Patrick Schleizer: > anonym: >> Patrick Schleizer: >>> anonym: >>> About the packaging. If you like the genmkfile way to package things, I >>> could also do the packaging. Only disadvantage would be an extra >>> dependency on genmkfile. >>> >>> https://github.com/Whonix/control-port-filter-python >>> https://github.com/Whonix/genmkfile >>> >>> That would be trivial on my side since Tails control filter seems very >>> similar to control-port-filter-python. (control-port-filter-python >>> packaged with genmkfile is a lintian --pedantic warning free and to my >>> knowledge, fully complaint Debian source and binary package.) Otherwise, >>> I'd just wait for you. >> >> Sure! I bet you'll beat me to it, so I don't want to be the blocker, but >> perhaps I'll take over the packaging in the future, depending on how >> things go (would this make sense to include in Debian?). However, first >> we need, in order: > > Not sure if upload to Debian would benefit any of our projects or if > anyone besides our two projects would be interested in that package. Due > to release cycles, I guess we'd end up not using that package in > Tails/Whonix anyhow. I must admit, that this chance to get genmkfile > into Debian as a byproduct is more appealing than the filter itself. > > If any other of Whonix's packages seems useful to be uploaded to Debian > or otherwise useful for Tails, I'd be happy to polish them if there are > any requests to return the favor and to improve the cooperation. > >> 1. A name that doesn't including 'tor'. What about 'grater' or >> 'onion-grater'? My inspiration is something like [0]. :) Otherwise >> there's 'onion-filter' I guess. > > What about control-port-filter-python? :) > > I was rethinking this. The packaging may not be that important on the > Whonix side. Since the tails filter is small, clean, nice and simple and > "quite similar" to currently used control-port-filter-python... I could > just copy over the tails filter to control-port-filter-python > usr/sbin/cpfpd. (Along with some minor things such as debian/control > migrating dependencies list and systemd unit file differences.) > >> 2. A dedicated Git repo (trivial once we have a name). > > https://github.com/Whonix/control-port-filter-python ? :) > > The separate upstream tails filter repository would just help me to stay > on top of changes rather than following changes in the huge Tails main > repository. It's not very important either. If you'd ever find a > security critical issue, please notify me. Otherwise for newer features, > I'll probably learn about them early enough. > >>> I added 'Flags=DiscardPK', which works and I thought that is useful at >>> least in case of Whonix. The workstation does not need to learn the >>> hidden service key since onionshare does not use it anyhow. Not sure >>> this (and the following) makes also sense in Tails? >>> >>> Some lines in Tor's response contain the following: >>> (azazazazazazaz10 is the HS) >>> >>> 650 HS_DESC CREATED azazazazazazaz10 UNKNOWN UNKNOWN gliberrish REPLICA=0 >>> 650 HS_DESC CREATED azazazazazazaz10 UNKNOWN UNKNOWN gliberrish REPLICA=1 >>> 650 HS_DESC UPLOAD azazazazazazaz10 UNKNOWN gliberrish gliberrish >>> 650 HS_DESC UPLOADED azazazazazazaz10 UNKNOWN gliberrish >>> >>> Could you please show how to rewrite them to: >>> >>> 650 HS_DESC CREATED azazazazazazaz10 UNKNOWN UNKNOWN dedacted REPLICA=0 >>> 650 HS_DESC CREATED azazazazazazaz10 UNKNOWN UNKNOWN dedacted REPLICA=1 >>> 650 HS_DESC UPLOAD azazazazazazaz10 UNKNOWN dedacted dedacted >>> 650 HS_DESC UPLOADED azazazazazazaz10 UNKNOWN dedacted >>> >>> I am not sure stem would complain about this, but I guess not >> >> onionshare uses stem's `create_ephemeral_hidden_service()` convenience >> method with `await_publication=True`, and it tracks the state of the >> hidden services publication via HS_DESC events, so you have to be >> careful here (e.g. only allowing the UPLOADED won't work, probably). >> >> So, to me it looks like you need the following (untested) config, >> although you might want to study the spec to see which events are to be >> expected: >> >> HS_DESC: >> - pattern: '650 HS_DESC CREATED (\S+) (\S+) (\S+) \S+ (.+)' >> replacement: '650 HS_DESC CREATED {} {} {} redacted {}' >> - pattern: '650 HS_DESC UPLOAD (\S+) (\S+) .*' >> replacement: '650 HS_DESC UPLOAD {} {} redacted redacted' >> - pattern: '650 HS_DESC UPLOADED (\S+) (\S+) .+' >> replacement: '650 HS_DESC UPLOADED {} {} redacted' >> - pattern: '.*' >> replacement: '' > > That unfortunately does not work. > > user@host:~/tcpfp$ ./tor-controlport-filter --listen-address 0.0.0.0 --debug > Tor control port filter started, listening on 0.0.0.0:9051 > 10.137.11.80:51904 (filter: whonix) connected: loaded filter: whonix > Final rules: > commands: > ADD_ONION: > - {pattern: 'NEW:BEST Port=80,(176[0-5][0-9])', replacement: 'NEW:BEST > Port=80,{client-address}:{} > Flags=DiscardPK'} > DEL_ONION: > - {pattern: .+} > GETCONF: > - {pattern: (__owningcontrollerprocess)} > GETINFO: > - {pattern: circuit-established} > - {pattern: status/circuit-established} > - pattern: net/listeners/socks > response: > - {pattern: 250-net/listeners/socks=".*", replacement: > '250-net/listeners/socks="127.0.0.1:9150"'} > - {pattern: version} > - {pattern: onions/current} > SIGNAL: > - {pattern: NEWNYM} > events: > CONF_CHANGED: {suppress: true} > HS_DESC: > - {pattern: 650 HS_DESC CREATED (\S+) (\S+) (\S+) \S+ (.+), > replacement: '650 HS_DESC > CREATED {} {} {} redacted {}'} > - {pattern: 650 HS_DESC UPLOAD (\S+) (\S+) .*, replacement: '650 > HS_DESC UPLOAD > {} {} redacted redacted'} > - {pattern: 650 HS_DESC UPLOADED (\S+) (\S+) .+, replacement: '650 > HS_DESC UPLOADED > {} {} redacted'} > - {pattern: .*, replacement: ''} > SIGNAL: {suppress: true} > restrict-stream-events: false > > 10.137.11.80:51904 (filter: whonix): -> PROTOCOLINFO 1 > 10.137.11.80:51904 (filter: whonix): <- 250-PROTOCOLINFO 1 > 10.137.11.80:51904 (filter: whonix): <- 250-AUTH METHODS=NULL > 10.137.11.80:51904 (filter: whonix): <- 250-VERSION Tor="0.2.8.9 > (git-cabd4ef300c6b3d6)" > 10.137.11.80:51904 (filter: whonix): <- 250 OK > 10.137.11.80:51904 (filter: whonix): -> AUTHENTICATE > 10.137.11.80:51904 (filter: whonix): <- 250 OK > 10.137.11.80:51904 (filter: whonix): -> SETEVENTS SIGNAL CONF_CHANGED > 10.137.11.80:51904 (filter: whonix): suppressed subscription to event > 'SIGNAL' > 10.137.11.80:51904 (filter: whonix): suppressed subscription to event > 'CONF_CHANGED' > 10.137.11.80:51904 (filter: whonix): <- 250 OK > 10.137.11.80:51904 (filter: whonix): -> GETCONF __owningcontrollerprocess > 10.137.11.80:51904 (filter: whonix): <- 250 __OwningControllerProcess > 10.137.11.80:51904 (filter: whonix): -> GETINFO version > 10.137.11.80:51904 (filter: whonix): <- (multi-line) > 250-version=0.2.8.9 (git-cabd4ef300c6b3d6) > 250 OK > 10.137.11.80:51904 (filter: whonix): -> SETEVENTS HS_DESC SIGNAL > CONF_CHANGED > 10.137.11.80:51904 (filter: whonix) disconnected: client quit > ---------------------------------------- > Exception happened during processing of request from ('10.137.11.80', 51904) > Traceback (most recent call last): > File "/usr/lib/python3.4/socketserver.py", line 613, in > process_request_thread > self.finish_request(request, client_address) > File "/usr/lib/python3.4/socketserver.py", line 344, in finish_request > self.RequestHandlerClass(request, client_address, self) > File "/usr/lib/python3.4/socketserver.py", line 669, in __init__ > self.handle() > File "./tor-controlport-filter", line 574, in handle > restrict_stream_events > File "./tor-controlport-filter", line 456, in handle_controlport_session > update_event_subscriptions(events) > File "./tor-controlport-filter", line 393, in update_event_subscriptions > if not rule.get('suppress', False) or \ > AttributeError: 'list' object has no attribute 'get' > ----------------------------------------
This is now fixed: https://phabricator.whonix.org/T574#10972 Best regards, Patrick _______________________________________________ Tails-dev mailing list Tails-dev@boum.org https://mailman.boum.org/listinfo/tails-dev To unsubscribe from this list, send an empty email to tails-dev-unsubscr...@boum.org.
