author | Christian Grothoff <christian@grothoff.org> | 2016-10-09 12:00:15 +0000 |
---|---|---|
committer | Christian Grothoff <christian@grothoff.org> | 2016-10-09 12:00:15 +0000 |
commit | a766078062ac47d0a9f06570388da851a53f5457 (patch) | |
tree | d9561844684f39d664e1a433c17b80ca66f4c915 /src/dns | |
parent | eb876a69e4d34771a7c614fa1355f4e902bd1abe (diff) | |
do not try to intercept link-local DNS traffic, as we cannot properly re-inject it into the kernel's IP stack
Diffstat (limited to 'src/dns')
-rw-r--r-- | src/dns/gnunet-helper-dns.c | 52 |
1 files changed, 31 insertions, 21 deletions
diff --git a/src/dns/gnunet-helper-dns.c b/src/dns/gnunet-helper-dns.c index 1d411379f..1c5744002 100644 --- a/src/dns/gnunet-helper-dns.c +++ b/src/dns/gnunet-helper-dns.c | |||
@@ -966,14 +966,16 @@ main (int argc, char *const*argv) | |||
966 | "ACCEPT", NULL | 966 | "ACCEPT", NULL |
967 | }; | 967 | }; |
968 | if (0 != fork_and_exec (sbin_ip6tables, mangle_args)) | 968 | if (0 != fork_and_exec (sbin_ip6tables, mangle_args)) |
969 | goto cleanup_rest; | 969 | goto cleanup_mangle_1b; |
970 | } | 970 | } |
971 | /* Mark all of the other DNS traffic using our mark DNS_MARK */ | 971 | /* Mark all of the other DNS traffic using our mark DNS_MARK, |
972 | unless it is on a link-local IPv6 address, which we cannot support. */ | ||
972 | { | 973 | { |
973 | char *const mark_args[] = | 974 | char *const mark_args[] = |
974 | { | 975 | { |
975 | "iptables", "-t", "mangle", "-I", "OUTPUT", "2", "-p", | 976 | "iptables", "-t", "mangle", "-I", "OUTPUT", "2", "-p", |
976 | "udp", "--dport", DNS_PORT, "-j", "MARK", "--set-mark", DNS_MARK, | 977 | "udp", "--dport", DNS_PORT, |
978 | "-j", "MARK", "--set-mark", DNS_MARK, | ||
977 | NULL | 979 | NULL |
978 | }; | 980 | }; |
979 | if (0 != fork_and_exec (sbin_iptables, mark_args)) | 981 | if (0 != fork_and_exec (sbin_iptables, mark_args)) |
@@ -983,11 +985,13 @@ main (int argc, char *const*argv) | |||
983 | char *const mark_args[] = | 985 | char *const mark_args[] = |
984 | { | 986 | { |
985 | "ip6tables", "-t", "mangle", "-I", "OUTPUT", "2", "-p", | 987 | "ip6tables", "-t", "mangle", "-I", "OUTPUT", "2", "-p", |
986 | "udp", "--dport", DNS_PORT, "-j", "MARK", "--set-mark", DNS_MARK, | 988 | "udp", "--dport", DNS_PORT, |
989 | "!", "-s", "fe80::/10", /* this line excludes link-local traffic */ | ||
990 | "-j", "MARK", "--set-mark", DNS_MARK, | ||
987 | NULL | 991 | NULL |
988 | }; | 992 | }; |
989 | if (0 != fork_and_exec (sbin_ip6tables, mark_args)) | 993 | if (0 != fork_and_exec (sbin_ip6tables, mark_args)) |
990 | goto cleanup_mangle_1; | 994 | goto cleanup_mark_2b; |
991 | } | 995 | } |
992 | /* Forward all marked DNS traffic to our DNS_TABLE */ | 996 | /* Forward all marked DNS traffic to our DNS_TABLE */ |
993 | { | 997 | { |
@@ -1004,7 +1008,7 @@ main (int argc, char *const*argv) | |||
1004 | "ip", "-6", "rule", "add", "fwmark", DNS_MARK, "table", DNS_TABLE, NULL | 1008 | "ip", "-6", "rule", "add", "fwmark", DNS_MARK, "table", DNS_TABLE, NULL |
1005 | }; | 1009 | }; |
1006 | if (0 != fork_and_exec (sbin_ip, forward_args)) | 1010 | if (0 != fork_and_exec (sbin_ip, forward_args)) |
1007 | goto cleanup_mark_2; | 1011 | goto cleanup_forward_3b; |
1008 | } | 1012 | } |
1009 | /* Finally, add rule in our forwarding table to pass to our virtual interface */ | 1013 | /* Finally, add rule in our forwarding table to pass to our virtual interface */ |
1010 | { | 1014 | { |
@@ -1023,7 +1027,7 @@ main (int argc, char *const*argv) | |||
1023 | "table", DNS_TABLE, NULL | 1027 | "table", DNS_TABLE, NULL |
1024 | }; | 1028 | }; |
1025 | if (0 != fork_and_exec (sbin_ip, route_args)) | 1029 | if (0 != fork_and_exec (sbin_ip, route_args)) |
1026 | goto cleanup_forward_3; | 1030 | goto cleanup_route_4b; |
1027 | } | 1031 | } |
1028 | } | 1032 | } |
1029 | 1033 | ||
@@ -1049,7 +1053,7 @@ main (int argc, char *const*argv) | |||
1049 | r = 0; /* did fully setup routing table (if nothing else happens, we were successful!) */ | 1053 | r = 0; /* did fully setup routing table (if nothing else happens, we were successful!) */ |
1050 | 1054 | ||
1051 | /* now forward until we hit a problem */ | 1055 | /* now forward until we hit a problem */ |
1052 | run (fd_tun); | 1056 | run (fd_tun); |
1053 | 1057 | ||
1054 | /* now need to regain privs so we can remove the firewall rules we added! */ | 1058 | /* now need to regain privs so we can remove the firewall rules we added! */ |
1055 | #ifdef HAVE_SETRESUID | 1059 | #ifdef HAVE_SETRESUID |
@@ -1075,17 +1079,18 @@ main (int argc, char *const*argv) | |||
1075 | { | 1079 | { |
1076 | char *const route_clean_args[] = | 1080 | char *const route_clean_args[] = |
1077 | { | 1081 | { |
1078 | "ip", "route", "del", "default", "dev", dev, | 1082 | "ip", "-6", "route", "del", "default", "dev", dev, |
1079 | "table", DNS_TABLE, NULL | 1083 | "table", DNS_TABLE, NULL |
1080 | }; | 1084 | }; |
1081 | if (0 != fork_and_exec (sbin_ip, route_clean_args)) | 1085 | if (0 != fork_and_exec (sbin_ip, route_clean_args)) |
1082 | r += 1; | 1086 | r += 1; |
1083 | } | 1087 | } |
1088 | cleanup_route_4b: | ||
1084 | if (0 == nortsetup) | 1089 | if (0 == nortsetup) |
1085 | { | 1090 | { |
1086 | char *const route_clean_args[] = | 1091 | char *const route_clean_args[] = |
1087 | { | 1092 | { |
1088 | "ip", "-6", "route", "del", "default", "dev", dev, | 1093 | "ip", "route", "del", "default", "dev", dev, |
1089 | "table", DNS_TABLE, NULL | 1094 | "table", DNS_TABLE, NULL |
1090 | }; | 1095 | }; |
1091 | if (0 != fork_and_exec (sbin_ip, route_clean_args)) | 1096 | if (0 != fork_and_exec (sbin_ip, route_clean_args)) |
@@ -1096,16 +1101,17 @@ main (int argc, char *const*argv) | |||
1096 | { | 1101 | { |
1097 | char *const forward_clean_args[] = | 1102 | char *const forward_clean_args[] = |
1098 | { | 1103 | { |
1099 | "ip", "rule", "del", "fwmark", DNS_MARK, "table", DNS_TABLE, NULL | 1104 | "ip", "-6", "rule", "del", "fwmark", DNS_MARK, "table", DNS_TABLE, NULL |
1100 | }; | 1105 | }; |
1101 | if (0 != fork_and_exec (sbin_ip, forward_clean_args)) | 1106 | if (0 != fork_and_exec (sbin_ip, forward_clean_args)) |
1102 | r += 2; | 1107 | r += 2; |
1103 | } | 1108 | } |
1109 | cleanup_forward_3b: | ||
1104 | if (0 == nortsetup) | 1110 | if (0 == nortsetup) |
1105 | { | 1111 | { |
1106 | char *const forward_clean_args[] = | 1112 | char *const forward_clean_args[] = |
1107 | { | 1113 | { |
1108 | "ip", "-6", "rule", "del", "fwmark", DNS_MARK, "table", DNS_TABLE, NULL | 1114 | "ip", "rule", "del", "fwmark", DNS_MARK, "table", DNS_TABLE, NULL |
1109 | }; | 1115 | }; |
1110 | if (0 != fork_and_exec (sbin_ip, forward_clean_args)) | 1116 | if (0 != fork_and_exec (sbin_ip, forward_clean_args)) |
1111 | r += 2; | 1117 | r += 2; |
@@ -1115,20 +1121,23 @@ main (int argc, char *const*argv) | |||
1115 | { | 1121 | { |
1116 | char *const mark_clean_args[] = | 1122 | char *const mark_clean_args[] = |
1117 | { | 1123 | { |
1118 | "iptables", "-t", "mangle", "-D", "OUTPUT", "-p", "udp", | 1124 | "ip6tables", "-t", "mangle", "-D", "OUTPUT", "-p", "udp", |
1119 | "--dport", DNS_PORT, "-j", "MARK", "--set-mark", DNS_MARK, NULL | 1125 | "--dport", DNS_PORT, |
1126 | "!", "-s", "fe80::/10", /* this line excludes link-local traffic */ | ||
1127 | "-j", "MARK", "--set-mark", DNS_MARK, NULL | ||
1120 | }; | 1128 | }; |
1121 | if (0 != fork_and_exec (sbin_iptables, mark_clean_args)) | 1129 | if (0 != fork_and_exec (sbin_ip6tables, mark_clean_args)) |
1122 | r += 4; | 1130 | r += 4; |
1123 | } | 1131 | } |
1132 | cleanup_mark_2b: | ||
1124 | if (0 == nortsetup) | 1133 | if (0 == nortsetup) |
1125 | { | 1134 | { |
1126 | char *const mark_clean_args[] = | 1135 | char *const mark_clean_args[] = |
1127 | { | 1136 | { |
1128 | "ip6tables", "-t", "mangle", "-D", "OUTPUT", "-p", "udp", | 1137 | "iptables", "-t", "mangle", "-D", "OUTPUT", "-p", "udp", |
1129 | "--dport", DNS_PORT, "-j", "MARK", "--set-mark", DNS_MARK, NULL | 1138 | "--dport", DNS_PORT, "-j", "MARK", "--set-mark", DNS_MARK, NULL |
1130 | }; | 1139 | }; |
1131 | if (0 != fork_and_exec (sbin_ip6tables, mark_clean_args)) | 1140 | if (0 != fork_and_exec (sbin_iptables, mark_clean_args)) |
1132 | r += 4; | 1141 | r += 4; |
1133 | } | 1142 | } |
1134 | cleanup_mangle_1: | 1143 | cleanup_mangle_1: |
@@ -1136,22 +1145,23 @@ main (int argc, char *const*argv) | |||
1136 | { | 1145 | { |
1137 | char *const mangle_clean_args[] = | 1146 | char *const mangle_clean_args[] = |
1138 | { | 1147 | { |
1139 | "iptables", "-m", "owner", "-t", "mangle", "-D", "OUTPUT", "-p", "udp", | 1148 | "ip6tables", "-m", "owner", "-t", "mangle", "-D", "OUTPUT", "-p", "udp", |
1140 | "--gid-owner", mygid, "--dport", DNS_PORT, "-j", "ACCEPT", | 1149 | "--gid-owner", mygid, "--dport", DNS_PORT, "-j", "ACCEPT", |
1141 | NULL | 1150 | NULL |
1142 | }; | 1151 | }; |
1143 | if (0 != fork_and_exec (sbin_iptables, mangle_clean_args)) | 1152 | if (0 != fork_and_exec (sbin_ip6tables, mangle_clean_args)) |
1144 | r += 8; | 1153 | r += 8; |
1145 | } | 1154 | } |
1155 | cleanup_mangle_1b: | ||
1146 | if (0 == nortsetup) | 1156 | if (0 == nortsetup) |
1147 | { | 1157 | { |
1148 | char *const mangle_clean_args[] = | 1158 | char *const mangle_clean_args[] = |
1149 | { | 1159 | { |
1150 | "ip6tables", "-m", "owner", "-t", "mangle", "-D", "OUTPUT", "-p", "udp", | 1160 | "iptables", "-m", "owner", "-t", "mangle", "-D", "OUTPUT", "-p", "udp", |
1151 | "--gid-owner", mygid, "--dport", DNS_PORT, "-j", "ACCEPT", | 1161 | "--gid-owner", mygid, "--dport", DNS_PORT, "-j", "ACCEPT", |
1152 | NULL | 1162 | NULL |
1153 | }; | 1163 | }; |
1154 | if (0 != fork_and_exec (sbin_ip6tables, mangle_clean_args)) | 1164 | if (0 != fork_and_exec (sbin_iptables, mangle_clean_args)) |
1155 | r += 8; | 1165 | r += 8; |
1156 | } | 1166 | } |
1157 | 1167 | ||
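Review bot: The new `"!", "-s", "fe80::/10"` match on the ip6tables MARK rule (new line 989, mirrored in the `-D` at new line 1126) silently exempts any DNS query sent from a link-local source from interception, so a resolver reachable only on fe80:: (for instance one learned from a router advertisement on the local link) gets plain, un-intercepted DNS while everything else is routed through the helper, and nothing in the patch records that this is a deliberate fail-open. The inline comment only says "excludes link-local traffic"; I would make the consequence explicit there, e.g. `/* fail-open: IPv6 DNS from a link-local source (fe80::/10) bypasses GNUnet entirely, we cannot re-inject replies for it */`, and consider whether the operator-facing documentation should say the same. Since this runs as a privileged helper, it would also be worth noting that the match list is now duplicated verbatim between the `-I` and the `-D` invocations, and any future divergence makes the delete fail and leaves the mangle rule installed after exit; factoring the common match arguments into one shared array would remove that risk. main() starts and ends outside this hunk.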