monadical/greywall
Archived
13
0
Fork 0
Code Issues Pull Requests 1 Actions 2 Packages Projects Releases Wiki Activity
This repository has been archived on 2026-03-13. You can view files and clone it. You cannot open issues or pull requests or push a commit.
Files
481616455a75b91c2741a7b02e384744b65a3f17
greywall/internal/sandbox/linux_stub.go
Mathieu Virbel 481616455a fix: add SOCKS5 auth, DNS bridge, and TUN capability support 
Three issues prevented transparent proxying from working end-to-end:

1. bwrap dropped CAP_NET_ADMIN before exec, so ip tuntap/link commands
   failed inside the sandbox. Add --cap-add CAP_NET_ADMIN and
   CAP_NET_BIND_SERVICE when transparent proxy is active.

2. tun2socks only offered SOCKS5 no-auth (method 0x00), but many proxies
   (e.g. gost) require username/password auth (method 0x02). Pass through
   credentials from the proxy URL so tun2socks offers both auth methods.

3. DNS resolution failed because UDP DNS needs SOCKS5 UDP ASSOCIATE which
   most proxies don't support. Add --dns flag and DnsBridge that routes
   DNS queries from the sandbox through a Unix socket to a host-side DNS
   server. Falls back to TCP relay through the tunnel when no --dns is set.

Also brings up loopback interface (ip link set lo up) inside the network
namespace so socat can bind to 127.0.0.1.
2026-02-10 14:57:56 -06:00

88 lines
2.6 KiB
Go
Raw Blame History

//go:build !linux
package sandbox
import (
"fmt"
"github.com/Use-Tusk/fence/internal/config"
)
// ProxyBridge is a stub for non-Linux platforms.
type ProxyBridge struct {
SocketPath string
ProxyHost string
ProxyPort string
}
// DnsBridge is a stub for non-Linux platforms.
type DnsBridge struct {
SocketPath string
DnsAddr string
}
// ReverseBridge is a stub for non-Linux platforms.
type ReverseBridge struct {
Ports []int
SocketPaths []string
}
// LinuxSandboxOptions is a stub for non-Linux platforms.
type LinuxSandboxOptions struct {
UseLandlock bool
UseSeccomp bool
UseEBPF bool
Monitor bool
Debug bool
}
// NewProxyBridge returns an error on non-Linux platforms.
func NewProxyBridge(proxyURL string, debug bool) (*ProxyBridge, error) {
return nil, fmt.Errorf("proxy bridge not available on this platform")
}
// Cleanup is a no-op on non-Linux platforms.
func (b *ProxyBridge) Cleanup() {}
// NewDnsBridge returns an error on non-Linux platforms.
func NewDnsBridge(dnsAddr string, debug bool) (*DnsBridge, error) {
return nil, fmt.Errorf("DNS bridge not available on this platform")
}
// Cleanup is a no-op on non-Linux platforms.
func (b *DnsBridge) Cleanup() {}
// NewReverseBridge returns an error on non-Linux platforms.
func NewReverseBridge(ports []int, debug bool) (*ReverseBridge, error) {
return nil, fmt.Errorf("reverse bridge not available on this platform")
}
// Cleanup is a no-op on non-Linux platforms.
func (b *ReverseBridge) Cleanup() {}
// WrapCommandLinux returns an error on non-Linux platforms.
func WrapCommandLinux(cfg *config.Config, command string, proxyBridge *ProxyBridge, dnsBridge *DnsBridge, reverseBridge *ReverseBridge, tun2socksPath string, debug bool) (string, error) {
return "", fmt.Errorf("Linux sandbox not available on this platform")
}
// WrapCommandLinuxWithOptions returns an error on non-Linux platforms.
func WrapCommandLinuxWithOptions(cfg *config.Config, command string, proxyBridge *ProxyBridge, dnsBridge *DnsBridge, reverseBridge *ReverseBridge, tun2socksPath string, opts LinuxSandboxOptions) (string, error) {
return "", fmt.Errorf("Linux sandbox not available on this platform")
}
// StartLinuxMonitor returns nil on non-Linux platforms.
func StartLinuxMonitor(pid int, opts LinuxSandboxOptions) (*LinuxMonitors, error) {
return nil, nil
}
// LinuxMonitors is a stub for non-Linux platforms.
type LinuxMonitors struct{}
// Stop is a no-op on non-Linux platforms.
func (m *LinuxMonitors) Stop() {}
// PrintLinuxFeatures prints a message on non-Linux platforms.
func PrintLinuxFeatures() {
fmt.Println("Linux sandbox features are only available on Linux.")
}
Reference in New Issue View Git Blame Copy Permalink