diff options
| author | Philipp Tölke <toelke@in.tum.de> | 2010-09-21 11:04:55 +0000 |
|---|---|---|
| committer | Philipp Tölke <toelke@in.tum.de> | 2010-09-21 11:04:55 +0000 |
| commit | 4b7d5b4823c5f3b89f6ed98ed1ccd5862d5f8237 (patch) | |
| tree | 755833052d8d904ffbea99ef9abaac14fe844fcd /src | |
| parent | d3d98c1dcdc5b512d45c949bd1538ec8e9c10058 (diff) | |
| download | gnunet-4b7d5b4823c5f3b89f6ed98ed1ccd5862d5f8237.tar.gz gnunet-4b7d5b4823c5f3b89f6ed98ed1ccd5862d5f8237.zip | |
hijack the DNS-Packets in another way
The Problem with the old way (via DNAT) was, that, of course, the destination
address was changed so the query could not be send to the original dns-server.
This way (with policy-routing) the packets stay unchanged. This also might
work for IPv6.
Diffstat (limited to 'src')
| -rw-r--r-- | src/vpn/gnunet-daemon-vpn.c | 2 | ||||
| -rw-r--r-- | src/vpn/gnunet-helper-hijack-dns.c | 25 |
2 files changed, 22 insertions, 5 deletions
diff --git a/src/vpn/gnunet-daemon-vpn.c b/src/vpn/gnunet-daemon-vpn.c index 82692768f..1258f5120 100644 --- a/src/vpn/gnunet-daemon-vpn.c +++ b/src/vpn/gnunet-daemon-vpn.c | |||
| @@ -169,7 +169,7 @@ static void message_token(void *cls, void *client, const struct GNUNET_MessageHe | |||
| 169 | } else if (ntohs(pkt_tun->tun.type) == 0x0800) { | 169 | } else if (ntohs(pkt_tun->tun.type) == 0x0800) { |
| 170 | struct ip_pkt *pkt = (struct ip_pkt*) message; | 170 | struct ip_pkt *pkt = (struct ip_pkt*) message; |
| 171 | struct ip_udp *udp = (struct ip_udp*) message; | 171 | struct ip_udp *udp = (struct ip_udp*) message; |
| 172 | if (pkt->ip_hdr.proto == 0x11 && udp->ip_hdr.dadr == 0x020a0a0a && ntohs(udp->udp_hdr.dpt) == 53 ) { | 172 | if (pkt->ip_hdr.proto == 0x11 && ntohs(udp->udp_hdr.dpt) == 53 ) { |
| 173 | size_t len = sizeof(struct query_packet) + ntohs(udp->udp_hdr.len) - 9; /* 9 = 8 for the udp-header + 1 for the unsigned char data[1]; */ | 173 | size_t len = sizeof(struct query_packet) + ntohs(udp->udp_hdr.len) - 9; /* 9 = 8 for the udp-header + 1 for the unsigned char data[1]; */ |
| 174 | struct query_packet_list* query = GNUNET_malloc(len + 2*sizeof(struct query_packet_list*)); | 174 | struct query_packet_list* query = GNUNET_malloc(len + 2*sizeof(struct query_packet_list*)); |
| 175 | query->pkt.hdr.type = htons(GNUNET_MESSAGE_TYPE_LOCAL_QUERY_DNS); | 175 | query->pkt.hdr.type = htons(GNUNET_MESSAGE_TYPE_LOCAL_QUERY_DNS); |
diff --git a/src/vpn/gnunet-helper-hijack-dns.c b/src/vpn/gnunet-helper-hijack-dns.c index cc002a8cb..7a41b27d2 100644 --- a/src/vpn/gnunet-helper-hijack-dns.c +++ b/src/vpn/gnunet-helper-hijack-dns.c | |||
| @@ -64,17 +64,34 @@ int main(int argc, char** argv) { | |||
| 64 | fprintf(stderr, "stat on /sbin/iptables failed: %s\n", strerror(errno)); | 64 | fprintf(stderr, "stat on /sbin/iptables failed: %s\n", strerror(errno)); |
| 65 | return GNUNET_SYSERR; | 65 | return GNUNET_SYSERR; |
| 66 | } | 66 | } |
| 67 | if (stat("/sbin/ip", &s) < 0) { | ||
| 68 | fprintf(stderr, "stat on /sbin/ip failed: %s\n", strerror(errno)); | ||
| 69 | return GNUNET_SYSERR; | ||
| 70 | } | ||
| 67 | 71 | ||
| 68 | char localport[7]; | 72 | char localport[7]; |
| 69 | snprintf(localport, 7, "%d", port); | 73 | snprintf(localport, 7, "%d", port); |
| 70 | 74 | ||
| 71 | int r; | 75 | int r; |
| 72 | if (delete) { | 76 | if (delete) { |
| 73 | r = fork_and_exec("/sbin/iptables", (char*[]){"iptables", "-t", "nat", "-D", "OUTPUT", "-p", "udp", "--sport", localport, "--dport", "53", "-j", "ACCEPT", NULL}); | 77 | e4: |
| 74 | r = fork_and_exec("/sbin/iptables", (char*[]){"iptables", "-t", "nat", "-D", "OUTPUT", "-p", "udp", "--dport", "53", "-j", "DNAT", "--to-destination", "10.10.10.2:53", NULL}); | 78 | r = fork_and_exec("/sbin/ip", (char*[]){"ip", "route", "del", "default", "via", "10.10.10.2","table","2", NULL}); |
| 79 | e3: | ||
| 80 | r = fork_and_exec("/sbin/ip", (char*[]){"ip", "rule", "del", "fwmark", "3", "table","2", NULL}); | ||
| 81 | e2: | ||
| 82 | r = fork_and_exec("/sbin/iptables", (char*[]){"iptables", "-t", "mangle", "-D", "OUTPUT", "-p", "udp", "--dport", "53", "-j", "MARK", "--set-mark", "3", NULL}); | ||
| 83 | e1: | ||
| 84 | r = fork_and_exec("/sbin/iptables", (char*[]){"iptables", "-t", "mangle", "-D", "OUTPUT", "-p", "udp", "--sport", localport, "--dport", "53", "-j", "ACCEPT", NULL}); | ||
| 85 | if (!delete) r = 0; | ||
| 75 | } else { | 86 | } else { |
| 76 | r = fork_and_exec("/sbin/iptables", (char*[]){"iptables", "-t", "nat", "-I", "OUTPUT", "1", "-p", "udp", "--sport", localport, "--dport", "53", "-j", "ACCEPT", NULL}); | 87 | r = fork_and_exec("/sbin/iptables", (char*[]){"iptables", "-t", "mangle", "-I", "OUTPUT", "1", "-p", "udp", "--sport", localport, "--dport", "53", "-j", "ACCEPT", NULL}); |
| 77 | r = fork_and_exec("/sbin/iptables", (char*[]){"iptables", "-t", "nat", "-I", "OUTPUT", "2", "-p", "udp", "--dport", "53", "-j", "DNAT", "--to-destination", "10.10.10.2:53", NULL}); | 88 | if (!r) goto e1; |
| 89 | r = fork_and_exec("/sbin/iptables", (char*[]){"iptables", "-t", "mangle", "-I", "OUTPUT", "2", "-p", "udp", "--dport", "53", "-j", "MARK", "--set-mark", "3", NULL}); | ||
| 90 | if (!r) goto e2; | ||
| 91 | r = fork_and_exec("/sbin/ip", (char*[]){"ip", "rule", "add", "fwmark", "3", "table","2", NULL}); | ||
| 92 | if (!r) goto e3; | ||
| 93 | r = fork_and_exec("/sbin/ip", (char*[]){"ip", "route", "add", "default", "via", "10.10.10.2","table","2", NULL}); | ||
| 94 | if (!r) goto e4; | ||
| 78 | } | 95 | } |
| 79 | if (r) return GNUNET_YES; | 96 | if (r) return GNUNET_YES; |
| 80 | return GNUNET_SYSERR; | 97 | return GNUNET_SYSERR; |