Damian Johnson <atagar1@xxxxxxxxx> wrote:
> Hazaa, many thanks for the patches! Committed with the exception of
> sockstat2 (see below).
>
> http://www.atagar.com/transfer/tmp/arm_bsdTest2.tar.bz2
>
> > One unrelated problem I noticed is that Arm tends to show local
> > connections as Outbound.
>
> Netstat, lsof, etc doesn't include a notion of the directionality of a
> connection, so I'm using the local port to determine if it's inbound
> or outbound. If it matches the ORPort or DirPort then it's inbound,
> otherwise it's outbound (line 323 of the connPanel.py [1]). Do you
> know a smarter way of handling this?
I agree that a connection on the local ORPort or DirPort should be
listed as inbound, but I think the same should be done with connections
on the SocksPort. Currently they are listed as outbound with the local
Tor address replaced:
[public gateway IP]:9050 --> 10.0.0.1:58305 (??) UNKNOWN UNKNOWN 3.4s (OUTBOUND)
> I'm familiar with Linux's chroot jail environments (where this works),
> but not that details of what the bsd counterpart does.
I think those connections would be listed as outbound on other
systems, too.
> > Given that the connection doesn't leave the system, replacing
> > the Tor jail IP address with the public IP address of the gateway
> > is a bit confusing.
>
> Sorry, I'm not following. Why isn't the tor connection leaving the
> system? I'm using the results of 'GETINFO address' which tends to be a
> lot more helpful than showing the ip on the local network (though I
> can include an option to display the local address instead if you'd
> like).
The connection doesn't leave the system because its a socks
connection with both the source and the destination address
located on the same system.
I think an option to display the real address would be useful.
It probably would also make sense to not show the local port
when replacing the address.
The outbound connection:
fk@r500 ~ $sudo pfctl -ss | grep 31515
all tcp 10.0.0.2:31515 -> 192.168.0.106:52509 -> [some Tor server address]:9001 ESTABLISHED:ESTABLISHED
Is listed as:
[public gateway IP]:31515 --> [some Tor server address]:9001 (us) [fingerprint] [relay name] 14.6m (OUTBOUND)
but given that the local Tor address is behind two NAT layers
it's highly unlikely that the Tor server will see the connection
as coming from source port 31515.
Maybe it would make even more sense to show the connection
similar to the way pfctl does. I'm thinking of something like:
10.0.0.2:31515 --> [public Tor IP address][:port if known] --> [Tor server address]:9001 (us) [fingerprint] [relay name] 14.6m (OUTBOUND)
> > Also, when running Arm outside the Tor jail, the Tor
> > configuration file isn't found.
>
> See the "features.pathPrefix" entry in the sample armrc [2]. It's
> specifically for jail environments (arm will otherwise also be failing
> to find tor's state, log file, and some other resources used to
> prepopulate data). If you have a suggestion for an automatic method
> for determining the jail path then I'm all ears.
Using features.pathPrefix works for me, thanks for mentioning it.
Maybe it should be mentioning in the log message when the torrc
can't be found?
> > so arm is trying to read a torrc on the host in the location it knows
> > which is displayed from the jail, but is ignoring the jail flag.
>
> I'm attempting to read the torrc from the location Tor reports (via
> 'GETINFO config-file'), using the features.pathPrefix as... well, a
> path prefix. I'm not familiar with a method of getting the jail path
> for Linux jails. Is this information available for bsd jails?
It is, if you are outside the FreeBSD jail.
> I'm happy to help with a patch to autodetect for bsd jails if you have
> a suggestion for how.
The attached patch seems to work for me.
> > -- sockstat sockstat -4 | egrep '<process>\s*<pid>' | grep -v '*:*'
> > +- sockstat sockstat -4c | grep '<process> *<pid>'
>
> Aren't the *:* connections unestablished? From the output given earlier:
> _tor tor 4397 8 udp4 172.27.72.202:53 *:*
> _tor tor 4397 9 tcp4 172.27.72.202:9051 *:*
> _tor tor 4397 12 tcp4 172.27.72.202:54011 [scrubbed]:9001
>
> that seemed to be what it meant. Arm might choke on the asterisks (it
> expects numeric port numbers), but including with the commit...
Actually the problem was egrep not understanding "\s" as meta character.
sockstat's -c flag lets it only show the connected sockets, so the last
grep is no longer necessary.
> > + userInput = raw_input("Enter query (<ss, netstat, lsof, sockstat> PROCESS_NAME [PID]): ").split()
> > + elif userInput[0] == "sockstat": userInput[0] = CMD_SOCKSTAT
>
> Nice catch!
I missed procstat, though.
> > +RUN_BSD_SOCKSTAT_2 = "sockstat -4c | awk '($2 == \"%s\" && $3 == %s) {print $6 \" \" $7}'"
>
> Is there any advantage to having both sockstat commands? This will
> probably just confuse users so I'm holding off on this one for now.
No real advantage, but as I already had the patch anyway, I was interested
to see the performance differences (which seem to be negligible). I agree
that one sockstat command should do.
> > + # XXX: both issues could be solved by filtering for the
> > + # control port IP address instead of the process name.
>
> By the control port IP address? If there's multiple tor instances on
> the same system then they'd all have the same IP.
When I was running two Tor servers on a FreeBSD system, they were
running on different jails with different IP addresses using the
standard ports. Filtering for the address would have helped there.
You are obviously right that other configurations are possible,
though, they just didn't occur to me when I wrote the comment.
Fabian
From 4d76058ca1add6c4ab53d9eb714325cc79b8e721 Mon Sep 17 00:00:00 2001
From: Fabian Keil <fk@xxxxxxxxxxxxx>
Date: Wed, 8 Dec 2010 23:51:12 +0100
Subject: [PATCH] When monitoring a Tor process running in a FreeBSD jail, automatically prepend the jailpath to the configLocation.
The jailpath magic can still be overwritten using features.pathPrefix.
---
src/util/torTools.py | 33 +++++++++++++++++++++++++++++++++
1 files changed, 33 insertions(+), 0 deletions(-)
diff --git a/src/util/torTools.py b/src/util/torTools.py
index 03bdfdb..2a22a17 100644
--- a/src/util/torTools.py
+++ b/src/util/torTools.py
@@ -81,11 +81,44 @@ def loadConfig(config):
CONFIG["features.pathPrefix"] = prefixPath
+def getJid():
+ """
+ Get the FreeBSD jail id for the monitored Tor process.
+ """
+
+ torPid = getConn().getMyPid()
+ psOutput = sysTools.call("ps -p %s -o jid" % torPid)
+ # Output when called from a FreeBSD jail or when Tor isn't jailed:
+ # JID
+ # 0
+ # otherwise something like:
+ # JID
+ # 1
+ if len(psOutput) == 2 and len(psOutput[1].split()) == 1:
+ jid = psOutput[1].strip()
+ if jid.isdigit():
+ return int(jid)
+
+ log.log(log.WARN, "Failed to figure out the FreeBSD jail id. Assuming 0.")
+ return 0
+
def getPathPrefix():
"""
Provides the path prefix that should be used for fetching tor resources.
"""
+ osType = os.uname()[0]
+ if osType == "FreeBSD" and not CONFIG["features.pathPrefix"]:
+ jid = getJid()
+ if jid != 0:
+ jlsOutput = sysTools.call("jls -j %s" % jid)
+ # Output should be something like:
+ # JID IP Address Hostname Path
+ # 1 10.0.0.2 tor-jail /usr/jails/tor-jail
+ if len(jlsOutput) == 2 and len(jlsOutput[1].split()) == 4:
+ jailPath = jlsOutput[1].split()[3]
+ return jailPath
+
return CONFIG["features.pathPrefix"]
def getPid(controlPort=9051, pidFilePath=None):
--
1.7.3.3
Attachment:
signature.asc
Description: PGP signature