fixes relating to intercepting DNS queries over IPv6

author: Christian Grothoff <christian@grothoff.org> 2016-09-27 22:25:05 +0000
committer: Christian Grothoff <christian@grothoff.org> 2016-09-27 22:25:05 +0000
commit: 64732cdb0d95320d9274b26fcac6e617d6473248 (patch)
tree: a21c273a37f4f210dd577a30e746d6269db75ccf /src/dns/gnunet-helper-dns.c
parent: 94adb0e8c48d47e13e7319bb0fe228263b15abbf (diff)
download: gnunet-64732cdb0d95320d9274b26fcac6e617d6473248.tar.gz
gnunet-64732cdb0d95320d9274b26fcac6e617d6473248.zip
1 files changed, 94 insertions, 1 deletions
diff --git a/src/dns/gnunet-helper-dns.c b/src/dns/gnunet-helper-dns.c
index 2f723d09d..1d411379f 100644
--- a/src/dns/gnunet-helper-dns.c
+++ b/src/dns/gnunet-helper-dns.c
@@ -101,6 +101,11 @@ struct in6_ifreq
 static const char *sbin_iptables;
 /**
+ * Name and full path of IPTABLES binary.
+ */
+static const char *sbin_ip6tables;
+/**
 * Name and full path of sysctl binary
 */
 static const char *sbin_sysctl;
@@ -757,7 +762,7 @@ main (int argc, char *const*argv)
    return 254;
  }
 #endif
-  if (0 == strncmp(argv[6], "1", 2))
+  if (0 == strncmp (argv[6], "1", 2))
    nortsetup = 1;
  if (0 == nortsetup)
@@ -774,6 +779,17 @@ main (int argc, char *const*argv)
               strerror (errno));
      return 3;
    }
+    if (0 == access ("/sbin/ip6tables", X_OK))
+      sbin_ip6tables = "/sbin/ip6tables";
+    else if (0 == access ("/usr/sbin/ip6tables", X_OK))
+      sbin_ip6tables = "/usr/sbin/ip6tables";
+    else
+    {
+      fprintf (stderr,
+               "Fatal: executable ip6tables not found in approved directories: %s\n",
+               strerror (errno));
+      return 3;
+    }
    if (0 == access ("/sbin/ip", X_OK))
      sbin_ip = "/sbin/ip";
    else if (0 == access ("/usr/sbin/ip", X_OK))
@@ -942,6 +958,16 @@ main (int argc, char *const*argv)
      if (0 != fork_and_exec (sbin_iptables, mangle_args))
        goto cleanup_rest;
    }
+    {
+      char *const mangle_args[] =
+        {
+         "ip6tables", "-m", "owner", "-t", "mangle", "-I", "OUTPUT", "1", "-p",
+         "udp", "--gid-owner", mygid, "--dport", DNS_PORT, "-j",
+         "ACCEPT", NULL
+        };
+      if (0 != fork_and_exec (sbin_ip6tables, mangle_args))
+        goto cleanup_rest;
+    }
    /* Mark all of the other DNS traffic using our mark DNS_MARK */
    {
      char *const mark_args[] =
@@ -953,6 +979,16 @@ main (int argc, char *const*argv)
      if (0 != fork_and_exec (sbin_iptables, mark_args))
        goto cleanup_mangle_1;
    }
+    {
+      char *const mark_args[] =
+        {
+         "ip6tables", "-t", "mangle", "-I", "OUTPUT", "2", "-p",
+         "udp", "--dport", DNS_PORT, "-j", "MARK", "--set-mark", DNS_MARK,
+         NULL
+        };
+      if (0 != fork_and_exec (sbin_ip6tables, mark_args))
+        goto cleanup_mangle_1;
+    }
    /* Forward all marked DNS traffic to our DNS_TABLE */
    {
      char *const forward_args[] =
@@ -962,6 +998,14 @@ main (int argc, char *const*argv)
      if (0 != fork_and_exec (sbin_ip, forward_args))
        goto cleanup_mark_2;
    }
+    {
+      char *const forward_args[] =
+        {
+          "ip", "-6", "rule", "add", "fwmark", DNS_MARK, "table", DNS_TABLE, NULL
+        };
+      if (0 != fork_and_exec (sbin_ip, forward_args))
+        goto cleanup_mark_2;
+    }
    /* Finally, add rule in our forwarding table to pass to our virtual interface */
    {
      char *const route_args[] =
@@ -972,6 +1016,15 @@ main (int argc, char *const*argv)
      if (0 != fork_and_exec (sbin_ip, route_args))
        goto cleanup_forward_3;
    }
+    {
+      char *const route_args[] =
+        {
+          "ip", "-6", "route", "add", "default", "dev", dev,
+          "table", DNS_TABLE, NULL
+        };
+      if (0 != fork_and_exec (sbin_ip, route_args))
+        goto cleanup_forward_3;
+    }
  }
  /* drop privs *except* for the saved UID; this is not perfect, but better
@@ -1028,6 +1081,16 @@ main (int argc, char *const*argv)
    if (0 != fork_and_exec (sbin_ip, route_clean_args))
      r += 1;
  }
+  if (0 == nortsetup)
+  {
+    char *const route_clean_args[] =
+      {
+        "ip", "-6", "route", "del", "default", "dev", dev,
+        "table", DNS_TABLE, NULL
+      };
+    if (0 != fork_and_exec (sbin_ip, route_clean_args))
+      r += 1;
+  }
 cleanup_forward_3:
  if (0 == nortsetup)
  {
@@ -1038,6 +1101,15 @@ main (int argc, char *const*argv)
    if (0 != fork_and_exec (sbin_ip, forward_clean_args))
      r += 2;
  }
+  if (0 == nortsetup)
+  {
+    char *const forward_clean_args[] =
+      {
+        "ip", "-6", "rule", "del", "fwmark", DNS_MARK, "table", DNS_TABLE, NULL
+      };
+    if (0 != fork_and_exec (sbin_ip, forward_clean_args))
+      r += 2;
+  }
 cleanup_mark_2:
  if (0 == nortsetup)
  {
@@ -1049,6 +1121,16 @@ main (int argc, char *const*argv)
    if (0 != fork_and_exec (sbin_iptables, mark_clean_args))
      r += 4;
  }
+  if (0 == nortsetup)
+  {
+    char *const mark_clean_args[] =
+      {
+        "ip6tables", "-t", "mangle", "-D", "OUTPUT", "-p", "udp",
+        "--dport", DNS_PORT, "-j", "MARK", "--set-mark", DNS_MARK, NULL
+      };
+    if (0 != fork_and_exec (sbin_ip6tables, mark_clean_args))
+      r += 4;
+  }
 cleanup_mangle_1:
  if (0 == nortsetup)
  {
@@ -1061,6 +1143,17 @@ main (int argc, char *const*argv)
    if (0 != fork_and_exec (sbin_iptables, mangle_clean_args))
      r += 8;
  }
+  if (0 == nortsetup)
+  {
+    char *const mangle_clean_args[] =
+      {
+        "ip6tables", "-m", "owner", "-t", "mangle", "-D", "OUTPUT", "-p", "udp",
+         "--gid-owner", mygid, "--dport", DNS_PORT, "-j", "ACCEPT",
+        NULL
+      };
+    if (0 != fork_and_exec (sbin_ip6tables, mangle_clean_args))
+      r += 8;
+  }
 cleanup_rest:
  /* close virtual interface */
author	Christian Grothoff <christian@grothoff.org>	2016-09-27 22:25:05 +0000
committer	Christian Grothoff <christian@grothoff.org>	2016-09-27 22:25:05 +0000
commit	64732cdb0d95320d9274b26fcac6e617d6473248 (patch)
tree	a21c273a37f4f210dd577a30e746d6269db75ccf /src/dns/gnunet-helper-dns.c
parent	94adb0e8c48d47e13e7319bb0fe228263b15abbf (diff)
download	gnunet-64732cdb0d95320d9274b26fcac6e617d6473248.tar.gz gnunet-64732cdb0d95320d9274b26fcac6e617d6473248.zip

diff --git a/src/dns/gnunet-helper-dns.c b/src/dns/gnunet-helper-dns.c index 2f723d09d..1d411379f 100644 --- a/src/dns/gnunet-helper-dns.c +++ b/src/dns/gnunet-helper-dns.c
@@ -101,6 +101,11 @@ struct in6_ifreq
101	static const char *sbin_iptables;	101	static const char *sbin_iptables;
102		102
103	/**	103	/**
		104	* Name and full path of IPTABLES binary.
		105	*/
		106	static const char *sbin_ip6tables;
		107
		108	/**
104	* Name and full path of sysctl binary	109	* Name and full path of sysctl binary
105	*/	110	*/
106	static const char *sbin_sysctl;	111	static const char *sbin_sysctl;
@@ -757,7 +762,7 @@ main (int argc, char constargv)
757	return 254;	762	return 254;
758	}	763	}
759	#endif	764	#endif
760	if (0 == strncmp(argv[6], "1", 2))	765	if (0 == strncmp (argv[6], "1", 2))
761	nortsetup = 1;	766	nortsetup = 1;
762		767
763	if (0 == nortsetup)	768	if (0 == nortsetup)
@@ -774,6 +779,17 @@ main (int argc, char constargv)
774	strerror (errno));	779	strerror (errno));
775	return 3;	780	return 3;
776	}	781	}
		782	if (0 == access ("/sbin/ip6tables", X_OK))
		783	sbin_ip6tables = "/sbin/ip6tables";
		784	else if (0 == access ("/usr/sbin/ip6tables", X_OK))
		785	sbin_ip6tables = "/usr/sbin/ip6tables";
		786	else
		787	{
		788	fprintf (stderr,
		789	"Fatal: executable ip6tables not found in approved directories: %s\n",
		790	strerror (errno));
		791	return 3;
		792	}
777	if (0 == access ("/sbin/ip", X_OK))	793	if (0 == access ("/sbin/ip", X_OK))
778	sbin_ip = "/sbin/ip";	794	sbin_ip = "/sbin/ip";
779	else if (0 == access ("/usr/sbin/ip", X_OK))	795	else if (0 == access ("/usr/sbin/ip", X_OK))
@@ -942,6 +958,16 @@ main (int argc, char constargv)
942	if (0 != fork_and_exec (sbin_iptables, mangle_args))	958	if (0 != fork_and_exec (sbin_iptables, mangle_args))
943	goto cleanup_rest;	959	goto cleanup_rest;
944	}	960	}
		961	{
		962	char *const mangle_args[] =
		963	{
		964	"ip6tables", "-m", "owner", "-t", "mangle", "-I", "OUTPUT", "1", "-p",
		965	"udp", "--gid-owner", mygid, "--dport", DNS_PORT, "-j",
		966	"ACCEPT", NULL
		967	};
		968	if (0 != fork_and_exec (sbin_ip6tables, mangle_args))
		969	goto cleanup_rest;
		970	}
945	/* Mark all of the other DNS traffic using our mark DNS_MARK */	971	/* Mark all of the other DNS traffic using our mark DNS_MARK */
946	{	972	{
947	char *const mark_args[] =	973	char *const mark_args[] =
@@ -953,6 +979,16 @@ main (int argc, char constargv)
953	if (0 != fork_and_exec (sbin_iptables, mark_args))	979	if (0 != fork_and_exec (sbin_iptables, mark_args))
954	goto cleanup_mangle_1;	980	goto cleanup_mangle_1;
955	}	981	}
		982	{
		983	char *const mark_args[] =
		984	{
		985	"ip6tables", "-t", "mangle", "-I", "OUTPUT", "2", "-p",
		986	"udp", "--dport", DNS_PORT, "-j", "MARK", "--set-mark", DNS_MARK,
		987	NULL
		988	};
		989	if (0 != fork_and_exec (sbin_ip6tables, mark_args))
		990	goto cleanup_mangle_1;
		991	}
956	/* Forward all marked DNS traffic to our DNS_TABLE */	992	/* Forward all marked DNS traffic to our DNS_TABLE */
957	{	993	{
958	char *const forward_args[] =	994	char *const forward_args[] =
@@ -962,6 +998,14 @@ main (int argc, char constargv)
962	if (0 != fork_and_exec (sbin_ip, forward_args))	998	if (0 != fork_and_exec (sbin_ip, forward_args))
963	goto cleanup_mark_2;	999	goto cleanup_mark_2;
964	}	1000	}
		1001	{
		1002	char *const forward_args[] =
		1003	{
		1004	"ip", "-6", "rule", "add", "fwmark", DNS_MARK, "table", DNS_TABLE, NULL
		1005	};
		1006	if (0 != fork_and_exec (sbin_ip, forward_args))
		1007	goto cleanup_mark_2;
		1008	}
965	/* Finally, add rule in our forwarding table to pass to our virtual interface */	1009	/* Finally, add rule in our forwarding table to pass to our virtual interface */
966	{	1010	{
967	char *const route_args[] =	1011	char *const route_args[] =
@@ -972,6 +1016,15 @@ main (int argc, char constargv)
972	if (0 != fork_and_exec (sbin_ip, route_args))	1016	if (0 != fork_and_exec (sbin_ip, route_args))
973	goto cleanup_forward_3;	1017	goto cleanup_forward_3;
974	}	1018	}
		1019	{
		1020	char *const route_args[] =
		1021	{
		1022	"ip", "-6", "route", "add", "default", "dev", dev,
		1023	"table", DNS_TABLE, NULL
		1024	};
		1025	if (0 != fork_and_exec (sbin_ip, route_args))
		1026	goto cleanup_forward_3;
		1027	}
975	}	1028	}
976		1029
977	/* drop privs except for the saved UID; this is not perfect, but better	1030	/* drop privs except for the saved UID; this is not perfect, but better
@@ -1028,6 +1081,16 @@ main (int argc, char constargv)
1028	if (0 != fork_and_exec (sbin_ip, route_clean_args))	1081	if (0 != fork_and_exec (sbin_ip, route_clean_args))
1029	r += 1;	1082	r += 1;
1030	}	1083	}
		1084	if (0 == nortsetup)
		1085	{
		1086	char *const route_clean_args[] =
		1087	{
		1088	"ip", "-6", "route", "del", "default", "dev", dev,
		1089	"table", DNS_TABLE, NULL
		1090	};
		1091	if (0 != fork_and_exec (sbin_ip, route_clean_args))
		1092	r += 1;
		1093	}
1031	cleanup_forward_3:	1094	cleanup_forward_3:
1032	if (0 == nortsetup)	1095	if (0 == nortsetup)
1033	{	1096	{
@@ -1038,6 +1101,15 @@ main (int argc, char constargv)
1038	if (0 != fork_and_exec (sbin_ip, forward_clean_args))	1101	if (0 != fork_and_exec (sbin_ip, forward_clean_args))
1039	r += 2;	1102	r += 2;
1040	}	1103	}
		1104	if (0 == nortsetup)
		1105	{
		1106	char *const forward_clean_args[] =
		1107	{
		1108	"ip", "-6", "rule", "del", "fwmark", DNS_MARK, "table", DNS_TABLE, NULL
		1109	};
		1110	if (0 != fork_and_exec (sbin_ip, forward_clean_args))
		1111	r += 2;
		1112	}
1041	cleanup_mark_2:	1113	cleanup_mark_2:
1042	if (0 == nortsetup)	1114	if (0 == nortsetup)
1043	{	1115	{
@@ -1049,6 +1121,16 @@ main (int argc, char constargv)
1049	if (0 != fork_and_exec (sbin_iptables, mark_clean_args))	1121	if (0 != fork_and_exec (sbin_iptables, mark_clean_args))
1050	r += 4;	1122	r += 4;
1051	}	1123	}
		1124	if (0 == nortsetup)
		1125	{
		1126	char *const mark_clean_args[] =
		1127	{
		1128	"ip6tables", "-t", "mangle", "-D", "OUTPUT", "-p", "udp",
		1129	"--dport", DNS_PORT, "-j", "MARK", "--set-mark", DNS_MARK, NULL
		1130	};
		1131	if (0 != fork_and_exec (sbin_ip6tables, mark_clean_args))
		1132	r += 4;
		1133	}
1052	cleanup_mangle_1:	1134	cleanup_mangle_1:
1053	if (0 == nortsetup)	1135	if (0 == nortsetup)
1054	{	1136	{
@@ -1061,6 +1143,17 @@ main (int argc, char constargv)
1061	if (0 != fork_and_exec (sbin_iptables, mangle_clean_args))	1143	if (0 != fork_and_exec (sbin_iptables, mangle_clean_args))
1062	r += 8;	1144	r += 8;
1063	}	1145	}
		1146	if (0 == nortsetup)
		1147	{
		1148	char *const mangle_clean_args[] =
		1149	{
		1150	"ip6tables", "-m", "owner", "-t", "mangle", "-D", "OUTPUT", "-p", "udp",
		1151	"--gid-owner", mygid, "--dport", DNS_PORT, "-j", "ACCEPT",
		1152	NULL
		1153	};
		1154	if (0 != fork_and_exec (sbin_ip6tables, mangle_clean_args))
		1155	r += 8;
		1156	}
1064		1157
1065	cleanup_rest:	1158	cleanup_rest:
1066	/* close virtual interface */	1159	/* close virtual interface */