Diffstat (limited to 'src/firejail/network_main.c')
-rw-r--r-- | src/firejail/network_main.c | 57 |
1 files changed, 39 insertions, 18 deletions
diff --git a/src/firejail/network_main.c b/src/firejail/network_main.c index 1516b94d2..488615bda 100644 --- a/src/firejail/network_main.c +++ b/src/firejail/network_main.c | |||
@@ -61,25 +61,27 @@ void net_configure_bridge(Bridge *br, char *dev_name) { | |||
61 | // allow unconfigured interfaces | 61 | // allow unconfigured interfaces |
62 | if (net_get_if_addr(br->dev, &br->ip, &br->mask, br->mac, &br->mtu)) { | 62 | if (net_get_if_addr(br->dev, &br->ip, &br->mask, br->mac, &br->mtu)) { |
63 | fwarning("the network interface %s is not configured\n", br->dev); | 63 | fwarning("the network interface %s is not configured\n", br->dev); |
64 | br->configured = 1; | 64 | // don't configure an ip address on unconfigured interfaces |
65 | br->arg_ip_none = 1; | 65 | // br->arg_ip_none = 1; |
66 | return; | ||
67 | } | ||
68 | if (arg_debug) { | ||
69 | if (br->macvlan == 0) | ||
70 | printf("Bridge device %s at %d.%d.%d.%d/%d\n", | ||
71 | br->dev, PRINT_IP(br->ip), mask2bits(br->mask)); | ||
72 | else | ||
73 | printf("macvlan parent device %s at %d.%d.%d.%d/%d\n", | ||
74 | br->dev, PRINT_IP(br->ip), mask2bits(br->mask)); | ||
75 | } | 66 | } |
67 | else { | ||
68 | if (arg_debug) { | ||
69 | if (br->macvlan == 0) | ||
70 | printf("Bridge device %s at %d.%d.%d.%d/%d\n", | ||
71 | br->dev, PRINT_IP(br->ip), mask2bits(br->mask)); | ||
72 | else | ||
73 | printf("macvlan parent device %s at %d.%d.%d.%d/%d\n", | ||
74 | br->dev, PRINT_IP(br->ip), mask2bits(br->mask)); | ||
75 | } | ||
76 | 76 | ||
77 | uint32_t range = ~br->mask + 1; // the number of potential addresses | 77 | uint32_t range = ~br->mask + 1; // the number of potential addresses |
78 | // this software is not supported for /31 networks | 78 | // this software is not supported for /31 networks |
79 | if (range < 4) { | 79 | if (range < 4) { |
80 | fprintf(stderr, "Error: the software is not supported for /31 networks\n"); | 80 | fprintf(stderr, "Error: the software is not supported for /31 networks\n"); |
81 | exit(1); | 81 | exit(1); |
82 | } | ||
82 | } | 83 | } |
84 | |||
83 | br->configured = 1; | 85 | br->configured = 1; |
84 | } | 86 | } |
85 | 87 | ||
@@ -91,7 +93,7 @@ void net_configure_sandbox_ip(Bridge *br) { | |||
91 | 93 | ||
92 | if (br->arg_ip_none) | 94 | if (br->arg_ip_none) |
93 | br->ipsandbox = 0; | 95 | br->ipsandbox = 0; |
94 | else if (br->ipsandbox) { | 96 | else if (br->ipsandbox && br->ip && br->mask) { |
95 | // check network range | 97 | // check network range |
96 | char *rv = in_netrange(br->ipsandbox, br->ip, br->mask); | 98 | char *rv = in_netrange(br->ipsandbox, br->ip, br->mask); |
97 | if (rv) { | 99 | if (rv) { |
@@ -104,9 +106,20 @@ void net_configure_sandbox_ip(Bridge *br) { | |||
104 | exit(1); | 106 | exit(1); |
105 | } | 107 | } |
106 | } | 108 | } |
107 | else | 109 | else if (br->ipsandbox && br->masksandbox) { |
110 | // send an ARP request and check if there is anybody on this IP address | ||
111 | if (arp_check(br->dev, br->ipsandbox)) { | ||
112 | fprintf(stderr, "Error: IP address %d.%d.%d.%d is already in use\n", PRINT_IP(br->ipsandbox)); | ||
113 | exit(1); | ||
114 | } | ||
115 | } | ||
116 | else if (br->ip && br->mask) | ||
108 | // ip address assigned by arp-scan for a bridge device | 117 | // ip address assigned by arp-scan for a bridge device |
109 | br->ipsandbox = arp_assign(br->dev, br); //br->ip, br->mask); | 118 | br->ipsandbox = arp_assign(br->dev, br); //br->ip, br->mask); |
119 | else { | ||
120 | br->ipsandbox = 0; | ||
121 | br->arg_ip_none = 1; | ||
122 | } | ||
110 | } | 123 | } |
111 | 124 | ||
112 | 125 | ||
@@ -148,21 +161,29 @@ void check_default_gw(uint32_t defaultgw) { | |||
148 | assert(defaultgw); | 161 | assert(defaultgw); |
149 | 162 | ||
150 | if (cfg.bridge0.configured) { | 163 | if (cfg.bridge0.configured) { |
164 | if (cfg.bridge0.ip == 0 && cfg.bridge0.ipsandbox) | ||
165 | return; | ||
151 | char *rv = in_netrange(defaultgw, cfg.bridge0.ip, cfg.bridge0.mask); | 166 | char *rv = in_netrange(defaultgw, cfg.bridge0.ip, cfg.bridge0.mask); |
152 | if (rv == 0) | 167 | if (rv == 0) |
153 | return; | 168 | return; |
154 | } | 169 | } |
155 | if (cfg.bridge1.configured) { | 170 | if (cfg.bridge1.configured) { |
171 | if (cfg.bridge1.ip == 0 && cfg.bridge1.ipsandbox) | ||
172 | return; | ||
156 | char *rv = in_netrange(defaultgw, cfg.bridge1.ip, cfg.bridge1.mask); | 173 | char *rv = in_netrange(defaultgw, cfg.bridge1.ip, cfg.bridge1.mask); |
157 | if (rv == 0) | 174 | if (rv == 0) |
158 | return; | 175 | return; |
159 | } | 176 | } |
160 | if (cfg.bridge2.configured) { | 177 | if (cfg.bridge2.configured) { |
178 | if (cfg.bridge2.ip == 0 && cfg.bridge2.ipsandbox) | ||
179 | return; | ||
161 | char *rv = in_netrange(defaultgw, cfg.bridge2.ip, cfg.bridge2.mask); | 180 | char *rv = in_netrange(defaultgw, cfg.bridge2.ip, cfg.bridge2.mask); |
162 | if (rv == 0) | 181 | if (rv == 0) |
163 | return; | 182 | return; |
164 | } | 183 | } |
165 | if (cfg.bridge3.configured) { | 184 | if (cfg.bridge3.configured) { |
185 | if (cfg.bridge3.ip == 0 && cfg.bridge3.ipsandbox) | ||
186 | return; | ||
166 | char *rv = in_netrange(defaultgw, cfg.bridge3.ip, cfg.bridge3.mask); | 187 | char *rv = in_netrange(defaultgw, cfg.bridge3.ip, cfg.bridge3.mask); |
167 | if (rv == 0) | 188 | if (rv == 0) |
168 | return; | 189 | return; |