nettrace/netlock

author: netblue30 <netblue30@protonmail.com> 2022-01-04 10:42:51 -0500
committer: netblue30 <netblue30@protonmail.com> 2022-01-04 10:42:51 -0500
commit: 1000c238d5299a7fe3fc54a0d7001f8ce8979df8 (patch)
tree: e95d9d61070965bd5fe61523177268206939c04f /src/fnettrace/main.c
parent: Merge pull request #4807 from WhyNotHugo/skype-config (diff)
download: firejail-1000c238d5299a7fe3fc54a0d7001f8ce8979df8.tar.gz
firejail-1000c238d5299a7fe3fc54a0d7001f8ce8979df8.tar.zst
firejail-1000c238d5299a7fe3fc54a0d7001f8ce8979df8.zip
1 files changed, 173 insertions, 158 deletions
diff --git a/src/fnettrace/main.c b/src/fnettrace/main.c
index 04aabf514..658b90eb3 100644
--- a/src/fnettrace/main.c
+++ b/src/fnettrace/main.c
@@ -18,144 +18,176 @@
 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 */
 #include "fnettrace.h"
+//#define DEBUG 1
 #define MAX_BUF_SIZE (64 * 1024)
 static int arg_netfilter = 0;
 static char *arg_log = NULL;
 typedef struct hlist_t {
-        struct hlist_t *next;
+        struct hlist_t *hnext;  // used for hash table
+        struct hlist_t *dnext;  // used to display stremas on the screen
        uint32_t ip_src;
        uint32_t ip_dst;
+        uint64_t  bytes;        // number of bytes received in the last display interval
        uint16_t port_src;
-        uint64_t  bytes;
+        uint16_t ip_instance;
-        int instance;
+                // the firewall is build based on source address, and in the linked list
-#define MAX_TTL 20 // 20 * DISPLAY_INTERVAL = 1 minute
+                // we have elements with the same address but different ports
-        short ttl;
        uint8_t protocol;
 } HList;
+// hash table
 #define HMAX 256
 HList *htable[HMAX] = {NULL};
-static int htable_empty = 1;
+// display linked list
+HList *dlist = NULL;
 static void hlist_add(uint32_t ip_src, uint32_t ip_dst, uint8_t protocol, uint16_t port_src, uint64_t bytes) {
        uint8_t h = hash(ip_src);
-        htable_empty = 0;
        // find
-        int instance = 0;
+        int ip_instance = 0;
        HList *ptr = htable[h];
        while (ptr) {
                if (ptr->ip_src == ip_src) {
-                        instance++;
+                        ip_instance++;
                        if (ptr->ip_dst == ip_dst && ptr->port_src == port_src && ptr->protocol == protocol) {
                                ptr->bytes += bytes;
-                                ptr->ttl = MAX_TTL;
                                return;
                        }
                }
-                ptr = ptr->next;
+                ptr = ptr->hnext;
        }
+#ifdef DEBUG
+        printf("malloc %d.%d.%d.%d\n", PRINT_IP(ip_src));
+#endif
        HList *hnew = malloc(sizeof(HList));
+        if (!hnew)
+                errExit("malloc");
        hnew->ip_src = ip_src;
        hnew->ip_dst = ip_dst;
        hnew->port_src = port_src;
        hnew->protocol = protocol;
-        hnew->next = NULL;
+        hnew->hnext = NULL;
        hnew->bytes = bytes;
-        hnew->ttl = MAX_TTL;
+        hnew->ip_instance = ip_instance + 1;
-        hnew->instance = instance + 1;
        if (htable[h] == NULL)
                htable[h] = hnew;
        else {
-                hnew->next = htable[h];
+                hnew->hnext = htable[h];
                htable[h] = hnew;
        }
-        ansi_clrline(1);
+        // add to the end of list
-        logprintf("  %d%d.%d.%d\n", PRINT_IP(hnew->ip_src));
+        hnew->dnext = NULL;
+        if (dlist == NULL)
+                dlist = hnew;
+        else {
+                ptr = dlist;
+                while (ptr->dnext != NULL)
+                        ptr = ptr->dnext;
+                ptr->dnext = hnew;
+        }
+        if (arg_netfilter)
+                logprintf(" %d.%d.%d.%d ", PRINT_IP(hnew->ip_src));
 }
-// remove entries with a ttl <= 0
+static void hlist_free(HList *elem) {
-static void hlist_clean_ttl() {
+        assert(elem);
-        if (htable_empty)
+#ifdef DEBUG
-                return;
+        printf("free %d.%d.%d.%d\n", PRINT_IP(elem->ip_src));
+#endif
-        int i;
+        uint8_t h = hash(elem->ip_src);
-        for (i = 0; i < HMAX; i++) {
+        HList *ptr = htable[h];
-                HList *ptr = htable[i];
+        assert(ptr);
-                HList *parent = NULL;
-                while (ptr) {
+        HList *prev = NULL;
-                        if (--ptr->ttl <= 0) {
+        while (ptr != elem) {
-                                HList *tmp = ptr;
+                prev = ptr;
-                                ptr = ptr->next;
+                ptr = ptr->hnext;
-                                if (parent)
-                                        parent->next = ptr;
-                                else
-                                        htable[i] = ptr;
-                                free(tmp);
-                        }
-                        else {
-                                parent = ptr;
-                                ptr = ptr->next;
-                        }
-                }
        }
+        if (prev == NULL)
+                htable[h] = elem->hnext;
+        else
+                prev->hnext = elem->hnext;
+        free(elem);
 }
-static void hlist_print() {
+#ifdef DEBUG
-        ansi_clrscr(0);
+static void debug_dlist(void) {
-        if (htable_empty)
+        HList *ptr = dlist;
-                return;
+        while (ptr) {
-        if (arg_netfilter)
+                printf("dlist %d.%d.%d.%d:%d\n", PRINT_IP(ptr->ip_src), ptr->port_src);
-                printf("\n\n");
+                ptr = ptr->dnext;
+        }
+}
+static void debug_hlist(void) {
        int i;
-        int cnt = 0;
-        int cnt_printed = 0;
        for (i = 0; i < HMAX; i++) {
                HList *ptr = htable[i];
                while (ptr) {
-                        if (ptr->bytes) {
+                        printf("hlist (%d) %d.%d.%d.%d:%d\n", i, PRINT_IP(ptr->ip_src), ptr->port_src);
-                                cnt_printed++;
+                        ptr = ptr->hnext;
-                                char ip_src[30];
-                                sprintf(ip_src, "%d.%d.%d.%d:%u", PRINT_IP(ptr->ip_src), ptr->port_src);
-                                char ip_dst[30];
-                                sprintf(ip_dst, "%d.%d.%d.%d", PRINT_IP(ptr->ip_dst));
-                                printf("%-25s =>      %-25s\t%s:",
-                                        ip_src,
-                                        ip_dst,
-                                        (ptr->protocol == 6)? "TCP": "UDP");
-                                if (ptr->bytes > (DISPLAY_INTERVAL * 1024 * 2)) // > 2 KB/second
-                                        printf(" %lu KB/sec\n",
-                                                ptr->bytes / (DISPLAY_INTERVAL * 1024));
-                                else
-                                        printf(" %lu B/sec\n",
-                                                ptr->bytes / DISPLAY_INTERVAL);
-                                ptr->bytes = 0;
-                        }
-                        ptr = ptr->next;
-                        cnt++;
                }
        }
+}
+#endif
+static void hlist_print(void) {
+        assert(!arg_netfilter);
+        ansi_clrscr();
+#ifdef DEBUG
+        printf("*********************\n");
+        debug_dlist();
+        printf("-----------------------------\n");
+        debug_hlist();
+        printf("*********************\n");
+#endif
+        HList *ptr = dlist;
+        HList *prev = NULL;
+        while (ptr) {
+                HList *next = ptr->dnext;
+                if (ptr->bytes) {
+                        char ip_src[30];
+                        sprintf(ip_src, "%d.%d.%d.%d:%u", PRINT_IP(ptr->ip_src), ptr->port_src);
+                        char ip_dst[30];
+                        sprintf(ip_dst, "%d.%d.%d.%d", PRINT_IP(ptr->ip_dst));
+                        printf("%-22s =>     %-15s     %s:",
+                                ip_src,
+                                ip_dst,
+                                (ptr->protocol == 6)? "TCP": "UDP");
+                        if (ptr->bytes > (DISPLAY_INTERVAL * 1024 * 2)) // > 2 KB/second
+                                printf(" %lu KB/sec\n",
+                                        ptr->bytes / (DISPLAY_INTERVAL * 1024));
+                        else
+                                printf(" %lu B/sec\n",
+                                        ptr->bytes / DISPLAY_INTERVAL);
+                        ptr->bytes = 0;
+                        prev = ptr;
+                }
+                else {
+                        // free the element
+                        if (prev == NULL)
+                                dlist = next;
+                        else
+                                prev->dnext = next;
+                        hlist_free(ptr);
+                }
-        if (cnt_printed < 7) {
+                ptr = next;
-                for (i = 0; i < 7 - cnt_printed; i++)
-                        printf("\n");
-        }
-        if (!arg_netfilter) {
-                printf("(%d %s in the last one minute)\n", cnt, (cnt == 1)? "stream": "streams");
-                hlist_clean_ttl();
        }
 }
 static void run_trace(void) {
-        logprintf("accumulating traffic for %d seconds...\n", NETLOCK_INTERVAL);
+        if (arg_netfilter)
+                logprintf("accumulating traffic for %d seconds\n", NETLOCK_INTERVAL);
        // trace only rx ipv4 tcp and upd
        int s1 = socket(AF_INET, SOCK_RAW, IPPROTO_TCP);
@@ -169,18 +201,16 @@ static void run_trace(void) {
        unsigned char buf[MAX_BUF_SIZE];
        while (1) {
                unsigned end = time(NULL);
-                if (arg_netfilter && end - start >= NETLOCK_INTERVAL) {
+                if (arg_netfilter && end - start >= NETLOCK_INTERVAL)
-                        ansi_clrline(1);
                        break;
-                }
                if (end % DISPLAY_INTERVAL == 1 && last_print_traces != end) { // first print after 1 second
-                        hlist_print();
+                        if (!arg_netfilter)
+                                hlist_print();
                        last_print_traces = end;
                }
                if (arg_netfilter && last_print_remaining != end) {
-                        ansi_clrline(1);
+                        logprintf(".");
-                        int secs = NETLOCK_INTERVAL - (end  - start);
+                        fflush(0);
-                        logprintf("%d %s remaining   ", secs, (secs == 1)? "second": "seconds");
                        last_print_remaining = end;
                }
@@ -228,14 +258,14 @@ static void run_trace(void) {
 }
 static char *filter_start =
-"*filter\n"
+        "*filter\n"
-":INPUT DROP [0:0]\n"
+        ":INPUT DROP [0:0]\n"
-":FORWARD DROP [0:0]\n"
+        ":FORWARD DROP [0:0]\n"
-":OUTPUT DROP [0:0]\n";
+        ":OUTPUT DROP [0:0]\n";
 // return 1 if error
 static int print_filter(FILE *fp) {
-        if (htable_empty)
+        if (dlist == NULL)
                return 1;
        fprintf(fp, "%s\n", filter_start);
        fprintf(fp, "-A INPUT -s 127.0.0.0/8 -j ACCEPT\n");
@@ -246,19 +276,19 @@ static int print_filter(FILE *fp) {
        for (i = 0; i < HMAX; i++) {
                HList *ptr = htable[i];
                while (ptr) {
-                        if (ptr->instance == 1) {
+                        // filter rules are targeting ip address, the port number is disregarded,
+                        // so we look only at the first instance of an address
+                        if (ptr->ip_instance == 1) {
                                char *protocol = (ptr->protocol == 6)? "tcp": "udp";
-                                fprintf(fp, "-A INPUT -s %d.%d.%d.%d -sport %u -p %s  -j ACCEPT\n",
+                                fprintf(fp, "-A INPUT -s %d.%d.%d.%d -p %s  -j ACCEPT\n",
                                        PRINT_IP(ptr->ip_src),
-                                        ptr->port_src,
                                        protocol);
-                                fprintf(fp, "-A OUTPUT -d %d.%d.%d.%d -dport %u -p %s  -j ACCEPT\n",
+                                fprintf(fp, "-A OUTPUT -d %d.%d.%d.%d -p %s  -j ACCEPT\n",
                                        PRINT_IP(ptr->ip_src),
-                                        ptr->port_src,
                                        protocol);
                                fprintf(fp, "\n");
                        }
-                        ptr = ptr->next;
+                        ptr = ptr->hnext;
                }
        }
        fprintf(fp, "COMMIT\n");
@@ -268,33 +298,46 @@ static int print_filter(FILE *fp) {
 static char *flush_rules[] = {
        "-P INPUT ACCEPT",
-        "-P FORWARD ACCEPT",
+//      "-P FORWARD DENY",
        "-P OUTPUT ACCEPT",
        "-F",
        "-X",
-        "-t nat -F",
+//      "-t nat -F",
-        "-t nat -X",
+//      "-t nat -X",
-        "-t mangle -F",
+//      "-t mangle -F",
-        "-t mangle -X",
+//      "-t mangle -X",
-        "iptables -t raw -F",
+//      "iptables -t raw -F",
-        "-t raw -X",
+//      "-t raw -X",
        NULL
 };
-static void flush_netfilter(void) {
+static void deploy_netfilter(void) {
+        int rv;
+        char *cmd;
+        int i;
+        if (dlist == NULL) {
+                logprintf("Sorry, no network traffic was detected. The firewall was not configured.\n");
+                return;
+        }
        // find iptables command
-        struct stat s;
        char *iptables = NULL;
-        if (stat("/sbin/iptables", &s) == 0)
+        char *iptables_restore = NULL;
+        if (access("/sbin/iptables", X_OK) == 0) {
                iptables = "/sbin/iptables";
-        else if (stat("/usr/sbin/iptables", &s) == 0)
+                iptables_restore = "/sbin/iptables-restore";
+        }
+        else if (access("/usr/sbin/iptables", X_OK) == 0) {
                iptables = "/usr/sbin/iptables";
-        if (iptables == NULL) {
+                iptables_restore = "/usr/sbin/iptables-restore";
+        }
+        if (iptables == NULL || iptables_restore == NULL) {
                fprintf(stderr, "Error: iptables command not found, netfilter not configured\n");
                exit(1);
        }
-        int i = 0;
+        // flush all netfilter rules
+        i = 0;
        while (flush_rules[i]) {
                char *cmd;
                if (asprintf(&cmd, "%s %s", iptables, flush_rules[i]) == -1)
@@ -304,11 +347,6 @@ static void flush_netfilter(void) {
                free(cmd);
                i++;
        }
-}
-static void deploy_netfilter(void) {
-        int rv;
-        char *cmd;
        // create temporary file
        char fname[] = "/tmp/firejail-XXXXXX";
@@ -328,54 +366,28 @@ static void deploy_netfilter(void) {
        print_filter(fp);
        fclose(fp);
-        if (arg_log) {
+        logprintf("\n\n");
-                logprintf("\n");
+        logprintf(">>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>\n");
-                logprintf(">>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>\n");
+        if (asprintf(&cmd, "cat %s >> %s", fname, arg_log) == -1)
-                if (asprintf(&cmd, "cat %s >> %s", fname, arg_log) == -1)
-                        errExit("asprintf");
-                rv = system(cmd);
-                (void) rv;
-                free(cmd);
-                logprintf("<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<\n");
-        }
-        // find iptables command
-        struct stat s;
-        char *iptables = NULL;
-        char *iptables_restore = NULL;
-        if (stat("/sbin/iptables", &s) == 0) {
-                iptables = "/sbin/iptables";
-                iptables_restore = "/sbin/iptables-restore";
-        }
-        else if (stat("/usr/sbin/iptables", &s) == 0) {
-                iptables = "/usr/sbin/iptables";
-                iptables_restore = "/usr/sbin/iptables-restore";
-        }
-        if (iptables == NULL || iptables_restore == NULL) {
-                fprintf(stderr, "Error: iptables command not found, netfilter not configured\n");
-                rv = unlink(fname);
-                (void) rv;
-                exit(1);
-        }
-        // configuring
-        if (asprintf(&cmd, "%s %s", iptables_restore, fname) == -1)
                errExit("asprintf");
        rv = system(cmd);
-        if (rv)
+        (void) rv;
-                fprintf(stdout, "Warning: possible netfilter problem!");
        free(cmd);
-        sleep(1);
+        if (asprintf(&cmd, "cat %s", fname) == -1)
-        if (asprintf(&cmd, "%s %s", iptables_restore, fname) == -1)
                errExit("asprintf");
        rv = system(cmd);
+        (void) rv;
        free(cmd);
+        logprintf("<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<\n");
-        printf("Current firewall configuration:\n\n");
+        // configuring
-        if (asprintf(&cmd, "%s -vL -n", iptables) == -1)
+        if (asprintf(&cmd, "%s %s", iptables_restore, fname) == -1)
                errExit("asprintf");
        rv = system(cmd);
+        if (rv)
+                fprintf(stdout, "Warning: possible netfilter problem!");
+        free(cmd);
        rv = unlink(fname);
        (void) rv;
@@ -394,6 +406,11 @@ void logprintf(char* fmt, ...) {
                va_end(args);
                fclose(fp);
        }
+        va_list args;
+        va_start(args,fmt);
+        vfprintf(stdout, fmt, args);
+        va_end(args);
 }
 static void usage(void) {
@@ -429,12 +446,10 @@ int main(int argc, char **argv) {
                }
        }
-        if (arg_netfilter) {
+        ansi_clrscr();
+        if (arg_netfilter)
                logprintf("starting network lockdown\n");
-                flush_netfilter();
-        }
-        ansi_clrscr(0);
        run_trace();
        if (arg_netfilter) {
                deploy_netfilter();
author	netblue30 <netblue30@protonmail.com>	2022-01-04 10:42:51 -0500
committer	netblue30 <netblue30@protonmail.com>	2022-01-04 10:42:51 -0500
commit	1000c238d5299a7fe3fc54a0d7001f8ce8979df8 (patch)
tree	e95d9d61070965bd5fe61523177268206939c04f /src/fnettrace/main.c
parent	Merge pull request #4807 from WhyNotHugo/skype-config (diff)
download	firejail-1000c238d5299a7fe3fc54a0d7001f8ce8979df8.tar.gz firejail-1000c238d5299a7fe3fc54a0d7001f8ce8979df8.tar.zst firejail-1000c238d5299a7fe3fc54a0d7001f8ce8979df8.zip

diff --git a/src/fnettrace/main.c b/src/fnettrace/main.c index 04aabf514..658b90eb3 100644 --- a/src/fnettrace/main.c +++ b/src/fnettrace/main.c
@@ -18,144 +18,176 @@
18	* 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.	18	* 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
19	*/	19	*/
20	#include "fnettrace.h"	20	#include "fnettrace.h"
		21	//#define DEBUG 1
21	#define MAX_BUF_SIZE (64 * 1024)	22	#define MAX_BUF_SIZE (64 * 1024)
22		23
23	static int arg_netfilter = 0;	24	static int arg_netfilter = 0;
24	static char *arg_log = NULL;	25	static char *arg_log = NULL;
25		26
26	typedef struct hlist_t {	27	typedef struct hlist_t {
27	struct hlist_t *next;	28	struct hlist_t *hnext; // used for hash table
		29	struct hlist_t *dnext; // used to display stremas on the screen
28	uint32_t ip_src;	30	uint32_t ip_src;
29	uint32_t ip_dst;	31	uint32_t ip_dst;
		32	uint64_t bytes; // number of bytes received in the last display interval
30	uint16_t port_src;	33	uint16_t port_src;
31	uint64_t bytes;	34	uint16_t ip_instance;
32	int instance;	35	// the firewall is build based on source address, and in the linked list
33	#define MAX_TTL 20 // 20 * DISPLAY_INTERVAL = 1 minute	36	// we have elements with the same address but different ports
34	short ttl;
35	uint8_t protocol;	37	uint8_t protocol;
36	} HList;	38	} HList;
37		39
		40	// hash table
38	#define HMAX 256	41	#define HMAX 256
39	HList *htable[HMAX] = {NULL};	42	HList *htable[HMAX] = {NULL};
40	static int htable_empty = 1;	43	// display linked list
		44	HList *dlist = NULL;
41		45
42	static void hlist_add(uint32_t ip_src, uint32_t ip_dst, uint8_t protocol, uint16_t port_src, uint64_t bytes) {	46	static void hlist_add(uint32_t ip_src, uint32_t ip_dst, uint8_t protocol, uint16_t port_src, uint64_t bytes) {
43	uint8_t h = hash(ip_src);	47	uint8_t h = hash(ip_src);
44	htable_empty = 0;
45		48
46	// find	49	// find
47	int instance = 0;	50	int ip_instance = 0;
48	HList *ptr = htable[h];	51	HList *ptr = htable[h];
49	while (ptr) {	52	while (ptr) {
50	if (ptr->ip_src == ip_src) {	53	if (ptr->ip_src == ip_src) {
51	instance++;	54	ip_instance++;
52	if (ptr->ip_dst == ip_dst && ptr->port_src == port_src && ptr->protocol == protocol) {	55	if (ptr->ip_dst == ip_dst && ptr->port_src == port_src && ptr->protocol == protocol) {
53	ptr->bytes += bytes;	56	ptr->bytes += bytes;
54	ptr->ttl = MAX_TTL;
55	return;	57	return;
56	}	58	}
57	}	59	}
58	ptr = ptr->next;	60	ptr = ptr->hnext;
59	}	61	}
60		62
		63	#ifdef DEBUG
		64	printf("malloc %d.%d.%d.%d\n", PRINT_IP(ip_src));
		65	#endif
61	HList *hnew = malloc(sizeof(HList));	66	HList *hnew = malloc(sizeof(HList));
		67	if (!hnew)
		68	errExit("malloc");
62	hnew->ip_src = ip_src;	69	hnew->ip_src = ip_src;
63	hnew->ip_dst = ip_dst;	70	hnew->ip_dst = ip_dst;
64	hnew->port_src = port_src;	71	hnew->port_src = port_src;
65	hnew->protocol = protocol;	72	hnew->protocol = protocol;
66	hnew->next = NULL;	73	hnew->hnext = NULL;
67	hnew->bytes = bytes;	74	hnew->bytes = bytes;
68	hnew->ttl = MAX_TTL;	75	hnew->ip_instance = ip_instance + 1;
69	hnew->instance = instance + 1;
70	if (htable[h] == NULL)	76	if (htable[h] == NULL)
71	htable[h] = hnew;	77	htable[h] = hnew;
72	else {	78	else {
73	hnew->next = htable[h];	79	hnew->hnext = htable[h];
74	htable[h] = hnew;	80	htable[h] = hnew;
75	}	81	}
76		82
77	ansi_clrline(1);	83	// add to the end of list
78	logprintf(" %d%d.%d.%d\n", PRINT_IP(hnew->ip_src));	84	hnew->dnext = NULL;
		85	if (dlist == NULL)
		86	dlist = hnew;
		87	else {
		88	ptr = dlist;
		89	while (ptr->dnext != NULL)
		90	ptr = ptr->dnext;
		91	ptr->dnext = hnew;
		92	}
		93
		94	if (arg_netfilter)
		95	logprintf(" %d.%d.%d.%d ", PRINT_IP(hnew->ip_src));
79	}	96	}
80		97
81	// remove entries with a ttl <= 0	98	static void hlist_free(HList *elem) {
82	static void hlist_clean_ttl() {	99	assert(elem);
83	if (htable_empty)	100	#ifdef DEBUG
84	return;	101	printf("free %d.%d.%d.%d\n", PRINT_IP(elem->ip_src));
		102	#endif
85		103
86	int i;	104	uint8_t h = hash(elem->ip_src);
87	for (i = 0; i < HMAX; i++) {	105	HList *ptr = htable[h];
88	HList *ptr = htable[i];	106	assert(ptr);
89	HList *parent = NULL;	107
90	while (ptr) {	108	HList *prev = NULL;
91	if (--ptr->ttl <= 0) {	109	while (ptr != elem) {
92	HList *tmp = ptr;	110	prev = ptr;
93	ptr = ptr->next;	111	ptr = ptr->hnext;
94	if (parent)
95	parent->next = ptr;
96	else
97	htable[i] = ptr;
98	free(tmp);
99	}
100	else {
101	parent = ptr;
102	ptr = ptr->next;
103	}
104	}
105	}	112	}
		113	if (prev == NULL)
		114	htable[h] = elem->hnext;
		115	else
		116	prev->hnext = elem->hnext;
		117	free(elem);
106	}	118	}
107		119
108	static void hlist_print() {	120	#ifdef DEBUG
109	ansi_clrscr(0);	121	static void debug_dlist(void) {
110	if (htable_empty)	122	HList *ptr = dlist;
111	return;	123	while (ptr) {
112	if (arg_netfilter)	124	printf("dlist %d.%d.%d.%d:%d\n", PRINT_IP(ptr->ip_src), ptr->port_src);
113	printf("\n\n");	125	ptr = ptr->dnext;
114		126	}
		127	}
		128	static void debug_hlist(void) {
115	int i;	129	int i;
116	int cnt = 0;
117	int cnt_printed = 0;
118	for (i = 0; i < HMAX; i++) {	130	for (i = 0; i < HMAX; i++) {
119	HList *ptr = htable[i];	131	HList *ptr = htable[i];
120	while (ptr) {	132	while (ptr) {
121	if (ptr->bytes) {	133	printf("hlist (%d) %d.%d.%d.%d:%d\n", i, PRINT_IP(ptr->ip_src), ptr->port_src);
122	cnt_printed++;	134	ptr = ptr->hnext;
123	char ip_src[30];
124	sprintf(ip_src, "%d.%d.%d.%d:%u", PRINT_IP(ptr->ip_src), ptr->port_src);
125	char ip_dst[30];
126	sprintf(ip_dst, "%d.%d.%d.%d", PRINT_IP(ptr->ip_dst));
127	printf("%-25s => %-25s\t%s:",
128	ip_src,
129	ip_dst,
130	(ptr->protocol == 6)? "TCP": "UDP");
131
132	if (ptr->bytes > (DISPLAY_INTERVAL * 1024 * 2)) // > 2 KB/second
133	printf(" %lu KB/sec\n",
134	ptr->bytes / (DISPLAY_INTERVAL * 1024));
135	else
136	printf(" %lu B/sec\n",
137	ptr->bytes / DISPLAY_INTERVAL);
138	ptr->bytes = 0;
139	}
140
141	ptr = ptr->next;
142	cnt++;
143	}	135	}
144	}	136	}
		137	}
		138	#endif
		139
		140	static void hlist_print(void) {
		141	assert(!arg_netfilter);
		142	ansi_clrscr();
		143
		144	#ifdef DEBUG
		145	printf("*********************\n");
		146	debug_dlist();
		147	printf("-----------------------------\n");
		148	debug_hlist();
		149	printf("*********************\n");
		150	#endif
		151
		152	HList *ptr = dlist;
		153	HList *prev = NULL;
		154	while (ptr) {
		155	HList *next = ptr->dnext;
		156	if (ptr->bytes) {
		157	char ip_src[30];
		158	sprintf(ip_src, "%d.%d.%d.%d:%u", PRINT_IP(ptr->ip_src), ptr->port_src);
		159	char ip_dst[30];
		160	sprintf(ip_dst, "%d.%d.%d.%d", PRINT_IP(ptr->ip_dst));
		161	printf("%-22s => %-15s %s:",
		162	ip_src,
		163	ip_dst,
		164	(ptr->protocol == 6)? "TCP": "UDP");
		165
		166	if (ptr->bytes > (DISPLAY_INTERVAL * 1024 * 2)) // > 2 KB/second
		167	printf(" %lu KB/sec\n",
		168	ptr->bytes / (DISPLAY_INTERVAL * 1024));
		169	else
		170	printf(" %lu B/sec\n",
		171	ptr->bytes / DISPLAY_INTERVAL);
		172	ptr->bytes = 0;
		173	prev = ptr;
		174	}
		175	else {
		176	// free the element
		177	if (prev == NULL)
		178	dlist = next;
		179	else
		180	prev->dnext = next;
		181	hlist_free(ptr);
		182	}
145		183
146	if (cnt_printed < 7) {	184	ptr = next;
147	for (i = 0; i < 7 - cnt_printed; i++)
148	printf("\n");
149	}
150
151	if (!arg_netfilter) {
152	printf("(%d %s in the last one minute)\n", cnt, (cnt == 1)? "stream": "streams");
153	hlist_clean_ttl();
154	}	185	}
155	}	186	}
156		187
157	static void run_trace(void) {	188	static void run_trace(void) {
158	logprintf("accumulating traffic for %d seconds...\n", NETLOCK_INTERVAL);	189	if (arg_netfilter)
		190	logprintf("accumulating traffic for %d seconds\n", NETLOCK_INTERVAL);
159		191
160	// trace only rx ipv4 tcp and upd	192	// trace only rx ipv4 tcp and upd
161	int s1 = socket(AF_INET, SOCK_RAW, IPPROTO_TCP);	193	int s1 = socket(AF_INET, SOCK_RAW, IPPROTO_TCP);
@@ -169,18 +201,16 @@ static void run_trace(void) {
169	unsigned char buf[MAX_BUF_SIZE];	201	unsigned char buf[MAX_BUF_SIZE];
170	while (1) {	202	while (1) {
171	unsigned end = time(NULL);	203	unsigned end = time(NULL);
172	if (arg_netfilter && end - start >= NETLOCK_INTERVAL) {	204	if (arg_netfilter && end - start >= NETLOCK_INTERVAL)
173	ansi_clrline(1);
174	break;	205	break;
175	}
176	if (end % DISPLAY_INTERVAL == 1 && last_print_traces != end) { // first print after 1 second	206	if (end % DISPLAY_INTERVAL == 1 && last_print_traces != end) { // first print after 1 second
177	hlist_print();	207	if (!arg_netfilter)
		208	hlist_print();
178	last_print_traces = end;	209	last_print_traces = end;
179	}	210	}
180	if (arg_netfilter && last_print_remaining != end) {	211	if (arg_netfilter && last_print_remaining != end) {
181	ansi_clrline(1);	212	logprintf(".");
182	int secs = NETLOCK_INTERVAL - (end - start);	213	fflush(0);
183	logprintf("%d %s remaining ", secs, (secs == 1)? "second": "seconds");
184	last_print_remaining = end;	214	last_print_remaining = end;
185	}	215	}
186		216
@@ -228,14 +258,14 @@ static void run_trace(void) {
228	}	258	}
229		259
230	static char *filter_start =	260	static char *filter_start =
231	"*filter\n"	261	"*filter\n"
232	":INPUT DROP [0:0]\n"	262	":INPUT DROP [0:0]\n"
233	":FORWARD DROP [0:0]\n"	263	":FORWARD DROP [0:0]\n"
234	":OUTPUT DROP [0:0]\n";	264	":OUTPUT DROP [0:0]\n";
235		265
236	// return 1 if error	266	// return 1 if error
237	static int print_filter(FILE *fp) {	267	static int print_filter(FILE *fp) {
238	if (htable_empty)	268	if (dlist == NULL)
239	return 1;	269	return 1;
240	fprintf(fp, "%s\n", filter_start);	270	fprintf(fp, "%s\n", filter_start);
241	fprintf(fp, "-A INPUT -s 127.0.0.0/8 -j ACCEPT\n");	271	fprintf(fp, "-A INPUT -s 127.0.0.0/8 -j ACCEPT\n");
@@ -246,19 +276,19 @@ static int print_filter(FILE *fp) {
246	for (i = 0; i < HMAX; i++) {	276	for (i = 0; i < HMAX; i++) {
247	HList *ptr = htable[i];	277	HList *ptr = htable[i];
248	while (ptr) {	278	while (ptr) {
249	if (ptr->instance == 1) {	279	// filter rules are targeting ip address, the port number is disregarded,
		280	// so we look only at the first instance of an address
		281	if (ptr->ip_instance == 1) {
250	char *protocol = (ptr->protocol == 6)? "tcp": "udp";	282	char *protocol = (ptr->protocol == 6)? "tcp": "udp";
251	fprintf(fp, "-A INPUT -s %d.%d.%d.%d -sport %u -p %s -j ACCEPT\n",	283	fprintf(fp, "-A INPUT -s %d.%d.%d.%d -p %s -j ACCEPT\n",
252	PRINT_IP(ptr->ip_src),	284	PRINT_IP(ptr->ip_src),
253	ptr->port_src,
254	protocol);	285	protocol);
255	fprintf(fp, "-A OUTPUT -d %d.%d.%d.%d -dport %u -p %s -j ACCEPT\n",	286	fprintf(fp, "-A OUTPUT -d %d.%d.%d.%d -p %s -j ACCEPT\n",
256	PRINT_IP(ptr->ip_src),	287	PRINT_IP(ptr->ip_src),
257	ptr->port_src,
258	protocol);	288	protocol);
259	fprintf(fp, "\n");	289	fprintf(fp, "\n");
260	}	290	}
261	ptr = ptr->next;	291	ptr = ptr->hnext;
262	}	292	}
263	}	293	}
264	fprintf(fp, "COMMIT\n");	294	fprintf(fp, "COMMIT\n");
@@ -268,33 +298,46 @@ static int print_filter(FILE *fp) {
268		298
269	static char *flush_rules[] = {	299	static char *flush_rules[] = {
270	"-P INPUT ACCEPT",	300	"-P INPUT ACCEPT",
271	"-P FORWARD ACCEPT",	301	// "-P FORWARD DENY",
272	"-P OUTPUT ACCEPT",	302	"-P OUTPUT ACCEPT",
273	"-F",	303	"-F",
274	"-X",	304	"-X",
275	"-t nat -F",	305	// "-t nat -F",
276	"-t nat -X",	306	// "-t nat -X",
277	"-t mangle -F",	307	// "-t mangle -F",
278	"-t mangle -X",	308	// "-t mangle -X",
279	"iptables -t raw -F",	309	// "iptables -t raw -F",
280	"-t raw -X",	310	// "-t raw -X",
281	NULL	311	NULL
282	};	312	};
283		313
284	static void flush_netfilter(void) {	314	static void deploy_netfilter(void) {
		315	int rv;
		316	char *cmd;
		317	int i;
		318
		319	if (dlist == NULL) {
		320	logprintf("Sorry, no network traffic was detected. The firewall was not configured.\n");
		321	return;
		322	}
285	// find iptables command	323	// find iptables command
286	struct stat s;
287	char *iptables = NULL;	324	char *iptables = NULL;
288	if (stat("/sbin/iptables", &s) == 0)	325	char *iptables_restore = NULL;
		326	if (access("/sbin/iptables", X_OK) == 0) {
289	iptables = "/sbin/iptables";	327	iptables = "/sbin/iptables";
290	else if (stat("/usr/sbin/iptables", &s) == 0)	328	iptables_restore = "/sbin/iptables-restore";
		329	}
		330	else if (access("/usr/sbin/iptables", X_OK) == 0) {
291	iptables = "/usr/sbin/iptables";	331	iptables = "/usr/sbin/iptables";
292	if (iptables == NULL) {	332	iptables_restore = "/usr/sbin/iptables-restore";
		333	}
		334	if (iptables == NULL \|\| iptables_restore == NULL) {
293	fprintf(stderr, "Error: iptables command not found, netfilter not configured\n");	335	fprintf(stderr, "Error: iptables command not found, netfilter not configured\n");
294	exit(1);	336	exit(1);
295	}	337	}
296		338
297	int i = 0;	339	// flush all netfilter rules
		340	i = 0;
298	while (flush_rules[i]) {	341	while (flush_rules[i]) {
299	char *cmd;	342	char *cmd;
300	if (asprintf(&cmd, "%s %s", iptables, flush_rules[i]) == -1)	343	if (asprintf(&cmd, "%s %s", iptables, flush_rules[i]) == -1)
@@ -304,11 +347,6 @@ static void flush_netfilter(void) {
304	free(cmd);	347	free(cmd);
305	i++;	348	i++;
306	}	349	}
307	}
308
309	static void deploy_netfilter(void) {
310	int rv;
311	char *cmd;
312		350
313	// create temporary file	351	// create temporary file
314	char fname[] = "/tmp/firejail-XXXXXX";	352	char fname[] = "/tmp/firejail-XXXXXX";
@@ -328,54 +366,28 @@ static void deploy_netfilter(void) {
328	print_filter(fp);	366	print_filter(fp);
329	fclose(fp);	367	fclose(fp);
330		368
331	if (arg_log) {	369	logprintf("\n\n");
332	logprintf("\n");	370	logprintf(">>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>\n");
333	logprintf(">>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>\n");	371	if (asprintf(&cmd, "cat %s >> %s", fname, arg_log) == -1)
334	if (asprintf(&cmd, "cat %s >> %s", fname, arg_log) == -1)
335	errExit("asprintf");
336	rv = system(cmd);
337	(void) rv;
338	free(cmd);
339	logprintf("<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<\n");
340	}
341
342	// find iptables command
343	struct stat s;
344	char *iptables = NULL;
345	char *iptables_restore = NULL;
346	if (stat("/sbin/iptables", &s) == 0) {
347	iptables = "/sbin/iptables";
348	iptables_restore = "/sbin/iptables-restore";
349	}
350	else if (stat("/usr/sbin/iptables", &s) == 0) {
351	iptables = "/usr/sbin/iptables";
352	iptables_restore = "/usr/sbin/iptables-restore";
353	}
354	if (iptables == NULL \|\| iptables_restore == NULL) {
355	fprintf(stderr, "Error: iptables command not found, netfilter not configured\n");
356	rv = unlink(fname);
357	(void) rv;
358	exit(1);
359	}
360
361	// configuring
362	if (asprintf(&cmd, "%s %s", iptables_restore, fname) == -1)
363	errExit("asprintf");	372	errExit("asprintf");
364	rv = system(cmd);	373	rv = system(cmd);
365	if (rv)	374	(void) rv;
366	fprintf(stdout, "Warning: possible netfilter problem!");
367	free(cmd);	375	free(cmd);
368		376
369	sleep(1);	377	if (asprintf(&cmd, "cat %s", fname) == -1)
370	if (asprintf(&cmd, "%s %s", iptables_restore, fname) == -1)
371	errExit("asprintf");	378	errExit("asprintf");
372	rv = system(cmd);	379	rv = system(cmd);
		380	(void) rv;
373	free(cmd);	381	free(cmd);
		382	logprintf("<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<\n");
374		383
375	printf("Current firewall configuration:\n\n");	384	// configuring
376	if (asprintf(&cmd, "%s -vL -n", iptables) == -1)	385	if (asprintf(&cmd, "%s %s", iptables_restore, fname) == -1)
377	errExit("asprintf");	386	errExit("asprintf");
378	rv = system(cmd);	387	rv = system(cmd);
		388	if (rv)
		389	fprintf(stdout, "Warning: possible netfilter problem!");
		390	free(cmd);
379		391
380	rv = unlink(fname);	392	rv = unlink(fname);
381	(void) rv;	393	(void) rv;
@@ -394,6 +406,11 @@ void logprintf(char* fmt, ...) {
394	va_end(args);	406	va_end(args);
395	fclose(fp);	407	fclose(fp);
396	}	408	}
		409
		410	va_list args;
		411	va_start(args,fmt);
		412	vfprintf(stdout, fmt, args);
		413	va_end(args);
397	}	414	}
398		415
399	static void usage(void) {	416	static void usage(void) {
@@ -429,12 +446,10 @@ int main(int argc, char **argv) {
429	}	446	}
430	}	447	}
431		448
432	if (arg_netfilter) {	449	ansi_clrscr();
		450	if (arg_netfilter)
433	logprintf("starting network lockdown\n");	451	logprintf("starting network lockdown\n");
434	flush_netfilter();
435	}
436		452
437	ansi_clrscr(0);
438	run_trace();	453	run_trace();
439	if (arg_netfilter) {	454	if (arg_netfilter) {
440	deploy_netfilter();	455	deploy_netfilter();