package kvas2 import ( "context" "errors" "fmt" "net" "os" "strings" "time" "kvas2/dns-mitm-proxy" "kvas2/group" "kvas2/models" "kvas2/netfilter-helper" "kvas2/records" "github.com/miekg/dns" "github.com/rs/zerolog/log" "github.com/vishvananda/netlink" "github.com/vishvananda/netlink/nl" ) var ( ErrAlreadyRunning = errors.New("already running") ErrGroupIDConflict = errors.New("group id conflict") ErrRuleIDConflict = errors.New("rule id conflict") ErrConfigUnsupportedVersion = errors.New("config unsupported version") ) var DefaultAppConfig = models.App{ DNSProxy: models.DNSProxy{ Host: models.DNSProxyServer{Address: "[::]", Port: 3553}, Upstream: models.DNSProxyServer{Address: "127.0.0.1", Port: 53}, DisableRemap53: false, DisableFakePTR: false, DisableDropAAAA: false, }, Netfilter: models.Netfilter{ IPTables: models.IPTables{ ChainPrefix: "KVAS2_", }, IPSet: models.IPSet{ TablePrefix: "kvas2_", AdditionalTTL: 3600, }, }, Link: []string{"br0"}, LogLevel: "info", } type App struct { config models.App unprocessedGroups []models.Group dnsMITM *dnsMitmProxy.DNSMITMProxy nfHelper4 *netfilterHelper.NetfilterHelper nfHelper6 *netfilterHelper.NetfilterHelper records *records.Records groups []*group.Group isRunning bool dnsOverrider4 *netfilterHelper.PortRemap dnsOverrider6 *netfilterHelper.PortRemap } func (a *App) handleLink(event netlink.LinkUpdate) { switch event.Change { case 0x00000001: log.Trace(). Str("interface", event.Link.Attrs().Name). Int("change", int(event.Change)). Msg("interface event") ifaceName := event.Link.Attrs().Name for _, group := range a.groups { if group.Interface != ifaceName { continue } err := group.LinkUpdateHook(event) if err != nil { log.Error().Str("group", group.ID.String()).Err(err).Msg("error while handling interface up") } } case 0xFFFFFFFF: switch event.Header.Type { case 16: log.Debug(). Str("interface", event.Link.Attrs().Name). Int("type", int(event.Header.Type)). Msg("interface add") case 17: log.Debug(). Str("interface", event.Link.Attrs().Name). Int("type", int(event.Header.Type)). Msg("interface del") } } } func (a *App) start(ctx context.Context) (err error) { a.dnsMITM = &dnsMitmProxy.DNSMITMProxy{ UpstreamDNSAddress: a.config.DNSProxy.Upstream.Address, UpstreamDNSPort: a.config.DNSProxy.Upstream.Port, RequestHook: func(clientAddr net.Addr, reqMsg dns.Msg, network string) (*dns.Msg, *dns.Msg, error) { if a.config.DNSProxy.DisableFakePTR { return nil, nil, nil } // TODO: Проверить на интерфейс if len(reqMsg.Question) == 1 && reqMsg.Question[0].Qtype == dns.TypePTR { respMsg := &dns.Msg{ MsgHdr: dns.MsgHdr{ Id: reqMsg.Id, Response: true, RecursionAvailable: true, Rcode: dns.RcodeNameError, }, Question: reqMsg.Question, } return nil, respMsg, nil } return nil, nil, nil }, ResponseHook: func(clientAddr net.Addr, reqMsg dns.Msg, respMsg dns.Msg, network string) (*dns.Msg, error) { defer a.handleMessage(respMsg, clientAddr, &network) if a.config.DNSProxy.DisableDropAAAA { return nil, nil } var idx int for _, answer := range respMsg.Answer { if answer.Header().Rrtype == dns.TypeAAAA { continue } respMsg.Answer[idx] = answer idx++ } respMsg.Answer = respMsg.Answer[:idx] return &respMsg, nil }, } a.records = records.New() nh4, err := netfilterHelper.New(false) if err != nil { return fmt.Errorf("netfilter helper init fail: %w", err) } err = nh4.CleanIPTables(a.config.Netfilter.IPTables.ChainPrefix) if err != nil { return fmt.Errorf("failed to clear iptables: %w", err) } a.nfHelper4 = nh4 nh6, err := netfilterHelper.New(true) if err != nil { return fmt.Errorf("netfilter helper init fail: %w", err) } err = nh6.CleanIPTables(a.config.Netfilter.IPTables.ChainPrefix) if err != nil { return fmt.Errorf("failed to clear iptables: %w", err) } a.nfHelper6 = nh6 newCtx, cancel := context.WithCancel(ctx) defer cancel() errChan := make(chan error) /* DNS Proxy */ go func() { addr, err := net.ResolveUDPAddr("udp", fmt.Sprintf("%s:%d", a.config.DNSProxy.Host.Address, a.config.DNSProxy.Host.Port)) if err != nil { errChan <- fmt.Errorf("failed to resolve udp address: %v", err) return } err = a.dnsMITM.ListenUDP(newCtx, addr) if err != nil { errChan <- fmt.Errorf("failed to serve DNS UDP proxy: %v", err) return } }() go func() { addr, err := net.ResolveTCPAddr("tcp", fmt.Sprintf("%s:%d", a.config.DNSProxy.Host.Address, a.config.DNSProxy.Host.Port)) if err != nil { errChan <- fmt.Errorf("failed to resolve tcp address: %v", err) return } err = a.dnsMITM.ListenTCP(newCtx, addr) if err != nil { errChan <- fmt.Errorf("failed to serve DNS TCP proxy: %v", err) return } }() var addrList []netlink.Addr for _, linkName := range a.config.Link { link, err := netlink.LinkByName(linkName) if err != nil { return fmt.Errorf("failed to find link %s: %w", linkName, err) } linkAddrList, err := netlink.AddrList(link, nl.FAMILY_ALL) if err != nil { return fmt.Errorf("failed to list address of interface: %w", err) } addrList = append(addrList, linkAddrList...) } if !a.config.DNSProxy.DisableRemap53 { a.dnsOverrider4 = a.nfHelper4.PortRemap(fmt.Sprintf("%sDNSOR", a.config.Netfilter.IPTables.ChainPrefix), 53, a.config.DNSProxy.Host.Port, addrList) err = a.dnsOverrider4.Enable() if err != nil { return fmt.Errorf("failed to override DNS (IPv4): %v", err) } defer func() { _ = a.dnsOverrider4.Disable() }() a.dnsOverrider6 = a.nfHelper6.PortRemap(fmt.Sprintf("%sDNSOR", a.config.Netfilter.IPTables.ChainPrefix), 53, a.config.DNSProxy.Host.Port, addrList) err = a.dnsOverrider6.Enable() if err != nil { return fmt.Errorf("failed to override DNS (IPv6): %v", err) } defer func() { _ = a.dnsOverrider6.Disable() }() } /* Groups */ for _, group := range a.unprocessedGroups { err := a.AddGroup(group) if err != nil { return err } } for _, group := range a.groups { err = group.Enable() if err != nil { return fmt.Errorf("failed to enable group: %w", err) } } defer func() { for _, group := range a.groups { _ = group.Destroy() } }() /* Socket (for netfilter.d events) */ socketPath := "/opt/var/run/kvas2.sock" err = os.Remove(socketPath) if err != nil && !errors.Is(err, os.ErrNotExist) { return fmt.Errorf("failed to remove existed UNIX socket: %w", err) } socket, err := net.Listen("unix", socketPath) if err != nil { return fmt.Errorf("error while serve UNIX socket: %v", err) } defer func() { _ = socket.Close() _ = os.Remove(socketPath) }() go func() { for { if newCtx.Err() != nil { return } conn, err := socket.Accept() if err != nil { if !strings.Contains(err.Error(), "use of closed network connection") { log.Error().Err(err).Msg("error while listening unix socket") } break } go func(conn net.Conn) { defer func() { _ = conn.Close() }() buf := make([]byte, 1024) n, err := conn.Read(buf) if err != nil { return } args := strings.Split(string(buf[:n]), ":") if len(args) == 3 && args[0] == "netfilter.d" { log.Debug().Str("table", args[2]).Msg("netfilter.d event") err = a.dnsOverrider4.NetfilterDHook(args[2]) if err != nil { log.Error().Err(err).Msg("error while fixing iptables after netfilter.d") } err = a.dnsOverrider6.NetfilterDHook(args[2]) if err != nil { log.Error().Err(err).Msg("error while fixing iptables after netfilter.d") } for _, group := range a.groups { err := group.NetfilterDHook(args[2]) if err != nil { log.Error().Err(err).Msg("error while fixing iptables after netfilter.d") } } } }(conn) } }() /* Interface updates */ linkUpdateChannel := make(chan netlink.LinkUpdate) linkUpdateDone := make(chan struct{}) err = netlink.LinkSubscribe(linkUpdateChannel, linkUpdateDone) if err != nil { return fmt.Errorf("failed to subscribe to link updates: %w", err) } defer close(linkUpdateDone) /* Global loop */ for { select { case event := <-linkUpdateChannel: a.handleLink(event) case err := <-errChan: return err case <-ctx.Done(): return nil } } } func (a *App) Start(ctx context.Context) (err error) { if a.isRunning { return ErrAlreadyRunning } a.isRunning = true defer func() { a.isRunning = false }() defer func() { if r := recover(); r != nil { var ok bool if err, ok = r.(error); !ok { err = fmt.Errorf("%v", r) } err = fmt.Errorf("recovered error: %w", err) } }() err = a.start(ctx) return err } func (a *App) AddGroup(groupModel models.Group) error { for _, group := range a.groups { if groupModel.ID == group.ID { return ErrGroupIDConflict } } dup := make(map[[4]byte]struct{}) for _, rule := range groupModel.Rules { if _, exists := dup[rule.ID]; exists { return ErrRuleIDConflict } dup[rule.ID] = struct{}{} } grp, err := group.NewGroup(groupModel, a.nfHelper4, a.config.Netfilter.IPTables.ChainPrefix, a.config.Netfilter.IPSet.TablePrefix) if err != nil { return fmt.Errorf("failed to create group: %w", err) } a.groups = append(a.groups, grp) log.Debug().Str("id", grp.ID.String()).Str("name", grp.Name).Msg("added group") if a.isRunning { return grp.Sync(a.records) } return nil } func (a *App) ListInterfaces() ([]net.Interface, error) { interfaceNames := make([]net.Interface, 0) interfaces, err := net.Interfaces() if err != nil { return nil, fmt.Errorf("failed to get interfaces: %w", err) } for _, iface := range interfaces { if iface.Flags&net.FlagPointToPoint == 0 { continue } interfaceNames = append(interfaceNames, iface) } return interfaceNames, nil } func (a *App) processARecord(aRecord dns.A, clientAddr net.Addr, network *string) { var clientAddrStr, networkStr string if clientAddr != nil { clientAddrStr = clientAddr.String() } if network != nil { networkStr = *network } log.Trace(). Str("name", aRecord.Hdr.Name). Str("address", aRecord.A.String()). Int("ttl", int(aRecord.Hdr.Ttl)). Str("clientAddr", clientAddrStr). Str("network", networkStr). Msg("processing a record") ttlDuration := aRecord.Hdr.Ttl + a.config.Netfilter.IPSet.AdditionalTTL a.records.AddARecord(aRecord.Hdr.Name[:len(aRecord.Hdr.Name)-1], aRecord.A, ttlDuration) names := a.records.GetAliases(aRecord.Hdr.Name[:len(aRecord.Hdr.Name)-1]) for _, group := range a.groups { Rule: for _, domain := range group.Rules { if !domain.IsEnabled() { continue } for _, name := range names { if !domain.IsMatch(name) { continue } // TODO: Check already existed err := group.AddIP(aRecord.A, ttlDuration) if err != nil { log.Error(). Str("address", aRecord.A.String()). Err(err). Msg("failed to add address") } else { log.Debug(). Str("address", aRecord.A.String()). Str("aRecordDomain", aRecord.Hdr.Name). Str("cNameDomain", name). Msg("add address") } break Rule } } } } func (a *App) processCNameRecord(cNameRecord dns.CNAME, clientAddr net.Addr, network *string) { var clientAddrStr, networkStr string if clientAddr != nil { clientAddrStr = clientAddr.String() } if network != nil { networkStr = *network } log.Trace(). Str("name", cNameRecord.Hdr.Name). Str("cname", cNameRecord.Target). Int("ttl", int(cNameRecord.Hdr.Ttl)). Str("clientAddr", clientAddrStr). Str("network", networkStr). Msg("processing cname record") ttlDuration := cNameRecord.Hdr.Ttl + a.config.Netfilter.IPSet.AdditionalTTL a.records.AddCNameRecord(cNameRecord.Hdr.Name[:len(cNameRecord.Hdr.Name)-1], cNameRecord.Target[:len(cNameRecord.Target)-1], ttlDuration) // TODO: Optimization now := time.Now() aRecords := a.records.GetARecords(cNameRecord.Hdr.Name[:len(cNameRecord.Hdr.Name)-1]) names := a.records.GetAliases(cNameRecord.Hdr.Name[:len(cNameRecord.Hdr.Name)-1]) for _, group := range a.groups { Rule: for _, domain := range group.Rules { if !domain.IsEnabled() { continue } for _, name := range names { if !domain.IsMatch(name) { continue } for _, aRecord := range aRecords { err := group.AddIP(aRecord.Address, uint32(now.Sub(aRecord.Deadline).Seconds())) if err != nil { log.Error(). Str("address", aRecord.Address.String()). Err(err). Msg("failed to add address") } else { log.Debug(). Str("address", aRecord.Address.String()). Str("cNameDomain", name). Msg("add address") } } continue Rule } } } } func (a *App) handleRecord(rr dns.RR, clientAddr net.Addr, network *string) { switch v := rr.(type) { case *dns.A: a.processARecord(*v, clientAddr, network) case *dns.CNAME: a.processCNameRecord(*v, clientAddr, network) default: } } func (a *App) handleMessage(msg dns.Msg, clientAddr net.Addr, network *string) { for _, rr := range msg.Answer { a.handleRecord(rr, clientAddr, network) } } func (a *App) ImportConfig(cfg models.Config) error { if !strings.HasPrefix(cfg.ConfigVersion, "0.1.") { return ErrConfigUnsupportedVersion } if cfg.App.DNSProxy.Upstream.Address != "" { a.config.DNSProxy.Upstream.Address = cfg.App.DNSProxy.Upstream.Address } if cfg.App.DNSProxy.Upstream.Port != 0 { a.config.DNSProxy.Upstream.Port = cfg.App.DNSProxy.Upstream.Port } if cfg.App.DNSProxy.Host.Address != "" { a.config.DNSProxy.Host.Address = cfg.App.DNSProxy.Host.Address } if cfg.App.DNSProxy.Host.Port != 0 { a.config.DNSProxy.Host.Port = cfg.App.DNSProxy.Host.Port } a.config.DNSProxy.DisableRemap53 = cfg.App.DNSProxy.DisableRemap53 a.config.DNSProxy.DisableFakePTR = cfg.App.DNSProxy.DisableFakePTR a.config.DNSProxy.DisableDropAAAA = cfg.App.DNSProxy.DisableDropAAAA if cfg.App.Netfilter.IPTables.ChainPrefix != "" { a.config.Netfilter.IPTables.ChainPrefix = cfg.App.Netfilter.IPTables.ChainPrefix } if cfg.App.Netfilter.IPSet.TablePrefix != "" { a.config.Netfilter.IPSet.TablePrefix = cfg.App.Netfilter.IPSet.TablePrefix } a.config.Netfilter.IPSet.AdditionalTTL = cfg.App.Netfilter.IPSet.AdditionalTTL a.unprocessedGroups = cfg.Groups return nil } func (a *App) ExportConfig() models.Config { groups := make([]models.Group, len(a.groups)) for idx, group := range a.groups { groups[idx] = group.Group } return models.Config{ ConfigVersion: "0.1.0", App: a.config, Groups: groups, } } func New() *App { return &App{config: DefaultAppConfig} }