authorLibravatar netblue30 <netblue30@yahoo.com>2018-07-06 09:34:52 -0400
committerLibravatar netblue30 <netblue30@yahoo.com>2018-07-06 09:34:52 -0400
commita8abd88081fabbc9590dd33d413cd0a0641ef642 (patch)
tree379295500c4b0d36e99a76e03c8ab9d73c0b6b68 /src/firejail/network_main.c
parentMerge pull request #2033 from smitsohu/whitelist (diff)
--netmask option
Diffstat (limited to 'src/firejail/network_main.c')
-rw-r--r--src/firejail/network_main.c57
1 files changed, 39 insertions, 18 deletions
diff --git a/src/firejail/network_main.c b/src/firejail/network_main.c
index 1516b94d2..488615bda 100644
--- a/src/firejail/network_main.c
+++ b/src/firejail/network_main.c
@@ -61,25 +61,27 @@ void net_configure_bridge(Bridge *br, char *dev_name) {
61 // allow unconfigured interfaces 61 // allow unconfigured interfaces
62 if (net_get_if_addr(br->dev, &br->ip, &br->mask, br->mac, &br->mtu)) { 62 if (net_get_if_addr(br->dev, &br->ip, &br->mask, br->mac, &br->mtu)) {
63 fwarning("the network interface %s is not configured\n", br->dev); 63 fwarning("the network interface %s is not configured\n", br->dev);
64 br->configured = 1; 64// don't configure an ip address on unconfigured interfaces
65 br->arg_ip_none = 1; 65// br->arg_ip_none = 1;
66 return;
67 }
68 if (arg_debug) {
69 if (br->macvlan == 0)
70 printf("Bridge device %s at %d.%d.%d.%d/%d\n",
71 br->dev, PRINT_IP(br->ip), mask2bits(br->mask));
72 else
73 printf("macvlan parent device %s at %d.%d.%d.%d/%d\n",
74 br->dev, PRINT_IP(br->ip), mask2bits(br->mask));
75 } 66 }
67 else {
68 if (arg_debug) {
69 if (br->macvlan == 0)
70 printf("Bridge device %s at %d.%d.%d.%d/%d\n",
71 br->dev, PRINT_IP(br->ip), mask2bits(br->mask));
72 else
73 printf("macvlan parent device %s at %d.%d.%d.%d/%d\n",
74 br->dev, PRINT_IP(br->ip), mask2bits(br->mask));
75 }
76 76
77 uint32_t range = ~br->mask + 1; // the number of potential addresses 77 uint32_t range = ~br->mask + 1; // the number of potential addresses
78 // this software is not supported for /31 networks 78 // this software is not supported for /31 networks
79 if (range < 4) { 79 if (range < 4) {
80 fprintf(stderr, "Error: the software is not supported for /31 networks\n"); 80 fprintf(stderr, "Error: the software is not supported for /31 networks\n");
81 exit(1); 81 exit(1);
82 }
82 } 83 }
84
83 br->configured = 1; 85 br->configured = 1;
84} 86}
85 87
@@ -91,7 +93,7 @@ void net_configure_sandbox_ip(Bridge *br) {
91 93
92 if (br->arg_ip_none) 94 if (br->arg_ip_none)
93 br->ipsandbox = 0; 95 br->ipsandbox = 0;
94 else if (br->ipsandbox) { 96 else if (br->ipsandbox && br->ip && br->mask) {
95 // check network range 97 // check network range
96 char *rv = in_netrange(br->ipsandbox, br->ip, br->mask); 98 char *rv = in_netrange(br->ipsandbox, br->ip, br->mask);
97 if (rv) { 99 if (rv) {
@@ -104,9 +106,20 @@ void net_configure_sandbox_ip(Bridge *br) {
104 exit(1); 106 exit(1);
105 } 107 }
106 } 108 }
107 else 109 else if (br->ipsandbox && br->masksandbox) {
110 // send an ARP request and check if there is anybody on this IP address
111 if (arp_check(br->dev, br->ipsandbox)) {
112 fprintf(stderr, "Error: IP address %d.%d.%d.%d is already in use\n", PRINT_IP(br->ipsandbox));
113 exit(1);
114 }
115 }
116 else if (br->ip && br->mask)
108 // ip address assigned by arp-scan for a bridge device 117 // ip address assigned by arp-scan for a bridge device
109 br->ipsandbox = arp_assign(br->dev, br); //br->ip, br->mask); 118 br->ipsandbox = arp_assign(br->dev, br); //br->ip, br->mask);
119 else {
120 br->ipsandbox = 0;
121 br->arg_ip_none = 1;
122 }
110} 123}
111 124
112 125
@@ -148,21 +161,29 @@ void check_default_gw(uint32_t defaultgw) {
148 assert(defaultgw); 161 assert(defaultgw);
149 162
150 if (cfg.bridge0.configured) { 163 if (cfg.bridge0.configured) {
164 if (cfg.bridge0.ip == 0 && cfg.bridge0.ipsandbox)
165 return;
151 char *rv = in_netrange(defaultgw, cfg.bridge0.ip, cfg.bridge0.mask); 166 char *rv = in_netrange(defaultgw, cfg.bridge0.ip, cfg.bridge0.mask);
152 if (rv == 0) 167 if (rv == 0)
153 return; 168 return;
154 } 169 }
155 if (cfg.bridge1.configured) { 170 if (cfg.bridge1.configured) {
171 if (cfg.bridge1.ip == 0 && cfg.bridge1.ipsandbox)
172 return;
156 char *rv = in_netrange(defaultgw, cfg.bridge1.ip, cfg.bridge1.mask); 173 char *rv = in_netrange(defaultgw, cfg.bridge1.ip, cfg.bridge1.mask);
157 if (rv == 0) 174 if (rv == 0)
158 return; 175 return;
159 } 176 }
160 if (cfg.bridge2.configured) { 177 if (cfg.bridge2.configured) {
178 if (cfg.bridge2.ip == 0 && cfg.bridge2.ipsandbox)
179 return;
161 char *rv = in_netrange(defaultgw, cfg.bridge2.ip, cfg.bridge2.mask); 180 char *rv = in_netrange(defaultgw, cfg.bridge2.ip, cfg.bridge2.mask);
162 if (rv == 0) 181 if (rv == 0)
163 return; 182 return;
164 } 183 }
165 if (cfg.bridge3.configured) { 184 if (cfg.bridge3.configured) {
185 if (cfg.bridge3.ip == 0 && cfg.bridge3.ipsandbox)
186 return;
166 char *rv = in_netrange(defaultgw, cfg.bridge3.ip, cfg.bridge3.mask); 187 char *rv = in_netrange(defaultgw, cfg.bridge3.ip, cfg.bridge3.mask);
167 if (rv == 0) 188 if (rv == 0)
168 return; 189 return;