package deb rpm

do not handle local device connection through tproxy if gateway is not enabled

CMakeLists.txt

@@ -1,6 +1,6 @@
 cmake_minimum_required(VERSION 3.10)
 
-project(cgproxy VERSION 1.0)
+project(cgproxy VERSION 3.4)
 add_executable(cgattach cgattach.cpp)
 
 install(TARGETS cgattach DESTINATION /usr/bin 
@@ -21,3 +21,28 @@ install(FILES cgproxy.conf
         DESTINATION /etc/)
 install(FILES cgroup-tproxy.sh 
         DESTINATION /usr/share/cgproxy/scripts/)
+
+
+## deb pack
+set(CPACK_GENERATOR "DEB;RPM")
+set(CPACK_PACKAGE_NAME "cgproxy")
+set(CPACK_PACKAGE_DESCRIPTION_SUMMARY "cgproxy will transparent proxy anything running in specific cgroup.It aslo supports global transparent proxy and gateway proxy")
+
+set(CPACK_DEBIAN_PACKAGE_NAME "cgproxy")
+set(CPACK_DEBIAN_PACKAGE_ARCHITECTURE "x86_64")
+set(CPACK_DEBIAN_PACKAGE_DEPENDS "systemd")
+set(CPACK_DEBIAN_PACKAGE_SECTION "network")
+set(CPACK_DEBIAN_PACKAGE_PRIORITY "Optional")
+set(CPACK_DEBIAN_PACKAGE_HOMEPAGE "https://github.com/springzfx/cgproxy")
+set(CPACK_DEBIAN_PACKAGE_MAINTAINER "springzfx@gmail.com")
+set(CONTROL_DIR ${CMAKE_SOURCE_DIR}/control)
+set(CPACK_DEBIAN_PACKAGE_CONTROL_EXTRA "${CONTROL_DIR}/postinst;${CONTROL_DIR}/prerm")
+
+set(CPACK_RPM_PACKAGE_ARCHITECTURE, "x86_64")
+set(CPACK_RPM_PACKAGE_REQUIRES "systemd")
+set(CPACK_RPM_PACKAGE_GROUP "network")
+set(CPACK_RPM_PACKAGE_URL "https://github.com/springzfx/cgproxy")
+set(CPACK_RPM_POST_INSTALL_SCRIPT_FILE "${CONTROL_DIR}/postinst")
+set(CPACK_RPM_PRE_UNINSTALL_SCRIPT_FILE "${CONTROL_DIR}/prerm")
+
+include(CPack)

cgroup-tproxy.sh

@@ -35,7 +35,7 @@ cgroup_proxy="/proxy.slice"
 cgroup_noproxy="/noproxy.slice"
 
 # allow as gateway for local network
-enable_gateway=true
+enable_gateway=false
 
 ## some variables
 port=12345
@@ -63,19 +63,29 @@ for i in "$@"
 do
 case $i in
     stop)
-        iptables -t nat -F
-        iptables -t mangle -F
+        iptables -t mangle -D PREROUTING -j TPROXY_PRE
+        iptables -t mangle -D OUTPUT -j TPROXY_OUT
+        iptables -t mangle -F TPROXY_PRE
+        iptables -t mangle -F TPROXY_OUT
+        iptables -t mangle -F TPROXY_ENT
         iptables -t mangle -X TPROXY_PRE
         iptables -t mangle -X TPROXY_OUT
-        ip6tables -t mangle -F
+        iptables -t mangle -X TPROXY_ENT
+        ip6tables -t mangle -D PREROUTING -j TPROXY_PRE
+        ip6tables -t mangle -D OUTPUT -j TPROXY_OUT
+        ip6tables -t mangle -F TPROXY_PRE
+        ip6tables -t mangle -F TPROXY_OUT
+        ip6tables -t mangle -F TPROXY_ENT
         ip6tables -t mangle -X TPROXY_PRE
         ip6tables -t mangle -X TPROXY_OUT
+        ip6tables -t mangle -X TPROXY_ENT
         ip rule delete fwmark $mark_proxy lookup $table
         ip route flush table $table
         ip -6 rule delete fwmark $mark_proxy lookup $table
         ip -6 route flush table $table
-        iptables -t nat -A OUTPUT -F
-        ip6tables -t nat -A OUTPUT -F
+        ## may not exist, just ignore, and tracking their existence is reliable
+        iptables -t nat -D POSTROUTING -m addrtype ! --src-type LOCAL -j MASQUERADE &> /dev/null
+        ip6tables -t nat -D POSTROUTING -m addrtype ! --src-type LOCAL -j MASQUERADE &> /dev/null
         exit 0
         ;;
     --config=*)
@@ -98,19 +108,24 @@ test -d $cgroup_mount_point$cgroup_noproxy  || mkdir $cgroup_mount_point$cgroup_
 #ipv4#
 ip rule add fwmark $mark_proxy table $table
 ip route add local default dev lo table $table
+iptables -t mangle -N TPROXY_ENT
+iptables -t mangle -A TPROXY_ENT -p tcp -j TPROXY --on-ip 127.0.0.1 --on-port $port --tproxy-mark $mark_proxy
+iptables -t mangle -A TPROXY_ENT -p udp -j TPROXY --on-ip 127.0.0.1 --on-port $port --tproxy-mark $mark_proxy
+
 iptables -t mangle -N TPROXY_PRE
+iptables -t mangle -A TPROXY_PRE -p udp --dport 53 -j TPROXY_ENT
+iptables -t mangle -A TPROXY_PRE -p tcp --dport 53 -j TPROXY_ENT
+iptables -t mangle -A TPROXY_PRE -p icmp -j RETURN
 iptables -t mangle -A TPROXY_PRE -m addrtype --dst-type LOCAL -j RETURN
 iptables -t mangle -A TPROXY_PRE -m pkttype --pkt-type broadcast -j RETURN
 iptables -t mangle -A TPROXY_PRE -m pkttype --pkt-type multicast -j RETURN
-iptables -t mangle -A TPROXY_PRE -p tcp -j TPROXY --on-ip 127.0.0.1 --on-port $port --tproxy-mark $mark_proxy
-iptables -t mangle -A TPROXY_PRE -p udp -j TPROXY --on-ip 127.0.0.1 --on-port $port --tproxy-mark $mark_proxy
+iptables -t mangle -A TPROXY_PRE -j TPROXY_ENT
 iptables -t mangle -A PREROUTING -j TPROXY_PRE
-iptables -t mangle -A PREROUTING -m addrtype --dst-type LOCAL -m conntrack --ctstate NEW -j CONNMARK --set-mark $make_newin
 
 iptables -t mangle -N TPROXY_OUT
 iptables -t mangle -A TPROXY_OUT -o lo -j RETURN
 iptables -t mangle -A TPROXY_OUT -p icmp -j RETURN
-iptables -t mangle -A TPROXY_OUT -m connmark --mark  $make_newin -j RETURN # return incoming connection directly
+iptables -t mangle -A TPROXY_OUT -m connmark --mark  $make_newin -j RETURN
 iptables -t mangle -A TPROXY_OUT -m mark --mark $mark_noproxy -j RETURN
 iptables -t mangle -A TPROXY_OUT -m cgroup --path $cgroup_noproxy -j RETURN
 iptables -t mangle -A TPROXY_OUT -m cgroup --path $cgroup_proxy -j MARK --set-mark $mark_proxy
@@ -119,19 +134,24 @@ iptables -t mangle -A OUTPUT -j TPROXY_OUT
 #ipv6#
 ip -6 rule add fwmark $mark_proxy table $table
 ip -6 route add local default dev lo table $table
+ip6tables -t mangle -N TPROXY_ENT
+ip6tables -t mangle -A TPROXY_ENT -p tcp -j TPROXY --on-ip ::1 --on-port $port --tproxy-mark $mark_proxy
+ip6tables -t mangle -A TPROXY_ENT -p udp -j TPROXY --on-ip ::1 --on-port $port --tproxy-mark $mark_proxy
+
 ip6tables -t mangle -N TPROXY_PRE
+ip6tables -t mangle -A TPROXY_PRE -p udp --dport 53 -j TPROXY_ENT
+ip6tables -t mangle -A TPROXY_PRE -p tcp --dport 53 -j TPROXY_ENT
+ip6tables -t mangle -A TPROXY_PRE -p icmp -j RETURN
 ip6tables -t mangle -A TPROXY_PRE -m addrtype --dst-type LOCAL -j RETURN
 ip6tables -t mangle -A TPROXY_PRE -m pkttype --pkt-type broadcast -j RETURN
 ip6tables -t mangle -A TPROXY_PRE -m pkttype --pkt-type multicast -j RETURN
-ip6tables -t mangle -A TPROXY_PRE -p tcp -j TPROXY --on-ip ::1 --on-port $port --tproxy-mark $mark_proxy
-ip6tables -t mangle -A TPROXY_PRE -p udp -j TPROXY --on-ip ::1 --on-port $port --tproxy-mark $mark_proxy
+ip6tables -t mangle -A TPROXY_PRE -j TPROXY_ENT
 ip6tables -t mangle -A PREROUTING -j TPROXY_PRE
-ip6tables -t mangle -A PREROUTING -m addrtype --dst-type LOCAL -m conntrack --ctstate NEW -j CONNMARK --set-mark $make_newin
 
 ip6tables -t mangle -N TPROXY_OUT
 ip6tables -t mangle -A TPROXY_OUT -o lo -j RETURN
 ip6tables -t mangle -A TPROXY_OUT -p icmp -j RETURN
-ip6tables -t mangle -A TPROXY_OUT -m connmark --mark  $make_newin -j RETURN # return incoming connection directly
+ip6tables -t mangle -A TPROXY_OUT -m connmark --mark  $make_newin -j RETURN
 ip6tables -t mangle -A TPROXY_OUT -m mark --mark $mark_noproxy -j RETURN
 ip6tables -t mangle -A TPROXY_OUT -m cgroup --path $cgroup_noproxy -j RETURN
 ip6tables -t mangle -A TPROXY_OUT -m cgroup --path $cgroup_proxy -j MARK --set-mark $mark_proxy
@@ -158,6 +178,14 @@ $enable_ipv4 	|| iptables  -t mangle -I TPROXY_PRE -j RETURN
 $enable_ipv6 	|| ip6tables -t mangle -I TPROXY_PRE -j RETURN
 fi
 
+## do not handle local device connection through tproxy if gateway is not enabled
+$enable_gateway || iptables  -t mangle -I TPROXY_PRE  -m addrtype ! --src-type LOCAL -m addrtype ! --dst-type LOCAL -j RETURN
+$enable_gateway || ip6tables -t mangle -I TPROXY_PRE  -m addrtype ! --src-type LOCAL -m addrtype ! --dst-type LOCAL -j RETURN
+
+## make sure following rules are the first in chain TPROXY_PRE to mark new incoming connection or gateway proxy connection
+## so must put at last to insert first
+iptables  -t mangle -I TPROXY_PRE -m addrtype ! --src-type LOCAL -m conntrack --ctstate NEW -j CONNMARK --set-mark $make_newin
+ip6tables -t mangle -I TPROXY_PRE -m addrtype ! --src-type LOCAL -m conntrack --ctstate NEW -j CONNMARK --set-mark $make_newin
 
 ## message for user
 cat << DOC

control/postinst

@@ -0,0 +1,2 @@
+#!/bin/sh
+systemctl enable --now cgproxy.service

control/prerm

@@ -0,0 +1,2 @@
+#!/bin/sh
+systemctl disable --now cgproxy.service