author | netblue30 <netblue30@protonmail.com> | 2022-02-02 10:58:14 -0500 |
---|---|---|
committer | netblue30 <netblue30@protonmail.com> | 2022-02-02 10:58:14 -0500 |
commit | f5c0b6af59b4c5e4c677d8bd9703beb4d2e628c3 (patch) | |
tree | acc78a5c8591f832c25bee1f988373540993db9e /src/fnettrace/main.c | |
parent | Bump github/codeql-action from 1.0.29 to 1.0.30 (diff) | |
netlocker fixes
Diffstat (limited to 'src/fnettrace/main.c')
-rw-r--r-- | src/fnettrace/main.c | 38 |
1 files changed, 32 insertions, 6 deletions
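--- a/src/fnettrace/main.c
+++ b/src/fnettrace/main.c
@@ -23,6 +23,7 @@
 #define MAX_BUF_SIZE (64 * 1024)
 
 static int arg_netfilter = 0;
+static int arg_tail = 0;
 static char *arg_log = NULL;
 
 typedef struct hnode_t {
@@ -574,11 +575,16 @@ void logprintf(char* fmt, ...) {
 }
 
 static void usage(void) {
-printf("Usage: fnetlock [OPTIONS]\n");
+printf("Usage: fnettrace [OPTIONS]\n");
 printf("Options:\n");
 printf(" --help, -? - this help screen\n");
 printf(" --log=filename - netlocker logfile\n");
 printf(" --netfilter - build the firewall rules and commit them.\n");
+printf(" --tail - \"tail -f\" functionality\n");
+printf("Examples:\n");
+printf(" # fnettrace - traffic trace\n");
+printf(" # fnettrace --netfilter --log=logfile - netlocker, dump output in logfile\n");
+printf(" # fnettrace --tail --log=logifile - similar to \"tail -f logfile\"\n");
 printf("\n");
 }
 
@@ -599,11 +605,6 @@ int main(int argc, char **argv) {
 printf("%s\n", name);
 #endif
 
-if (getuid() != 0) {
-fprintf(stderr, "Error: you need to be root to run this program\n");
-return 1;
-}
-
 for (i = 1; i < argc; i++) {
 if (strcmp(argv[i], "--help") == 0 || strcmp(argv[i], "-?") == 0) {
 usage();
@@ -611,6 +612,8 @@ int main(int argc, char **argv) {
 }
 else if (strcmp(argv[i], "--netfilter") == 0)
 arg_netfilter = 1;
+else if (strcmp(argv[i], "--tail") == 0)
+arg_tail = 1;
 else if (strncmp(argv[i], "--log=", 6) == 0)
 arg_log = argv[i] + 6;
 else {
@@ -619,6 +622,24 @@ int main(int argc, char **argv) {
 }
 }
 
+// tail
+if (arg_tail) {
+if (!arg_log) {
+fprintf(stderr, "Error: no log file\n");
+usage();
+exit(1);
+}
+
+tail(arg_log);
+sleep(5);
+exit(0);
+}
+
+if (getuid() != 0) {
+fprintf(stderr, "Error: you need to be root to run this program\n");
+return 1;
+}
+
 ansi_clrscr();
 if (arg_netfilter)
 logprintf("starting network lockdown\n");
@@ -629,6 +650,11 @@ int main(int argc, char **argv) {
 
 run_trace();
 if (arg_netfilter) {
+// TCP path MTU discovery will not work properly since the firewall drops all ICMP packets
+// Instead, we use iPacketization Layer PMTUD (RFC 4821) support in Linux kernel
+int rv = system("echo 1 > /proc/sys/net/ipv4/tcp_mtu_probing");
+(void) rv;
+
 deploy_netfilter();
 sleep(3);
 if (arg_log)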
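Review bot: The tcp_mtu_probing sysctl in the last hunk is written through `system()` with a shell redirection and the result is discarded via `(void) rv`, so the process — which is root at this point, after the getuid() check that the same section moved below the `--tail` branch — spawns /bin/sh for a one-byte write and never learns whether it failed. Writing the value with fopen()/fputs() on the same /proc path removes the shell and lets the failure be reported on stderr; the rewritten lines are below, and main()'s body continues past the end of the hunk. The `--tail` branch now runs before the root check, which looks deliberate so a log can be followed without privileges; a comment such as `// --tail only reads the log file, so it runs before the root check on purpose` would stop the next reader from "fixing" the order, assuming tail() itself needs nothing privileged (not visible here). The usage() example also spells its argument `--log=logifile`; `--log=logfile` matches the text that follows it.
```c
	if (arg_netfilter) {
		// TCP path MTU discovery will not work properly since the firewall drops all ICMP packets
		// Instead, we use Packetization Layer PMTUD (RFC 4821) support in Linux kernel
		FILE *fp = fopen("/proc/sys/net/ipv4/tcp_mtu_probing", "w");
		int ok = fp != NULL && fputs("1\n", fp) != EOF;
		if (fp != NULL && fclose(fp) != 0)
			ok = 0;
		if (!ok)
			fprintf(stderr, "Warning: cannot enable tcp_mtu_probing\n");

		// … unchanged: deploy_netfilter(), sleep(3), log handling …
```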