test TCP DNS override on Linux by ignoramous · Pull Request #189 · celzero/firestack

ignoramous · 2025-09-03T02:43:33Z

Copilot

Pull Request Overview

This PR adds a Linux testing tool to test TCP DNS override functionality. The tool creates a new Linux utility that can inject into network namespaces and test DNS-over-HTTPS (DoH) tunneling behavior.

Implements a TUN interface management tool for testing DNS override
Adds bridge implementation to integrate with the firestack intra package
Creates socket pair communication for namespace injection testing

Reviewed Changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.

File	Description
linux-tool/toy/main.go	Main testing tool that handles TUN device creation, namespace injection, and DNS tunnel setup
linux-tool/glue/glue.go	Bridge implementation providing required interfaces for firestack integration and TUN device utilities

_{Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.}

Copilot · 2025-09-03T02:44:20Z

linux-tool/toy/main.go

+func sendTUN(name string) {
+	sock := int(3)


The magic number '3' should be documented or replaced with a named constant to explain why file descriptor 3 is being used.

Suggested change

func sendTUN(name string) {

sock := int(3)

// SOCKET_FD is the file descriptor number expected to be a socket passed by the parent process.

const SOCKET_FD = 3

func sendTUN(name string) {

sock := SOCKET_FD

Copilot · 2025-09-03T02:44:21Z

linux-tool/glue/glue.go

+		return fd, err
+	}
+	var req [64]byte
+	copy(req[:15], []byte(name))


The copy operation limits the interface name to 15 bytes, but Linux interface names can be up to 15 characters (IFNAMSIZ-1). If the name is exactly 15 characters, this could cause issues since there's no null termination. Consider using copy(req[:16], []byte(name+"\0")) or validate the name length.

Suggested change

copy(req[:15], []byte(name))

if len(name) > 15 {

return -1, syscall.EINVAL

}

copy(req[:16], []byte(name+"\x00"))

Copilot · 2025-09-03T02:44:21Z

linux-tool/glue/glue.go

+	}
+}
+func OpenTUN(name string) (int, error) {
+	fd, err := syscall.Open("/dev/net/tun", syscall.O_RDWR, 600)


The file mode '600' should use a constant like 0600 for clarity, or better yet, use os.FileMode constants to make the octal permissions explicit.

Suggested change

fd, err := syscall.Open("/dev/net/tun", syscall.O_RDWR, 600)

fd, err := syscall.Open("/dev/net/tun", syscall.O_RDWR, 0600)

linux-tool/glue/glue.go

+func (bridge *MyBridge) OnProxiesStopped()        {}
+
+func Ioctl(fd int, req uint64, data []byte) (int, error) {
+	p := unsafe.Pointer(&data[0])


linux-tool/glue/glue.go

+func GenFDCmsg(fds []uint32) []byte {
+	cmsgLen := 16 + len(fds)*4
+	cmsg := make([]byte, cmsgLen)
+	binary.NativeEndian.PutUint64(cmsg[:], uint64(cmsgLen))


linux-tool/toy/main.go

+func sendTUN(name string) {
+	sock := int(3)
+	defer syscall.Close(sock)
+	syscall.SetNonblock(sock, true)


linux-tool/toy/main.go

+	ifInfo, err := net.InterfaceByName(name)
+	p(err)
+	var msg [4]byte
+	binary.NativeEndian.PutUint32(msg[:], uint32(ifInfo.MTU))


linux-tool/toy/main.go

+	p(err)
+	var msg [4]byte
+	binary.NativeEndian.PutUint32(msg[:], uint32(ifInfo.MTU))
+	cmsg := glue.GenFDCmsg([]uint32{uint32(tun)})


linux-tool/toy/main.go

+	pair, err := syscall.Socketpair(syscall.AF_UNIX, syscall.SOCK_SEQPACKET, 0)
+	p(err)
+	defer func() {
+		syscall.Close(pair[0])


linux-tool/toy/main.go

+	p(err)
+	defer func() {
+		syscall.Close(pair[0])
+		syscall.Close(pair[1])


linux-tool/toy/main.go

+		syscall.Close(pair[0])
+		syscall.Close(pair[1])
+	}()
+	syscall.SetNonblock(pair[0], true)


linux-tool/toy/main.go

+	c1 := exec.Command("/usr/bin/nsenter", "--target", fmt.Sprintf("%d", targetPid), "--user", "--net",
+		"--preserve-credentials", "--keep-caps",
+		elfPath, "-mode", "sendfd", "-tun", tunName)


test TCP DNS override on Linux

c801863

ignoramous requested a review from Copilot September 3, 2025 02:43

Copilot AI reviewed Sep 3, 2025

View reviewed changes

github-advanced-security bot found potential problems Sep 3, 2025

View reviewed changes

ignoramous mentioned this pull request Oct 22, 2025

Endpoint independent mapping slows down bandwidth #129

Open

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

test TCP DNS override on Linux#189

test TCP DNS override on Linux#189
ignoramous wants to merge 1 commit intocelzero:n2from
Lanius-collaris:quick-test1

ignoramous commented Sep 3, 2025

Uh oh!

Copilot AI left a comment

Uh oh!

Copilot AI Sep 3, 2025

Uh oh!

Copilot AI Sep 3, 2025

Uh oh!

Copilot AI Sep 3, 2025

Uh oh!

Check warning

Check failure

Check warning

Check failure

Check failure

Check warning

Check warning

Check warning

Check failure

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

-	copy(req[:15], []byte(name))
+	if len(name) > 15 {
+		return -1, syscall.EINVAL
+	}
+	copy(req[:16], []byte(name+"\x00"))

	fd, err := syscall.Open("/dev/net/tun", syscall.O_RDWR, 600)
	fd, err := syscall.Open("/dev/net/tun", syscall.O_RDWR, 0600)

Conversation

ignoramous commented Sep 3, 2025

Uh oh!

Copilot AI left a comment

Choose a reason for hiding this comment

Pull Request Overview

Reviewed Changes

Uh oh!

Copilot AI Sep 3, 2025

Choose a reason for hiding this comment

Uh oh!

Copilot AI Sep 3, 2025

Choose a reason for hiding this comment

Uh oh!

Copilot AI Sep 3, 2025

Choose a reason for hiding this comment

Uh oh!

Check warning

Check failure

Check warning

Check failure

Check failure

Check warning

Check warning

Check warning

Check failure

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants