implement pushack protocol

Author: Arian8j2

Cargo.lock

@@ -9,6 +9,7 @@ clap = { version = "4.4.18", features = ["derive"] }
 log = "0.4.20"
 simple_logger = "4.2.0"
 forwarder = { path = "../forwarder" }
+ctrlc = { version = "3.5.2", features = ["termination"] }
 
 [build-dependencies]
 vergen = { version = "8.2.8", features = ["git", "gitcl"] }

forwarder-cli/Cargo.toml

@@ -2,7 +2,7 @@ use super::Args;
 use forwarder::{
     create_socket_buffer,
     socket::{
-        icmp::{create_bfp_filter, IcmpEchoType, IcmpSocket, ICMP_RESERVED_BYTES_LEN},
+        icmp::{create_bfp_filter, IcmpEchoType, IcmpSocket},
         SocketTrait,
     },
 };

forwarder-cli/src/health_check.rs

@@ -1,4 +1,4 @@
-use anyhow::{ensure, Context};
+use anyhow::{bail, ensure, Context};
 use clap::Parser;
 use forwarder::uri::{Protocol, Uri};
 use log::{info, LevelFilter};
@@ -8,6 +8,7 @@ use std::{
 };
 
 mod health_check;
+mod pushack_firewall;
 
 /// Lightweight UDP forwarder and UDP over ICMP
 #[derive(Parser)]
@@ -37,7 +38,7 @@ pub struct Args {
     #[arg(long, hide = true)]
     pub child: bool,
 
-    /// Amount of seconds to wait when handshake failed
+    /// Amount of seconds to wait when icmp handshake failed in reverse mode
     #[arg(long, default_value = "2")]
     pub handshake_delay: u32,
 }
@@ -46,6 +47,23 @@ fn main() -> anyhow::Result<()> {
     let cli = Args::parse();
     setup_logger().with_context(|| "couldn't setup logger")?;
     log_version();
+
+    let iptables_guard = pushack_firewall::drop_rst(&cli)
+        .with_context(|| "couldn't add firewall rule to drop rst")?;
+    // TODO: this will not get called on panics of forwarder and ...
+    // maybe launch forwarder on new process and disable panic abort and remove panics in forwarder lib
+    ctrlc::set_handler(move || {
+        drop(iptables_guard.clone());
+        std::process::exit(1);
+    })
+    .unwrap();
+
+    if cli.listen_uri.addr.is_ipv6() && cli.listen_uri.protocol == Protocol::Pushack
+        || cli.remote_uri.addr.is_ipv6() && cli.remote_uri.protocol == Protocol::Pushack
+    {
+        bail!("pushack protocol does not support ipv6 yet");
+    }
+
     if cli.child || !cli.reverse {
         forwarder::run(cli.listen_uri, cli.remote_uri, cli.passphrase, cli.reverse)?;
     } else {

forwarder-cli/src/main.rs

@@ -0,0 +1,88 @@
+use super::Args;
+use anyhow::{bail, Context};
+use forwarder::uri::Protocol;
+use std::process::Command;
+
+#[derive(Default, Clone)]
+pub struct IptablesGuard {
+    filters: Vec<Filter>,
+}
+
+impl Drop for IptablesGuard {
+    fn drop(&mut self) {
+        for filter in self.filters.drain(..) {
+            run_iptables_rst_filter(Action::Remove, filter)
+                .with_context(|| "couldn't remove iptables filter")
+                .unwrap();
+        }
+    }
+}
+
+pub fn drop_rst(cli: &Args) -> anyhow::Result<IptablesGuard> {
+    let mut guard = IptablesGuard::default();
+    if cli.remote_uri.protocol == Protocol::Pushack {
+        let filter = Filter::DestPort(cli.remote_uri.addr.port());
+        run_iptables_rst_filter(Action::Add, filter)
+            .with_context(|| "couldn't add rst filter for remote")?;
+        guard.filters.push(filter);
+    }
+    if cli.listen_uri.protocol == Protocol::Pushack {
+        let filter = Filter::SourcePort(cli.listen_uri.addr.port());
+        run_iptables_rst_filter(Action::Add, filter)
+            .with_context(|| "couldn't add rst filter for listen")?;
+        guard.filters.push(filter);
+    }
+    Ok(guard)
+}
+
+#[derive(Debug, PartialEq, Eq, Clone, Copy)]
+enum Filter {
+    SourcePort(u16),
+    DestPort(u16),
+}
+
+#[derive(PartialEq, Eq, Clone, Copy)]
+enum Action {
+    Add,
+    Remove,
+}
+
+fn run_iptables_rst_filter(action: Action, filter: Filter) -> anyhow::Result<()> {
+    let (filter, value) = match filter {
+        Filter::DestPort(port) => ("--dport", port.to_string()),
+        Filter::SourcePort(port) => ("--sport", port.to_string()),
+    };
+    run_command(
+        "iptables",
+        &[
+            "-t",
+            "mangle",
+            if action == Action::Add { "-I" } else { "-D" },
+            "POSTROUTING",
+            "-p",
+            "tcp",
+            filter,
+            &value,
+            "--tcp-flags",
+            "RST",
+            "RST",
+            "-j",
+            "DROP",
+        ],
+    )
+    .with_context(|| "iptables command failed")?;
+    Ok(())
+}
+
+fn run_command(program: &str, args: &[&str]) -> anyhow::Result<String> {
+    let output = Command::new(program)
+        .args(args)
+        .output()
+        .with_context(|| format!("couldn't spawn '{program}' program"))?;
+    let stdout = String::from_utf8(output.stdout)?;
+    if !output.status.success() {
+        let stderr = String::from_utf8(output.stderr)?;
+        bail!("{stdout}\n{stderr}")
+    }
+    Ok(stdout)
+}