netfilter split

1 files changed, 115 insertions, 0 deletions

diff --git a/src/fnetfilter/main.c b/src/fnetfilter/main.c
new file mode 100644
index 000000000..67ab31832
--- /dev/null
+++ b/src/fnetfilter/main.c
@@ -0,0 +1,115 @@
+ /*
+ * Copyright (C) 2014-2017 Firejail Authors
+ *
+ * This file is part of firejail project
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+#include "../include/common.h"
+
+#define MAXBUF 4098
+int arg_quiet = 0;
+
+static char *default_filter =
+"*filter\n"
+":INPUT DROP [0:0]\n"
+":FORWARD DROP [0:0]\n"
+":OUTPUT ACCEPT [0:0]\n"
+"-A INPUT -i lo -j ACCEPT\n"
+"-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT\n"
+"# echo replay is handled by -m state RELATED/ESTABLISHED below\n"
+"#-A INPUT -p icmp --icmp-type echo-reply -j ACCEPT\n"
+"-A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT\n"
+"-A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT\n"
+"-A INPUT -p icmp --icmp-type echo-request -j ACCEPT \n"
+"# disable STUN\n"
+"-A OUTPUT -p udp --dport 3478 -j DROP\n"
+"-A OUTPUT -p udp --dport 3479 -j DROP\n"
+"-A OUTPUT -p tcp --dport 3478 -j DROP\n"
+"-A OUTPUT -p tcp --dport 3479 -j DROP\n"
+"COMMIT\n";
+
+static void usage(void) {
+        printf("Usage:\n");
+        printf("\tfnetfilter netfilter-command destination-file\n");
+}
+
+int main(int argc, char **argv) {
+#if 0
+{
+system("cat /proc/self/status");
+int i;
+for (i = 0; i < argc; i++)
+        printf("*%s* ", argv[i]);
+printf("\n");
+}
+#endif
+
+        char *quiet = getenv("FIREJAIL_QUIET");
+        if (quiet && strcmp(quiet, "yes") == 0)
+                arg_quiet = 1;
+
+        if (strcmp(argv[1], "-h") == 0 || strcmp(argv[1], "--help") == 0 || strcmp(argv[1], "-?") ==0) {
+                usage();
+                return 0;
+        }
+
+        if (argc != 2 && argc != 3) {
+                usage();
+                return 1;
+        }
+
+        char *destfile = (argc == 3)? argv[2]: argv[1];
+        char *command = (argc == 3)? argv[1]: NULL;     
+//printf("command %s\n", command);
+//printf("destfile %s\n", destfile);
+
+        // handle default config (command = NULL, destfile)
+        if (command == NULL) {
+                // create a default filter file
+                FILE *fp = fopen(destfile, "w");
+                if (!fp) {
+                        fprintf(stderr, "Error fnetfilter: cannot open %s\n", destfile);
+                        exit(1);
+                }
+                fprintf(fp, "%s\n", default_filter);
+                fclose(fp);
+        }
+        else {
+                // copy the file
+                FILE *fp1 = fopen(command, "r");
+                if (!fp1) {
+                        fprintf(stderr, "Error fnetfilter: cannot open %s\n", command);
+                        exit(1);
+                }
+
+                FILE *fp2 = fopen(destfile, "w");
+                if (!fp2) {
+                        fprintf(stderr, "Error fnetfilter: cannot open %s\n", destfile);
+                        exit(1);
+                }
+                
+                char buf[MAXBUF];
+                while (fgets(buf, MAXBUF, fp1))
+                        fprintf(fp2, "%s", buf);
+
+                fclose(fp1);
+                fclose(fp2);
+        }
+        
+
+printf("fnetfilter running\n");
+        return 0;
+}