Revision 310ae019
b/vncauthproxy/proxy.py | ||
---|---|---|
20 | 20 |
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA |
21 | 21 |
# 02110-1301, USA. |
22 | 22 |
|
23 |
DEFAULT_LISTEN_ADDRESS = None |
|
24 |
DEFAULT_LISTEN_PORT = 24999 |
|
23 |
# Daemon files |
|
25 | 24 |
DEFAULT_LOG_FILE = "/var/log/vncauthproxy/vncauthproxy.log" |
26 | 25 |
DEFAULT_PID_FILE = "/var/run/vncauthproxy/vncauthproxy.pid" |
27 |
DEFAULT_CONNECT_TIMEOUT = 30 |
|
26 |
|
|
27 |
# By default, bind / listen for control connections to TCP *:24999 |
|
28 |
# (both IPv4 and IPv6) |
|
29 |
DEFAULT_LISTEN_ADDRESS = None |
|
30 |
DEFAULT_LISTEN_PORT = 24999 |
|
31 |
|
|
32 |
# Backlog for the control socket |
|
33 |
DEFAULT_BACKLOG = 256 |
|
34 |
|
|
35 |
# Timeout for the VNC server connection establishment / RFB handshake |
|
36 |
DEFAULT_SERVER_TIMEOUT = 60.0 |
|
37 |
|
|
38 |
# Connect retries and delay between retries for the VNC server socket |
|
28 | 39 |
DEFAULT_CONNECT_RETRIES = 3 |
29 | 40 |
DEFAULT_RETRY_WAIT = 0.1 |
30 |
DEFAULT_BACKLOG = 256 |
|
31 |
DEFAULT_SOCK_TIMEOUT = 60.0 |
|
41 |
|
|
42 |
# Connect timeout for the listening sockets |
|
43 |
DEFAULT_CONNECT_TIMEOUT = 30 |
|
44 |
|
|
45 |
# Port range for the listening sockets |
|
46 |
# |
|
32 | 47 |
# We must take care not to fall into the ephemeral port range, |
33 | 48 |
# this can lead to transient failures to bind a chosen port. |
34 | 49 |
# |
35 | 50 |
# By default, Linux uses 32768 to 61000, see: |
36 | 51 |
# http://www.ncftp.com/ncftpd/doc/misc/ephemeral_ports.html#Linux |
37 | 52 |
# so 25000-30000 seems to be a sensible default. |
53 |
# |
|
54 |
# We also take into account the ports that Ganeti daemons bind to, the port |
|
55 |
# range used by DRBD etc. |
|
38 | 56 |
DEFAULT_MIN_PORT = 25000 |
39 | 57 |
DEFAULT_MAX_PORT = 30000 |
40 | 58 |
|
... | ... | |
98 | 116 |
""" |
99 | 117 |
id = 1 |
100 | 118 |
|
101 |
def __init__(self, logger, listeners, pool, daddr, dport, server, password, |
|
102 |
connect_timeout): |
|
119 |
def __init__(self, logger, client): |
|
103 | 120 |
""" |
104 | 121 |
@type logger: logging.Logger |
105 | 122 |
@param logger: the logger to use |
106 |
@type listeners: list |
|
107 |
@param listeners: list of listening sockets to use for clients |
|
108 |
@type pool: list |
|
109 |
@param pool: if not None, return the client number into this port pool |
|
110 |
@type daddr: str |
|
111 |
@param daddr: destination address (IPv4, IPv6 or hostname) |
|
112 |
@type dport: int |
|
113 |
@param dport: destination port |
|
114 |
@type server: socket |
|
115 |
@param server: VNC server socket |
|
116 |
@type password: str |
|
117 |
@param password: password to request from the client |
|
118 |
@type connect_timeout: int |
|
119 |
@param connect_timeout: how long to wait for client connections |
|
120 |
(seconds) |
|
123 |
@type client: socket.socket |
|
124 |
@param listeners: the client control connection socket |
|
121 | 125 |
|
122 | 126 |
""" |
123 | 127 |
gevent.Greenlet.__init__(self) |
124 | 128 |
self.id = VncAuthProxy.id |
125 | 129 |
VncAuthProxy.id += 1 |
126 | 130 |
self.log = logger |
127 |
self.listeners = listeners
|
|
131 |
self.client = client
|
|
128 | 132 |
# A list of worker/forwarder greenlets, one for each direction |
129 | 133 |
self.workers = [] |
130 |
# All listening sockets are assumed to be on the same port |
|
131 |
self.sport = listeners[0].getsockname()[1] |
|
132 |
self.pool = pool |
|
133 |
self.daddr = daddr |
|
134 |
self.dport = dport |
|
135 |
self.server = server |
|
136 |
self.password = password |
|
137 |
self.client = None |
|
138 |
self.timeout = connect_timeout |
|
134 |
self.sport = None |
|
135 |
self.pool = None |
|
136 |
self.daddr = None |
|
137 |
self.dport = None |
|
138 |
self.server = None |
|
139 |
self.password = None |
|
139 | 140 |
|
140 | 141 |
def _cleanup(self): |
141 | 142 |
"""Cleanup everything: workers, sockets, ports |
... | ... | |
197 | 198 |
# No need to close the source and dest sockets here. |
198 | 199 |
# They are owned by and will be closed by the original greenlet. |
199 | 200 |
|
201 |
def _perform_server_handshake(self): |
|
202 |
""" |
|
203 |
Initiate a connection with the backend server and perform basic |
|
204 |
RFB 3.8 handshake with it. |
|
205 |
|
|
206 |
Return a socket connected to the backend server. |
|
207 |
|
|
208 |
""" |
|
209 |
server = None |
|
210 |
|
|
211 |
tries = self.retries |
|
212 |
while tries: |
|
213 |
tries -= 1 |
|
214 |
|
|
215 |
# Initiate server connection |
|
216 |
for res in socket.getaddrinfo(self.addr, self.dport, |
|
217 |
socket.AF_UNSPEC, |
|
218 |
socket.SOCK_STREAM, 0, |
|
219 |
socket.AI_PASSIVE): |
|
220 |
af, socktype, proto, canonname, sa = res |
|
221 |
try: |
|
222 |
server = socket.socket(af, socktype, proto) |
|
223 |
except socket.error: |
|
224 |
server = None |
|
225 |
continue |
|
226 |
|
|
227 |
# Set socket timeout for the initial handshake |
|
228 |
server.settimeout(self.server_timeout) |
|
229 |
|
|
230 |
try: |
|
231 |
logger.debug("Connecting to %s:%s", *sa[:2]) |
|
232 |
server.connect(sa) |
|
233 |
logger.debug("Connection to %s:%s successful", *sa[:2]) |
|
234 |
except socket.error: |
|
235 |
server.close() |
|
236 |
server = None |
|
237 |
continue |
|
238 |
|
|
239 |
# We succesfully connected to the server |
|
240 |
tries = 0 |
|
241 |
break |
|
242 |
|
|
243 |
# Wait and retry |
|
244 |
gevent.sleep(self.retry_wait) |
|
245 |
|
|
246 |
if server is None: |
|
247 |
raise Exception("Failed to connect to server") |
|
248 |
|
|
249 |
version = server.recv(1024) |
|
250 |
if not rfb.check_version(version): |
|
251 |
raise Exception("Unsupported RFB version: %s" % version.strip()) |
|
252 |
|
|
253 |
server.send(rfb.RFB_VERSION_3_8 + "\n") |
|
254 |
|
|
255 |
res = server.recv(1024) |
|
256 |
types = rfb.parse_auth_request(res) |
|
257 |
if not types: |
|
258 |
raise Exception("Error handshaking with the server") |
|
259 |
|
|
260 |
else: |
|
261 |
logger.debug("Supported authentication types: %s", |
|
262 |
" ".join([str(x) for x in types])) |
|
263 |
|
|
264 |
if rfb.RFB_AUTHTYPE_NONE not in types: |
|
265 |
raise Exception("Error, server demands authentication") |
|
266 |
|
|
267 |
server.send(rfb.to_u8(rfb.RFB_AUTHTYPE_NONE)) |
|
268 |
|
|
269 |
# Check authentication response |
|
270 |
res = server.recv(4) |
|
271 |
res = rfb.from_u32(res) |
|
272 |
|
|
273 |
if res != 0: |
|
274 |
raise Exception("Authentication error") |
|
275 |
|
|
276 |
# Reset the timeout for the rest of the session |
|
277 |
server.settimeout(None) |
|
278 |
|
|
279 |
self.server = server |
|
280 |
|
|
281 |
def _establish_connection(self): |
|
282 |
client = self.client |
|
283 |
ports = VncAuthProxy.ports |
|
284 |
|
|
285 |
# Receive and parse a client request. |
|
286 |
response = { |
|
287 |
"source_port": 0, |
|
288 |
"status": "FAILED", |
|
289 |
} |
|
290 |
try: |
|
291 |
# TODO: support multiple forwardings in the same message? |
|
292 |
# |
|
293 |
# Control request, in JSON: |
|
294 |
# |
|
295 |
# { |
|
296 |
# "source_port": |
|
297 |
# <source port or 0 for automatic allocation>, |
|
298 |
# "destination_address": |
|
299 |
# <destination address of backend server>, |
|
300 |
# "destination_port": |
|
301 |
# <destination port> |
|
302 |
# "password": |
|
303 |
# <the password to use to authenticate clients> |
|
304 |
# } |
|
305 |
# |
|
306 |
# The <password> is used for MITM authentication of clients |
|
307 |
# connecting to <source_port>, who will subsequently be |
|
308 |
# forwarded to a VNC server listening at |
|
309 |
# <destination_address>:<destination_port> |
|
310 |
# |
|
311 |
# Control reply, in JSON: |
|
312 |
# { |
|
313 |
# "source_port": <the allocated source port> |
|
314 |
# "status": <one of "OK" or "FAILED"> |
|
315 |
# } |
|
316 |
# |
|
317 |
buf = client.recv(1024) |
|
318 |
req = json.loads(buf) |
|
319 |
|
|
320 |
sport_orig = int(req['source_port']) |
|
321 |
daddr = req['destination_address'] |
|
322 |
dport = int(req['destination_port']) |
|
323 |
password = req['password'] |
|
324 |
except Exception, e: |
|
325 |
logger.warn("Malformed request: %s", buf) |
|
326 |
client.send(json.dumps(response)) |
|
327 |
client.close() |
|
328 |
raise gevent.GreenletExit |
|
329 |
|
|
330 |
server = None |
|
331 |
try: |
|
332 |
# If the client has so indicated, pick an ephemeral source port |
|
333 |
# randomly, and remove it from the port pool. |
|
334 |
if sport_orig == 0: |
|
335 |
while True: |
|
336 |
try: |
|
337 |
sport = random.choice(ports) |
|
338 |
ports.remove(sport) |
|
339 |
break |
|
340 |
except ValueError: |
|
341 |
logger.debug("Port %d already taken", sport) |
|
342 |
|
|
343 |
logger.debug("Got port %d from pool, %d remaining", |
|
344 |
sport, len(ports)) |
|
345 |
pool = ports |
|
346 |
else: |
|
347 |
sport = sport_orig |
|
348 |
pool = None |
|
349 |
|
|
350 |
self.sport = sport |
|
351 |
self.pool = pool |
|
352 |
|
|
353 |
self.listeners = get_listening_sockets(sport) |
|
354 |
perform_server_handshake() |
|
355 |
|
|
356 |
logger.info("New forwarding: %d (client req'd: %d) -> %s:%d", |
|
357 |
sport, sport_orig, self.daddr, self.dport) |
|
358 |
response = {"source_port": sport, |
|
359 |
"status": "OK"} |
|
360 |
except IndexError: |
|
361 |
logger.error(("FAILED forwarding, out of ports for [req'd by " |
|
362 |
"client: %d -> %s:%d]"), |
|
363 |
sport_orig, self.daddr, self.dport) |
|
364 |
raise gevent.GreenletExit |
|
365 |
except Exception, msg: |
|
366 |
logger.error(msg) |
|
367 |
logger.error(("FAILED forwarding: %d (client req'd: %d) -> " |
|
368 |
"%s:%d"), sport, sport_orig, self.daddr, self.dport) |
|
369 |
if not pool is None: |
|
370 |
pool.append(sport) |
|
371 |
logger.debug("Returned port %d to pool, %d remanining", |
|
372 |
sport, len(pool)) |
|
373 |
if not server is None: |
|
374 |
server.close() |
|
375 |
raise gevent.GreenletExit |
|
376 |
finally: |
|
377 |
client.send(json.dumps(response)) |
|
378 |
client.close() |
|
379 |
|
|
200 | 380 |
def _client_handshake(self): |
201 | 381 |
""" |
202 | 382 |
Perform handshake/authentication with a connecting client |
... | ... | |
258 | 438 |
# Accept the authentication |
259 | 439 |
self.client.send(rfb.to_u32(rfb.RFB_AUTH_SUCCESS)) |
260 | 440 |
|
261 |
def _run(self):
|
|
441 |
def _proxy(self):
|
|
262 | 442 |
try: |
263 | 443 |
self.info("Waiting for a client to connect at %s", |
264 | 444 |
", ".join(["%s:%d" % s.getsockname()[:2] |
... | ... | |
320 | 500 |
finally: |
321 | 501 |
self._cleanup() |
322 | 502 |
|
503 |
def _run(self): |
|
504 |
_establish_connection() |
|
505 |
_proxy() |
|
506 |
|
|
323 | 507 |
# Logging support inside VncAuthproxy |
324 | 508 |
# Wrap all common logging functions in logging-specific methods |
325 | 509 |
for funcname in ["info", "debug", "warn", "error", "critical", |
... | ... | |
338 | 522 |
raise SystemExit |
339 | 523 |
|
340 | 524 |
|
341 |
def get_listening_sockets(sport): |
|
525 |
def get_listening_sockets(sport, saddr=None):
|
|
342 | 526 |
sockets = [] |
343 | 527 |
|
344 | 528 |
# Use two sockets, one for IPv4, one for IPv6. IPv4-to-IPv6 mapped |
345 | 529 |
# addresses do not work reliably everywhere (under linux it may have |
346 | 530 |
# been disabled in /proc/sys/net/ipv6/bind_ipv6_only). |
347 |
for res in socket.getaddrinfo(None, sport, socket.AF_UNSPEC,
|
|
531 |
for res in socket.getaddrinfo(saddr, sport, socket.AF_UNSPEC,
|
|
348 | 532 |
socket.SOCK_STREAM, 0, socket.AI_PASSIVE): |
349 | 533 |
af, socktype, proto, canonname, sa = res |
350 | 534 |
try: |
... | ... | |
371 | 555 |
return sockets |
372 | 556 |
|
373 | 557 |
|
374 |
def perform_server_handshake(daddr, dport, tries, retry_wait, sock_timeout): |
|
375 |
""" |
|
376 |
Initiate a connection with the backend server and perform basic |
|
377 |
RFB 3.8 handshake with it. |
|
378 |
|
|
379 |
Return a socket connected to the backend server. |
|
380 |
|
|
381 |
""" |
|
382 |
server = None |
|
383 |
|
|
384 |
while tries: |
|
385 |
tries -= 1 |
|
386 |
|
|
387 |
# Initiate server connection |
|
388 |
for res in socket.getaddrinfo(daddr, dport, socket.AF_UNSPEC, |
|
389 |
socket.SOCK_STREAM, 0, |
|
390 |
socket.AI_PASSIVE): |
|
391 |
af, socktype, proto, canonname, sa = res |
|
392 |
try: |
|
393 |
server = socket.socket(af, socktype, proto) |
|
394 |
except socket.error: |
|
395 |
server = None |
|
396 |
continue |
|
397 |
|
|
398 |
# Set socket timeout for the initial handshake |
|
399 |
server.settimeout(sock_timeout) |
|
400 |
|
|
401 |
try: |
|
402 |
logger.debug("Connecting to %s:%s", *sa[:2]) |
|
403 |
server.connect(sa) |
|
404 |
logger.debug("Connection to %s:%s successful", *sa[:2]) |
|
405 |
except socket.error: |
|
406 |
server.close() |
|
407 |
server = None |
|
408 |
continue |
|
409 |
|
|
410 |
# We succesfully connected to the server |
|
411 |
tries = 0 |
|
412 |
break |
|
413 |
|
|
414 |
# Wait and retry |
|
415 |
gevent.sleep(retry_wait) |
|
416 |
|
|
417 |
if server is None: |
|
418 |
raise Exception("Failed to connect to server") |
|
419 |
|
|
420 |
version = server.recv(1024) |
|
421 |
if not rfb.check_version(version): |
|
422 |
raise Exception("Unsupported RFB version: %s" % version.strip()) |
|
423 |
|
|
424 |
server.send(rfb.RFB_VERSION_3_8 + "\n") |
|
425 |
|
|
426 |
res = server.recv(1024) |
|
427 |
types = rfb.parse_auth_request(res) |
|
428 |
if not types: |
|
429 |
raise Exception("Error handshaking with the server") |
|
430 |
|
|
431 |
else: |
|
432 |
logger.debug("Supported authentication types: %s", |
|
433 |
" ".join([str(x) for x in types])) |
|
434 |
|
|
435 |
if rfb.RFB_AUTHTYPE_NONE not in types: |
|
436 |
raise Exception("Error, server demands authentication") |
|
437 |
|
|
438 |
server.send(rfb.to_u8(rfb.RFB_AUTHTYPE_NONE)) |
|
439 |
|
|
440 |
# Check authentication response |
|
441 |
res = server.recv(4) |
|
442 |
res = rfb.from_u32(res) |
|
443 |
|
|
444 |
if res != 0: |
|
445 |
raise Exception("Authentication error") |
|
446 |
|
|
447 |
# Reset the timeout for the rest of the session |
|
448 |
server.settimeout(None) |
|
449 |
|
|
450 |
return server |
|
451 |
|
|
452 |
|
|
453 | 558 |
def parse_arguments(args): |
454 | 559 |
from optparse import OptionParser |
455 | 560 |
|
456 | 561 |
parser = OptionParser() |
457 |
parser.add_option("--listen-address", dest="listen_address", |
|
458 |
default=DEFAULT_LISTEN_ADDRESS, |
|
459 |
metavar="LISTEN_ADDRESS", |
|
460 |
help=("Address to listen for control connections")) |
|
461 |
parser.add_option( "--listen-port", dest="listen_port", |
|
462 |
default=DEFAULT_LISTEN_PORT, |
|
463 |
metavar="LISTEN_PORT", |
|
464 |
help=("Port to listen for control connections")) |
|
465 | 562 |
parser.add_option("-d", "--debug", action="store_true", dest="debug", |
466 | 563 |
help="Enable debugging information") |
467 |
parser.add_option("-l", "--log", dest="log_file",
|
|
564 |
parser.add_option("--log", dest="log_file", |
|
468 | 565 |
default=DEFAULT_LOG_FILE, |
469 | 566 |
metavar="FILE", |
470 |
help=("Write log to FILE instead of %s" %
|
|
567 |
help=("Write log to FILE (default: %s)" %
|
|
471 | 568 |
DEFAULT_LOG_FILE)) |
472 | 569 |
parser.add_option('--pid-file', dest="pid_file", |
473 | 570 |
default=DEFAULT_PID_FILE, |
474 | 571 |
metavar='PIDFILE', |
475 | 572 |
help=("Save PID to file (default: %s)" % |
476 | 573 |
DEFAULT_PID_FILE)) |
477 |
parser.add_option("-t", "--connect-timeout", dest="connect_timeout", |
|
478 |
default=DEFAULT_CONNECT_TIMEOUT, type="int", |
|
479 |
metavar="SECONDS", help=("Wait SECONDS sec for a client " |
|
480 |
"to connect")) |
|
481 |
parser.add_option("-r", "--connect-retries", dest="connect_retries", |
|
574 |
parser.add_option("--listen-address", dest="listen_address", |
|
575 |
default=DEFAULT_LISTEN_ADDRESS, |
|
576 |
metavar="LISTEN_ADDRESS", |
|
577 |
help=("Address to listen for control connections" |
|
578 |
"(default: *)")) |
|
579 |
parser.add_option("--listen-port", dest="listen_port", |
|
580 |
default=DEFAULT_LISTEN_PORT, |
|
581 |
metavar="LISTEN_PORT", |
|
582 |
help=("Port to listen for control connections" |
|
583 |
"(default: %d)" % DEFAULT_LISTEN_PORT)) |
|
584 |
parser.add_option("-b", "--backlog", dest="backlog", |
|
585 |
default=DEFAULT_BACKLOG, type="int", metavar="N", |
|
586 |
help=("Size of the backlog for the control connection " |
|
587 |
"socket (default: %s)" % DEFAULT_BACKLOG)) |
|
588 |
parser.add_option("--server-timeout", dest="server_timeout", |
|
589 |
default=DEFAULT_SERVER_TIMEOUT, type="float", |
|
590 |
metavar="N", |
|
591 |
help=("Wait for N seconds for the VNC server RFB " |
|
592 |
"handshake (default %s)" % DEFAULT_SERVER_TIMEOUT)) |
|
593 |
parser.add_option("--connect-retries", dest="connect_retries", |
|
482 | 594 |
default=DEFAULT_CONNECT_RETRIES, type="int", |
483 |
metavar="RETRIES", |
|
484 |
help="How many times to try to connect to the server") |
|
485 |
parser.add_option("-w", "--retry-wait", dest="retry_wait", |
|
595 |
metavar="N", |
|
596 |
help=("Retry N times to connect to the " |
|
597 |
"server (default: %d)" % |
|
598 |
DEFAULT_CONNECT_RETRIES)) |
|
599 |
parser.add_option("--retry-wait", dest="retry_wait", |
|
486 | 600 |
default=DEFAULT_RETRY_WAIT, type="float", |
487 |
metavar="SECONDS", help=("Retry connection to server " |
|
488 |
"every SECONDS sec")) |
|
601 |
metavar="N", |
|
602 |
help=("Wait N seconds before retrying " |
|
603 |
"to connect to the server (default: %s)" % |
|
604 |
DEFAULT_RETRY_WAIT)) |
|
605 |
parser.add_option("--connect-timeout", dest="connect_timeout", |
|
606 |
default=DEFAULT_CONNECT_TIMEOUT, type="int", |
|
607 |
metavar="N", |
|
608 |
help=("Wait N seconds for a client " |
|
609 |
"to connect (default: %d)" |
|
610 |
% DEFAULT_CONNECT_TIMEOUT)) |
|
489 | 611 |
parser.add_option("-p", "--min-port", dest="min_port", |
490 | 612 |
default=DEFAULT_MIN_PORT, type="int", metavar="MIN_PORT", |
491 | 613 |
help=("The minimum port number to use for automatically-" |
492 |
"allocated ephemeral ports")) |
|
614 |
"allocated ephemeral ports (default: %s)" % |
|
615 |
DEFAULT_MIN_PORT)) |
|
493 | 616 |
parser.add_option("-P", "--max-port", dest="max_port", |
494 | 617 |
default=DEFAULT_MAX_PORT, type="int", metavar="MAX_PORT", |
495 | 618 |
help=("The maximum port number to use for automatically-" |
496 |
"allocated ephemeral ports")) |
|
497 |
parser.add_option("-b", "--backlog", dest="backlog", |
|
498 |
default=DEFAULT_BACKLOG, type="int", metavar="BACKLOG", |
|
499 |
help=("Length of the backlog queue for the control" |
|
500 |
"connection socket")) |
|
501 |
parser.add_option("--socket-timeout", dest="sock_timeout", |
|
502 |
default=DEFAULT_SOCK_TIMEOUT, type="float", |
|
503 |
metavar="SOCK_TIMEOUT", |
|
504 |
help=("Socket timeout for the server handshake")) |
|
505 |
|
|
506 |
return parser.parse_args(args) |
|
507 |
|
|
508 |
|
|
509 |
def establish_connection(client, addr, ports, opts): |
|
510 |
# Receive and parse a client request. |
|
511 |
response = { |
|
512 |
"source_port": 0, |
|
513 |
"status": "FAILED", |
|
514 |
} |
|
515 |
try: |
|
516 |
# TODO: support multiple forwardings in the same message? |
|
517 |
# |
|
518 |
# Control request, in JSON: |
|
519 |
# |
|
520 |
# { |
|
521 |
# "source_port": |
|
522 |
# <source port or 0 for automatic allocation>, |
|
523 |
# "destination_address": |
|
524 |
# <destination address of backend server>, |
|
525 |
# "destination_port": |
|
526 |
# <destination port> |
|
527 |
# "password": |
|
528 |
# <the password to use to authenticate clients> |
|
529 |
# } |
|
530 |
# |
|
531 |
# The <password> is used for MITM authentication of clients |
|
532 |
# connecting to <source_port>, who will subsequently be |
|
533 |
# forwarded to a VNC server listening at |
|
534 |
# <destination_address>:<destination_port> |
|
535 |
# |
|
536 |
# Control reply, in JSON: |
|
537 |
# { |
|
538 |
# "source_port": <the allocated source port> |
|
539 |
# "status": <one of "OK" or "FAILED"> |
|
540 |
# } |
|
541 |
# |
|
542 |
buf = client.recv(1024) |
|
543 |
req = json.loads(buf) |
|
544 |
|
|
545 |
sport_orig = int(req['source_port']) |
|
546 |
daddr = req['destination_address'] |
|
547 |
dport = int(req['destination_port']) |
|
548 |
password = req['password'] |
|
549 |
except Exception, e: |
|
550 |
logger.warn("Malformed request: %s", buf) |
|
551 |
client.send(json.dumps(response)) |
|
552 |
client.close() |
|
553 |
|
|
554 |
# Spawn a new Greenlet to service the request. |
|
555 |
server = None |
|
556 |
try: |
|
557 |
# If the client has so indicated, pick an ephemeral source port |
|
558 |
# randomly, and remove it from the port pool. |
|
559 |
if sport_orig == 0: |
|
560 |
while True: |
|
561 |
try: |
|
562 |
sport = random.choice(ports) |
|
563 |
ports.remove(sport) |
|
564 |
break |
|
565 |
except ValueError: |
|
566 |
logger.debug("Port %d already taken", sport) |
|
567 |
|
|
568 |
logger.debug("Got port %d from pool, %d remaining", |
|
569 |
sport, len(ports)) |
|
570 |
pool = ports |
|
571 |
else: |
|
572 |
sport = sport_orig |
|
573 |
pool = None |
|
574 |
|
|
575 |
listeners = get_listening_sockets(sport) |
|
576 |
server = perform_server_handshake(daddr, dport, |
|
577 |
opts.connect_retries, |
|
578 |
opts.retry_wait, opts.sock_timeout) |
|
579 |
|
|
580 |
VncAuthProxy.spawn(logger, listeners, pool, daddr, dport, |
|
581 |
server, password, opts.connect_timeout) |
|
582 |
|
|
583 |
logger.info("New forwarding: %d (client req'd: %d) -> %s:%d", |
|
584 |
sport, sport_orig, daddr, dport) |
|
585 |
response = {"source_port": sport, |
|
586 |
"status": "OK"} |
|
587 |
except IndexError: |
|
588 |
logger.error(("FAILED forwarding, out of ports for [req'd by " |
|
589 |
"client: %d -> %s:%d]"), |
|
590 |
sport_orig, daddr, dport) |
|
591 |
except Exception, msg: |
|
592 |
logger.error(msg) |
|
593 |
logger.error(("FAILED forwarding: %d (client req'd: %d) -> " |
|
594 |
"%s:%d"), sport, sport_orig, daddr, dport) |
|
595 |
if not pool is None: |
|
596 |
pool.append(sport) |
|
597 |
logger.debug("Returned port %d to pool, %d remanining", |
|
598 |
sport, len(pool)) |
|
599 |
if not server is None: |
|
600 |
server.close() |
|
601 |
finally: |
|
602 |
client.send(json.dumps(response)) |
|
603 |
client.close() |
|
619 |
"allocated ephemeral ports (default: %s)" % |
|
620 |
DEFAULT_MAX_PORT)) |
|
621 |
|
|
622 |
(opts, args) = parser.parse_args(args) |
|
623 |
|
|
624 |
if args: |
|
625 |
parser.print_help() |
|
626 |
sys.exit(1) |
|
604 | 627 |
|
605 | 628 |
|
606 | 629 |
def main(): |
607 | 630 |
"""Run the daemon from the command line""" |
608 | 631 |
|
609 |
(opts, args) = parse_arguments(sys.argv[1:])
|
|
632 |
(opts, ) = parse_arguments(sys.argv[1:]) |
|
610 | 633 |
|
611 | 634 |
# Create pidfile |
612 | 635 |
pidf = pidlockfile.TimeoutPIDLockFile(opts.pid_file, 10) |
... | ... | |
652 | 675 |
# we *must* reinit gevent |
653 | 676 |
gevent.reinit() |
654 | 677 |
|
655 |
sockets = [] |
|
656 |
for res in socket.getaddrinfo(opts.listen_address, opts.listen_port, |
|
657 |
socket.AF_UNSPEC, socket.SOCK_STREAM, 0, |
|
658 |
socket.AI_PASSIVE): |
|
659 |
af, socktype, proto, canonname, sa = res |
|
660 |
try: |
|
661 |
s = None |
|
662 |
s = socket.socket(af, socktype, proto) |
|
663 |
if af == socket.AF_INET6: |
|
664 |
# Bind v6 only when AF_INET6, otherwise either v4 or v6 bind |
|
665 |
# will fail. |
|
666 |
s.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_V6ONLY, 1) |
|
667 |
s.bind(sa) |
|
668 |
s.listen(opts.backlog) |
|
669 |
sockets.append(s) |
|
670 |
logger.info("Control socket listening on %s:%d", *sa[:2]) |
|
671 |
except socket.error, msg: |
|
672 |
logger.critical("Error binding control socket to %s:%d: %s", |
|
673 |
sa[0], sa[1], msg[1]) |
|
674 |
if s: |
|
675 |
s.close() |
|
676 |
while sockets: |
|
677 |
sockets.pop.close() |
|
678 |
|
|
679 |
sys.exit(1) |
|
680 |
|
|
681 | 678 |
# Catch signals to ensure graceful shutdown, |
682 |
# e.g., to make sure the control socket gets unlink()ed. |
|
683 | 679 |
# |
684 | 680 |
# Uses gevent.signal so the handler fires even during |
685 | 681 |
# gevent.socket.accept() |
... | ... | |
689 | 685 |
# Init ephemeral port pool |
690 | 686 |
ports = range(opts.min_port, opts.max_port + 1) |
691 | 687 |
|
688 |
# Init VncAuthProxy class attributes |
|
689 |
VncAuthProxy.server_timeout = opts.server_timeout |
|
690 |
VncAuthProxy.connect_retries = opts.connect_retries |
|
691 |
VncAuthProxy.retry_wait = opts.retry_wait |
|
692 |
VncAuthProxy.connect_timeout = opts.connect_timeout |
|
693 |
|
|
694 |
try: |
|
695 |
sockets = get_listening_sockets(opts.listen_address, |
|
696 |
opts.listen_port) |
|
697 |
except socket.error: |
|
698 |
logger.critical("Error binding control socket") |
|
699 |
sys.exit(1) |
|
700 |
|
|
692 | 701 |
while True: |
693 | 702 |
try: |
694 | 703 |
rlist, _, _ = select(sockets, [], []) |
695 | 704 |
for ctrl in rlist: |
696 |
client, addr = ctrl.accept()
|
|
705 |
client, _ = ctrl.accept()
|
|
697 | 706 |
logger.info("New control connection") |
698 | 707 |
|
699 |
gevent.Greenlet.spawn(establish_connection, client, addr, |
|
700 |
ports, opts) |
|
708 |
VncAuthProxy.spawn(logger, client) |
|
701 | 709 |
except Exception, e: |
702 | 710 |
logger.exception(e) |
703 | 711 |
continue |
Also available in: Unified diff