Merge 4c04473dffce696cc90e368d515412446b45c282 into 869c79422f1126a9994b756a8ffc7a9405e4946f

debian/cargo-checksum.json

@@ -0,0 +1,5 @@
+[source.crates-io]
+replace-with = "vendored-sources"
+
+[source.vendored-sources]
+directory = "vendor"

debian/changelog

@@ -0,0 +1,25 @@
+phantun (0.7.0) UNRELEASED; urgency=medium
+
+  [ Datong Sun ]
+  * fix(fake-tcp): when `connect()`-ing, attempt to get ephemeral port using algorithm similar to Linux (#162)
+  * chore(deps): bump dependencies to latest
+  * chore(cargo): bump `fake-tcp` version to `0.6.0` and `phantun` to `0.7.0`
+
+  [ dependabot[bot] ]
+  * chore(deps): bump docker/build-push-action from 5 to 6
+  * chore(release): remove MIPS targets due to being downgraded to Tier 3 support by Rust
+  * docs(readme): latest release is now `v0.7.0`
+
+  [ Randy Li ]
+  * phantun: change default tun address to link local
+  * phantun: add client and server xor support
+  * rpm: add selinux and rpm spec
+  * deb: add debian files
+
+ -- Randy Li <ayaka@soulik.info>  Wed, 11 Dec 2024 15:30:45 +0000
+
+phantun (0.6.1-1) UNRELEASED; urgency=medium
+
+  * Initial release. (Closes: #nnnn)  <nnnn is the bug number of your ITP>
+
+ -- Randy Li <ayaka@soulik.info>  Wed, 06 Nov 2024 18:58:00 +0000

debian/compat

@@ -0,0 +1 @@
+10

debian/control

@@ -0,0 +1,19 @@
+Source: phantun
+Section: net
+Priority: optional
+Maintainer: Randy Li <ayaka@soulik.info>
+Build-Depends: debhelper (>= 9), cargo, rustc
+Standards-Version: 4.5.0
+Homepage: <insert homepage here>
+
+Package: phantun-client
+Architecture: any
+Depends: ${shlibs:Depends}, ${misc:Depends}
+Description: Phantun client
+ Phantun client binary.
+
+Package: phantun-server
+Architecture: any
+Depends: ${shlibs:Depends}, ${misc:Depends}
+Description: Phantun server
+ Phantun server binary.

debian/copyright

@@ -0,0 +1,24 @@
+Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
+Upstream-Name: phantun
+Source: https://github.com/hizukiayaka/phantun
+
+Files: *
+Copyright: 2023, Randy Li <ayaka@soulik.info>
+License: MIT
+ Permission is hereby granted, free of charge, to any person obtaining a copy
+ of this software and associated documentation files (the "Software"), to deal
+ in the Software without restriction, including without limitation the rights
+ to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ copies of the Software, and to permit persons to whom the Software is
+ furnished to do so, subject to the following conditions:
+ .
+ The above copyright notice and this permission notice shall be included in all
+ copies or substantial portions of the Software.
+ .
+ THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ SOFTWARE.

debian/phantun-client-wrapper

@@ -0,0 +1,6 @@
+#!/bin/bash
+PID_FILE=$1
+shift 1
+mkdir -p /var/run/phantun
+/usr/libexec/phantun/phantun-client "$@" &
+echo $! > /var/run/phantun/${PID_FILE}

debian/phantun-client.install

@@ -0,0 +1,2 @@
+usr/libexec/phantun/phantun-client
+usr/bin/phantun-client

debian/phantun-server-wrapper

@@ -0,0 +1,6 @@
+#!/bin/bash
+PID_FILE=$1
+shift 1
+mkdir -p /var/run/phantun
+/usr/libexec/phantun/phantun-server "$@" &
+echo $! > /var/run/phantun/${PID_FILE}

debian/phantun-server.install

@@ -0,0 +1,2 @@
+usr/libexec/phantun/phantun-server
+usr/bin/phantun-server

debian/rules

@@ -0,0 +1,35 @@
+#!/usr/bin/make -f
+
+%:
+	dh $@ --buildsystem=cargo
+
+override_dh_auto_install:
+	# Define DESTDIR
+	DESTDIR=$(CURDIR)/debian/phantun
+
+	# Install client binary
+	install -D -m 0755 target/release/client debian/tmp/usr/libexec/phantun/phantun-client
+
+	# Install server binary
+	install -D -m 0755 target/release/server debian/tmp/usr/libexec/phantun/phantun-server
+    
+	# Create wrapper scripts
+	install -D -m 0755 debian/phantun-client-wrapper  debian/tmp/usr/bin/phantun-client
+
+	install -D -m 0755 debian/phantun-server-wrapper debian/tmp/usr/bin/phantun-server
+
+	chmod +x debian/tmp/usr/bin/phantun-client
+	chmod +x debian/tmp/usr/bin/phantun-server
+
+override_dh_auto_configure:
+	cp ./debian/cargo-checksum.json ./.cargo-checksum.json
+
+override_dh_auto_build:
+	cargo build --release
+
+override_dh_install:
+	dh_install
+
+override_dh_auto_test:
+	# Disable the auto test step
+	true

rpm/phantun.spec

@@ -0,0 +1,128 @@
+Name:         	phantun 
+Version:        0.7.0
+Release:        2%{?dist}
+Summary:        A lightweight and fast UDP to TCP obfuscator
+
+License:        Apache-2.0
+URL:            https://github.com/dndx/phantun/tree/main
+Source0:        %{name}-%{version}.tar.gz
+
+BuildRequires:  rust
+BuildRequires:  cargo
+BuildRequires:  selinux-policy-devel
+
+%description
+Your project with client and server components.
+
+%package client
+Summary:        Client component of phantun
+Requires: (%{name}-selinux if selinux-policy-%{selinuxtype})
+
+%description client
+Phantun Client is like a machine with private IP address
+(192.168.200.2/fcc8::2) behind a router. In order for it to reach
+the Internet, you will need to SNAT the private IP address
+before it's traffic leaves the NIC.
+
+%package server
+Summary:        Server component of phantun
+Requires: (%{name}-selinux if selinux-policy-%{selinuxtype})
+
+%description server
+Phantun Server is like a server with private IP address
+(192.168.201.2/fcc9::2) behind a router. In order to access it from
+the Internet, you need to DNAT it's listening port on the router
+and change the destination IP address to where the server
+is listening for incoming connections.
+
+%package selinux
+Summary:        SELinux module for phantun
+%{?selinux_requires}
+%global modulename phantun
+%global selinuxtype targeted
+
+%description selinux
+This package provides the SELinux policy module to ensure phantun
+runs properly under an environment with SELinux enabled.
+
+%global debug_package %{nil}
+
+%prep
+%setup -q
+
+%build
+cargo build --release
+make -C selinux
+
+%install
+# Install binaries
+install -D -m 0755 target/release/client %{buildroot}/usr/libexec/phantun/phantun-client
+install -D -m 0755 target/release/server %{buildroot}/usr/libexec/phantun/phantun-server
+
+mkdir -p %{buildroot}/usr/bin
+# Create wrapper scripts
+echo '#!/bin/bash
+PID_FILE=$1
+shift 1
+mkdir -p /var/run/phantun
+/usr/libexec/phantun/phantun-client "$@" &
+echo $! > /var/run/phantun/${PID_FILE}' > %{buildroot}/usr/bin/phantun-client
+
+echo '#!/bin/bash
+PID_FILE=$1
+shift 1
+mkdir -p /var/run/phantun
+/usr/libexec/phantun/phantun-server "$@" &
+echo $! > /var/run/phantun/${PID_FILE}' > %{buildroot}/usr/bin/phantun-server
+
+# Make wrapper scripts executable
+chmod +x %{buildroot}/usr/bin/phantun-client
+chmod +x %{buildroot}/usr/bin/phantun-server
+
+# SELinux
+install -d %{buildroot}%{_datadir}/selinux/packages/%{selinuxtype}
+install -m 0644 selinux/%{modulename}.pp.bz2 %{buildroot}%{_datadir}/selinux/packages/%{selinuxtype}
+
+%pre selinux
+%selinux_relabel_pre -s %{selinuxtype}
+
+%post selinux
+%selinux_modules_install -s %{selinuxtype} %{_datadir}/selinux/packages/%{selinuxtype}/%{modulename}.pp.bz2
+
+%postun selinux
+if [ $1 -eq 0 ]; then
+    %selinux_modules_uninstall -s %{selinuxtype} %{modulename}
+fi
+
+%posttrans selinux
+%selinux_relabel_post -s %{selinuxtype}
+
+%files client
+/usr/libexec/phantun/phantun-client
+/usr/bin/phantun-client
+
+%files server
+/usr/libexec/phantun/phantun-server
+/usr/bin/phantun-server
+
+%files selinux
+%{_datadir}/selinux/packages/%{selinuxtype}/%{modulename}.pp.bz2
+
+%changelog
+* Wed Dec 11 2024 Randy Li <ayaka@soulik.info> - 0.7.0-2
+- chore(deps): update tokio-tun requirement from 0.9 to 0.11
+- chore(deps): update nix requirement from 0.27 to 0.28
+- chore(deps): bump softprops/action-gh-release from 1 to 2
+- chore(docs): update license year to 2024
+- docs(readme): update `README.md` to include incoming interface (`-i tun0`) in client NAT commands example (#163)
+- Revert "docs(readme): update `README.md` to include incoming interface (`-i t…"
+- fix(fake-tcp): when `connect()`-ing, attempt to get ephemeral port using algorithm similar to Linux (#162)
+- chore(deps): bump dependencies to latest
+- chore(cargo): bump `fake-tcp` version to `0.6.0` and `phantun` to `0.7.0`
+- chore(deps): bump docker/build-push-action from 5 to 6
+- chore(release): remove MIPS targets due to being downgraded to Tier 3 support by Rust
+- docs(readme): latest release is now `v0.7.0`
+
+* Sat Oct 14 2023 Randy Li <ayaka@soulik.info> - 0.6.1-1
+- Initial package
+

selinux/Makefile

@@ -0,0 +1,26 @@
+TARGET?=phantun
+MODULES?=${TARGET:=.pp.bz2}
+SHAREDIR?=/usr/share
+
+all: ${TARGET:=.pp.bz2}
+
+%.pp.bz2: %.pp
+	@echo Compressing $^ -\> $@
+	bzip2 -9 $^
+
+%.pp: %.te
+	make -f ${SHAREDIR}/selinux/devel/Makefile $@
+
+clean:
+	rm -f *~  *.tc *.pp *.pp.bz2
+	rm -rf tmp *.tar.gz
+
+man: install-policy
+	sepolicy manpage --path . --domain ${TARGET}_t
+
+install-policy: all
+	semodule -i ${TARGET}.pp.bz2
+
+install: man
+	install -D -m 644 ${TARGET}.pp.bz2 ${DESTDIR}${SHAREDIR}/selinux/packages/${TARGET}.pp.bz2
+	install -D -m 644 ${TARGET}_selinux.8 ${DESTDIR}${SHAREDIR}/man/man8/

selinux/phantun.fc

@@ -0,0 +1,5 @@
+/usr/libexec/phantun/phantun-client -- gen_context(system_u:object_r:phantun_client_exec_t,s0)
+/usr/libexec/phantun/phantun-server -- gen_context(system_u:object_r:phantun_server_exec_t,s0)
+/usr/bin/phantun-client -- gen_context(system_u:object_r:wireguard_exec_t,s0)
+/usr/bin/phantun-server -- gen_context(system_u:object_r:wireguard_exec_t,s0)
+/var/run/phantun(/.*)? gen_context(system_u:object_r:phantun_var_run_t,s0)

selinux/phantun.te

@@ -0,0 +1,60 @@
+policy_module(phantun, 1.0)
+
+gen_require(`
+    type wireguard_t;
+    type wireguard_exec_t;
+    class capability net_admin;
+    class tun_socket { append bind connect create getattr getopt ioctl lock read relabelfrom relabelto setattr setopt shutdown write };
+    class tcp_socket { name_bind listen accept connect };
+    class udp_socket { name_bind };
+    class file { getattr open read write create unlink execute };
+    class process { transition };
+')
+
+
+# Define custom types
+type phantun_server_exec_t;
+type phantun_client_exec_t;
+type phantun_server_port_t;
+type phantun_client_port_t;
+type phantun_var_run_t;
+
+# Allow the wrapper scripts to execute the phantun client and server binaries
+allow wireguard_exec_t phantun_client_exec_t:file { getattr open read execute };
+allow wireguard_exec_t phantun_server_exec_t:file { getattr open read execute };
+
+# Allow the wrapper scripts to write to the PID file
+allow wireguard_exec_t phantun_var_run_t:file { getattr open read write create unlink };
+allow wireguard_t self:process transition;
+
+####################################
+# Server
+#
+
+# Allow wireguard_t to execute the server binary
+allow wireguard_t phantun_server_exec_t:file { getattr open read execute };
+
+# Allow the server to create and manage tun devices
+allow phantun_server_exec_t self:tun_socket { append bind connect create getattr getopt ioctl lock read relabelfrom relabelto setattr setopt shutdown write };
+
+# Allow the server to bind to the custom TCP port and listen for incoming connections
+allow phantun_server_exec_t phantun_server_port_t:tcp_socket { name_bind listen accept };
+
+# Allow the server to use net_admin capability
+allow phantun_server_exec_t self:capability net_admin;
+
+####################################
+# Client
+#
+
+# Allow wireguard_t to execute the client binary
+allow wireguard_t phantun_client_exec_t:file { getattr open read execute };
+
+# Allow the client to create and manage tun devices
+allow phantun_client_exec_t self:tun_socket { append bind connect create getattr getopt ioctl lock read relabelfrom relabelto setattr setopt shutdown write };
+
+# Allow the client to bind to the custom UDP port
+#allow phantun_client_exec_t phantun_client_port_t:udp_socket { name_bind };
+
+# Allow the client to use net_admin capability
+allow phantun_client_exec_t self:capability net_admin;