9050 fi # shellcheck disable=SC2154 [ -z "$SOCKS_DNS" ] && SOCKS_DNS=9053 echo -n $SOCKS_HOST:$SOCKS_PORT return 0 } # proxy_ping_chattr proxy_ping_chattr () { DBUG proxy_ping_chattr MODE=$MODE $* ; local elt [ -f /etc/sysctl.d/70_testforge_ping.conf ] || \ { echo 'net.ipv4.ping_group_range=0 1000' > /etc/sysctl.d/70_testforge_ping.conf ; \ sysctl net.ipv4.ping_group_range="0 1000" >/dev/null ; } # setcap not supported on ext2? 
mount | grep -q ' / .*type ext2' && return 0 # https://github.com/DietPi/issues/1012 for elt in ping traceroute ; do EXE=$(which $elt) || continue # shellcheck disable=SC2154 [ -z "$EXE" ] && continue [ -h $EXE ] && EXE=$(readlink $EXE) [ -h $EXE ] && continue getcap $EXE | grep -q 'cap_net_admin' && continue setcap 'cap_net_admin,cap_net_raw+ep' $(which $elt) done return 0 } proxy_tor_update_wlan_ip () { DBUG proxy_tor_update_wlan_ip MODE=$MODE $* ; # shellcheck disable=SC2154 if [ -z "$PROXY_WLAN_IP" ] ; then PROXY_WLAN_IP=`proxy_get_wlan_ip` [ $? -ne 0 ] && return 1 fi # shellcheck disable=SC2154 [ -z "$PROXY_WLAN_IP" ] && return 2 [ -f /etc/tor/torrc-defaults ] || return 0 sed -e "s@^SocksPolicy accept 10.16.*@SocksPolicy accept $PROXY_WLAN_IP@" \ -i /etc/tor/torrc-defaults return 0 } ## proxy_tor_set_socks_accept proxy_tor_set_socks_accept () { DBUG proxy_tor_set_socks_accept MODE=$MODE $* ; # shellcheck disable=SC2154 [ -z "$PROXY_WLAN" ] && PROXY_WLAN=`proxy_ping_get_wlan` retval=$? [ $retval -eq 0 -a -n "$PROXY_WLAN" ] || { ERROR proxy_tor_set_socks_accept empty wlan retval=$retval return 2 } wlan7=$PROXY_WLAN if [ -n "$wlan7" ] ; then ip=`proxy_get_wlan_ip` anet="${ip:0:3}" for file in /etc/tor/torrc-defaults /etc/tor/torrc ; do [ -f $file ] || continue DBUG $file if grep -q "^SocksPolicy accept $anet" $file ; then sed -e "s@^SocksPolicy accept ${anet}.*@SocksPolicy accept $ip@" \ -i $file INFO updated $anet $file break fi done fi return 0 } ## proxy_ping_get_ip_gw proxy_ping_get_ip_gw () { proxy_ping_get_wlan_gw ; } ## proxy_ping_get_wlan_gw proxy_ping_get_wlan_gw () { PROXY_WLAN=`proxy_ping_get_wlan` retval=$? [ $retval -eq 0 -a -n "$PROXY_WLAN" ] || { ERROR proxy_ping_get_wlan_gw empty wlan retval=$retval return 2 } # can be up without having an address a=$( proxy_ifconfig $PROXY_WLAN | grep 'inet.*broadcast' ) [ $? 
-ne 0 -o -z "$a" ] && return 2 IP=$( echo $a | sed -e 's/.*inet //' -e 's/ .*//' ) # | grep -v '127.0.0.1\|grep' [ -z "$IP" ] && return 2 PROXY_WLAN_GW=$( echo -n $IP | sed -e 's/[0-9]*$//' )1 echo -n $PROXY_WLAN_GW return 0 } ## proxy_ping_get_wlan proxy_ping_get_wlan () { local retval PROXY_WLAN=$( proxy_get_if ) retval=$? [ $retval -eq 0 -a -n "$PROXY_WLAN" ] || { ERROR proxy_get_if empty wlan7 retval=$retval return 2$retval } # REQUIRED! PROXY_WLAN=$( echo $PROXY_WLAN | grep '^eth\|^wlan' |sed -e 's/:.*//' ) echo -n $PROXY_WLAN return 0 } ## proxy_ping_test_env proxy_ping_test_env () { DBUG proxy_ping_test_env MODE=$MODE $* ; # shellcheck disable=SC2154 [ -n "$https_proxy" ] && return 0 # shellcheck disable=SC2154 [ -n "$socks_proxy" ] && return 0 # shellcheck disable=SC2154 [ -n "$http_proxy" ] && return 0 return 1 } ## proxy_whonix_get_conn proxy_whonix_get_conn () { # shellcheck disable=SC2154 [ -n "$CONN" ] && echo -n $CONN && return 0 [ -f /etc/rc.local ] && return 0 for elt in Gateway Host Vda Workstation ; do if grep -q Whonix-$elt.rc /etc/rc.local && \ [ -f /usr/local/etc/local.d/Whonix-$elt.rc ] ; then CONN=$elt break fi done [ "$CONN" = Vda -o "$CONN" = Gateway -o "$CONN" = Workstation ] && CHORG=guest [ -e /dev/virtio-ports/org.qemu.guest_agent.0 ] || CHORG=guest [ -z "$CONN" -a "$CONN" = "Host" ] && CHORG=host # giggle host in host? #? 
[ -e /run/libvirt/libvirt-sock ] && CHORG=host echo -n $CONN return 0 } ## proxy_ping_curl_privoxy proxy_ping_curl_privoxy () { DBUG proxy_ping_curl_privoxy MODE=$MODE $* ; curl $CURL_ARGS --insecure \ --proxy http://"$PROXY_HTTP_PROXY_HOST":$PROXY_HTTP_PROXY_PORT \ --proxy-insecure https://$HTTP_TARGET } ## proxy_ping_curl_polipo proxy_ping_curl_polipo () { DBUG proxy_ping_curl_polipo MODE=$MODE $* ; curl $CURL_ARGS --insecure --proxy http://"$PROXY_HTTP_PROXY_HOST":$PROXY_HTTP_PROXY_PORT --proxy-insecure https://$HTTP_TARGET } ## proxy_ping_curl_bin proxy_ping_curl_bin () { DBUG proxy_ping_curl_bin MODE=$MODE $* ; su -c "curl $CURL_ARGS --insecure --noproxy '*' https://$HTTP_TARGET" -s /bin/sh $PRIV_BIN_OWNER } ## proxy_nmap_guid_$PRIV_BIN_OWNER proxy_nmap_guid_bin () { DBUG proxy_nmap_guid_bin MODE=$MODE $* ; # must be suid bin if [ -z "$( find /usr/bin/nmap -perm 2755 )" ] ; then chgrp $PRIV_BIN_OWNER /usr/bin/nmap chmod 2755 /usr/bin/nmap fi } ## proxy_ping_nmap_direct proxy_ping_nmap_direct () { DBUG proxy_ping_nmap_direct MODE=$MODE $* ; local i local target proxy_nmap_guid_bin [ "$#" -eq 1 ] && target=$1 || target="$DNS_HOST1" shift [ "$#" -eq 1 ] && p=$1 || p="U:53" i=0 while [ $i -lt $TRIES ] ; do #su -s /bin/bash -c 'ping -c 1 8.8.8.8' $PRIV_BIN_OWNER && break nmap -Pn -sU -p $p $target && break sleep $DELAY i=$( expr $i + 1 ) done [ $i -ge $TRIES ] && echo "ERROR: proxy_ping_nmap_direct nmap -Pn -sU -p U:53 $target failed" && return 5 return 0 } ## proxy_whonix_copy_dir_file proxy_whonix_copy_dir_file () { DBUG proxy_whonix_copy_dir_file PROXY_WLAN=$PROXY_WLAN MODE=$MODE $* ; [ "$#" -le 1 ] && { ERROR proxy_whonix_copy_dir_file from empty: MODE=$MODE $* ; return 1 ; } [ "$#" -eq 2 ] || { ERROR to empty ; return 2 ; } local file=$1 local to=$2 # shellcheck disable=SC2154 if [ -z "$PROXY_WLAN" ] ; then PROXY_WLAN=$( proxy_get_if ) [ $? 
-ne 0 -o -z "$PROXY_WLAN" ] && ERROR empty PROXY_WLAN && return 2 fi # fixme - required PROXY_WLAN=$( echo $PROXY_WLAN | grep '^eth\|^wlan' |sed -e 's/:.*//' ) [ -f $to ] || return 0 [ -f $file ] || return 0 diff -q $to $file && return 0 proxy_ping_check_root || return 0 if ! diff -q $to $file && false ; then INFO proxy_whonix_copy_files cp -p $to $file cp -p $to $file || { ERROR copying $file.dire ; } fi grep -q wlan $file || \ sed -e "s@wlan[0-9]@$PROXY_WLAN@" \ -i $file # -e "s@eth[0-9]@$PROXY_WLAN@" return 0 } ## proxy_whonix_copy_files proxy_whonix_copy_files () { DBUG proxy_whonix_copy_files PROXY_WLAN=$PROXY_WLAN MODE=$MODE $* ; local dire [ "$#" -eq 1 ] || { ERROR dire empty ; return 1 ; } dire=$1 proxy_ping_check_root || { WARN must be root to copy files && return 0 ; } # DBUG proxy_whonix_copy_files $dire ${PROXY_WHONIX_FILES[*]} for file in "${PROXY_WHONIX_FILES[@]}" ; do proxy_whonix_copy_dir_file $file.$dire $file done if [ -d /etc/apt/apt.conf.f ] ; then for file in /etc/apt/*.conf.$dire ; do to=`sed -e "s/.$dire//" <<< $file` proxy_whonix_copy_dir_file $file $to done fi return 0 } ## proxy_ping_firewall_check proxy_ping_firewall_check () { DBUG proxy_ping_firewall_check PROXY_WLAN=$PROXY_WLAN MODE=$MODE $* ; if [ "$MODE" = workstation -o "$MODE" = ws -o "$MODE" = vda ] ; then : elif [ "$MODE" = nat -o "$MODE" = gateway -o "$MODE" = host ] ; then : elif [ "$MODE" = tor -o "$MODE" = selektor ] ; then [ -s /etc/firewall.conf ] || { ERROR "proxy_ping_firewall_check /etc/firewall.conf empty " return 1 } grep -q -i reject /etc/firewall.conf || { ERROR "proxy_ping_firewall_check no reject in /etc/firewall.conf" return 2 } grep -q -e "--gid-owner $PRIV_BIN_GID .* ACCEPT" /etc/firewall.conf || { WARN "proxy_ping_firewall_check no bin --gid-owner $PRIV_BIN_GID in /etc/firewall.conf" # return 3 } grep -q -e "--gid-owner $PRIV_TOR_GID .* ACCEPT" /etc/firewall.conf || { WARN "proxy_ping_firewall_check no tor --gid-owner $PRIV_TOR_GID in /etc/firewall.conf" # 
return 4 } fi return 0 } ## proxy_ping_wlan_config proxy_ping_wlan_config () { DBUG proxy_ping_wlan_config MODE=$MODE $* ; local file gid # shellcheck disable=SC2154 [ -n "$PROXY_WLAN" ] || PROXY_WLAN=$( proxy_get_if ) || { ERROR proxy_whonix_wlan_config null interface && return 1 } for file in "${PROXY_WLAN_FILES[@]}" ; do [ -f "$file" ] || continue sed -e "s@wlan[0-9]@$PROXY_WLAN@" -i $file done if ! grep -q -e "-m owner --gid-owner $PRIV_BIN_GID -j ACCEPT" /etc/firewall.conf ; then sed -e "s@-m owner --gid-owner [1-9] -j ACCEPT@-m owner --gid-owner $PRIV_BIN_GID -j ACCEPT@" -i /etc/firewall.conf fi grep -q -e "-m owner --gid-owner $PRIV_BIN_GID -j ACCEPT" /etc/firewall.conf || { return 2 } return 0 } ## proxy_ping_firewall_sysctl_ipv6 proxy_ping_firewall_sysctl_ipv6 () { if [ ! -e /proc/net/if_inet6 ] ; then sed -i -e 's/^net.ipv6.conf/#net.ipv6.conf/' /etc/sysctl.d/70_testforge_harden_lynis.conf else sed -i -e 's/^#net.ipv6.conf/net.ipv6.conf/' /etc/sysctl.d/70_testforge_harden_lynis.conf fi return 0 } ## proxy_iptables_rename proxy_iptables_rename () { DBUG proxy_iptables_rename MODE=$MODE $* ; local wd=$PWD cd /usr/sbin/ for file in iptables* ; do base=$( basename $file .bin ) [ $base = $file ] || continue [ -e $file.bin ] || mv $file $file.bin [ ! -e $file.bash ] && \ echo "#!/bin/sh" > $file.bash && \ echo "exec $file.bin \"\$@\"" >> $file.bash && \ chmod 755 $file.bash done return 0 } IPT_LEGACY="iptables-legacy" ## proxy_iptables proxy_iptables () { DBUG proxy_iptables MODE=$MODE $* ; if [ "$IPT_LEGACY" = "" ] ;then # DEBIAN -eq 0 which iptables-legacy 2>/dev/null >/dev/null && \ IPT_LEGACY=iptables-legacy || IPT_LEGACY=iptables fi $IPT_LEGACY $* return $? 
} IPT_SAVE_LEGACY="iptables-legacy-save" ## proxy_iptables_save proxy_iptables_save () { DBUG proxy_iptables_save MODE=$MODE $* ; if [ "$IPT_SAVE_LEGACY" = "" ] ; then # DEBIAN -eq 0 which iptables-legacy-save 2>/dev/null >/dev/null && \ IPT_SAVE_LEGACY=iptables-legacy-save || IPT_SAVE_LEGACY=iptables-save fi $IPT_SAVE_LEGACY $* return $? } IPT_RESTORE_LEGACY="iptables-legacy-restore" ## proxy_iptables_restore proxy_iptables_restore () { DBUG proxy_iptables_restore MODE=$MODE $* ; local retval proxy_iptables -F -t filter ;proxy_iptables -F -t nat ; proxy_iptables -F -t mangle; if [ "$IPT_RESTORE_LEGACY" = "" ] ; then which iptables-legacy-restore 2>/dev/null >/dev/null && \ IPT_RESTORE_LEGACY=iptables-legacy-restore || \ IPT_RESTORE_LEGACY=iptables-restore fi $IPT_RESTORE_LEGACY $* retval=$? if [ $retval -eq 0 ] ; then DBUG proxy_iptables_restored $* else ERROR proxy_iptables_restore retval=$retval $* fi # /usr/local/bin/proxy_firewall_restore_iptable.bash return $? } ## proxy_ping_firewall_modules proxy_ping_firewall_modules () { DBUG proxy_ping_firewall_modules MODE=$MODE $* ; local elt kern proxy_ping_check_root || return 0 if [ $MODE = nat ] ; then lsmod|grep -q virtio_console || \ modprobe virtio_console return $? fi # /etc/modules-load.d/vda*.conf for file in /etc/modules-load.d/firewall.conf ; do grep -v '#\|floppy' $file | xargs modprobe --all done kern=$( uname -r ) if [ -d "/lib/modules/$kern" ] ; then # bpfilter for elt in xt_MASQUERADE nf_nat_ipv4 ; do if grep -q -i $elt "/lib/modules/$kern"/*der ; then lsmod | grep -qi $elt || modprobe $elt || return 5$? 
# else # 5.0.8 kernel # WARN $elt not in "/lib/modules/$kern"/*der # 2>&1|tee $WLOG fi done fi lsmod | grep -q nf_conntrack || modprobe nf_conntrack lsmod | grep -q nft_masq || modprobe nft_masq lsmod | grep -q bridge|| modprobe bridge return 0 } proxy_ping_check_root () { [ $USER = root ] || { # WARN proxy_ping_check_root - not root return 2 } return 0 } ## proxy_ping_firewall_start proxy_ping_firewall_start () { DBUG proxy_ping_firewall_start PROXY_WLAN=$PROXY_WLAN MODE=$MODE $* ; [ -n "$MODE" ] || MODE="$( proxy_ping_mode )" [ $MODE = direct -o $MODE = nat ] && { WARN no proxy_ping_firewall_start MODE=$MODE return 0 } proxy_ping_check_root || { WARN must be root to copy files && return 0 ; } proxy_ping_firewall_modules proxy_ping_firewall_check || { ret=$? ERROR failed proxy_ping_firewall_start ret=$ret return 1$ret } [ $MODE = tor -o $MODE = selektor -o $MODE = ws ] || { ERROR failed proxy_ping_firewall_check MODE=$MODE return 1$ret } proxy_ping_check_root || return 0 proxy_iptables_save 2>&1 | grep -iq reject && return 0 proxy_ping_firewall_restart || return 3$? return 0 } proxy_ping_firewall_set () { proxy_ping_firewall_restart ; } ## proxy_ping_firewall_restart proxy_ping_firewall_restart () { DBUG proxy_ping_firewall_restart MODE=$MODE $* ; local gid proxy_ping_check_root || return 2 # shellcheck disable=SC2154 [ -n "$MODE" ] || MODE="$( proxy_ping_mode )" proxy_ping_check_root || { WARN must be root to copy files && return 0 ; } proxy_ping_firewall_modules # shellcheck disable=SC2154 if [ -z "$PROXY_WLAN" ] ; then PROXY_WLAN=$( proxy_get_if ) retval=$? 
[ $retval -eq 0 -a -n "$PROXY_WLAN" ] || { ERROR proxy_ping_get_wlan empty wlan retval=$retval return 1 } fi proxy_ping_wlan_config proxy_iptables_restore /etc/firewall.conf || { ERROR $prog proxy_iptables_restore failed [ -x /usr/local/bin/proxy_wall.bash ] && \ /usr/local/bin/proxy_wall.bash ERROR: $prog proxy_iptables_restore failed return 3 } proxy_whonix_copy_files "$MODE" || { ERROR "proxy_ping_firewall_restart failed proxy_whonix_copy_files" return 4 } return 0 } ## proxy_ping_dnsmasq_config proxy_ping_dnsmasq_config () { DBUG proxy_ping_dnsmasq_config MODE=$MODE $* ; # fixme: NEEDS dire local dire local retval=0 if [ "$#" -gt 0 ] ; then dire=$1 DEBUG=1 dbug proxy_ping_dnsmasq_config "$@" else WARN proxy_ping_dnsmasq_config no args - defaulting $MODE dire=$MODE fi # shellcheck disable=SC2154 [ -z "$PROXY_WLAN" ] && PROXY_WLAN=`proxy_get_if` && retval=$? [ $retval -ne 0 -o -z "$PROXY_WLAN" ] && { ERROR proxy_ping_dnsmasq_config null PROXY_WLAN=$PROXY_WLAN return 3 } [ -e /etc/dnsmasq.conf ] || { ERROR proxy_ping_dnsmasq_config not /etc/dnsmasq.conf ; return 2 ; } if [ ! -f /etc/dnsmasq.conf.$dire ] ; then cp -p /etc/dnsmasq.conf /etc/dnsmasq.conf.$dire fi sed -e "s/wlan[0-9]/$PROXY_WLAN/" -e "s/eth[0-9]/$PROXY_WLAN/" \ -i /etc/dnsmasq.conf INFO proxy_ping_dnsmasq_config setting PROXY_WLAN=$PROXY_WLAN return 0 } ## proxy_ping_gw_check proxy_ping_gw_check () { DBUG proxy_ping_gw_check MODE=$MODE $* ; PROXY_WLAN_GW=`proxy_ping_get_ip_gw` # shellcheck disable=SC2154 [ -z "$ELOG" ] && ELOG=/tmp/proxy_test_gw$$.err # shellcheck disable=SC2154 [ -z "$WLOG" ] && WLOG=/tmp/proxy_test_gw$$.log if [ $? -eq 0 -a -n "$PROXY_WLAN_GW" ] ; then a=`traceroute -m 10 $PROXY_WLAN_GW | wc -l` [ $? 
-eq 0 -a -n "$a" -a "$a" -gt 4 ] && \ echo ERROR: traceroute $PROXY_WLAN_GW >> $ELOG && \ traceroute -m 10 $PROXY_WLAN_GW >> $ELOG && \ nmap -A -T4 $PROXY_WLAN_GW |tee -a $WLOG | grep -A 1 HOP | grep -v ^1 # /usr/local/bin/base_wall.bash $prog CRIT: traceroute $PROXY_WLAN_GW '>10' fi return 0 } ## proxy_ping_dnsd_check proxy_ping_dnsd_check () { DBUG proxy_ping_dnsd_check MODE=$MODE $* ; # fixme: decide which proxy_ping_dnsmasq_check $* return 0 } ## proxy_ping_dnsmasq_status proxy_ping_dnsmasq_status () { DBUG proxy_ping_dnsmasq_status MODE=$MODE $* ; proxy_rc_service dnsmasq status >/dev/null || return 2$? [ -s /var/log/dnsmasq.log ] || { WARN proxy_ping_dnsmasq_status no file /var/log/dnsmasq.log return 3 } tail /var/log/dnsmasq.log | grep 'using nameserver ' || \ WARN proxy_ping_dnsmasq_status no using in /var/log/dnsmasq.log return 0 } ## proxy_ping_dnsmasq_start proxy_ping_dnsmasq_start () { DBUG proxy_ping_dnsmasq_start MODE=$MODE $* ; local ret # fixme: need dire [ "$#" -eq 0 ] && set -- $MODE proxy_ping_dnsmasq_config $* || { ret=$? WARN proxy_ping_dnsmasq_start dnsmasq not configing $ret return 1$ret } proxy_ping_dnsmasq_status && return 0 cp /dev/null /var/log/dnsmasq.log proxy_rc_service dnsmasq start || { WARN proxy_ping_dnsmasq_start dnsmasq not starting tail /var/log/dnsmasq.log return 3$? } sleep $DELAY netstat -nlp4e | grep :53 || { WARN proxy_ping_dnsmasq_start dnsmasq not running tail /var/log/dnsmasq.log return 4 } return 0 } ## proxy_ping_dnsmasq_stop proxy_ping_dnsmasq_stop () { DBUG proxy_ping_dnsmasq_stop MODE=$MODE $* ; proxy_ping_dnsmasq_status || return 0 proxy_rc_service dnsmasq stop >/dev/null || return 2$? return 0 } ## proxy_ping_pdnsd_check proxy_ping_pdnsd_check () { DBUG proxy_ping_pdnsd_check MODE=$MODE $* ; ps ax | grep -v grep | grep -q pdnsd && return 0 [ -e /etc/pdnsd/pdnsd.conf ] || return 0 proxy_rc_service pdnsd start || return 1$? 
sleep $DELAY tail /var/log/pdnsd.log | grep -q 'All threads started successfully' || return 4 return 0 } ## proxy_ping_dnsmasq_check proxy_ping_dnsmasq_check () { DBUG proxy_ping_dnsmasq_check MODE=$MODE $* ; ps ax | grep -v grep | grep -q dnsmasq && return 0 [ -e /etc/dnsmasq.conf ] && return 0 proxy_rc_service dnsmasq start || return 1$? sleep $DELAY tail /var/log/dnsmasq.log | grep -q 'started, ' || return 4 return 0 } ## proxy_dest_port_wlan_config proxy_dest_port_wlan_config () { DBUG proxy_dest_port_wlan_config MODE=$MODE $* ; # shellcheck disable=SC2154 [ -z "$DEST" -a "$#" -gt 0 ] && DEST=$1 && shift # shellcheck disable=SC2154 [ -z "$DEST" ] && DEST=127.0.0.1 # shellcheck disable=SC2154 [ -z "$PORT" -a "$#" -gt 0 ] && PORT=$1 && shift # shellcheck disable=SC2154 [ -z "$PORT" ] && PORT=9053 # shellcheck disable=SC2154 [ -z "$PROXY_WLAN" -a "$#" -gt 0 ] && PROXY_WLAN=$1 && shift # shellcheck disable=SC2154 if [ -z "$PROXY_WLAN" ] ; then PROXY_WLAN=$( proxy_get_if ) retval=$? [ $retval -eq 0 -a -n "$PROXY_WLAN" ] || { ERROR proxy_get_if empty wlan7 retval=$retval return 2$retval } fi return 0 } ## proxy_whonix_polipo_config proxy_whonix_polipo_config () { DBUG proxy_whonix_polipo_config MODE=$MODE $* ; local dire local file dire=$1 ; shift file=/etc/polipo/config if [ $dire = whonix ]; then if [ ! -f $file.$dire ] ; then cp -p $file $file.$dire cat >> $file.conf <> $file.conf <> $file.conf <> $file.$dire < /usr/local/bin/proxy_testssl_lib.bash return 0 } ## proxy_ping_wait_for_tor proxy_ping_wait_for_tor () { DBUG proxy_ping_wait_for_tor MODE=$MODE $* ; local i i=0 while [ $i -lt $TRIES ] ; do sleep $DELAY tail -20 /var/log/tor/notice.log | grep 100% && break i=$( expr $i + 1 ) done [ $i -ge $TRIES ] && echo "ERROR: proxy_ping_wait_for_tor tor failed" && return 3 return 0 } ## proxy_ping_dig_test proxy_ping_dig_test () { DBUG proxy_ping_dig_test MODE=$MODE $* ; proxy_ping_wait_for_dig $* return $? 
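}

## proxy_ping_wait_for_dig
# Poll up to $TRIES times, $DELAY seconds apart, until a dig run as
# $PRIV_BIN_OWNER shows an ANSWER.
# Returns: 0 once dig answers; 2 when all tries are exhausted.
proxy_ping_wait_for_dig () {
    DBUG proxy_ping_wait_for_dig MODE=$MODE "$@"
    local i
    i=0
    while [ "$i" -lt "$TRIES" ] ; do
        # NOTE(review): dig's header line also carries "ANSWER: 0", so this
        # match may succeed on an empty reply; 'ANSWER SECTION' would be
        # stricter -- confirm against the dig output before changing.
        su -s /bin/bash -c 'dig google.com' "$PRIV_BIN_OWNER" 2>&1 \
            | grep -v grep | grep -A 1 ANSWER && break
        sleep "$DELAY"
        i=$((i + 1))
    done
    if [ "$i" -ge "$TRIES" ] ; then
        echo "ERROR: proxy_ping_wait_for_dig dig failed"
        return 2
    fi
    # explicit success: without it the function returned the status of the
    # failed [ -ge ] test (1) even when dig had answered
    return 0
}

## proxy_ping_set_resolv
# Make /etc/resolv.conf match the resolver expected for the mode (default:
# $MODE).  Returns 0 when it already matches or was rewritten, 1 when no
# mode is known.
proxy_ping_set_resolv () {
    DBUG proxy_ping_set_resolv MODE=$MODE "$@"
    local dire
    local ret
    if [ "$#" -gt 0 ] ; then dire=$1 ; else dire=$MODE ; fi
    proxy_ping_test_resolv "$dire"
    ret=$?
    [ "$ret" -eq 0 ] && return 0
    [ "$ret" -eq 1 ] && return 1
    # any other status: rewrite resolv.conf.  $DEST is passed only when
    # non-empty so the callee's 127.0.0.1 default still applies.
    proxy_clobber_resolv_local ${DEST:+"$DEST"}
    return 0
}

## proxy_ping_test_resolv
# Pick the resolver address for the mode (default: $MODE) into the global
# PROXY_DNS_IP and check /etc/resolv.conf for it; as root, also record it
# in /etc/resolv.conf.<mode>.
# Returns: 0 when resolv.conf names the address or the per-mode file was
#          updated; 1 when no mode is given.
# NOTE(review): with the "#?" grep below disabled this function only ever
# returns 0 or 1, so proxy_ping_set_resolv's clobber branch is unreachable;
# re-enable it if rewriting a public nameserver is intended.
proxy_ping_test_resolv () {
    DBUG proxy_ping_test_resolv MODE=$MODE "$@"
    local dire
    if [ "$#" -gt 0 ] ; then dire=$1 ; else dire=$MODE ; fi
    [ -z "$dire" ] && return 1
    # fixme - has polipo?
    #? proxy_whonix_polipo_config $dire
    case "$dire" in
        whonix)
            # PROXY_DNS_IP="10.0.2.15#9053"
            PROXY_DNS_IP=127.0.0.1
            ;;
        gateway)
            PROXY_DNS_IP=10.0.2.15
            ;;
        nat)
            PROXY_DNS_IP=10.0.2.2
            ;;
        vda|ws|workstation)
            PROXY_DNS_IP=10.152.152.10
            ;;
        tor|selektor|host)
            PROXY_DNS_IP=127.0.0.1
            ;;
        *)
            WARN proxy_ping_test_resolv unexpected dire=$dire
            PROXY_DNS_IP=127.0.0.1
            #? return 1
            ;;
    esac
    # fixed-string match: the dots in the address are literal, not regex "any"
    grep -qF -- "$PROXY_DNS_IP" /etc/resolv.conf && return 0
    #? grep '^nameserver *[2-9]' /etc/resolv.conf && return 2
    if [ "$USER" = root ] ; then
        if [ -f "/etc/resolv.conf.$dire" ] ; then
            sed -e "s@nameserver.*@nameserver $PROXY_DNS_IP@" -i "/etc/resolv.conf.$dire"
        else
            echo nameserver "$PROXY_DNS_IP" > "/etc/resolv.conf.$dire"
        fi
    fi
    return 0
}

## proxy_clobber_resolv_local
# Point every nameserver line of /etc/resolv.conf at $1 (default 127.0.0.1),
# appending one if none exists.  No-op without root.  Always returns 0
# except when the address would break the sed expression (1).
proxy_clobber_resolv_local () {
    DBUG proxy_clobber_resolv_local MODE=$MODE "$@"
    local ip
    if [ "$#" -eq 0 ] ; then ip=127.0.0.1 ; else ip=$1 ; fi
    # the address is interpolated into a sed replacement below; refuse
    # values that would change the expression rather than edit the file
    case "$ip" in
        */*|*'&'*|*"$(printf '\n')"*)
            WARN proxy_clobber_resolv_local invalid nameserver "$ip"
            return 1
            ;;
    esac
    # FixMe: /etc/resolv.conf resolvconf
    grep -q "^nameserver $ip" /etc/resolv.conf && return 0
    proxy_ping_check_root || return 0
    if grep -q "^nameserver" /etc/resolv.conf ; then
        sed -e "s/^nameserver.*/nameserver $ip/" -i /etc/resolv.conf
    else
        echo "nameserver $ip" >> /etc/resolv.conf
    fi
    return 0
}

## proxy_ping_status
# Report libvirt status via the sibling library; its result is not
# propagated, 0 is always returned.
proxy_ping_status () {
    DBUG proxy_ping_status MODE=$MODE "$@"
    /usr/local/bin/proxy_libvirt_lib.bash proxy_libvirt_status
    return 0
}

## proxy_virsh
# Run virsh with the given arguments under a 20s timeout (SIGKILL 10s
# later).  Returns virsh's status, or 124 when the timeout fired.
proxy_virsh () {
    DBUG proxy_virsh MODE=$MODE "$@"
    timeout --kill-after=10 20 virsh "$@"
    # timeout=124
    return $?
}

## proxy_ping_update_cacert
# Refresh the curl.se CA bundle in /usr/local/etc/ssl when the directory is
# writable, then print (without newline) the first non-empty bundle found.
# Returns: 0 when the directory is absent or the download succeeded (or was
#          skipped); the curl wrapper's status otherwise.
# NOTE(review): the bundle is trusted on TLS alone; curl.se publishes a
# .sha256 next to cacert.pem that the wrapper could check before install.
proxy_ping_update_cacert () {
    # echos filename answer
    local WD=$PWD
    local DIR=/usr/local/etc/ssl
    local URL=https://curl.se/ca/cacert.pem
    local curls='curl.bash'
    local RARGS
    local retval=0
    local file
    [ -d "$DIR" ] || return 0
    cd "$DIR" || return 1
    if [ -w "$DIR" ] ; then
        # shellcheck disable=SC2086 -- RARGS is an optional word list, kept unquoted
        if [ -f cacert-curl.se.pem ] ; then
            # -z: fetch only when the remote copy is newer than the local file
            $curls -o "$DIR/cacert-curl.se.pem" -z cacert-curl.se.pem $RARGS "$URL" \
                >/dev/null
        else
            $curls -o "$DIR/cacert-curl.se.pem" $RARGS "$URL" \
                >/dev/null
        fi
        retval=$?
        # [ $? -ne 0 ] && exit $?
    fi
    for file in cacert-curl.se.pem cacert-testforge.pem; do
        if [ -s "$DIR/$file" ] ; then
            printf '%s' "$DIR/$file"
            break
        fi
    done
    cd "$WD" || retval=1
    return $retval
}

# Start dnscrypt-proxy, or stop pdnsd, according to the global $pdnsd
# selector ("dnscrypt" / "pdnsd"); no-op when it is empty.
# Returns: 11 when dnscrypt-proxy logs "No servers configured"; 12 when it
#          is not running after $DELAY seconds; otherwise the status of the
#          last command run (0 when nothing matched).
# NOTE(review): the log is truncated at /var/local/var/log/... but checked
# at $HARDEN_VAR_LOCAL/var/log/...; these are only the same file when
# HARDEN_VAR_LOCAL is /var/local -- confirm.
# NOTE(review): the pdnsd branch stops pdnsd when it is *not* running and
# /etc/pdnsd.conf exists; if a start was meant, this reads inverted.
starbucks_pdnsd () {
    # shellcheck disable=SC2154
    [ -z "$pdnsd" ] && return 0
    if [ "$pdnsd" = "dnscrypt" ] && \
       ! ps ax | grep -v grep | grep -q /dnscrypt-proxy ; then
        cp /dev/null /var/local/var/log/dnscrypt-proxy.log
        "$HARDEN_VAR_LOCAL/bin/dnscrypt-proxy" --config "$HARDEN_VAR_LOCAL/etc/dnscrypt-proxy.toml" &
        sleep "$DELAY"
        # fail only when the log has content AND reports no servers
        [ ! -s /var/local/var/log/dnscrypt-proxy.log ] || \
            ! grep -q 'No servers configured' "$HARDEN_VAR_LOCAL/var/log/dnscrypt-proxy.log" || return 11
        ps ax | grep -v grep | grep -q /dnscrypt-proxy || return 12
    elif [ "$pdnsd" = "pdnsd" ] && ! ps ax | grep -v grep | grep -q /pdnsd ; then
        if [ -x /bin/systemctl ] ; then
            [ -e /etc/pdnsd.conf ] && /bin/systemctl stop pdnsd >/dev/null
        else
            [ -e /etc/pdnsd.conf ] && /etc/init.d/pdnsd stop
        fi
    fi
}

base=proxy_ping_lib
# DBUG 0=$0
# When executed (not sourced) as proxy_ping_lib.bash / .sh, run the named
# library function with the remaining arguments; -h/--help lists them.
if [ -x /usr/bin/basename ] && \
   [ "$( basename -- "$0" .bash )" = "$base" -o "$( basename -- "$0" .sh )" = "$base" ] ; then
    if [ "$#" -eq 1 ] && [ "$1" = '-h' -o "$1" = '--help' ] ; then
        echo USAGE: "$0"
        # the "## name" headers and "name ()" lines are the documented entry points
        grep '^[a-z].*()\|^## ' "$0" | sed -e 's/().*//'
        exit 0
    fi
    # dispatch only to a function this library defines or sources; a bare
    # command name is refused instead of being executed with the caller's
    # (often root) privileges
    if [ "$#" -gt 0 ] && ! declare -F "$1" >/dev/null 2>&1 ; then
        ERROR proxy_ping_lib unknown function "$1"
        exit 2
    fi
    "$@"
    exit $?
fi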