chore(restrictednet): add internal/restrictednet package

.github/workflows/ci.yml

@@ -63,6 +63,10 @@ jobs:
           -v "$(pwd)/coverage.txt:/tmp/gobuild/coverage.txt" \
           test-container
 
+      - name: Run integration tests in test container
+        run: |
+          docker run --rm --entrypoint "go test -tags=integration ./internal/restrictednet" test-container
+
       - name: Verify dev cross platform compatibility
         run: docker build --target xcompile .
 

.vscode/settings.json

@@ -3,7 +3,7 @@
   // to develop this project.
   "files.eol": "\n",
   "editor.formatOnSave": true,
-  "go.buildTags": "linux",
+  "go.buildTags": "linux,integration",
   "go.toolsEnvVars": {
     "CGO_ENABLED": "0"
   },

AGENTS.md

@@ -50,6 +50,7 @@ Guidance for coding agents working in this repository.
 - Prefer splitting a code line only when it triggers the `lll` linter, do not split a command or arguments list for each element
 - Use `netip` types instead of `net` types whenever possible
 - Use constants instead of variables whenever possible, especially function-local inline constants.
+- Prefer using pure functions over methods when possible. Especially if the method does not need any fields from the receiving struct, it should be a pure function.
 - Do not use `time.Sleep`, prefer using a `time.Timer` with a `select` statement also listening on a context cancelation
 - `panic`:
   - should only be used when a programming error is encountered and you should NOT return errors for programming errors (such as passing nil objects)
@@ -115,6 +116,7 @@ Mocking works with the `go.uber.org/mock` library, and the `mockgen` tool.
   - **Never** use `.AnyTimes()` on mocks. Always define the number of times a certain mock call should be called, with `.Times(3)` for example.
   - **Always** set the `.Return(...)` on the mock if the function returns something.
   - Avoid using **mock helpers** functions, prefer a bit of repetition than tight coupling and dependency
+  - Always define the gomock controller `ctrl` in the subtest and not in the parent test, or a subtest mock failing will crash all the other subtests.
 
 ### main.go
 
@@ -127,6 +129,7 @@ The Go formatter used is gofumpt.
 ### Errors
 
 - Always prefer wrapping errors with some context with `fmt.Errorf("doing this: %w", err)`
+- Use `errors.New("error message")` when creating a 'bottom' constant string error without additional context, instead of `fmt.Errorf`
 - In rare cases, you can just use `return err` notably:
   - If the function is called **recursively**, since we don't wrap the wrapping multiple times for each recursion
   - If the current function only statement is the call to another function, for example:
@@ -179,6 +182,8 @@ The Go formatter used is gofumpt.
 
 - Do not use `http.DefaultClient`, use a custom `*http.Client` with a fixed timeout and share with dependency injections.
 - Do not check for injected dependencies being `nil`, prefer to just panic on a nil pointer. By default it's fine to panic if a developer injects a dependency `nil`. `nil` does not mean use a default.
+- Prefer using a `switch { case ...}` statement over multiple consecutive `if` statements to have shorter code.
+- Prefer using `[...]T` instead of `[]T` when the length is fixed and known at compile time, to avoid unnecessary allocations.
 
 ## Validation checklist
 

internal/firewall/interfaces.go

@@ -28,6 +28,8 @@ type firewallImpl interface { //nolint:interfacebloat
 	AcceptIpv6MulticastOutput(ctx context.Context, intf string) error
 	AcceptOutput(ctx context.Context, protocol, intf string,
 		ip netip.Addr, port uint16, remove bool) error
+	AcceptOutputFromIPPortToIPPort(ctx context.Context, protocol, intf string,
+		source, destination netip.AddrPort, remove bool) error
 	AcceptOutputFromIPToSubnet(ctx context.Context, intf string, assignedIP netip.Addr,
 		subnet netip.Prefix, remove bool) error
 	AcceptOutputThroughInterface(ctx context.Context, intf string, remove bool) error

internal/firewall/iptables/iptables.go

@@ -2,6 +2,7 @@ package iptables
 
 import (
 	"context"
+	"errors"
 	"fmt"
 	"io"
 	"net/netip"
@@ -177,6 +178,29 @@ func (c *Config) AcceptOutput(ctx context.Context,
 	return c.runIP6tablesInstruction(ctx, instruction)
 }
 
+func (c *Config) AcceptOutputFromIPPortToIPPort(ctx context.Context,
+	protocol, intf string, source, destination netip.AddrPort, remove bool,
+) error {
+	if source.Addr().BitLen() != destination.Addr().BitLen() {
+		return errors.New("source and destination address families do not match")
+	}
+
+	interfaceFlag := "-o " + intf
+	if intf == "*" { // all interfaces
+		interfaceFlag = ""
+	}
+
+	instruction := fmt.Sprintf("%s OUTPUT %s -s %s -d %s -p %s -m %s --sport %d --dport %d -j ACCEPT",
+		appendOrDelete(remove), interfaceFlag, source.Addr(), destination.Addr(),
+		protocol, protocol, source.Port(), destination.Port())
+	if destination.Addr().Is4() {
+		return c.runIptablesInstruction(ctx, instruction)
+	} else if c.ip6Tables == "" {
+		return fmt.Errorf("accept output from %s to %s: %s", source, destination, needIP6Tables)
+	}
+	return c.runIP6tablesInstruction(ctx, instruction)
+}
+
 // AcceptOutputFromIPToSubnet accepts outgoing traffic from sourceIP to destinationSubnet
 // on the interface intf. If intf is empty, it is set to "*" which means all interfaces.
 // If remove is true, the rule is removed instead of added.

internal/firewall/wrappers.go

@@ -25,3 +25,10 @@ func (c *Config) AcceptOutput(ctx context.Context, protocol, intf string,
 ) error {
 	return c.impl.AcceptOutput(ctx, protocol, intf, ip, port, remove)
 }
+
+func (c *Config) AcceptOutputFromIPPortToIPPort(ctx context.Context,
+	protocol, intf string, source, destination netip.AddrPort, remove bool,
+) error {
+	return c.impl.AcceptOutputFromIPPortToIPPort(ctx, protocol, intf,
+		source, destination, remove)
+}

internal/restrictednet/client.go

@@ -0,0 +1,80 @@
+package restrictednet
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"net"
+	"net/http"
+	"net/netip"
+	"strconv"
+
+	"github.com/qdm12/dns/v2/pkg/provider"
+)
+
+// Client is a client for making restricted network requests,
+// such as opening temporary firewall rules for HTTPS connections.
+// It is not meant to be high performance, although it can be used for
+// multiple requests and concurrently.
+type Client struct {
+	outboundInterface string
+	ipv6Supported     bool
+	firewall          Firewall
+	dohServers        []provider.DoHServer
+}
+
+func New(settings Settings) *Client {
+	if err := settings.validate(); err != nil {
+		panic(fmt.Sprintf("invalid settings: %v", err)) // programming error
+	}
+	dohServers := make([]provider.DoHServer, len(settings.UpstreamResolvers))
+	for i, upstreamResolver := range settings.UpstreamResolvers {
+		dohServers[i] = upstreamResolver.DoH
+	}
+
+	return &Client{
+		outboundInterface: settings.DefaultInterface,
+		ipv6Supported:     *settings.IPv6Supported,
+		firewall:          settings.Firewall,
+		dohServers:        dohServers,
+	}
+}
+
+// OpenHTTPSByHostname opens an https connection through the firewall,
+// to the hostname which in the format `host:port`. The returned cleanup
+// function must be called to remove the temporary firewall rule and close connections.
+// It first resolves the domain in hostname using DNS over HTTPS and then opens
+// the restricted HTTPS connection to the resolved IP.
+func (c *Client) OpenHTTPSByHostname(ctx context.Context, hostname string) (
+	httpClient *http.Client, cleanup func() error, err error,
+) {
+	host, portStr, err := net.SplitHostPort(hostname)
+	if err != nil {
+		return nil, nil, fmt.Errorf("splitting host and port: %w", err)
+	}
+	resolvedIPs, err := c.ResolveName(ctx, host)
+	if err != nil {
+		return nil, nil, fmt.Errorf("resolving name: %w", err)
+	} else if len(resolvedIPs) == 0 {
+		return nil, nil, fmt.Errorf("no IP address found for name %q", host)
+	}
+
+	portUint, err := strconv.ParseUint(portStr, 10, 16)
+	if err != nil {
+		return nil, nil, fmt.Errorf("parsing port: %w", err)
+	}
+	port := uint16(portUint)
+
+	errs := make([]error, 0, len(resolvedIPs))
+	for _, ip := range resolvedIPs {
+		addrPort := netip.AddrPortFrom(ip, port)
+		httpClient, cleanup, err := c.OpenHTTPS(ctx, host, addrPort)
+		if err != nil {
+			errs = append(errs, fmt.Errorf("for %s: %w", ip, err))
+			continue
+		}
+		return httpClient, cleanup, nil
+	}
+
+	return nil, nil, fmt.Errorf("opening HTTPS to %s: %w", hostname, errors.Join(errs...))
+}

internal/restrictednet/helpers_test.go

@@ -0,0 +1,5 @@
+package restrictednet
+
+func ptrTo[T any](value T) *T {
+	return &value
+}