-
Notifications
You must be signed in to change notification settings - Fork 229
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
redo route management. #2140
Comments
how would per-application routing be done ? I've tried a few and they seem like hacks. Netns, iptables+running as different users, firejail, all have different issues. And there is flatpak, which has no consideration for proxying either. |
in the proposed setup, it'd be nftables rules + run application as a user in a group e.g.
tooling for netns are painful still. |
Is it possible that a process changes its GID so that it leaks the traffic. nvm, apps are not assumed to be malicious in this threat model |
only if a process can |
|
How about setting up a netns and running firefox in firejail ? It sounds more secure to me. (nftables seemed to leak traffic for me when interface down or misconfigured) |
that would indeed work very well. there was an attempt years ago to do it that failed.
lokinet needs to somehow straddle the boundary of both netns so that dns and tun are inside it and the rest of lokinet is outside it.
yea it's a l3 tun, if it was l2 tap it may work |
how do you think of portmaster. it seems to do selective routing |
i like their ui but i know nothing of their internals |
from my two days use of portmaster, its a pain to use without subscribing to their SPN.
it'd be great if it can route to socks proxies, tor (through tun2socks or something idk) and lokinet, as an all-encompassing solution to desktop proxy-selective-routing on linux. (but it doesnt consider netns) edit, I switched to Opensnitch when portmaster started hogging my cpu |
@planetoryd
You mean like stream isolation? I think more documentation should be about editing the loki config (the equivilent to Tor's torrc) |
stream isolation would be for .loki and .snode using ipv6 flow labels, it should be in with #2119 |
I mean maintaining multiple isolated online identities through different proxies securely, in general. The core of proxy-selective-routing is not application/connection/whatever, but identity isolation. The set of rules are means to the end. Casual proxying usually aims at simple circumvention of censor, or accessing private networks. It's already available. Find the right environment variables, parameters, and try again if the app doesn't pick them up. Usually there are two identities at least, one for package installers, the other for browsing. more for more complex setup. |
FYI, I wrote a Rust script to handle my needs. It's really handy to me. Ex. enters netns without sudo (sudo messes up a lot of things I decided to ditch it in this scenario) I use it daily. |
On Tuesday, 23 May 2023 06:32:55 EDT plein wrote:
FYI, I wrote a [Rust script](https://github.com/planetoryd/netns-proxy) to
handle my needs. It's really handy to me. Ex. enters netns without sudo
(sudo messes up a lot of things I decided to ditch it in this scenario) I
use it daily.
this is very very cool.
you should make a lokinet-awesome repo too. i have a few other things i'd like
to add to such.
…--
~jeff
|
the route poker as is, currently is a linux only thing and it's kind of hacky. we end up having to periodically probe the routing table to figure out if we need to modify it. this was done because i wanted to make it work and all i had to reference was openvpn. the way it is done now also does not allow us to do selective routing, which is something users have been asking for (i want it too).
ideally i want to remove the route poker and delegate the responsibility of route management to the system layer using nftables. i can see 2 primary modes of operation:
_lokinet-direct
would be forced to route traffic over thelokitun0
interface._lokinet-tunnel
group will always use thelokitun0
interface for traffic.this means future route management would not be done by lokinet process on linux. this would also make the route management code on every other platform much simpler as they all offload this to the system layer already.
The text was updated successfully, but these errors were encountered: