mpsocks_lib

#!/bin/bash

IMG=${IMG:-"mpsocks.img"}
DIR="mount_${IMG}"

SUBNET16=${SUBNET16:-"10.66"}
SUBNETSTART=${SUBNETSTART:-"6"}

TABLESTART=665

TAP_PREFIX=${TAP_PREFIX:-"mptcp"}

SOCK_PORT=${SOCK_PORT:-6666}

subnet24() {
	local n=${1:-0}
	echo "${SUBNET16}.$(($n + $SUBNETSTART))"
}

# $1 24's subnet idx, $2 nth subnet's ip
nth_ip() {
	echo "$(subnet24 ${1}).${2}"
}

subnet() {
	echo "$(nth_ip ${1:-0} 0)/24"
}

host_ip() {
	nth_ip ${1:-0} 1
}

host_cidr() {
	echo "$(host_ip ${1:-0})/24"
}

guest_ip() {
	nth_ip ${1:-0} 2
}

guest_cidr() {
	echo "$(guest_ip ${1:-0})/24"
}

build_image() {
	qemu-img create $IMG 10g
	mkfs.ext3 $IMG
	mkdir $DIR
	sudo mount -o loop $IMG $DIR

	git clone https://salsa.debian.org/installer-team/debootstrap.git
	sudo DEBOOTSTRAP_DIR=$(pwd)/debootstrap ./debootstrap/debootstrap --arch amd64 stretch $DIR

	sudo chroot $DIR passwd root

	# auto up our mgmt interface
	#TODO check EOF when rerun, due to align change
	sudo bash -c "grep -q enp0s3 $DIR/etc/network/interfaces ||
	cat >> $DIR/etc/network/interfaces <<EOF

auto enp0s3
allow-hotplug enp0s3
iface enp0s3 inet dhcp
EOF"

	# install SSH and our key.

	sudo chroot $DIR apt-get install -y openssh-server --allow-unauthenticated
	sudo mkdir $DIR/root/.ssh
	sudo chmod 700 $DIR/root/.ssh
	sudo bash -c "cat $HOME/.ssh/id_rsa.pub >> $DIR/root/.ssh/authorized_keys"
	sudo chmod 600 $DIR/root/.ssh/authorized_keys

	# TODO integrate this, i did this to cancel the default route learn over dhcp for mgmt
	# we won't use it.
	# cat /etc/dhcp/dhclient-exit-hooks.d/drop_default
	# if [ "${reason}" = "BOUND" -a "${interface}" = "enp0s3" ] ; then
	#         if [ "$(ip r | grep default | awk '{print $3}')" = "${new_routers}" ] ; then
	#                 ip route del default
	#         fi
	# fi
	sudo umount $DIR
	rmdir $DIR
}

build_kernel() {
	git clone https://github.com/multipath-tcp/mptcp.git
	cd mptcp
	make O=build-kvm x86_64_defconfig
	make O=build-kvm kvmconfig

	scripts/config --file build-kvm/.config --enable MPTCP
	scripts/config --file build-kvm/.config --enable MPTCP_PM_ADVANCED
	scripts/config --file build-kvm/.config --enable MPTCP_FULLMESH
	scripts/config --file build-kvm/.config --enable MPTCP_NDIFFPORTS
	scripts/config --file build-kvm/.config --enable MPTCP_BINDER
	scripts/config --file build-kvm/.config --enable MPTCP_NETLINK
	scripts/config --file build-kvm/.config --enable DEFAULT_FULLMESH
	scripts/config --file build-kvm/.config --set-str DEFAULT_MPTCP_PM "fullmesh"
	scripts/config --file build-kvm/.config --enable MPTCP_SCHED_ADVANCED
	scripts/config --file build-kvm/.config --enable MPTCP_BLEST
	scripts/config --file build-kvm/.config --enable MPTCP_ROUNDROBIN
	scripts/config --file build-kvm/.config --enable MPTCP_REDUNDANT
	scripts/config --file build-kvm/.config --enable DEFAULT_SCHEDULER
	scripts/config --file build-kvm/.config --set-str DEFAULT_MPTCP_SCHED "default"

	scripts/config --file build-kvm/.config --disable RETPOLINE

	scripts/config --file build-kvm/.config --enable NETFILTER_ADVANCED
	scripts/config --file build-kvm/.config --module IP_NF_TARGET_REDIRECT

	make O=build-kvm olddefconfig
	make O=build-kvm -j 8
	cd -

	build_kernel_modules
}

build_kernel_modules() {
	cd mptcp
	make O=build-kvm -j 8 modules
	make O=build-kvm INSTALL_MOD_PATH=$PWD/build-kvm/mymodules/ -j 8 modules_install
	cd -
}

tap_name() {
	echo "${TAP_PREFIX}${1:-0}"
}

configure_host_tap() {
	local n=${1:-0}
	local tap=$(tap_name $n)

	sudo ip tuntap add mode tap user $(whoami) name $tap
	sudo ip address add $(host_cidr $n) dev $tap
	sudo ip l set dev $tap up
}

clean_host_tap() {
	local tap=$(tap_name ${1:-0})
	sudo ip link del $tap
}

ssh_vm() {
	ssh -o "UserKnownHostsFile /dev/null" -o "StrictHostKeyChecking no" -p 6222 root@localhost $@
}

ssh_vm_pseudoterm() {
	ssh -t -o "UserKnownHostsFile /dev/null" -o "StrictHostKeyChecking no" -p 6222 root@localhost $@
}

guest_itf() {
	echo "enp0s$((4 + ${1:-0}))"
}

guest_table() {
	local n=${1:-0}

	if [ "$n" = 0 ] ; then
		echo "main"
	else
		echo $(($TABLESTART + $n))
	fi
}

host_table() {
	local n=${1:-0}
	echo $(($TABLESTART + $n))
}

configure_guest_nw() {
	local n=${1:-0}
	local itf=$(guest_itf $n)
	local table=$(guest_table $n)

	ssh_vm ip addr add $(guest_cidr $n) dev $itf
	ssh_vm ip link set dev $itf up

	ssh_vm ip rule add from $(guest_ip $n) table $table
	ssh_vm ip route del default table $table
	ssh_vm ip route add default via $(host_ip $n) table $table
}

configure_host_nat() {
	local n=${1:-0}
	sudo iptables -t nat -A POSTROUTING -s $(guest_ip $n)/32 -j MASQUERADE
	sudo iptables -A FORWARD -i $(tap_name $n) -j ACCEPT
	sudo iptables -A FORWARD -o $(tap_name $n) -j ACCEPT
}

clean_host_nat() {
	local n=${1:-0}
	sudo iptables -t nat -D POSTROUTING -s $(guest_ip $n)/32 -j MASQUERADE
	sudo iptables -D FORWARD -i $(tap_name $n) -j ACCEPT
	sudo iptables -D FORWARD -o $(tap_name $n) -j ACCEPT
}

# $1 where to get out from src routing
configure_host_source_routing() {
	local itf=${1?Which itf should I use to go out ???}
	local n=${2:-1}
	local tap=$(tap_name $n)
	local table=$(host_table $n)

	sudo ip rule add iif $tap table $table

	local gw=$(ip route | grep default | grep $itf | awk '{ print $3}')
	sudo ip route add default via $gw table $table
}

clean_host_source_routing() {
	local n=${1:-1}
	local tap=$(tap_name $n)
	local table=$(host_table $n)

	sudo ip rule del iif $tap table $table
	sudo ip route del default table $table
}

check_mptcp() {
	# wget into an identity crisis obviously
	ssh_vm wget -O- -U curl multipath-tcp.org 2>/dev/null
}

run_ssh_socks() {
	ssh -o "UserKnownHostsFile /dev/null" -o "StrictHostKeyChecking no" -p 6222 -D $SOCK_PORT -N  root@localhost
}

run_socks() {
	echo "Starting ^C to kill it !"
	local method=${1:-ssh}
	run_${method}_socks
}

install_vm_extra() {
	boot_vm 0 yes 2>/dev/null &
	wait_vm_ssh
	ssh_vm mkdir -p tools
	install_dante
	install_redsocks
	ssh_vm shutdown -h now
}

install_dante() {
	ssh_vm apt-get install -y --allow-unauthenticated build-essential
	ssh_vm "wget -O- https://www.inet.no/dante/files/dante-1.4.2.tar.gz | tar -ixz --directory tools"
	ssh_vm "cd tools/dante-1.4.2 && ./configure && make"
}

install_redsocks() {
	ssh_vm apt-get install -y --allow-unauthenticated libevent-2.0-5 libevent-core-2.0-5 libevent-dev
	ssh_vm "wget -O- https://github.com/darkk/redsocks/archive/release-0.5.tar.gz | tar ixz --directory tools"
	ssh_vm "cd tools/redsocks-release-0.5 && make"
}

run_dante_socks() {
	cat <<EOF | ssh_vm "cat - > /tmp/sockd.conf"
logoutput: stderr

internal: $(guest_ip) port = $SOCK_PORT

external: $(guest_ip)

socksmethod: none

client pass {
        from: $(subnet) port 1-65535 to: 0.0.0.0/0
}

socks pass {
        from: $(subnet) to: 0.0.0.0/0
        protocol: tcp udp
}
EOF
	ssh_vm_pseudoterm tools/dante-1.4.2/sockd/sockd -f /tmp/sockd.conf
}

run_redsocks() {
	cat <<EOF | ssh_vm "cat - > /tmp/redsocks.conf"
base {
        // debug: connection progress
        log_debug = off;

        // info: start and end of client session
        log_info = on;

        log = stderr;

        // detach from console
        daemon = on;

        redirector = iptables;

}

redsocks {
        /* 'local_ip' defaults to 127.0.0.1 for security reasons,
         * use 0.0.0.0 if you want to listen on every interface.
         * 'local_*' are used as port to redirect to.
         */
        local_ip = 0.0.0.0;
        local_port = 12345;

        // 'ip' and 'port' are IP and tcp-port of proxy-server
        // You can also use hostname instead of IP, only one (random)
        // address of multihomed host will be used.
        ip = $(guest_ip);
        port = $SOCK_PORT;

        // known types: socks4, socks5, http-connect, http-relay
        type = socks5;

}
EOF

	ssh_vm iptables -t nat -N REDSOCKS

	# ssh_vm iptables -t nat -A REDSOCKS -d 0.0.0.0/8 -j RETURN
	ssh_vm iptables -t nat -A REDSOCKS -d 10.0.0.0/8 -j RETURN
	# ssh_vm iptables -t nat -A REDSOCKS -d 127.0.0.0/8 -j RETURN
	# ssh_vm iptables -t nat -A REDSOCKS -d 169.254.0.0/16 -j RETURN
	# ssh_vm iptables -t nat -A REDSOCKS -d 172.16.0.0/12 -j RETURN
	# ssh_vm iptables -t nat -A REDSOCKS -d 192.168.0.0/16 -j RETURN
	# ssh_vm iptables -t nat -A REDSOCKS -d 224.0.0.0/4 -j RETURN
	# ssh_vm iptables -t nat -A REDSOCKS -d 240.0.0.0/4 -j RETURN

	ssh_vm iptables -t nat -A REDSOCKS -p tcp -j REDIRECT --to-ports 12345

	ssh_vm iptables -t nat -A PREROUTING --in-interface $(guest_itf) -p tcp -j REDSOCKS

	ssh_vm tools/redsocks-release-0.5/redsocks -c /tmp/redsocks.conf

}

qemu_vm_netdev() {
	local n=${1:-1}
	local i

	for i in $(seq 0 $(($n - 1))); do
		echo -n "-device e1000,netdev=network${i} "
		echo -n "-netdev tap,id=network${i},ifname=$(tap_name $i),script=no,downscript=no "
	done
}

boot_vm() {
	local n=${1:-1}
	local quiet=${2:-no}
	local display

	if [ $quiet = "yes" ]; then
		display="-display none"
	else
		display="-nographic"
	fi

	qemu-system-x86_64 -m 512 -kernel ./mptcp/build-kvm/arch/x86/boot/bzImage -hda $IMG -append "root=/dev/sda rw console=ttyS0" --enable-kvm $display -device e1000,netdev=mgmt -netdev user,id=mgmt,hostfwd=tcp:127.0.0.1:6222-:22 $(qemu_vm_netdev $n) \
		-fsdev local,security_model=mapped-xattr,id=fsdev0,path=$PWD/mptcp/build-kvm/mymodules/lib/modules,readonly -device virtio-9p-pci,id=fs0,fsdev=fsdev0,mount_tag=modules
}

wait_vm_ssh() {
	echo -n "Waiting for ssh's vm to be ready..."

	while ! ssh_vm echo "Ready!" 2>/dev/null ; do
		echo -n ".";
		sleep 1;
	done
}

mount_vm_modules() {
	ssh_vm mkdir -p /lib/modules
	ssh_vm mount -t 9p -o trans=virtio,version=9p2000.L modules /lib/modules
}

# $1: comma-separated list of interface to use
boot_socks() {
	local itfs=${1?First params is comma-separated list of interface}
	local itfa=($(echo ${itfs} | tr ',' ' '))
	local n=${#itfa[@]}
	local maxidx=$((n - 1))
	local i

	for i in $(seq 0 $maxidx); do
		configure_host_tap $i
		configure_host_nat $i
		configure_host_source_routing ${itfa[$i]} $i
	done

	boot_vm $n yes &

	wait_vm_ssh

	mount_vm_modules

	for i in $(seq 0 $maxidx); do
		configure_guest_nw $i
	done

	run_redsocks
	run_socks dante

	ssh_vm shutdown -h now

	for i in $(seq 0 $maxidx); do
		clean_host_tap $i
		clean_host_nat $i
		clean_host_source_routing $i
	done
}