enabled nettraces by default in the main build - you would need to be root to run these optionslandlock-split

4 files changed, 47 insertions, 28 deletions

diff --git a/src/firejail/main.c b/src/firejail/main.c
index e3dab561c..0c9c80137 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -420,7 +420,6 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
                         exit_err_feature("x11");
         }
 #endif
-#ifdef HAVE_NETWORK
         else if (strcmp(argv[i], "--nettrace") == 0) {
                 if (checkcfg(CFG_NETWORK)) {
                         if (getuid() != 0) {
@@ -524,8 +523,7 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
                 exit(0);
         }
 
-
-
+#ifdef HAVE_NETWORK
         else if (strncmp(argv[i], "--bandwidth=", 12) == 0) {
                 if (checkcfg(CFG_NETWORK)) {
                         logargs(argc, argv);
diff --git a/src/fnettrace/main.c b/src/fnettrace/main.c
index 5a0b97e89..4db8e7478 100644
--- a/src/fnettrace/main.c
+++ b/src/fnettrace/main.c
@@ -308,6 +308,8 @@ static inline const char *common_port(uint16_t port) {
                         return "Tor";
                 else if (port == 9030)
                         return "Tor";
+                else if (port == 9040)
+                        return "Tor";
                 else if (port == 9050)
                         return "Tor";
                 else if (port == 9051)
@@ -506,16 +508,16 @@ static void print_stats(FILE *fp) {
 
         fprintf(fp, "\n\nIP map");
         if (fp == stdout)
-                ansi_faint("  - server-address network (packets)\n");
+                ansi_faint("  - network (packets)\n");
         else
-                fprintf(fp, "  - server-address network (packets)\n");
+                fprintf(fp, "  - network (packets)\n");
         radix_print(fp, 1);
 
         fprintf(fp, "\n\nEvents %d", ev_cnt);
         if (fp == stdout)
-                ansi_faint(" - time address:port data\n");
+                ansi_faint(" - time address data\n");
         else
-                fprintf(fp, " - time address:port data\n");
+                fprintf(fp, " - time address data\n");
         ev_print(fp);
 
 }
diff --git a/src/fnettrace/static-ip-map.txt b/src/fnettrace/static-ip-map.txt
index 3e857b200..aeac58c6a 100644
--- a/src/fnettrace/static-ip-map.txt
+++ b/src/fnettrace/static-ip-map.txt
@@ -188,6 +188,7 @@
 104.244.40.0/21 Twitter
 108.160.160.0/20 Dropbox
 108.175.32.0/20 Netflix
+129.144.0.0/12 Oracle
 129.134.0.0/16 Facebook
 140.82.112.0/20 GitHub
 143.55.64.0/20 GitHub
@@ -221,7 +222,6 @@
 185.125.188.0/22 Ubuntu One
 185.199.108.0/22 GitHub
 185.205.69.0/24 Tutanota
-185.238.113.0/24 Bitchute
 188.64.224.0/21 Twitter
 190.217.33.0/24 Steam
 192.0.64.0/18 Wordpress
@@ -253,7 +253,11 @@
 63.141.247.168/29 BitChute
 63.141.247.240/29 BitChute
 69.30.200.200/29 BitChute
+69.30.230.64/29 BitChute
+69.30.241.40/29 BitChute
 69.30.241.48/29 BitChute
+69.30.243.168/29 BitChute
+69.30.245.232/29 BitChute
 69.30.253.16/29 BitChute
 69.197.182.184/29 BitChute
 74.91.28.208/29 BitChute
@@ -264,6 +268,7 @@
 107.150.45.120/29 BitChute
 142.54.180.104/29 BitChute
 142.54.181.184/29 BitChute
+142.54.188.112/29 BitChute
 142.54.189.192/29 BitChute
 173.208.154.8/29 BitChute
 173.208.154.160/29 BitChute
@@ -275,19 +280,27 @@
 173.208.216.40/29 BitChute
 173.208.219.112/29 BitChute
 173.208.246.160/29 BitChute
+185.238.113.0/24 BitChute
+192.151.147.16/29 BitChute
 192.151.158.136/29 BitChute
 192.187.97.88/29 BitChute
 192.187.114.16/29 BitChute
 192.187.114.96/29 BitChute
+192.187.118.168/29 BitChute
+192.187.121.208/29 BitChute
 192.187.123.112/29 BitChute
 192.187.126.0/29 BitChute
 198.204.226.120/29 BitChute
 198.204.228.48/29 BitChute
+198.204.235.88/29 BitChute
 198.204.235.216/29 BitChute
 198.204.245.32/29 BitChute
 198.204.245.88/29 BitChute
 198.204.250.208/29 BitChute
+198.204.253.64/29 BitChute
+198.204.253.184/29 BitChute
 199.168.96.24/29 BitChute
+199.168.96.64/29 BitChute
 204.12.220.136/29 BitChute
 204.12.194.176/29 BitChute
 204.12.194.248/29 BitChute
@@ -297,7 +310,7 @@
 # WholeSale Internet
 69.30.192.0/18 WholeSale Internet
 69.197.128.0/18 WholeSale Internet
-
+142.54.160.0/19 WholeSale Internet
 173.208.128.0/17 WholeSale Internet
 204.12.192.0/18 WholeSale Internet
 208.67.0.0/21 WholeSale Internet
@@ -625,6 +638,7 @@
 206.190.32.0/19 Yahoo
 209.73.160.0/19 Yahoo
 209.191.64.0/18 Yahoo
+212.82.100.0/22 Yahoo
 216.115.96.0/20 Yahoo
 
 # Google
@@ -634,6 +648,18 @@
 8.35.192.0/20 Google
 23.236.48.0/20 Google
 23.251.128.0/19 Google
+34.4.16.0/20 Google
+34.4.64.0/18 Google
+34.4.6.0/23 Google
+34.16.0.0/12 Google
+34.32.0.0/11 Google
+34.4.128.0/17 Google
+34.8.0.0/13 Google
+34.4.8.0/21 Google
+34.5.0.0/16 Google
+34.6.0.0/15 Google
+34.4.32.0/19 Google
+34.4.5.0/24 Google
 34.64.0.0/10 Google
 34.128.0.0/10 Google
 35.184.0.0/13 Google
@@ -1884,6 +1910,7 @@
 34.192.0.0/12 Amazon
 34.208.0.0/12 Amazon
 34.224.0.0/12 Amazon
+34.225.127.72/10 Amazon
 34.240.0.0/13 Amazon
 34.248.0.0/13 Amazon
 35.71.64.0/22 Amazon
@@ -3432,7 +3459,7 @@
 54.93.0.0/16 Amazon
 54.94.0.0/16 Amazon
 54.95.0.0/16 Amazon
-54.144.0.0/14 Amazon
+54.144.0.0/12 Amazon
 54.148.0.0/15 Amazon
 54.150.0.0/16 Amazon
 54.151.0.0/17 Amazon
@@ -3443,7 +3470,7 @@
 54.154.0.0/16 Amazon
 54.155.0.0/16 Amazon
 54.156.0.0/14 Amazon
-54.160.0.0/13 Amazon
+54.160.0.0/11 Amazon
 54.168.0.0/16 Amazon
 54.169.0.0/16 Amazon
 54.170.0.0/15 Amazon
@@ -3456,7 +3483,7 @@
 54.182.0.0/16 Amazon
 54.183.0.0/16 Amazon
 54.184.0.0/13 Amazon
-54.192.0.0/16 Amazon
+54.192.0.0/12 Amazon
 54.193.0.0/16 Amazon
 54.194.0.0/15 Amazon
 54.196.0.0/15 Amazon
@@ -3467,12 +3494,12 @@
 54.204.0.0/15 Amazon
 54.206.0.0/16 Amazon
 54.207.0.0/16 Amazon
-54.208.0.0/15 Amazon
+54.208.0.0/13 Amazon
 54.210.0.0/15 Amazon
 54.212.0.0/15 Amazon
 54.214.0.0/16 Amazon
 54.215.0.0/16 Amazon
-54.216.0.0/15 Amazon
+54.216.0.0/14 Amazon
 54.218.0.0/16 Amazon
 54.219.0.0/16 Amazon
 54.220.0.0/16 Amazon
diff --git a/src/man/firejail.1.in b/src/man/firejail.1.in
index ee4adf5b8..06969e851 100644
--- a/src/man/firejail.1.in
+++ b/src/man/firejail.1.in
@@ -788,7 +788,6 @@ $ firejail \-\-list
 .br
 $ firejail \-\-dns.print=3272
 
-#ifdef HAVE_NETWORK
 .TP
 \fB\-\-dnstrace[=name|pid]
 Monitor DNS queries. The sandbox can be specified by name or pid. Only networked sandboxes
@@ -828,7 +827,6 @@ $ sudo firejail --dnstrace
 .br
 11:32:08  9.9.9.9        www.youtube.com (type 1)
 .br
-#endif
 
 .TP
 \fB\-\-env=name=value
@@ -930,7 +928,6 @@ $ firejail --ignore=seccomp --ignore=caps firefox
 $ firejail \-\-ignore="net eth0" firefox
 #endif
 
-#ifdef HAVE_NETWORK
 .TP
 \fB\-\-icmptrace[=name|pid]
 Monitor ICMP traffic. The sandbox can be specified by name or pid. Only networked sandboxes
@@ -956,7 +953,6 @@ $ sudo firejail --icmptrace
 .br
 20:53:55  192.168.1.60 -> 1.1.1.1 - 154 bytes - Destination unreachable/Port unreachable
 .br
-#endif
 
 .TP
 \fB\-\-\include=file.profile
@@ -1643,6 +1639,7 @@ PID  User    RX(KB/s) TX(KB/s) Command
 1294 netblue 53.355   1.473    firejail \-\-net=eth0 firefox
 .br
 7383 netblue 9.045    0.112    firejail \-\-net=eth0 transmission
+#endif
 .TP
 \fB\-\-nettrace[=name|pid]
 Monitor received TCP. UDP, and ICMP traffic. The sandbox can be specified by name or pid. Only networked sandboxes
@@ -1658,17 +1655,15 @@ Example:
 .br
 $ sudo firejail --nettrace
 .br
-                        95 KB/s  geoip 457, IP database 4436
+                       93 KB/s  address:port (protocol) network
 .br
-   52 KB/s ***********           64.222.84.207:443 United States
+  14 B/s  **                    104.24.8.4:443(QUIC) Cloudflare
 .br
-   33 KB/s *******               89.147.74.105:63930 Hungary
+  80 KB/s *****************     192.187.97.90:443(TLS) BitChute
 .br
-    0 B/s                        45.90.28.0:443 NextDNS
+   1 B/s                        149.56.228.45:443(DoH) Canada
 .br
-    0 B/s                        94.70.122.176:52309(UDP) Greece
-.br
-  339 B/s                        104.26.7.35:443 Cloudflare
+(D)isplay, (S)ave, (C)lear, e(X)it
 .br
 
 .br
@@ -1677,7 +1672,6 @@ the country the traffic originates from is added to the trace.
 We also use the static IP map in /usr/lib/firejail/static-ip-map
 to print the domain names for some of the more common websites and cloud platforms.
 No external services are contacted for reverse IP lookup.
-#endif
 .TP
 \fB\-\-nice=value
 Set nice value for all processes running inside the sandbox.
@@ -2862,7 +2856,6 @@ $ firejail \-\-list
 .br
 $ firejail \-\-shutdown=3272
 
-#ifdef HAVE_NETWORK
 .TP
 \fB\-\-snitrace[=name|pid]
 Monitor Server Name Indication (TLS/SNI). The sandbox can be specified by name or pid. Only networked sandboxes
@@ -2904,7 +2897,6 @@ $ sudo firejail --snitrace
 .br
 07:53:11  192.0.73.2       1.gravatar.com
 .br
-#endif
 
 .TP
 \fB\-\-tab