8 files changed, 194 insertions, 25 deletions

diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index 94f970eb8..65907e8ee 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -675,7 +675,7 @@ void check_output(int argc, char **argv);
 
 // netfilter.c
 void netfilter_netlock(pid_t pid);
-void netfilter_trace(pid_t pid);
+void netfilter_trace(pid_t pid, const char *cmd);
 void check_netfilter_file(const char *fname);
 void netfilter(const char *fname);
 void netfilter6(const char *fname);
diff --git a/src/firejail/main.c b/src/firejail/main.c
index 12c2cf02b..b6e076dfc 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -419,7 +419,7 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
                                 fprintf(stderr, "Error: --nettrace is only available to root user\n");
                                 exit(1);
                         }
-                        netfilter_trace(0);
+                        netfilter_trace(0, LIBDIR "/firejail/fnettrace");
                 }
                 else
                         exit_err_feature("networking");
@@ -432,7 +432,57 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
                                 exit(1);
                         }
                         pid_t pid = require_pid(argv[i] + 11);
-                        netfilter_trace(pid);
+                        netfilter_trace(pid, LIBDIR "/firejail/fnettrace");
+                }
+                else
+                        exit_err_feature("networking");
+                exit(0);
+        }
+        else if (strcmp(argv[i], "--nettrace-dns") == 0) {
+                if (checkcfg(CFG_NETWORK)) {
+                        if (getuid() != 0) {
+                                fprintf(stderr, "Error: --nettrace-dns is only available to root user\n");
+                                exit(1);
+                        }
+                        netfilter_trace(0, LIBDIR "/firejail/fnettrace-dns");
+                }
+                else
+                        exit_err_feature("networking");
+                exit(0);
+        }
+        else if (strncmp(argv[i], "--nettrace-dns=", 15) == 0) {
+                if (checkcfg(CFG_NETWORK)) {
+                        if (getuid() != 0) {
+                                fprintf(stderr, "Error: --nettrace is only available to root user\n");
+                                exit(1);
+                        }
+                        pid_t pid = require_pid(argv[i] + 15);
+                        netfilter_trace(pid, LIBDIR "/firejail/fnettrace-dns");
+                }
+                else
+                        exit_err_feature("networking");
+                exit(0);
+        }
+        else if (strcmp(argv[i], "--nettrace-sni") == 0) {
+                if (checkcfg(CFG_NETWORK)) {
+                        if (getuid() != 0) {
+                                fprintf(stderr, "Error: --nettrace is only available to root user\n");
+                                exit(1);
+                        }
+                        netfilter_trace(0, LIBDIR "/firejail/fnettrace-sni");
+                }
+                else
+                        exit_err_feature("networking");
+                exit(0);
+        }
+        else if (strncmp(argv[i], "--nettrace-sni=", 15) == 0) {
+                if (checkcfg(CFG_NETWORK)) {
+                        if (getuid() != 0) {
+                                fprintf(stderr, "Error: --nettrace is only available to root user\n");
+                                exit(1);
+                        }
+                        pid_t pid = require_pid(argv[i] + 15);
+                        netfilter_trace(pid, LIBDIR "/firejail/fnettrace-sni");
                 }
                 else
                         exit_err_feature("networking");
diff --git a/src/firejail/netfilter.c b/src/firejail/netfilter.c
index 686efb6cb..aab03c796 100644
--- a/src/firejail/netfilter.c
+++ b/src/firejail/netfilter.c
@@ -91,24 +91,20 @@ void netfilter_netlock(pid_t pid) {
         // it will never get here!!
 }
 
-void netfilter_trace(pid_t pid) {
+void netfilter_trace(pid_t pid, const char *cmd) {
         EUID_ASSERT();
 
         // a pid of 0 means the main system network namespace
         if (pid)
                 enter_network_namespace(pid);
 
-        char *cmd;
-        if (asprintf(&cmd, "%s/firejail/fnettrace", LIBDIR) == -1)
-                errExit("asprintf");
-
         //************************
         // build command
         //************************
         char *arg[4];
         arg[0] = "/bin/sh";
         arg[1] = "-c";
-        arg[2] = cmd;
+        arg[2] = (char *) cmd;
         arg[3] = NULL;
 
         clearenv();
diff --git a/src/firejail/usage.c b/src/firejail/usage.c
index e11081eed..17f5af434 100644
--- a/src/firejail/usage.c
+++ b/src/firejail/usage.c
@@ -153,7 +153,9 @@ static char *usage_str =
         "\tparent interfaces.\n"
         "    --netns=name - Run the program in a named, persistent network namespace.\n"
         "    --netstats - monitor network statistics.\n"
-        "    --nettrace - monitor TCP and UDP traffic coming into the sandbox.\n"
+        "    --nettrace - monitor received TCP, UDP and ICMP traffic.\n"
+        "    --nettrace - monitor DNS queries.\n"
+        "    --nettrace - monitor Server Name Indiication (TLS/SNI).\n"
 #endif
         "    --nice=value - set nice value.\n"
         "    --no3d - disable 3D hardware acceleration.\n"
diff --git a/src/fnettrace-dns/main.c b/src/fnettrace-dns/main.c
index 0281b5157..28c76a901 100644
--- a/src/fnettrace-dns/main.c
+++ b/src/fnettrace-dns/main.c
@@ -24,6 +24,8 @@
 #include <linux/if_ether.h>
 #define MAX_BUF_SIZE (64 * 1024)
 
+static char last[512] = {'\0'};
+
 // pkt - start of DNS layer
 void print_dns(uint32_t ip_src, unsigned char *pkt) {
         assert(pkt);
@@ -33,6 +35,8 @@ void print_dns(uint32_t ip_src, unsigned char *pkt) {
         time_t seconds = time(NULL);
         struct tm *t = localtime(&seconds);
 
+        int nxdomain = (*(pkt + 3) & 0x03 == 0x03)? 1: 0;
+
         // expecting a single question count
         if (pkt[4] != 0 || pkt[5] != 1)
                 goto errout;
@@ -49,8 +53,24 @@ void print_dns(uint32_t ip_src, unsigned char *pkt) {
                 len += delta;;
                 ptr += delta;
         }
+        if (*ptr  != 0)
+                goto errout;
+
+        ptr++;
+        uint16_t type;
+        memcpy(&type, ptr, 2);
+        type = ntohs(type);
+
+        // filter output
+        char tmp[sizeof(last)];
+        snprintf(tmp, sizeof(last), "%02d:%02d:%02d  %-15s  %s (type %u)%s",
+                t->tm_hour, t->tm_min, t->tm_sec, ip, pkt + 12 + 1,
+                type, (nxdomain)? " NXDOMAIN": "");
+        if (strcmp(tmp, last)) {
+                printf("%s\n", tmp);
+                strcpy(last, tmp);
+        }
 
-        printf("%02d:%02d:%02d  %15s  %s\n", t->tm_hour, t->tm_min, t->tm_sec, ip, pkt + 12 + 1);
         return;
 
 errout:
diff --git a/src/fnettrace-sni/main.c b/src/fnettrace-sni/main.c
index ea7a91548..571089e29 100644
--- a/src/fnettrace-sni/main.c
+++ b/src/fnettrace-sni/main.c
@@ -24,6 +24,8 @@
 #include <linux/if_ether.h>
 #define MAX_BUF_SIZE (64 * 1024)
 
+static char last[512] = {'\0'};
+
 // pkt - start of TLS layer
 static void print_tls(uint32_t ip_dest, unsigned char *pkt, unsigned len) {
         assert(pkt);
@@ -67,18 +69,25 @@ static void print_tls(uint32_t ip_dest, unsigned char *pkt, unsigned len) {
                 i++;
         }
 
-        if (name)
-                printf("%02d:%02d:%02d  %15s  %s\n", t->tm_hour, t->tm_min, t->tm_sec, ip, name);
+        if (name) {
+                // filter output
+                char tmp[sizeof(last)];
+                snprintf(tmp, sizeof(last), "%02d:%02d:%02d  %-15s  %s", t->tm_hour, t->tm_min, t->tm_sec, ip, name);
+                if (strcmp(tmp, last)) {
+                        printf("%s\n", tmp);
+                        strcpy(last, tmp);
+                }
+        }
         else
                 goto nosni;
         return;
 
 errout:
-        printf("%02d:%02d:%02d  %15s  Error: invalid TLS packet\n", t->tm_hour, t->tm_min, t->tm_sec, ip);
+        printf("%02d:%02d:%02d  %-15s  Error: invalid TLS packet\n", t->tm_hour, t->tm_min, t->tm_sec, ip);
         return;
 
 nosni:
-        printf("%02d:%02d:%02d  %15s  no SNI\n", t->tm_hour, t->tm_min, t->tm_sec, ip);
+        printf("%02d:%02d:%02d  %-15s  no SNI\n", t->tm_hour, t->tm_min, t->tm_sec, ip);
         return;
 }
 
@@ -131,7 +140,7 @@ static void custom_bpf(int sock) {
 }
 
 static void run_trace(void) {
-        // grab all Ethernet packets and use a custom BPF filter to get only UDP from source port 53
+        // grab all Ethernet packets and use a custom BPF filter to get TLS/SNI packets
         int s = socket(PF_PACKET, SOCK_RAW, htons(ETH_P_ALL));
         if (s < 0)
                 errExit("socket");
diff --git a/src/fnettrace/static-ip-map b/src/fnettrace/static-ip-map
index 97e626526..f9cd907e5 100644
--- a/src/fnettrace/static-ip-map
+++ b/src/fnettrace/static-ip-map
@@ -78,6 +78,7 @@
 45.90.28.0/22 NextDNS
 149.112.112.0/24 Quad9 DNS
 149.112.120.0/21 CIRA DNS Canada
+146.255.56.96/29 Applied Privacy
 176.103.128.0/19 Adguard DNS
 185.228.168.0/24 Cleanbrowsing DNS
 208.67.216.0/21 OpenDNS
@@ -94,13 +95,14 @@
 
 # some popular websites
 23.160.0.0/24 Twitch
-23.246.0.0/18, Netflix
+23.246.0.0/18 Netflix
 31.13.24.0/21 Facebook
 31.13.64.0/18 Facebook
 37.77.184.0/21 Netflix
 45.57.0.0/17 Netflix
 45.58.64.0/20 Dropbox
 45.113.128.0/22 Twitch
+47.88.0.0/14 Alibaba
 52.223.192.0/18 Twitch
 63.245.208.0/23 Mozilla
 64.63.0.0/18 Twitter
@@ -122,12 +124,12 @@
 99.181.64.0/18 Twitch
 103.53.48.0/23 Twitch
 104.244.40.0/21 Twitter
-129.134.0.0/16 Facebook
-140.82.112.0/20 GitHub
 103.10.124.0/23 Steam
 103.28.54.0/24 Steam
 108.160.160.0/20 Dropbox
 108.175.32.0/20 Netflix
+129.134.0.0/16 Facebook
+140.82.112.0/20 GitHub
 143.55.64.0/20 Github
 146.66.152.0/24 Steam
 146.66.155.0/24 Steam
@@ -146,6 +148,7 @@
 162.125.0.0/16 Dropbox
 162.213.32.0/22 Ubuntu One
 162.254.192.0/21 Steam
+172.98.56.0/22 Rumble
 185.2.220.0/22 Netflix
 185.9.188.0/22 Netflix
 185.25.182.0/23 Steam
@@ -156,6 +159,7 @@
 185.105.164.0/24 Dropbox
 185.125.188.0/22 Ubuntu One
 185.199.108.0/22 GitHub
+185.205.69.0/24 Tutanota
 188.64.224.0/21 Twitter
 190.217.33.0/24 Steam
 192.0.64.0/18 Wordpress
@@ -179,9 +183,23 @@
 208.78.164.0/22 Steam
 208.80.152.0/22 Wikipedia
 
+# WholeSale Internet
+69.197.128.0/18 WholeSale Internet
+173.208.128.0/17 WholeSale Internet
+204.12.192.0/18 WholeSale Internet
+208.110.64.0/19 WholeSale Internet
+208.110.91.0/24 WholeSale Internet
+208.67.0.0/21 WholeSale Internet
+
 # StackPath
+69.16.173.0/24 StackPath
+69.16.174.0/23 StackPath
+69.16.176.0/20 StackPath
 151.139.0.0/16 StackPath
 
+# Linode
+172.104.0.0/15 Linode
+
 # Akamai
 23.0.0.0/12 Akamai
 23.32.0.0/11 Akamai
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index 82eea3977..3b743386e 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -1548,7 +1548,7 @@ PID  User    RX(KB/s) TX(KB/s) Command
 7383 netblue 9.045    0.112    firejail \-\-net=eth0 transmission
 .TP
 \fB\-\-nettrace[=name|pid]
-Monitor TCP and UDP traffic coming into the sandbox specified by name or pid. Only networked sandboxes
+Monitor received TCP. UDP, and ICMP traffic. The sandbox can be specified by name or pid. Only networked sandboxes
 created with \-\-net are supported. This option is only available when running the sandbox as root.
 .br
 
@@ -1557,9 +1557,7 @@ Without a name/pid, Firejail will monitor the main system network namespace.
 .br
 
 .br
- $ sudo firejail --nettrace=browser
-.br
-
+$ sudo firejail --nettrace=browser
 .br
                         95 KB/s  geoip 457, IP database 4436
 .br
@@ -1576,10 +1574,86 @@ Without a name/pid, Firejail will monitor the main system network namespace.
 
 .br
 If /usr/bin/geoiplookup is installed (geoip-bin package in Debian),
-the country the IP address originates from is added to the trace.
-We also use the static IP map in /etc/firejail/hostnames
+the country the traffic originates from is added to the trace.
+We also use the static IP map in /usr/lib/firejail/static-ip-map
 to print the domain names for some of the more common websites and cloud platforms.
 No external services are contacted for reverse IP lookup.
+.TP
+\fB\-\-nettrace-dns[=name|pid]
+Monitor DNS queries. The sandbox can be specified by name or pid. Only networked sandboxes
+created with \-\-net are supported. This option is only available when running the sandbox as root.
+.br
+
+.br
+Without a name/pid, Firejail will monitor the main system network namespace.
+.br
+
+.br
+$ sudo firejail --nettrace-dns=browser
+.br
+11:31:43  9.9.9.9        linux.com (type 1)
+.br
+11:31:45  9.9.9.9        fonts.googleapis.com (type 1) NXDOMAIN
+.br
+11:31:45  9.9.9.9        js.hs-scripts.com (type 1) NXDOMAIN
+.br
+11:31:45  9.9.9.9        www.linux.com (type 1)
+.br
+11:31:45  9.9.9.9        fonts.googleapis.com (type 1) NXDOMAIN
+.br
+11:31:52  9.9.9.9        js.hs-scripts.com (type 1) NXDOMAIN
+.br
+11:32:05  9.9.9.9        secure.gravatar.com (type 1)
+.br
+11:32:06  9.9.9.9        secure.gravatar.com (type 1)
+.br
+11:32:08  9.9.9.9        taikai.network (type 1)
+.br
+11:32:08  9.9.9.9        cdn.jsdelivr.net (type 1)
+.br
+11:32:08  9.9.9.9        taikai.azureedge.net (type 1)
+.br
+11:32:08  9.9.9.9        www.youtube.com (type 1)
+.br
+.TP
+\fB\-\-nettrace-sni[=name|pid]
+Monitor Server Name Indication (TLS/SNI). The sandbox can be specified by name or pid. Only networked sandboxes
+created with \-\-net are supported. This option is only available when running the sandbox as root.
+.br
+
+.br
+Without a name/pid, Firejail will monitor the main system network namespace.
+.br
+
+.br
+$ sudo firejail --nettrace-sni=browser
+.br
+07:49:51  23.185.0.3       linux.com
+.br
+07:49:51  23.185.0.3       www.linux.com
+.br
+07:50:05  192.0.73.2       secure.gravatar.com
+.br
+07:52:35  172.67.68.93     www.howtoforge.com
+.br
+07:52:37  13.225.103.59    sf.ezoiccdn.com
+.br
+07:52:42  142.250.176.3    www.gstatic.com
+.br
+07:53:03  173.236.250.32   www.linuxlinks.com
+.br
+07:53:05  192.0.77.37      c0.wp.com
+.br
+07:53:08  192.0.78.32      jetpack.wordpress.com
+.br
+07:53:09  192.0.77.32      s0.wp.com
+.br
+07:53:09  192.0.77.2       i0.wp.com
+.br
+07:53:10  192.0.77.2       i0.wp.com
+.br
+07:53:11  192.0.73.2       1.gravatar.com
+.br
 #endif
 .TP
 \fB\-\-nice=value