Merge pull request openwrt#939 from morgenroth/Add-redsocks

redsocks: add new package

net/redsocks/Makefile

@@ -0,0 +1,56 @@
+#
+# Copyright (C) 2014 OpenWrt.org
+#
+# This is free software, licensed under the GNU General Public License v2.
+# See /LICENSE for more information.
+#
+
+include $(TOPDIR)/rules.mk
+
+PKG_NAME:=redsocks
+PKG_VERSION:=0.4
+PKG_RELEASE:=1
+
+PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)-release-$(PKG_VERSION)
+PKG_SOURCE:=release-$(PKG_VERSION).tar.gz
+PKG_SOURCE_URL:=https://github.com/darkk/redsocks/archive/
+PKG_MD5SUM:=810102ef06a9ea796f310ae811afc6a8
+PKG_MAINTAINER:=Johannes Morgenroth <[email protected]>
+PKG_LICENSE:=Apache-2.0
+
+include $(INCLUDE_DIR)/package.mk
+
+define Package/redsocks
+  SECTION:=net
+  CATEGORY:=Network
+  DEPENDS:=+libevent2
+  TITLE:=Redirect any TCP connection to a SOCKS or HTTPS proxy server
+endef
+
+define Package/redsocks/conffiles
+/etc/redsocks.conf
+endef
+
+define Package/redsocks/description
+ Redsocks is a daemon running on the local system, that will transparently
+ tunnel any TCP connection via a remote SOCKS4, SOCKS5 or HTTP proxy server. It
+ uses the system firewall's redirection facility to intercept TCP connections,
+ thus the redirection is system-wide, with fine-grained control, and does
+ not depend on LD_PRELOAD libraries.
+
+ Redsocks supports tunneling TCP connections and UDP packets. It has
+ authentication support for both, SOCKS and HTTP proxies.
+
+ Also included is a small DNS server returning answers with the "truncated" flag
+ set for any UDP query, forcing the resolver to use TCP.
+endef
+
+define Package/redsocks/install
+	$(INSTALL_DIR) $(1)/usr/sbin/
+	$(INSTALL_BIN) $(PKG_BUILD_DIR)/redsocks $(1)/usr/sbin/
+	$(INSTALL_DIR) $(1)/etc/init.d/
+	$(INSTALL_BIN) files/redsocks.init $(1)/etc/init.d/redsocks
+	$(INSTALL_CONF) files/redsocks.conf $(1)/etc/
+endef
+
+$(eval $(call BuildPackage,redsocks))

net/redsocks/files/redsocks.conf

@@ -0,0 +1,108 @@
+base {
+	// debug: connection progress & client list on SIGUSR1
+	log_debug = off;
+
+	// info: start and end of client session
+	log_info = on;
+
+	/* possible `log' values are:
+	 *   stderr
+	 *   "file:/path/to/file"
+	 *   syslog:FACILITY  facility is any of "daemon", "local0"..."local7"
+	 */
+	// log = stderr;
+	// log = "file:/path/to/file";
+	log = "syslog:local7";
+
+	// detach from console
+	daemon = on;
+
+	/* Change uid, gid and root directory, these options require root
+	 * privilegies on startup.
+	 * Note, your chroot may requre /etc/localtime if you write log to syslog.
+	 * Log is opened before chroot & uid changing.
+	 */
+	// user = nobody;
+	// group = nobody;
+	// chroot = "/var/chroot";
+
+	/* possible `redirector' values are:
+	 *   iptables   - for Linux
+	 *   ipf        - for FreeBSD
+	 *   pf         - for OpenBSD
+	 *   generic    - some generic redirector that MAY work
+	 */
+	redirector = iptables;
+}
+
+redsocks {
+	/* `local_ip' defaults to 127.0.0.1 for security reasons,
+	 * use 0.0.0.0 if you want to listen on every interface.
+	 * `local_*' are used as port to redirect to.
+	 */
+	local_ip = 127.0.0.1;
+	local_port = 12345;
+
+	// listen() queue length. Default value is SOMAXCONN and it should be
+	// good enough for most of us.
+	// listenq = 128; // SOMAXCONN equals 128 on my Linux box.
+
+	// `max_accept_backoff` is a delay to retry `accept()` after accept
+	// failure (e.g. due to lack of file descriptors). It's measured in
+	// milliseconds and maximal value is 65535. `min_accept_backoff` is
+	// used as initial backoff value and as a damper for `accept() after
+	// close()` logic.
+	// min_accept_backoff = 100;
+	// max_accept_backoff = 60000;
+
+	// `ip' and `port' are IP and tcp-port of proxy-server
+	// You can also use hostname instead of IP, only one (random)
+	// address of multihomed host will be used.
+	ip = example.org;
+	port = 1080;
+
+
+	// known types: socks4, socks5, http-connect, http-relay
+	type = socks5;
+
+	// login = "foobar";
+	// password = "baz";
+}
+
+redudp {
+	// `local_ip' should not be 0.0.0.0 as it's also used for outgoing
+	// packets that are sent as replies - and it should be fixed
+	// if we want NAT to work properly.
+	local_ip = 127.0.0.1;
+	local_port = 10053;
+
+	// `ip' and `port' of socks5 proxy server.
+	ip = 10.0.0.1;
+	port = 1080;
+	login = username;
+	password = pazzw0rd;
+
+	// redsocks knows about two options while redirecting UDP packets at
+	// linux: TPROXY and REDIRECT.  TPROXY requires more complex routing
+	// configuration and fresh kernel (>= 2.6.37 according to squid
+	// developers[1]) but has hack-free way to get original destination
+	// address, REDIRECT is easier to configure, but requires `dest_ip` and
+	// `dest_port` to be set, limiting packet redirection to single
+	// destination.
+	// [1] http://wiki.squid-cache.org/Features/Tproxy4
+	dest_ip = 8.8.8.8;
+	dest_port = 53;
+
+	udp_timeout = 30;
+	udp_timeout_stream = 180;
+}
+
+dnstc {
+	// fake and really dumb DNS server that returns "truncated answer" to
+	// every query via UDP, RFC-compliant resolver should repeat same query
+	// via TCP in this case.
+	local_ip = 127.0.0.1;
+	local_port = 5300;
+}
+
+// you can add more `redsocks' and `redudp' sections if you need.

net/redsocks/files/redsocks.init

@@ -0,0 +1,36 @@
+#!/bin/sh /etc/rc.common
+# Copyright (C) 2007 OpenWrt.org
+
+START=90
+
+# check if configuration exists
+[ -e "/etc/redsocks.conf" ] || exit 0
+
+start() {
+	if [ -e "/var/run/redsocks.pid" ]; then
+		echo "redsocks is already running"
+		exit 0
+	fi
+
+	/bin/echo -n "running redsocks ..."
+
+	# startup the safety-wrapper for the daemon
+	/usr/sbin/redsocks -p /var/run/redsocks.pid
+
+	/bin/echo " done"
+}
+
+stop() {
+	if [ ! -e "/var/run/redsocks.pid" ]; then
+		echo "redsocks is not running"
+		exit 0
+	fi
+
+	/bin/echo -n "stopping redsocks ..."
+
+	# kill the process
+	/bin/kill $(cat /var/run/redsocks.pid)
+	rm /var/run/redsocks.pid
+
+	echo " done"
+}

net/redsocks/patches/0001-Fix-bug-in-DNS-resolution-results-were-ignored-since.patch

@@ -0,0 +1,53 @@
+From 290f19972e9f7b74f818ae211cb535e32f1f314f Mon Sep 17 00:00:00 2001
+From: Leonid Evdokimov <[email protected]>
+Date: Tue, 10 Apr 2012 00:57:26 +0400
+Subject: [PATCH 01/12] Fix bug in DNS resolution - results were ignored (since
+ 8179a1ff).
+
+---
+ parser.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/parser.c b/parser.c
+index 85d3533..6198828 100644
+--- a/parser.c
++++ b/parser.c
+@@ -295,22 +295,22 @@ static int vp_in_addr(parser_context *context, void *addr, const char *token)
+ 		memcpy(addr, &ia, sizeof(ia));
+ 	}
+ 	else {
+-		struct addrinfo *addr, hints;
++		struct addrinfo *ainfo, hints;
+ 		int err;
+ 		memset(&hints, 0, sizeof(hints));
+ 		hints.ai_family = AF_INET; /* IPv4-only */
+ 		hints.ai_socktype = SOCK_STREAM; /* I want to have one address once and ONLY once, that's why I specify socktype and protocol */
+ 		hints.ai_protocol = IPPROTO_TCP;
+ 		hints.ai_flags = AI_ADDRCONFIG; /* I don't need IPv4 addrs without IPv4 connectivity */
+-		err = getaddrinfo(token, NULL, &hints, &addr);
++		err = getaddrinfo(token, NULL, &hints, &ainfo);
+ 		if (err == 0) {
+ 			int count, taken;
+ 			struct addrinfo *iter;
+ 			struct sockaddr_in *resolved_addr;
+-			for (iter = addr, count = 0; iter; iter = iter->ai_next, ++count)
++			for (iter = ainfo, count = 0; iter; iter = iter->ai_next, ++count)
+ 				;
+ 			taken = rand() % count;
+-			for (iter = addr; taken > 0; iter = iter->ai_next, --taken)
++			for (iter = ainfo; taken > 0; iter = iter->ai_next, --taken)
+ 				;
+ 			resolved_addr = (struct sockaddr_in*)iter->ai_addr;
+ 			assert(resolved_addr->sin_family == iter->ai_family && iter->ai_family == AF_INET);
+@@ -318,7 +318,7 @@ static int vp_in_addr(parser_context *context, void *addr, const char *token)
+ 				log_error(LOG_WARNING, "%s resolves to %d addresses, using %s",
+ 				          token, count, inet_ntoa(resolved_addr->sin_addr));
+ 			memcpy(addr, &resolved_addr->sin_addr, sizeof(ia));
+-			freeaddrinfo(addr);
++			freeaddrinfo(ainfo);
+ 		}
+ 		else {
+ 			if (err == EAI_SYSTEM)
+-- 
+1.9.1
+