From 8a9f6240201e991cbe94c05070189a996c6cbe5f Mon Sep 17 00:00:00 2001 
From: Simon Date: Tue, 9 May 2023 23:10:16 +0100 Subject: [PATCH] Squashed commit of the following: commit a490c6832695a2f5593a03b57386692d2d32850f Author: Simon Date: Tue May 9 19:12:11 2023 +0100 flkdlkf commit 807887ac815f72ed5b00e639ef466759fc423e88 Author: Simon Date: Tue May 9 19:08:22 2023 +0100 klkl commit 23c9a59a8e915fc1716e3d9b0d64ffe9ad3f5130 Author: Simon Date: Tue May 9 19:04:32 2023 +0100 dd commit ff8b8ee83f1968daf7488140a5b47d0b05992bf6 Author: Simon Date: Tue May 9 19:00:05 2023 +0100 klkdlk commit 30b72208c7ec191d5178fd478475438cf56f7a11 Author: Simon Date: Tue May 9 18:51:47 2023 +0100 typo commit fa2a5bf10524cb3830163e10e584c0d0738654ad Author: Simon Date: Tue May 9 18:48:14 2023 +0100 gmgm commit b300a12731fbef0a03eb953eb759770bd9ef99a6 Author: Simon Date: Tue May 9 18:37:35 2023 +0100 don't need self? commit f9fec3ed68ec9981ca9e21f923d2169065bd15da Author: Simon Date: Tue May 9 18:32:26 2023 +0100 Trying to get callinthread correct commit 9a47064d56168c40a9bb5ef270ed85a0db0ae335 Author: Simon Date: Tue May 9 17:40:44 2023 +0100 priv helper commit 0b131651599e91989b186af715cab9e1713021ad Author: Simon Date: Tue May 9 17:36:22 2023 +0100 ph commit fc9e9dcbd915333e4df7b52bba47eb63bc98aca5 Author: Simon Date: Tue May 9 12:03:35 2023 +0100 fix commit e043fd4c82a8c60ccfa7ffbabe2ec2637afa59e3 Author: Simon Date: Tue May 9 10:09:38 2023 +0100 Create /run/priv_control in preparation for priv_control unix socket commit 49df720303ff7724102a0d392e4cc44fb9e5143d Author: Simon Date: Tue May 9 10:02:08 2023 +0100 Add Pyro5 to requirements commit 2ff6b49fb51cf2dbe770097ef33d5aa5f86e4cf1 Author: Simon Date: Mon May 8 22:21:58 2023 +0100 ff commit 44cf8e3182860f691d57c7d194ff2064686db6cd Author: Simon Date: Mon May 8 22:17:11 2023 +0100 Add Pyro5 to Proxy commit c70711deac31186fc6403b80e4e24fce713562dd Merge: 7b13b9f b373917 Author: Simon Date: Mon May 8 22:16:50 2023 +0100 Merge branch 'master' into testing commit 7b13b9f04638b637bf2d1ac79d3885ce1005f137 
Author: Simon Date: Sun Jan 29 19:01:33 2023 +0000 SERVER_ID is bytes! commit cee3bc76fb8cb8dfaa72a9816469e3bf525341c9 Author: Simon Date: Sun Jan 29 18:50:06 2023 +0000 frog commit 82432b9c2c28f850551719f8dfb8b350accdcc62 Author: Simon Date: Sun Jan 29 18:49:53 2023 +0000 fred commit 6601573c7fe6464f39a8d09f4f4311c16f61ba1f Author: Simon Date: Sun Jan 29 18:39:08 2023 +0000 Stringly commit 28fa37f8280e13f0748b9d94c3e46ffb2406e3e6 Author: Simon Date: Sun Jan 29 18:30:37 2023 +0000 self commit 3e6d28d4dda82e81755ce8020eb1cbd5d89b004e Author: Simon Date: Sun Jan 29 18:23:42 2023 +0000 Fix trace commit a15901dc79d80a2be8fd17166d3d2e81cf384616 Author: Simon Date: Sun Jan 29 18:21:30 2023 +0000 Tweak config file used in install script commit 654ec135ca0da89086f42de85405af6dfbf963eb Merge: f75ff26 d4e3922 Author: Simon Date: Sun Jan 29 17:48:22 2023 +0000 Merge branch 'master' into testing commit f75ff26cfab2529543beca7aa73db9c69516e84d Merge: c0b5216 48339d3 Author: Simon Date: Sun Jan 29 17:46:07 2023 +0000 Merge branch 'master' into testing commit c0b5216e5a065701fe682174545ba76e08ef2afe Author: Simon Date: Sun Jan 29 11:04:45 2023 +0000 more config work commit c79ce0551dc60fc1de8149ae6926822125c4a397 Author: Simon Date: Sun Jan 29 00:54:56 2023 +0000 ib commit 294a09c8f1e18589e9fd22a5162ece201856b761 Author: Simon Date: Sun Jan 29 00:50:36 2023 +0000 Enable minimal config and tidy up global ACL commit d1dc58d46f5e7b7c1204c65653230bf05f13d088 Author: Simon Date: Sat Jan 28 23:12:41 2023 +0000 Deprecate protocol versions 2 and 3 --- .gitlab-ci.yml | 3 +- docker-configs/Dockerfile-ci | 4 ++- hotspot_proxy_v2.py | 62 +++++++++++++++++++++++++++++++----- requirements.txt | 1 + 4 files changed, 59 insertions(+), 11 deletions(-) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index cdcb2ae..ac941da 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml 
@@ -54,8 +54,7 @@ build-testing: # This job runs in the build stage, which runs first. script: - echo "Compiling the code..." - docker login -u $CI_REGISTRY_USER -p $CI_REGISTRY_PASSWORD $CI_REGISTRY - - docker buildx build --no-cache -f docker-configs/Dockerfile-ci -t gitlab.hacknix.net:5050/hacknix/freedmr:testing --platform linux/amd64 --push . - - docker logut + - docker buildx build --no-cache -f docker-configs/Dockerfile-ci -t $CI_REGISTRY/hacknix/freedmr:testing --platform linux/amd64 --push . only: - testing diff --git a/docker-configs/Dockerfile-ci b/docker-configs/Dockerfile-ci index a7389f3..9796126 100644 --- a/docker-configs/Dockerfile-ci +++ b/docker-configs/Dockerfile-ci @@ -29,7 +29,9 @@ RUN adduser -D -u 54000 radio && \ ls -lah && \ pip install --no-cache-dir -r requirements.txt && \ apk del git gcc musl-dev && \ - chown -R radio: /opt/freedmr + chown -R radio: /opt/freedmr && \ + mkdir /run/priv_control/ && \ + chown -R radio: /run/priv_control COPY docker-configs/entrypoint-proxy /entrypoint USER radio diff --git a/hotspot_proxy_v2.py b/hotspot_proxy_v2.py index bad2ba2..1e6a494 100644 --- a/hotspot_proxy_v2.py +++ b/hotspot_proxy_v2.py @@ -25,10 +25,11 @@ import ipaddress import os from setproctitle import setproctitle from datetime import datetime +import Pyro5.api # Does anybody read this stuff? There's a PEP somewhere that says I should do this. __author__ = 'Simon Adlem - G7RZU' -__copyright__ = 'Copyright (c) Simon Adlem, G7RZU 2020,2021,2022' +__copyright__ = 'Copyright (c) Simon Adlem, G7RZU 2020,2021,2022,2023' __credits__ = 'Jon Lee, G4TSN; Norman Williams, M6NBP; Christian, OA4DOA' __license__ = 'GNU GPLv3' __maintainer__ = 'Simon Adlem G7RZU' 
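Review bot: The `- docker logut` line is removed but not replaced by a working logout, so after this change the registry credentials written by `docker login` stay in the runner's `~/.docker/config.json` for the rest of the job and, on a non-ephemeral runner, beyond it. Put `- docker logout $CI_REGISTRY` in an `after_script:` so it also runs when the build step fails. The unchanged `docker login -u $CI_REGISTRY_USER -p $CI_REGISTRY_PASSWORD` passes the password on the command line; `echo "$CI_REGISTRY_PASSWORD" | docker login -u $CI_REGISTRY_USER --password-stdin $CI_REGISTRY` keeps it out of process listings and of any shell trace.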
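Review bot: `/run/priv_control` is created owned by `radio`, the unprivileged user the proxy runs as, yet it is where the privileged helper's Pyro5 socket is expected to live (`priv_control.unixsocket` in hotspot_proxy_v2.py), presumably bind-mounted from a privileged container or host process. Pyro5 does not authenticate callers on a unix socket, so the directory and socket modes are the only control over who can call `blocklistAdd`/`blocklistDel`/`flushUDPTarget`; with the Dockerfile's default umask this `mkdir` yields a 0755 directory, and the socket's own mode depends on the helper's umask. Tighten it here with `chmod 0750 /run/priv_control` and document that the helper should create the socket as mode 0660, group `radio`. If the container is run with `/run` as tmpfs (podman's default), this directory does not exist at runtime and the proxy silently runs without the helper — worth a comment next to the `mkdir`.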
@@ -49,10 +50,40 @@ def IsIPv6Address(ip): except ValueError as errorCode: pass +class privHelper(): + def __init__(self): + self._netfilterURI = 'PYRO:netfilterControl@./u:/run/priv_control/priv_control.unixsocket' + self._conntrackURI = 'PYRO:conntrackControl@./u:/run/priv_control/priv_control.unixsocket' + + def addBL(self,dport,ip): + try: + with Pyro5.api.Proxy(self._netfilterURI) as nf: + nf.blocklistAdd(dport,ip) + except Exception as e: + print('(PrivError) {}'.format(e)) + + def delBL(self,dport,ip): + try: + with Pyro5.api.Proxy(self._netfilterURI) as nf: + nf.blocklistDel(dport,ip) + except Exception as e: + print('(PrivError) {}'.format(e)) + + def flushCT(self): + try: + with Pyro5.api.Proxy(self._conntrackURI) as ct: + ct.flushUDPTarget(62031) + except Exception as e: + print('(PrivError) {}'.format(e)) + + + + class Proxy(DatagramProtocol): - def __init__(self,Master,ListenPort,connTrack,peerTrack,blackList,IPBlackList,Timeout,Debug,ClientInfo,DestportStart,DestPortEnd): + def __init__(self,Master,ListenPort,connTrack,peerTrack,blackList,IPBlackList,Timeout,Debug,ClientInfo,DestportStart,DestPortEnd,privHelper): self.master = Master + self.ListenPort = ListenPort self.connTrack = connTrack self.peerTrack = peerTrack self.timeout = Timeout @@ -63,6 +94,8 @@ class Proxy(DatagramProtocol): self.destPortStart = DestportStart self.destPortEnd = DestPortEnd self.numPorts = DestPortEnd - DestportStart + self.privHelper = privHelper + def reaper(self,_peer_id): @@ -131,6 +164,9 @@ class Proxy(DatagramProtocol): return if self.clientinfo: print('Add to blacklist: host {}. Expire time {}'.format(self.peerTrack[_peer_id]['shost'],_bltime)) + if self.privHelper: + print('Ask priv_helper to add to iptables: host {}, port {}.'.format(self.peerTrack[_peer_id]['shost'],self.ListenPort)) + reactor.callInThread(self.privHelper.addBL,self.ListenPort,self.peerTrack[_peer_id]['shost']) return if _command == DMRD: 
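Review bot: `flushCT` hard-codes UDP port 62031 while the proxy's listen port is configurable (`FDPROXY_LISTENPORT` in this file), so with a non-default ListenPort the startup conntrack flush targets the wrong port and stale flows to the real port survive; take the port as a parameter the way `addBL`/`delBL` do, `def flushCT(self, dport=62031): ... ct.flushUDPTarget(dport)`. The three `except Exception` handlers print only the exception, not which host/port the call was for, so a failed `blocklistDel` leaves an iptables rule that cannot be identified from the log — include `dport` and `ip` in the `(PrivError)` message. Each `Pyro5.api.Proxy` is used with Pyro5's default of no communication timeout (`COMMTIMEOUT` 0), and because these calls run on reactor thread-pool threads a hung helper pins those threads indefinitely; set `nf._pyroTimeout = 5.0` (or `Pyro5.config.COMMTIMEOUT`) before the call. The `privHelper` parameter added to `Proxy.__init__` shadows this class inside that method; naming it `priv_helper` avoids the confusion.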
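Review bot: The host string handed to `addBL` is `self.peerTrack[_peer_id]['shost']`, which, when the proxy listens on `::` (the `'::ffff:' + Master` rewrite later in this file suggests that mode is supported), presumably arrives for IPv4 peers in the mapped form `::ffff:a.b.c.d`; if the helper feeds that into an IPv4 iptables rule the add fails and the peer is never blocked at the packet filter, with only a generic `(PrivError)` line to show for it. Normalise before dispatch, e.g. `_host = ipaddress.ip_address(self.peerTrack[_peer_id]['shost']); _host = str(_host.ipv4_mapped or _host)` (`ipaddress` is already imported), or have the helper choose iptables/ip6tables from the address family. The enclosing datagram handler starts and ends outside this hunk.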
@@ -226,6 +262,10 @@ if __name__ == '__main__': import argparse import sys import json + import stat + import functools + + print = functools.partial(print, flush=True) #Set process title early setproctitle(__file__) @@ -283,12 +323,12 @@ if __name__ == '__main__': BlackList = [1234567] #e.g. {10.0.0.1: 0, 10.0.0.2: 0} IPBlackList = {} - UsePrivilegedHelper = False #******************* CONNTRACK = {} PEERTRACK = {} + PRIV_HELPER = None # Set up the signal handler def sig_handler(_signal, _frame): @@ -314,12 +354,15 @@ if __name__ == '__main__': ClientInfo = bool(os.environ['FDPROXY_CLIENTINFO']) if 'FDPROXY_LISTENPORT' in os.environ: ListenPort = int(os.environ['FDPROXY_LISTENPORT']) - if 'USE_PRIV_HELPER' in os.environ: - UsePrivilegedHelper = os.environ['USE_PRIV_HELPER'] - if UsePrivilegedHelper: + unixSocket = '/run/priv_control/priv_control.unixsocket' + + if os.path.exists(unixSocket) and stat.S_ISSOCK(os.stat(unixSocket).st_mode): + print('(PRIV) Found UNIX socket. Enabling priv helper') + PRIV_HELPER = privHelper() + print('(PRIV) flush conntrack') + PRIV_HELPER.flushCT() - for port in range(DestportStart,DestPortEnd+1,1): CONNTRACK[port] = False @@ -328,7 +371,7 @@ if __name__ == '__main__': if ListenIP == '::' and IsIPv4Address(Master): Master = '::ffff:' + Master - reactor.listenUDP(ListenPort,Proxy(Master,ListenPort,CONNTRACK,PEERTRACK,BlackList,IPBlackList,Timeout,Debug,ClientInfo,DestportStart,DestPortEnd),interface=ListenIP) + reactor.listenUDP(ListenPort,Proxy(Master,ListenPort,CONNTRACK,PEERTRACK,BlackList,IPBlackList,Timeout,Debug,ClientInfo,DestportStart,DestPortEnd,PRIV_HELPER),interface=ListenIP) def loopingErrHandle(failure): print('(GLOBAL) STOPPING REACTOR TO AVOID MEMORY LEAK: Unhandled error innowtimed loop.\n {}'.format(failure)) 
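Review bot: The helper is now enabled purely by the presence of a socket at `/run/priv_control/priv_control.unixsocket`, and the removed `USE_PRIV_HELPER` environment variable was the only opt-out, so an operator can no longer stop the proxy from driving iptables on a host where the helper happens to be running; keep an explicit switch, e.g. `if os.environ.get('USE_PRIV_HELPER', '1') != '0' and os.path.exists(unixSocket) and ...`. The `os.path.exists()` then `os.stat()` pair is a small race: if the helper recreates its socket between the two calls, `os.stat` raises `FileNotFoundError` and the proxy dies at startup — `try: _is_sock = stat.S_ISSOCK(os.stat(unixSocket).st_mode)` / `except FileNotFoundError: _is_sock = False` avoids it. The path is spelled here and twice more inside `privHelper`; one module-level constant such as `PRIV_SOCKET = '/run/priv_control/priv_control.unixsocket'` keeps them from drifting. Note also that `PRIV_HELPER.flushCT()` runs synchronously before the reactor starts and the Pyro call has no timeout, so an unresponsive helper blocks startup indefinitely.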
@@ -358,6 +401,9 @@ if __name__ == '__main__': IPBlackList.pop(delete) if ClientInfo: print('Remove dynamic blacklist entry for {}'.format(delete)) + if PRIV_HELPER: + print('Ask priv helper to remove blacklist entry for {} from iptables'.format(delete)) + reactor.callInThread(PRIV_HELPER.delBL,ListenPort,delete) if Stats == True:
diff --git a/requirements.txt b/requirements.txt
index 98a1d9e..69123e4 100755
--- a/requirements.txt
+++ b/requirements.txt
@@ -5,3 +5,4 @@ dmr_utils3>=0.1.19
 configparser>=3.0.0
 resettabletimer>=0.7.0
 setproctitle
+Pyro5
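Review bot: `IPBlackList.pop(delete)` has already run by the time `delBL` is queued, and `delBL` swallows any Pyro error, so if the helper is unreachable at expiry time the in-memory entry disappears while the iptables rule stays and the peer remains blocked indefinitely with no later retry. Consider popping only after a successful removal (have `delBL` return a bool and re-queue the entry on failure), or give the helper's rules their own expiry so a missed delete is self-healing. The surrounding expiry loop starts outside this hunk.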
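Review bot: `Pyro5` is added with no version bound while the neighbouring entries (`dmr_utils3>=0.1.19`, `configparser>=3.0.0`, `resettabletimer>=0.7.0`) all carry one, so an incompatible future release would be picked up silently by the `--no-cache` CI image build; add at least a lower bound matching the version you tested against, e.g. `Pyro5>=5.14`, or an exact pin if reproducible images matter. Pyro5 pulls in the `serpent` serializer transitively, so the same consideration applies to it.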