Closed xSmurf closed 8 years ago
i patched onioncircuits here: https://github.com/david415/onioncircuits/tree/add_control_port_env.0
and filed this ticket with the tails dev team here: https://labs.riseup.net/code/issues/11402
i tested my patched onioncircuits with my dev branch of roflcoptor that can listen on a unix domain socket (if it's specified in the config): https://github.com/david415/roflcoptor/commits/1.add_unix_domain_socket.2
In watch mode I was able to see all the chatting onioncircuits did to what it thought was the tor control port... At this point I'm not sure how to filter this traffic without a regex because many of the server responses begin with a circuit ID. I'll have to think about this some more.
i landed the unix domain socket + multi-listener feature. we just need to figure out how best to filter onioncircuits. the responses start with the circuit id and we should allow this in the filter policy but so far our filter policies only work by either exact string match or prefix match... whereas we perhaps want a way to say allow all server responses.
the author of onioncircuits has added the requested feature addition of user specified control port allowing for a unix domain socket file. the latest onioncircuits testing package in debian may well contain the new feature.
I have a filter for onioncircuits in the branch at https://github.com/subgraph/roflcoptor/pull/45 but it currently applies to all python3.5 apps because the per-app-socket functionality is broken (in both roflcoptor and oz, apparently).
per-app-socket functionality or policy listeners are now working correctly in roflcoptor. furthermore here's my pull-request for an onioncircuits oz profile: https://github.com/subgraph/oz/pull/73
my modification of leif's onioncircuits roflcoptor policy file specifies a unix socket listener for the roflcoptor onioncircuits policy listener: https://github.com/david415/roflcoptor/blob/add_onioncircuits_policy.0/filters/onioncircuits.json
this socket file /var/run/roflcoptor/onioncircuits.socket is used by the oz profile for onioncircuits in the above pull request.
this feature was merged!
i believe onioncircuits requires its connection to the control port to be via unix domain socket. therefore this issue depends on first resolving -> https://github.com/subgraph/roflcoptor/issues/9
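
The filtering problem raised in the comments above (server replies that begin with a circuit ID defeat exact and prefix matching), as an added Go example that is not roflcoptor's code or policy format. The `Rule` type, its kinds and the sample reply lines are constructed for illustration; the line shape assumed is the Tor control-spec `CircuitID SP CircStatus`.

```go
package main

import (
	"fmt"
	"strings"
)

// Rule is a hypothetical allow rule; it is not roflcoptor's policy format.
type Rule struct{ Kind, Value string } // Kind: "exact", "prefix" or "circuit"

// isCircuitID accepts 1 to 16 ASCII letters or digits (control-spec CircuitID).
func isCircuitID(s string) bool {
	if len(s) == 0 || len(s) > 16 {
		return false
	}
	for _, c := range s {
		if !(c >= '0' && c <= '9' || c >= 'a' && c <= 'z' || c >= 'A' && c <= 'Z') {
			return false
		}
	}
	return true
}

// Allowed reports whether one server reply line matches any rule.
func Allowed(rules []Rule, line string) bool {
	for _, r := range rules {
		switch r.Kind {
		case "exact":
			if line == r.Value {
				return true
			}
		case "prefix":
			if strings.HasPrefix(line, r.Value) {
				return true
			}
		case "circuit": // "<CircuitID> <CircStatus> ...": validate the ID, then match the status
			id, rest, ok := strings.Cut(line, " ")
			if ok && isCircuitID(id) && (rest == r.Value || strings.HasPrefix(rest, r.Value+" ")) {
				return true
			}
		}
	}
	return false
}
func main() {
	rules := []Rule{{"exact", "250 OK"}, {"circuit", "BUILT"}}
	for _, l := range []string{"250 OK", "12 BUILT $AAAA~relay1", "12 SETCONF x"} { // constructed lines
		fmt.Printf("%-26q allowed=%v\n", l, Allowed(rules, l))
	}
}
```

Matching the status keyword after a validated ID keeps the policy an allow-list, which a blanket "allow all server responses" rule would not.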