1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
|
# Copyright (c) Twisted Matrix Laboratories.
# See LICENSE for details.
"""
Tools for automated testing of L{twisted.pair}-based applications.
"""
import struct
import socket
from errno import (
EPERM, EAGAIN, EWOULDBLOCK, ENOSYS, EBADF, EINVAL, EINTR, ENOBUFS)
from collections import deque
from functools import wraps
from zope.interface import implementer
from twisted.internet.protocol import DatagramProtocol
from twisted.pair.ethernet import EthernetProtocol
from twisted.pair.rawudp import RawUDPProtocol
from twisted.pair.ip import IPProtocol
from twisted.pair.tuntap import (
_IFNAMSIZ, _TUNSETIFF, _IInputOutputSystem, TunnelFlags)
from twisted.python.compat import nativeString
# The number of bytes in the "protocol information" header that may be present
# on datagrams read from a tunnel device. This is two bytes of flags followed
# by two bytes of protocol identification. All this code does with this
# information is use it to discard the header.
_PI_SIZE = 4
def _H(n):
"""
Pack an integer into a network-order two-byte string.
@param n: The integer to pack. Only values that fit into 16 bits are
supported.
@return: The packed representation of the integer.
@rtype: L{bytes}
"""
return struct.pack('>H', n)
_IPv4 = 0x0800
def _ethernet(src, dst, protocol, payload):
"""
Construct an ethernet frame.
@param src: The source ethernet address, encoded.
@type src: L{bytes}
@param dst: The destination ethernet address, encoded.
@type dst: L{bytes}
@param protocol: The protocol number of the payload of this datagram.
@type protocol: L{int}
@param payload: The content of the ethernet frame (such as an IP datagram).
@type payload: L{bytes}
@return: The full ethernet frame.
@rtype: L{bytes}
"""
return dst + src + _H(protocol) + payload
def _ip(src, dst, payload):
"""
Construct an IP datagram with the given source, destination, and
application payload.
@param src: The source IPv4 address as a dotted-quad string.
@type src: L{bytes}
@param dst: The destination IPv4 address as a dotted-quad string.
@type dst: L{bytes}
@param payload: The content of the IP datagram (such as a UDP datagram).
@type payload: L{bytes}
@return: An IP datagram header and payload.
@rtype: L{bytes}
"""
ipHeader = (
# Version and header length, 4 bits each
b'\x45'
# Differentiated services field
b'\x00'
# Total length
+ _H(20 + len(payload))
+ b'\x00\x01\x00\x00\x40\x11'
# Checksum
+ _H(0)
# Source address
+ socket.inet_pton(socket.AF_INET, nativeString(src))
# Destination address
+ socket.inet_pton(socket.AF_INET, nativeString(dst)))
# Total all of the 16-bit integers in the header
checksumStep1 = sum(struct.unpack('!10H', ipHeader))
# Pull off the carry
carry = checksumStep1 >> 16
# And add it to what was left over
checksumStep2 = (checksumStep1 & 0xFFFF) + carry
# Compute the one's complement sum
checksumStep3 = checksumStep2 ^ 0xFFFF
# Reconstruct the IP header including the correct checksum so the platform
# IP stack, if there is one involved in this test, doesn't drop it on the
# floor as garbage.
ipHeader = (
ipHeader[:10] +
struct.pack('!H', checksumStep3) +
ipHeader[12:])
return ipHeader + payload
def _udp(src, dst, payload):
"""
Construct a UDP datagram with the given source, destination, and
application payload.
@param src: The source port number.
@type src: L{int}
@param dst: The destination port number.
@type dst: L{int}
@param payload: The content of the UDP datagram.
@type payload: L{bytes}
@return: A UDP datagram header and payload.
@rtype: L{bytes}
"""
udpHeader = (
# Source port
_H(src)
# Destination port
+ _H(dst)
# Length
+ _H(len(payload) + 8)
# Checksum
+ _H(0))
return udpHeader + payload
class Tunnel(object):
"""
An in-memory implementation of a tun or tap device.
@cvar _DEVICE_NAME: A string representing the conventional filesystem entry
for the tunnel factory character special device.
@type _DEVICE_NAME: C{bytes}
"""
_DEVICE_NAME = b"/dev/net/tun"
# Between POSIX and Python, there are 4 combinations. Here are two, at
# least.
EAGAIN_STYLE = IOError(EAGAIN, "Resource temporarily unavailable")
EWOULDBLOCK_STYLE = OSError(EWOULDBLOCK, "Operation would block")
# Oh yea, and then there's the case where maybe we would've read, but
# someone sent us a signal instead.
EINTR_STYLE = IOError(EINTR, "Interrupted function call")
nonBlockingExceptionStyle = EAGAIN_STYLE
SEND_BUFFER_SIZE = 1024
def __init__(self, system, openFlags, fileMode):
"""
@param system: An L{_IInputOutputSystem} provider to use to perform I/O.
@param openFlags: Any flags to apply when opening the tunnel device.
See C{os.O_*}.
@type openFlags: L{int}
@param fileMode: ignored
"""
self.system = system
# Drop fileMode on the floor - evidence and logic suggest it is
# irrelevant with respect to /dev/net/tun
self.openFlags = openFlags
self.tunnelMode = None
self.requestedName = None
self.name = None
self.readBuffer = deque()
self.writeBuffer = deque()
self.pendingSignals = deque()
@property
def blocking(self):
"""
If the file descriptor for this tunnel is open in blocking mode,
C{True}. C{False} otherwise.
"""
return not (self.openFlags & self.system.O_NONBLOCK)
@property
def closeOnExec(self):
"""
If the file descriptor for this tunnel is marked as close-on-exec,
C{True}. C{False} otherwise.
"""
return bool(self.openFlags & self.system.O_CLOEXEC)
def addToReadBuffer(self, datagram):
"""
Deliver a datagram to this tunnel's read buffer. This makes it
available to be read later using the C{read} method.
@param datagram: The IPv4 datagram to deliver. If the mode of this
tunnel is TAP then ethernet framing will be added automatically.
@type datagram: L{bytes}
"""
# TAP devices also include ethernet framing.
if self.tunnelMode & TunnelFlags.IFF_TAP.value:
datagram = _ethernet(
src=b'\x00' * 6, dst=b'\xff' * 6, protocol=_IPv4,
payload=datagram)
self.readBuffer.append(datagram)
def read(self, limit):
"""
Read a datagram out of this tunnel.
@param limit: The maximum number of bytes from the datagram to return.
If the next datagram is larger than this, extra bytes are dropped
and lost forever.
@type limit: L{int}
@raise OSError: Any of the usual I/O problems can result in this
exception being raised with some particular error number set.
@raise IOError: Any of the usual I/O problems can result in this
exception being raised with some particular error number set.
@return: The datagram which was read from the tunnel. If the tunnel
mode does not include L{TunnelFlags.IFF_NO_PI} then the datagram is
prefixed with a 4 byte PI header.
@rtype: L{bytes}
"""
if self.readBuffer:
if self.tunnelMode & TunnelFlags.IFF_NO_PI.value:
header = b""
else:
# Synthesize a PI header to include in the result. Nothing in
# twisted.pair uses the PI information yet so we can synthesize
# something incredibly boring (ie 32 bits of 0).
header = b"\x00" * _PI_SIZE
limit -= 4
return header + self.readBuffer.popleft()[:limit]
elif self.blocking:
raise NotImplementedError()
else:
raise self.nonBlockingExceptionStyle
def write(self, datagram):
"""
Write a datagram into this tunnel.
@param datagram: The datagram to write.
@type datagram: L{bytes}
@raise IOError: Any of the usual I/O problems can result in this
exception being raised with some particular error number set.
@return: The number of bytes of the datagram which were written.
@rtype: L{int}
"""
if self.pendingSignals:
self.pendingSignals.popleft()
raise IOError(EINTR, "Interrupted system call")
if len(datagram) > self.SEND_BUFFER_SIZE:
raise IOError(ENOBUFS, "No buffer space available")
self.writeBuffer.append(datagram)
return len(datagram)
def _privileged(original):
"""
Wrap a L{MemoryIOSystem} method with permission-checking logic. The
returned function will check C{self.permissions} and raise L{IOError} with
L{errno.EPERM} if the function name is not listed as an available
permission.
@param original: The L{MemoryIOSystem} instance to wrap.
@return: A wrapper around C{original} that applies permission checks.
"""
@wraps(original)
def permissionChecker(self, *args, **kwargs):
if original.__name__ not in self.permissions:
raise IOError(EPERM, "Operation not permitted")
return original(self, *args, **kwargs)
return permissionChecker
@implementer(_IInputOutputSystem)
class MemoryIOSystem(object):
"""
An in-memory implementation of basic I/O primitives, useful in the context
of unit testing as a drop-in replacement for parts of the C{os} module.
@ivar _devices:
@ivar _openFiles:
@ivar permissions:
@ivar _counter:
"""
_counter = 8192
O_RDWR = 1 << 0
O_NONBLOCK = 1 << 1
O_CLOEXEC = 1 << 2
def __init__(self):
self._devices = {}
self._openFiles = {}
self.permissions = set(['open', 'ioctl'])
def getTunnel(self, port):
"""
Get the L{Tunnel} object associated with the given L{TuntapPort}.
@param port: A L{TuntapPort} previously initialized using this
L{MemoryIOSystem}.
@return: The tunnel object created by a prior use of C{open} on this
object on the tunnel special device file.
@rtype: L{Tunnel}
"""
return self._openFiles[port.fileno()]
def registerSpecialDevice(self, name, cls):
"""
Specify a class which will be used to handle I/O to a device of a
particular name.
@param name: The filesystem path name of the device.
@type name: L{bytes}
@param cls: A class (like L{Tunnel}) to instantiated whenever this
device is opened.
"""
self._devices[name] = cls
@_privileged
def open(self, name, flags, mode=None):
"""
A replacement for C{os.open}. This initializes state in this
L{MemoryIOSystem} which will be reflected in the behavior of the other
file descriptor-related methods (eg L{MemoryIOSystem.read},
L{MemoryIOSystem.write}, etc).
@param name: A string giving the name of the file to open.
@type name: C{bytes}
@param flags: The flags with which to open the file.
@type flags: C{int}
@param mode: The mode with which to open the file.
@type mode: C{int}
@raise OSError: With C{ENOSYS} if the file is not a recognized special
device file.
@return: A file descriptor associated with the newly opened file
description.
@rtype: L{int}
"""
if name in self._devices:
fd = self._counter
self._counter += 1
self._openFiles[fd] = self._devices[name](self, flags, mode)
return fd
raise OSError(ENOSYS, "Function not implemented")
def read(self, fd, limit):
"""
Try to read some bytes out of one of the in-memory buffers which may
previously have been populated by C{write}.
@see: L{os.read}
"""
try:
return self._openFiles[fd].read(limit)
except KeyError:
raise OSError(EBADF, "Bad file descriptor")
def write(self, fd, data):
"""
Try to add some bytes to one of the in-memory buffers to be accessed by
a later C{read} call.
@see: L{os.write}
"""
try:
return self._openFiles[fd].write(data)
except KeyError:
raise OSError(EBADF, "Bad file descriptor")
def close(self, fd):
"""
Discard the in-memory buffer and other in-memory state for the given
file descriptor.
@see: L{os.close}
"""
try:
del self._openFiles[fd]
except KeyError:
raise OSError(EBADF, "Bad file descriptor")
@_privileged
def ioctl(self, fd, request, args):
"""
Perform some configuration change to the in-memory state for the given
file descriptor.
@see: L{fcntl.ioctl}
"""
try:
tunnel = self._openFiles[fd]
except KeyError:
raise IOError(EBADF, "Bad file descriptor")
if request != _TUNSETIFF:
raise IOError(EINVAL, "Request or args is not valid.")
name, mode = struct.unpack('%dsH' % (_IFNAMSIZ,), args)
tunnel.tunnelMode = mode
tunnel.requestedName = name
tunnel.name = name[:_IFNAMSIZ - 3] + b"123"
return struct.pack('%dsH' % (_IFNAMSIZ,), tunnel.name, mode)
def sendUDP(self, datagram, address):
"""
Write an ethernet frame containing an ip datagram containing a udp
datagram containing the given payload, addressed to the given address,
to a tunnel device previously opened on this I/O system.
@param datagram: A UDP datagram payload to send.
@type datagram: L{bytes}
@param address: The destination to which to send the datagram.
@type address: L{tuple} of (L{bytes}, L{int})
@return: A two-tuple giving the address from which gives the address
from which the datagram was sent.
@rtype: L{tuple} of (L{bytes}, L{int})
"""
# Just make up some random thing
srcIP = '10.1.2.3'
srcPort = 21345
serialized = _ip(
src=srcIP, dst=address[0], payload=_udp(
src=srcPort, dst=address[1], payload=datagram))
openFiles = list(self._openFiles.values())
openFiles[0].addToReadBuffer(serialized)
return (srcIP, srcPort)
def receiveUDP(self, fileno, host, port):
"""
Get a socket-like object which can be used to receive a datagram sent
from the given address.
@param fileno: A file descriptor representing a tunnel device which the
datagram will be received via.
@type fileno: L{int}
@param host: The IPv4 address to which the datagram was sent.
@type host: L{bytes}
@param port: The UDP port number to which the datagram was sent.
received.
@type port: L{int}
@return: A L{socket.socket}-like object which can be used to receive
the specified datagram.
"""
return _FakePort(self, fileno)
class _FakePort(object):
"""
A socket-like object which can be used to read UDP datagrams from
tunnel-like file descriptors managed by a L{MemoryIOSystem}.
"""
def __init__(self, system, fileno):
self._system = system
self._fileno = fileno
def recv(self, nbytes):
"""
Receive a datagram sent to this port using the L{MemoryIOSystem} which
created this object.
This behaves like L{socket.socket.recv} but the data being I{sent} and
I{received} only passes through various memory buffers managed by this
object and L{MemoryIOSystem}.
@see: L{socket.socket.recv}
"""
data = self._system._openFiles[self._fileno].writeBuffer.popleft()
datagrams = []
receiver = DatagramProtocol()
def capture(datagram, address):
datagrams.append(datagram)
receiver.datagramReceived = capture
udp = RawUDPProtocol()
udp.addProto(12345, receiver)
ip = IPProtocol()
ip.addProto(17, udp)
mode = self._system._openFiles[self._fileno].tunnelMode
if (mode & TunnelFlags.IFF_TAP.value):
ether = EthernetProtocol()
ether.addProto(0x800, ip)
datagramReceived = ether.datagramReceived
else:
datagramReceived = lambda data: ip.datagramReceived(
data, None, None, None, None)
dataHasPI = not (mode & TunnelFlags.IFF_NO_PI.value)
if dataHasPI:
# datagramReceived can't handle the PI, get rid of it.
data = data[_PI_SIZE:]
datagramReceived(data)
return datagrams[0][:nbytes]
|