Managing programs without Tor DNS Support / orjail

Patrick · February 11, 2018, 12:03pm

Jason suggested to modify
Whonix Default Application Policy in order to
not be adamant about properly working socks support for stream isolation.

Like not installing electrum by default because of this (
https://phabricator.whonix.org/T215 ) we let the perfect be the ennemy
of the good and let users stand in the rain.

HulaHoop:

Meanwhile I have a suggestion on how Gajim’s traffic can be forced to use stream isolation. What if it is installed under its own user account and then you can use bindp to force all traffic for that user over its own isolated stream? Does that make sense? Can it fix things?

bindp use case: ricochet or onionshare open a server port on 127.0.0.1 to be accessible from the hidden service incoming connection. This won’t work in Whonix since the hidden service incoming connection is coming from Whonix-Gateway which is a non-localhost connection. bindp is used to force that application to listen on another interface so it can accept the connection. So bindp has nothing to do with it here since gajim doesn’t open server ports / needs no unsolicited incoming connections.

Once we’re using iptables redirection, no torsocks or anything is required. Perhaps we could have this a generic solution. Applications running under their own linux operating system user name, and then redirected… Wait… Redirect how and where? Could only be redirected to Tor’s DnsPort / Tor’s TransPort, so wouldn’t solve any stream isolation issue. I wouldn’t know any translation from operating system networking default traffic (and iptables) to socks that’s why iptables can help with leak prevention but then connectivity just breaks since iptables is not a socksifier. Would be cool to have some iptables to socks tool. Dunno if that exists.

HulaHoop · February 11, 2018, 4:37pm

Indeed it might be the wisest thing to do if no other choice exists. At least it will make it easier for users to have safely configured apps, especially if they are intent on manually installing them anyway.

I did some digging. Its possible with redsocks to redirect DNS over TCP. Here is a detailed outline of the options you have with redsocks:

github.com/darkk/redsocks

DNS queries through a SOCKS5 proxy

opened 08:59AM - 30 Aug 17 UTC

closed 08:22PM - 01 Feb 18 UTC

CROSP

Hi, I know that this topic have been discussed several times already, but I stil…l having troubles with setting it up. I have tried different approaches here they are First of I redirected all DNS (UDP queries to port 53) to my proxy machine like that `iptables -t nat -A PREROUTING -s 192.168.0.113 -p udp --dport 53 -j DNAT --to-destination 192.168.0.145:5300` Then I tried ``` redudp { local_ip = 0.0.0.0; local_port = 10053; // `ip' and `port' of socks5 proxy server. ip = 22.22.22.22; port = 2222; login = login; password = pass; dest_ip = 8.8.8.8; dest_port = 53; udp_timeout = 30; udp_timeout_stream = 180; } ``` But it doesn't work, packets are just dropped. ``` 1504080987.699956 debug redudp.c:474 redudp_relay_connected(...) [192.168.0.113:52730->8.8.8.8:53]: via 23.249.216.107:56776 1504080987.812315 debug redudp.c:430 redudp_read_auth_methods(...) [192.168.0.113:52730->8.8.8.8:53]: <trace> 1504080987.845857 debug redudp.c:288 redudp_enqeue_pkt(...) [192.168.0.113:51871->8.8.8.8:53]: <trace> 1504080987.924875 debug redudp.c:394 redudp_read_auth_reply(...) [192.168.0.113:52730->8.8.8.8:53]: <trace> 1504080988.850860 debug redudp.c:288 redudp_enqeue_pkt(...) [192.168.0.113:50662->8.8.8.8:53]: <trace> 1504080989.845690 debug redudp.c:288 redudp_enqeue_pkt(...) [192.168.0.113:51871->8.8.8.8:53]: <trace> 1504080992.846606 debug redudp.c:288 redudp_enqeue_pkt(...) [192.168.0.113:50662->8.8.8.8:53]: <trace> 1504080993.855851 debug redudp.c:288 redudp_enqeue_pkt(...) [192.168.0.113:51871->8.8.8.8:53]: <trace> 1504080996.371397 notice redudp.c:500 redudp_relay_error(...) [192.168.0.113:50662->8.8.8.8:53]: redudp_relay_error 1504080996.371452 info redudp.c:217 redudp_drop_client(...) [192.168.0.113:50662->8.8.8.8:53]: Dropping... 1504080997.302259 notice redudp.c:500 redudp_relay_error(...) [192.168.0.113:51871->8.8.8.8:53]: redudp_relay_error 1504080997.302313 info redudp.c:217 redudp_drop_client(...) [192.168.0.113:51871->8.8.8.8:53]: Dropping... ``` Could you explain what it is the purpose of **dest_ip** and **dest_port** here ? The next option I have tried is to use truncated DNS responses as you have mentioned in your README ``` 1504082310.695400 info dnstc.c:94 dnstc_pkt_from_client(...) [192.168.0.113:63094->0.0.0.0:5300]: sent truncated DNS reply 1504082311.699424 info dnstc.c:94 dnstc_pkt_from_client(...) [192.168.0.113:63094->0.0.0.0:5300]: sent truncated DNS reply 1504082313.699975 info dnstc.c:94 dnstc_pkt_from_client(...) [192.168.0.113:63094->0.0.0.0:5300]: sent truncated DNS reply 1504082313.962738 info dnstc.c:94 dnstc_pkt_from_client(...) [192.168.0.113:61305->0.0.0.0:5300]: sent truncated DNS reply 1504082317.704753 info dnstc.c:94 dnstc_pkt_from_client(...) [192.168.0.113:63094->0.0.0.0:5300]: sent truncated DNS reply ``` However it seems according to TCP dump and connections in the kernel on my router after getting the truncated response the resolver doesn't try to use TCP, as I can assume an RFC compliant resolver should send DNS request via the TCP request on the port 53 ? To be honest I am not a professional in a low level packet analysis. I have tried to understand the implementation of DNS resolution in different applications like firefox, winproxy, but there are a lot of stuff to read and debug in order to get this. According the RFC SOCKS5 accepts UDP packets with the **0x03: associate a UDP port** I have successfully managed to use DNS resolution over SOCKS5 with this small application https://github.com/jtripper/dns-tcp-socks-proxy . As far as I can understand this application just parses predefined list of DNS servers that work over TCP chooses a random one and sends a simple TCP request to a proxy server. Here is the part of the implementation ``` // select random dns server in_addr_t remote_dns = inet_addr(dns_servers[rand() % (NUM_DNS - 1)]); memcpy(tmp, "\x05\x01\x00\x01", 4); memcpy(tmp + 4, &remote_dns, 4); memcpy(tmp + 8, "\x00\x35", 2); ``` However using the DNS resolution in this way will not pretend that a local DNS server is used. This configuration is equal to the statically set DNS server, for example in a router as far as the name resolution is made through the public DNS servers, am I right ? Could you please suggest the direction to follow and answer my question ? I would be grateful for any help

OP has combined it with iptables though in his case, the software he’s using isn’t working but its a useful example of how it hcan be done:

github.com/darkk/redsocks

DNS queries through a SOCKS5 proxy

opened 08:59AM - 30 Aug 17 UTC

closed 08:22PM - 01 Feb 18 UTC

CROSP

Hi, I know that this topic have been discussed several times already, but I stil…l having troubles with setting it up. I have tried different approaches here they are First of I redirected all DNS (UDP queries to port 53) to my proxy machine like that `iptables -t nat -A PREROUTING -s 192.168.0.113 -p udp --dport 53 -j DNAT --to-destination 192.168.0.145:5300` Then I tried ``` redudp { local_ip = 0.0.0.0; local_port = 10053; // `ip' and `port' of socks5 proxy server. ip = 22.22.22.22; port = 2222; login = login; password = pass; dest_ip = 8.8.8.8; dest_port = 53; udp_timeout = 30; udp_timeout_stream = 180; } ``` But it doesn't work, packets are just dropped. ``` 1504080987.699956 debug redudp.c:474 redudp_relay_connected(...) [192.168.0.113:52730->8.8.8.8:53]: via 23.249.216.107:56776 1504080987.812315 debug redudp.c:430 redudp_read_auth_methods(...) [192.168.0.113:52730->8.8.8.8:53]: <trace> 1504080987.845857 debug redudp.c:288 redudp_enqeue_pkt(...) [192.168.0.113:51871->8.8.8.8:53]: <trace> 1504080987.924875 debug redudp.c:394 redudp_read_auth_reply(...) [192.168.0.113:52730->8.8.8.8:53]: <trace> 1504080988.850860 debug redudp.c:288 redudp_enqeue_pkt(...) [192.168.0.113:50662->8.8.8.8:53]: <trace> 1504080989.845690 debug redudp.c:288 redudp_enqeue_pkt(...) [192.168.0.113:51871->8.8.8.8:53]: <trace> 1504080992.846606 debug redudp.c:288 redudp_enqeue_pkt(...) [192.168.0.113:50662->8.8.8.8:53]: <trace> 1504080993.855851 debug redudp.c:288 redudp_enqeue_pkt(...) [192.168.0.113:51871->8.8.8.8:53]: <trace> 1504080996.371397 notice redudp.c:500 redudp_relay_error(...) [192.168.0.113:50662->8.8.8.8:53]: redudp_relay_error 1504080996.371452 info redudp.c:217 redudp_drop_client(...) [192.168.0.113:50662->8.8.8.8:53]: Dropping... 1504080997.302259 notice redudp.c:500 redudp_relay_error(...) [192.168.0.113:51871->8.8.8.8:53]: redudp_relay_error 1504080997.302313 info redudp.c:217 redudp_drop_client(...) [192.168.0.113:51871->8.8.8.8:53]: Dropping... ``` Could you explain what it is the purpose of **dest_ip** and **dest_port** here ? The next option I have tried is to use truncated DNS responses as you have mentioned in your README ``` 1504082310.695400 info dnstc.c:94 dnstc_pkt_from_client(...) [192.168.0.113:63094->0.0.0.0:5300]: sent truncated DNS reply 1504082311.699424 info dnstc.c:94 dnstc_pkt_from_client(...) [192.168.0.113:63094->0.0.0.0:5300]: sent truncated DNS reply 1504082313.699975 info dnstc.c:94 dnstc_pkt_from_client(...) [192.168.0.113:63094->0.0.0.0:5300]: sent truncated DNS reply 1504082313.962738 info dnstc.c:94 dnstc_pkt_from_client(...) [192.168.0.113:61305->0.0.0.0:5300]: sent truncated DNS reply 1504082317.704753 info dnstc.c:94 dnstc_pkt_from_client(...) [192.168.0.113:63094->0.0.0.0:5300]: sent truncated DNS reply ``` However it seems according to TCP dump and connections in the kernel on my router after getting the truncated response the resolver doesn't try to use TCP, as I can assume an RFC compliant resolver should send DNS request via the TCP request on the port 53 ? To be honest I am not a professional in a low level packet analysis. I have tried to understand the implementation of DNS resolution in different applications like firefox, winproxy, but there are a lot of stuff to read and debug in order to get this. According the RFC SOCKS5 accepts UDP packets with the **0x03: associate a UDP port** I have successfully managed to use DNS resolution over SOCKS5 with this small application https://github.com/jtripper/dns-tcp-socks-proxy . As far as I can understand this application just parses predefined list of DNS servers that work over TCP chooses a random one and sends a simple TCP request to a proxy server. Here is the part of the implementation ``` // select random dns server in_addr_t remote_dns = inet_addr(dns_servers[rand() % (NUM_DNS - 1)]); memcpy(tmp, "\x05\x01\x00\x01", 4); memcpy(tmp + 4, &remote_dns, 4); memcpy(tmp + 8, "\x00\x35", 2); ``` However using the DNS resolution in this way will not pretend that a local DNS server is used. This configuration is equal to the statically set DNS server, for example in a router as far as the name resolution is made through the public DNS servers, am I right ? Could you please suggest the direction to follow and answer my question ? I would be grateful for any help

Another tool that des something similar is GitHub - jtripper/dns-tcp-socks-proxy: Simple daemon to tunnel DNS requests over SOCKS

HulaHoop · February 11, 2018, 5:25pm

Other useful tools in case the previous were duds:

https://gitweb.torproject.org/ioerror/ttdnsd.git

ttdnsd accepts DNS requests via UDP and forwards the to a resolving nameserver via TCP. The actual requests are really just forwarded so one has complete access to the nameserver ttdnsd is talking to.

ttdnsd only connects to the resolving nameserver after receiving a request via UDP. For each connection ttdnsd randomly selects one of the nameservers it knows about (see OPTIONS below). The connection will be used for forwarding multiple requests in a pipelined fashion and is kept open only until no more requests are received via UDP. This pipelining is required to overcome the initial connection overhead time which is quite long when using TOR.

Simple Linux epoll-based single thread SOCKS5 client. Supports getting destination address with SO_ORIGINAL_DST (for use with -j REDIRECT iptables target) and telling that address to SOCKS server.

Alternative, more complete libevent-based implementation: redsocks

No licensing info found

python script setting up a transparent proxy to forward all TCP and DNS traffic through a SOCKS / SOCKS5 or HTTP(CONNECT) proxy using iptables -j REDIRECT target

Free license

Patrick · February 12, 2018, 9:49am

redsocks might work to restrict applications running under a specific user so these get stream isolated with better guarantee. Better than torsocks, but worse less guarantee than a split network architecture (isolating proxy). Anyhow. Worthwhile.

Perhaps the whole thing could be automated with linux network namespaces. I.e. run some command, that creates a (temporary?) linux user account (and/or linux network namespace), forces all connections to redsocks which then forwards to a Tor SocksPort. We could use the same Tor SocksPort and then have configure redsocks to use a different socks user name so Tor will stream isolate it. It’s like inventing a new tool.

Patrick · February 12, 2018, 3:32pm

Related to redsocks:

github.com/QubesOS/qubes-issues

Transparent SSH SOCKS proxy for Qubes

opened 01:44PM - 22 Dec 15 UTC

hdevalence

T: enhancement C: other P: major community dev S: in progress

**Community Dev:** @zrubi **PoC:** https://groups.google.com/d/msgid/qubes-deve…l/d9731ee0-e89b-75e2-f024-83e59d02d8c8%40zrubi.hu ----- Hi. I'd like to implement a transparent SOCKS proxy for Qubes using SSH. This way a user can transparently tunnel all traffic from a particular AppVM through another server, without having to configure a VPN or worry about a fail-open setup. I think it should work roughly as follows: 1. The user creates the proxyvm and enables the qubes-ssh-proxy service: ``` qvm-create -p sys-ssh-proxy qvm-service sys-ssh-proxy -e qubes-ssh-proxy ``` 2. In the template, the user installs the ssh proxy: ``` sudo dnf install qubes-ssh-proxy ``` 3. In the proxyVM, the user configures the ssh proxy: ``` sudo ssh-keygen -q -N "" -C qubes-ssh-proxy -t ed25519 -f /rw/config/id_qubes_ssh sudo sed -i 's/XXXX/user@host/' /rw/config/qubes-ssh-proxy.service cat /rw/config/id_qubes_ssh.pub ``` 4. The user adds the ssh public key from the previous step to their `.authorized_keys` file on the server. 5. The user sets the new ProxyVM as the NetVM for some AppVM. All TCP traffic from the AppVM is sent through the ssh tunnel and all UDP traffic is dropped. Internally, ssh is run as a systemd service, so that restarting on failure, logging, etc. all happens automatically, and iptables sends incoming traffic through the tunnel. Next, it would be good to automate the setup using the configuration management, so that a user just has to input `user@hostname` and they're given the generated ssh key to add to the server.

Even mentioned in Whonix wiki:

HulaHoop · February 12, 2018, 4:35pm

Now we’re talkin

Sounds good. I’ll look into it. Many Whonix programs are very specialized for our own purposes anyhow. At least you write once, run everywhere later. It will really give us flexibility to expand our software selection without having to compromise on stream isolation or butt heads against upstream limitations.

HulaHoop · February 12, 2018, 8:05pm

Aside from the author’s opinion and the fact that badvpn is not packed in Debian, he gives a clue on how to use namespaces to redirect inidiviual processes with redsocks.

github.com

phillipberndt/scripts/blob/master/tunsocks/tunsocks.cc

// tunsocks -- Tunnel a process through a socks server
// Copyright (c) 2016, Phillip Berndt
//
// This is a new approach: The program sets up a TUN device inside an anonymous
// network namespace and relays all traffic through that device to the proxy.
// The device is set as the namespace's default route. The target process is
// then started within said namespace.
//
// This has some benefits over existing solutions:
//
// tsocks uses LD_PRELOAD to patch the socket() etc. calls. This can be easily
// circumvented.
//
// redsocks does transparent proxying by using iptables' REDIRECT. This is
// feasible for system-wide redirection, but it is hard to isolate a single
// process. The only options to to that were either to use a different UID,
// which is pretty secure, but also restricts what you can to with the
// process in other ways, or to use network namespaces with virtual devices,
// and to set up the rule only for traffic from the endpoint in the global
// namespace. It is a pain to configure this.

This file has been truncated. show original

// redsocks does transparent proxying by using iptables’ REDIRECT. This is
// feasible for system-wide redirection, but it is hard to isolate a single
// process. The only options to to that were either to use a different UID,
// which is pretty secure, but also restricts what you can to with the
// process in other ways, or to use network namespaces with virtual devices,
// and to set up the rule only for traffic from the endpoint in the global
// namespace. It is a pain to configure this.

EDIT:

Found an intro on network namespaces

Patrick · February 12, 2018, 10:04pm

Yes.

Also did you mention another torification tool lately? That had even a bit shorter code. Was written in C and used iptables commands internally if I remember right.

I guess such a tool could be written in bash or python. At the moment I see no reason to go for C.

HulaHoop · February 13, 2018, 6:02pm

You mean ttdnsd : The TOR TCP DNS Daemon ? It uses LD_PRELOAD instead of iptables AFAICT. I am not sure it can do application specific routing by itself. solutions that use LD_PRELOAD are said to be easily circumvented by the tunsocks author. I don’t know if he meant accidental or deliberate malicious actions. If we are talking malfeasance then we have bigger problems. Also we wouldn’t ever install a malicious program on purpose so it s a moot point.

IMO tunsocks is our best bet since it does all the program specific namespace redirection leg work. Though it does not support UDP, it is able to encapsulate DNS with TCP and forward it to the socks server you want.

(tunsocks should not be confused with tun2socks - the latter a part of a feature rich suite known as badvpn)

Depending on the re-write difficulty, I wouldn’t worry much about language safety because it runs in the WS.

Patrick · February 14, 2018, 10:41am

No, I meant AORTA a transparent Tor proxy for Linux programs.

It uses iptables internally.

In Source code search for

"-t nat -A aorta -d 127.0.0.0/8 -p udp -m udp ! --dport 53 -j RETURN",

etc.

Patrick · February 28, 2018, 5:08pm

That might require to modify $HOME variable and allowing the other linux user account name to write to user user’s folder. Probably solvable.

Patrick · May 22, 2018, 2:03am

Solution: multiple Tor TransPorts and DnsPorts pre-configured.

Patrick · May 22, 2018, 2:07am

Summary way forward:

As uwt/torsocks replacement…

Run application either

a) under its own linux user name (problematic linux access rights) OR
b) under its own linux network namespace (strongly preferred)

then redirect to pre-configured Tor TransPorts or DnsPorts.

(Similar to how we currently pre-configure multiple Tor SocksPorts currently.)

Patrick · August 7, 2018, 11:31am

Looks like the following does almost that. Untested. Looks interesting.

https://orjail.github.io/

https://lists.torproject.org/pipermail/tor-talk/2018-July/044330.html

Patrick · August 7, 2018, 11:57am

orjail doesn’t have stream isolation support yet but that should be doable to add.

.

HulaHoop · August 8, 2018, 1:39am

Bonus: it integrates with firejail too

Patrick · August 8, 2018, 7:53am

github.com/orjail/orjail

add stream isolation support

opened 07:53AM - 08 Aug 18 UTC

closed 12:36AM - 13 Aug 18 UTC

adrelanos

enhancement

* `TransPort` is currently hardcoded to `9040` * `DnsPort` is currently hardcod…ed to `5354` It would be good to make that configurable. By using distinct `TransPort` / `DnsPort` ports per application you would gain stream isolation. `torsocks` supports `IsolatePID`. ``` # Set Torsocks to use an automatically generated SOCKS5 username/password based # on the process ID and current time, that makes the connections to Tor use a # different circuit from other existing streams in Tor on a per-process basis. # If set, the SOCKS5Username and SOCKS5Password options must not be set. # (Default: 0) IsolatePID 1 ``` Which then results in using Tor's [`IsolateSOCKSAuth`](https://www.torproject.org/docs/tor-manual.html.en). >Don’t share circuits with streams for which different SOCKS authentication was provided. (For HTTPTunnelPort connections, this option looks at the Proxy-Authorization and X-Tor-Stream-Isolation headers. On by default; you can disable it with NoIsolateSOCKSAuth.) `TransPort` / `DnsPort` doesn't support user auth credentials which would lead to stream isolation so the only way is to use distinct ports.

.

Patrick · August 14, 2018, 6:54pm

.

Patrick · August 19, 2018, 3:03pm

github.com/orjail/orjail

Debian packaging

orjail:master ← adrelanos:initial-deb-packaging

opened 03:01PM - 19 Aug 18 UTC

adrelanos

+982 -5

In future, would like to see orjail ending up in: * 1) Whonix's deb repositor…y, (so it can be installed in Whonix, likely installed by default, [...]) * 2) in debian.org's repository, (so as much people as possible start using this) * 3) elsewhere as other distributions and their packagers are welcome to step up To aid this, I created the Debian packaging. One additional dependency, [genmkfile](https://github.com/Whonix/genmkfile). Implements #24. ----- Just run ``` make deb-pkg ``` and a `../orjail_1.0-1_all.deb` will be created . Then you can install it using: ``` sudo dpkg -i ../orjail_1.0-1_all.deb ``` Will then be installed to `/usr/sbin/orjail`. And remove: ``` sudo apt-get purge orjail ``` Then everything will be removed. Lintian warning free, so Debian policy conform. --- Other makefile features: ``` make help ``` ``` make help Show this help. make dist Create package-version.tar.gz from source files in $DISTDIR (default ".."). make undist Delete package-version.tar.gz from source files in $DISTDIR (default ".."). make debdist Create debian.tar.gz from source files in $DISTDIR (default ".."). make undebdist Delete debian.tar.gz from source files in $DISTDIR (default ".."). make manpages Create man page from man source folder, which will be stored in debian/tmp-man folder. make uch Store upstream changelog from git log in debian/changelog.upstream. make install Copying the files from the source tree to system-wide directories. make installsim Simulate copying the files from the source tree to system-wide directories. make deb-pkg Create a deb, which will be stored in parent folder. make deb-pkg-install Create a deb, which will be stored in parent folder, and install it. make deb-install Install deb from parent folder. make deb-icup Combination of make deb-pkg, make deb-pkg-install and make deb-pkg-cleanup. make deb-remove apt-get remove make_source_package_name make deb-purge apt-get purge make_source_package_name make deb-clean Delete temporary debhelper files. make deb-cleanup Same as make deb-clean and deletes debuild artifacts from parent folder. make dput-ubuntu-ppa Upload to Ubuntu ppa. Requires functional .dput.cf. make clean Currently same as make deb-clean. make distclean Currently same as make clean. make checkout Fetch from git. make installcheck Check if source files match installed files. make uninstallcheck Check if make uninstall removed all files. make uninstall Delete all installed files. make uninstallsim Simulate what make uninstall would do. make deb-chl-bumpup Bump upstream version number in debian/changelog. make git-tag-sign git tag (-s) sign latest pkg_version_with_revision from debian/changelog. Only a repository sanity check. Not for security purposes! make git-tag-verify git tag (-v) verify latest pkg_version_with_revision from debian/changelog. Only a repository sanity check. Not for security purposes! make git-tag-check Check if current git head is a signed git tag. Only a repository sanity check. Not for security purposes! make git-commit-verify Check if current git head is a signed git commit. Only a repository sanity check. Not for security purposes! make git-verify Combination of tag-check and commit-verify. Only a repository sanity check. Not for security purposes! ```

.

Patrick · August 19, 2018, 3:25pm

github.com/orjail/orjail

exit with exit code of the application / use cleanup trap

opened 03:18PM - 19 Aug 18 UTC

closed 09:06PM - 25 Aug 18 UTC

adrelanos

``` # use firejail as security container if [ $USEFIREJAIL = y ]; then if [… "$SUDOBIN" ]; then $SUDOBIN -u "$USERNAME" "$FIREJAILBIN" "${FIREJAILARGS[@]}" --dns="$IPHOST" --netns="$NAME" "$@" else su "$USERNAME" -c "$FIREJAILBIN ${FIREJAILARGS[*]} --dns=$IPHOST --netns=$NAME $*" fi else #or without ip netns exec "$NAME" \ unshare --ipc --fork --pid --mount --mount-proc \ "$0" --inside "$USERNAME" "$RESOLVEFILE" "$VERBOSE" "$@" || \ die "Failed to execute the inside part of this script" fi # clean some shit cleanup # All done! ``` Running `cleanup` by writing `cleanup` at the end leads to the exit code of the application being forgotten. Using... trap "cleanup" EXIT would be much nicer. That way your cleanup code gets run on any termination as well as you don't need something like `exit_code=$?`, `exit $exit_code`. Why? This would be useful for use use in scripts. A wrapper should interfere with the wrapped application as little as possible, i.e. no extraneous output in most cases (unless debug, unless some special error) and forwarding the exit code of the wrapped application.

github.com/orjail/orjail

check iptables exit codes

opened 03:23PM - 19 Aug 18 UTC

closed 11:05PM - 28 Aug 18 UTC

adrelanos

``` # REJECT all traffic coming from orjail # this is needed to avoid reac…hing other interfaces iptables -I INPUT -i in-"$NAME" -p udp --destination "$IPHOST" --dport "$DNSPORT" -j ACCEPT && iptables -I INPUT -i in-"$NAME" -p tcp --destination "$IPHOST" --dport "$TRANSPORT" -j ACCEPT && if [[ $HIDDENSERVICE = y ]]; then iptables -I INPUT -i in-"$NAME" -p tcp --source "$IPNETNS" --sport "$HSERVICEPORT" -j ACCEPT && iptables -I INPUT -i in-"$NAME" -p tcp --destination "$IPNETNS" --dport "$HSERVICEPORT" -j ACCEPT fi ``` Usually you're using `die "Failed to configure the iptable for accepting connection"` but there you don't. For consistency would it be better to cover these as well?

.