1 files changed, 433 insertions, 0 deletions
diff --git a/src/fnettrace/main.c b/src/fnettrace/main.c
new file mode 100644
index 000000000..f036d0c9e
--- /dev/null
+++ b/src/fnettrace/main.c
@@ -0,0 +1,433 @@
+#include "fnettrace.h"
+#define MAX_BUF_SIZE (64 * 1024)
+static int arg_netfilter = 0;
+static char *arg_log = NULL;
+typedef struct hlist_t {
+        struct hlist_t *next;
+        uint32_t ip_src;
+        uint32_t ip_dst;
+        uint16_t port_src;
+        uint64_t  bytes;
+        int instance;
+#define MAX_TTL 20 // 20 * DISPLAY_INTERVAL = 1 minute
+        short ttl;
+        uint8_t protocol;
+} HList;
+#define HMAX 256
+HList *htable[HMAX] = {NULL};
+static int htable_empty = 1;
+static void hlist_add(uint32_t ip_src, uint32_t ip_dst, uint8_t protocol, uint16_t port_src, uint64_t bytes) {
+        uint8_t h = hash(ip_src);
+        htable_empty = 0;
+        // find
+        int instance = 0;
+        HList *ptr = htable[h];
+        while (ptr) {
+                if (ptr->ip_src == ip_src) {
+                        instance++;
+                        if (ptr->ip_dst == ip_dst && ptr->port_src == port_src && ptr->protocol == protocol) {
+                                ptr->bytes += bytes;
+                                ptr->ttl = MAX_TTL;
+                                return;
+                        }
+                }
+                ptr = ptr->next;
+        }
+        HList *hnew = malloc(sizeof(HList));
+        hnew->ip_src = ip_src;
+        hnew->ip_dst = ip_dst;
+        hnew->port_src = port_src;
+        hnew->protocol = protocol;
+        hnew->next = NULL;
+        hnew->bytes = bytes;
+        hnew->ttl = MAX_TTL;
+        hnew->instance = instance + 1;
+        if (htable[h] == NULL)
+                htable[h] = hnew;
+        else {
+                hnew->next = htable[h];
+                htable[h] = hnew;
+        }
+        ansi_clrline(1);
+        logprintf("  %u.%u.%u.%u\n", PRINT_IP(hnew->ip_src));
+}
+// remove entries with a ttl <= 0
+static void hlist_clean_ttl() {
+        if (htable_empty)
+                return;
+        int i;
+        for (i = 0; i < HMAX; i++) {
+                HList *ptr = htable[i];
+                HList *parent = NULL;
+                while (ptr) {
+                        if (--ptr->ttl <= 0) {
+                                HList *tmp = ptr;
+                                ptr = ptr->next;
+                                if (parent)
+                                        parent->next = ptr;
+                                else
+                                        htable[i] = ptr;
+                                free(tmp);
+                        }
+                        else {
+                                parent = ptr;
+                                ptr = ptr->next;
+                        }
+                }
+        }
+}
+static void hlist_print() {
+        ansi_clrscr(0);
+        if (htable_empty)
+                return;
+        if (arg_netfilter)
+                printf("\n\n");
+        static int clear_cnt = 0;
+        int i;
+        int cnt = 0;
+        int cnt_printed = 0;
+        for (i = 0; i < HMAX; i++) {
+                HList *ptr = htable[i];
+                while (ptr) {
+                        if (ptr->bytes) {
+                                cnt_printed++;
+                                char ip_src[30];
+                                sprintf(ip_src, "%u.%u.%u.%u:%u", PRINT_IP(ptr->ip_src), ptr->port_src);
+                                char ip_dst[30];
+                                sprintf(ip_dst, "%u.%u.%u.%u", PRINT_IP(ptr->ip_dst));
+                                printf("%-25s =>      %-25s\t%s:",
+                                        ip_src,
+                                        ip_dst,
+                                        (ptr->protocol == 6)? "TCP": "UDP");
+                                if (ptr->bytes > (DISPLAY_INTERVAL * 1024 * 2)) // > 2 KB/second
+                                        printf(" %lu KB/sec\n",
+                                                ptr->bytes / (DISPLAY_INTERVAL * 1024));
+                                else
+                                        printf(" %lu B/sec\n",
+                                                ptr->bytes / DISPLAY_INTERVAL);
+                                ptr->bytes = 0;
+                        }
+                        ptr = ptr->next;
+                        cnt++;
+                }
+        }
+        if (cnt_printed < 7) {
+                for (i = 0; i < 7 - cnt_printed; i++)
+                        printf("\n");
+        }
+        if (!arg_netfilter) {
+                printf("(%d %s in the last one minute)\n", cnt, (cnt == 1)? "stream": "streams");
+                hlist_clean_ttl();
+        }
+}
+static void run_trace(void) {
+        logprintf("accumulating traffic for %d seconds...\n", NETLOCK_INTERVAL);
+        // trace only rx ipv4 tcp and upd
+        int s1 = socket(AF_INET, SOCK_RAW, IPPROTO_TCP);
+        int s2 = socket(AF_INET, SOCK_RAW, IPPROTO_UDP);
+        if (s1 < 0 || s2 < 0)
+                errExit("socket");
+        unsigned start = time(NULL);
+        unsigned last_print_traces = 0;
+        unsigned last_print_remaining = 0;
+        unsigned char buf[MAX_BUF_SIZE];
+        int progress_cnt = 0;
+        while (1) {
+                unsigned end = time(NULL);
+                if (arg_netfilter && end - start >= NETLOCK_INTERVAL) {
+                        ansi_clrline(1);
+                        break;
+                }
+                if (end % DISPLAY_INTERVAL == 1 && last_print_traces != end) { // first print after 1 second
+                        hlist_print();
+                        last_print_traces = end;
+                }
+                if (arg_netfilter && last_print_remaining != end) {
+                        ansi_clrline(1);
+                        int secs = NETLOCK_INTERVAL - (end  - start);
+                        logprintf("%d %s remaining   ", secs, (secs == 1)? "second": "seconds");
+                        last_print_remaining = end;
+                }
+                fd_set rfds;
+                FD_ZERO(&rfds);
+                FD_SET(s1, &rfds);
+                FD_SET(s2, &rfds);
+                int maxfd = (s1 > s2) ? s1 : s2;
+                 maxfd++;
+                struct timeval tv;
+                tv.tv_sec = 1;
+                tv.tv_usec = 0;
+                int rv = select(maxfd, &rfds, NULL, NULL, &tv);
+                if (rv < 0)
+                        errExit("select");
+                else if (rv == 0)
+                        continue;
+                int sock = (FD_ISSET(s1, &rfds)) ? s1 : s2;
+                unsigned char buf[MAX_BUF_SIZE];
+                unsigned bytes = recvfrom(sock, buf, MAX_BUF_SIZE, 0, NULL, NULL);
+                if (bytes >= 20) { // size of IP header
+                        // filter out loopback traffic
+                        if (buf[12] != 127) {
+                                uint32_t ip_src;
+                                memcpy(&ip_src, buf + 12, 4);
+                                ip_src = ntohl(ip_src);
+                                uint32_t ip_dst;
+                                memcpy(&ip_dst, buf + 16, 4);
+                                ip_dst = ntohl(ip_dst);
+                                uint8_t hlen = (buf[0] & 0x0f) * 4;
+                                uint16_t port_src;
+                                memcpy(&port_src, buf + hlen, 2);
+                                port_src = ntohs(port_src);
+                                hlist_add(ip_src, ip_dst, buf[9], port_src, (uint64_t) bytes);
+                        }
+                }
+        }
+        close(s1);
+        close(s2);
+}
+static char *filter_start =
+"*filter\n"
+":INPUT DROP [0:0]\n"
+":FORWARD DROP [0:0]\n"
+":OUTPUT DROP [0:0]\n";
+// return 1 if error
+static int print_filter(FILE *fp) {
+        if (htable_empty)
+                return 1;
+        fprintf(fp, "%s\n", filter_start);
+        fprintf(fp, "-A INPUT -s 127.0.0.0/8 -j ACCEPT\n");
+        fprintf(fp, "-A OUTPUT -d 127.0.0.0/8 -j ACCEPT\n");
+        fprintf(fp, "\n");
+        int i;
+        for (i = 0; i < HMAX; i++) {
+                HList *ptr = htable[i];
+                while (ptr) {
+                        if (ptr->instance == 1) {
+                                char *protocol = (ptr->protocol == 6)? "tcp": "udp";
+                                fprintf(fp, "-A INPUT -s %u.%u.%u.%u -sport %u -p %s  -j ACCEPT\n",
+                                        PRINT_IP(ptr->ip_src),
+                                        ptr->port_src,
+                                        protocol);
+                                fprintf(fp, "-A OUTPUT -d %u.%u.%u.%u -dport %u -p %s  -j ACCEPT\n",
+                                        PRINT_IP(ptr->ip_src),
+                                        ptr->port_src,
+                                        protocol);
+                                fprintf(fp, "\n");
+                        }
+                        ptr = ptr->next;
+                }
+        }
+        fprintf(fp, "COMMIT\n");
+        return 0;
+}
+static char *flush_rules[] = {
+        "-P INPUT ACCEPT",
+        "-P FORWARD ACCEPT",
+        "-P OUTPUT ACCEPT",
+        "-F",
+        "-X",
+        "-t nat -F",
+        "-t nat -X",
+        "-t mangle -F",
+        "-t mangle -X",
+        "iptables -t raw -F",
+        "-t raw -X",
+        NULL
+};
+static void flush_netfilter(void) {
+        // find iptables command
+        struct stat s;
+        char *iptables = NULL;
+        if (stat("/sbin/iptables", &s) == 0)
+                iptables = "/sbin/iptables";
+        else if (stat("/usr/sbin/iptables", &s) == 0)
+                iptables = "/usr/sbin/iptables";
+        if (iptables == NULL) {
+                fprintf(stderr, "Error: iptables command not found, netfilter not configured\n");
+                exit(1);
+        }
+        int i = 0;
+        while (flush_rules[i]) {
+                char *cmd;
+                if (asprintf(&cmd, "%s %s", iptables, flush_rules[i]) == -1)
+                        errExit("asprintf");
+                int rv = system(cmd);
+                (void) rv;
+                free(cmd);
+                i++;
+        }
+}
+static void deploy_netfilter(void) {
+        int rv;
+        char *cmd;
+        // create temporary file
+        char fname[] = "/tmp/firejail-XXXXXX";
+        int fd = mkstemp(fname);
+        if (fd == -1) {
+                fprintf(stderr, "Error: cannot create temporary configuration file\n");
+                exit(1);
+        }
+        FILE* fp = fdopen(fd, "w");
+        if (!fp) {
+                rv = unlink(fname);
+                (void) rv;
+                fprintf(stderr, "Error: cannot create temporary configuration file\n");
+                exit(1);
+        }
+        print_filter(fp);
+        fclose(fp);
+        if (arg_log) {
+                logprintf("\n");
+                logprintf(">>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>\n");
+                if (asprintf(&cmd, "cat %s >> %s", fname, arg_log) == -1)
+                        errExit("asprintf");
+                rv = system(cmd);
+                (void) rv;
+                free(cmd);
+                logprintf("<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<\n");
+        }
+        // find iptables command
+        struct stat s;
+        char *iptables = NULL;
+        char *iptables_restore = NULL;
+        if (stat("/sbin/iptables", &s) == 0) {
+                iptables = "/sbin/iptables";
+                iptables_restore = "/sbin/iptables-restore";
+        }
+        else if (stat("/usr/sbin/iptables", &s) == 0) {
+                iptables = "/usr/sbin/iptables";
+                iptables_restore = "/usr/sbin/iptables-restore";
+        }
+        if (iptables == NULL || iptables_restore == NULL) {
+                fprintf(stderr, "Error: iptables command not found, netfilter not configured\n");
+                rv = unlink(fname);
+                (void) rv;
+                exit(1);
+        }
+        // configuring
+        if (asprintf(&cmd, "%s %s", iptables_restore, fname) == -1)
+                errExit("asprintf");
+        rv = system(cmd);
+        if (rv)
+                fprintf(stdout, "Warning: possible netfilter problem!");
+        free(cmd);
+        sleep(1);
+        if (asprintf(&cmd, "%s %s", iptables_restore, fname) == -1)
+                errExit("asprintf");
+        rv = system(cmd);
+        free(cmd);
+        printf("Current firewall configuration:\n\n");
+        if (asprintf(&cmd, "%s -vL -n", iptables) == -1)
+                errExit("asprintf");
+        rv = system(cmd);
+        rv = unlink(fname);
+        (void) rv;
+        logprintf("\nfirewall deployed\n");
+}
+void logprintf(char* fmt, ...) {
+        if (!arg_log)
+                return;
+        FILE *fp = fopen(arg_log, "a");
+        if (fp) { // disregard if error
+                va_list args;
+                va_start(args,fmt);
+                vfprintf(fp, fmt, args);
+                va_end(args);
+                fclose(fp);
+        }
+}
+static void usage(void) {
+        printf("Usage: fnetlock [OPTIONS]\n");
+        printf("Options:\n");
+        printf("   --help, -? - this help screen\n");
+        printf("   --netfilter - build the firewall rules and commit them.\n");
+        printf("   --log=filename - logfile\n");
+        printf("\n");
+}
+int main(int argc, char **argv) {
+        int i;
+        printf("\n\n");
+        if (getuid() != 0) {
+                fprintf(stderr, "Error: you need to be root to run this program\n");
+                return 1;
+        }
+        for (i = 1; i < argc; i++) {
+                if (strcmp(argv[i], "--help") == 0 || strcmp(argv[i], "-?") == 0) {
+                        usage();
+                        return 0;
+                }
+                else if (strcmp(argv[i], "--netfilter") == 0)
+                        arg_netfilter = 1;
+                else if (strncmp(argv[i], "--log=", 6) == 0)
+                        arg_log = argv[i] + 6;
+                else {
+                        fprintf(stderr, "Error: invalid argument\n");
+                        return 1;
+                }
+        }
+        if (arg_netfilter) {
+                logprintf("starting network lockdown\n");
+                flush_netfilter();
+        }
+        ansi_clrscr(0);
+        run_trace();
+        if (arg_netfilter) {
+                deploy_netfilter();
+                sleep(3);
+                if (arg_log)
+                        unlink(arg_log);
+        }
+        return 0;
+}

diff --git a/src/fnettrace/main.c b/src/fnettrace/main.c new file mode 100644 index 000000000..f036d0c9e --- /dev/null +++ b/src/fnettrace/main.c
@@ -0,0 +1,433 @@
	1	#include "fnettrace.h"
	2	#define MAX_BUF_SIZE (64 * 1024)
	3
	4	static int arg_netfilter = 0;
	5	static char *arg_log = NULL;
	6
	7	typedef struct hlist_t {
	8	struct hlist_t *next;
	9	uint32_t ip_src;
	10	uint32_t ip_dst;
	11	uint16_t port_src;
	12	uint64_t bytes;
	13	int instance;
	14	#define MAX_TTL 20 // 20 * DISPLAY_INTERVAL = 1 minute
	15	short ttl;
	16	uint8_t protocol;
	17	} HList;
	18
	19	#define HMAX 256
	20	HList *htable[HMAX] = {NULL};
	21	static int htable_empty = 1;
	22
	23	static void hlist_add(uint32_t ip_src, uint32_t ip_dst, uint8_t protocol, uint16_t port_src, uint64_t bytes) {
	24	uint8_t h = hash(ip_src);
	25	htable_empty = 0;
	26
	27	// find
	28	int instance = 0;
	29	HList *ptr = htable[h];
	30	while (ptr) {
	31	if (ptr->ip_src == ip_src) {
	32	instance++;
	33	if (ptr->ip_dst == ip_dst && ptr->port_src == port_src && ptr->protocol == protocol) {
	34	ptr->bytes += bytes;
	35	ptr->ttl = MAX_TTL;
	36	return;
	37	}
	38	}
	39	ptr = ptr->next;
	40	}
	41
	42	HList *hnew = malloc(sizeof(HList));
	43	hnew->ip_src = ip_src;
	44	hnew->ip_dst = ip_dst;
	45	hnew->port_src = port_src;
	46	hnew->protocol = protocol;
	47	hnew->next = NULL;
	48	hnew->bytes = bytes;
	49	hnew->ttl = MAX_TTL;
	50	hnew->instance = instance + 1;
	51	if (htable[h] == NULL)
	52	htable[h] = hnew;
	53	else {
	54	hnew->next = htable[h];
	55	htable[h] = hnew;
	56	}
	57
	58	ansi_clrline(1);
	59	logprintf(" %u.%u.%u.%u\n", PRINT_IP(hnew->ip_src));
	60	}
	61
	62	// remove entries with a ttl <= 0
	63	static void hlist_clean_ttl() {
	64	if (htable_empty)
	65	return;
	66
	67	int i;
	68	for (i = 0; i < HMAX; i++) {
	69	HList *ptr = htable[i];
	70	HList *parent = NULL;
	71	while (ptr) {
	72	if (--ptr->ttl <= 0) {
	73	HList *tmp = ptr;
	74	ptr = ptr->next;
	75	if (parent)
	76	parent->next = ptr;
	77	else
	78	htable[i] = ptr;
	79	free(tmp);
	80	}
	81	else {
	82	parent = ptr;
	83	ptr = ptr->next;
	84	}
	85	}
	86	}
	87	}
	88
	89	static void hlist_print() {
	90	ansi_clrscr(0);
	91	if (htable_empty)
	92	return;
	93	if (arg_netfilter)
	94	printf("\n\n");
	95	static int clear_cnt = 0;
	96
	97	int i;
	98	int cnt = 0;
	99	int cnt_printed = 0;
	100	for (i = 0; i < HMAX; i++) {
	101	HList *ptr = htable[i];
	102	while (ptr) {
	103	if (ptr->bytes) {
	104	cnt_printed++;
	105	char ip_src[30];
	106	sprintf(ip_src, "%u.%u.%u.%u:%u", PRINT_IP(ptr->ip_src), ptr->port_src);
	107	char ip_dst[30];
	108	sprintf(ip_dst, "%u.%u.%u.%u", PRINT_IP(ptr->ip_dst));
	109	printf("%-25s => %-25s\t%s:",
	110	ip_src,
	111	ip_dst,
	112	(ptr->protocol == 6)? "TCP": "UDP");
	113
	114	if (ptr->bytes > (DISPLAY_INTERVAL * 1024 * 2)) // > 2 KB/second
	115	printf(" %lu KB/sec\n",
	116	ptr->bytes / (DISPLAY_INTERVAL * 1024));
	117	else
	118	printf(" %lu B/sec\n",
	119	ptr->bytes / DISPLAY_INTERVAL);
	120	ptr->bytes = 0;
	121	}
	122
	123	ptr = ptr->next;
	124	cnt++;
	125	}
	126	}
	127
	128	if (cnt_printed < 7) {
	129	for (i = 0; i < 7 - cnt_printed; i++)
	130	printf("\n");
	131	}
	132
	133	if (!arg_netfilter) {
	134	printf("(%d %s in the last one minute)\n", cnt, (cnt == 1)? "stream": "streams");
	135	hlist_clean_ttl();
	136	}
	137	}
	138
	139	static void run_trace(void) {
	140	logprintf("accumulating traffic for %d seconds...\n", NETLOCK_INTERVAL);
	141
	142	// trace only rx ipv4 tcp and upd
	143	int s1 = socket(AF_INET, SOCK_RAW, IPPROTO_TCP);
	144	int s2 = socket(AF_INET, SOCK_RAW, IPPROTO_UDP);
	145	if (s1 < 0 \|\| s2 < 0)
	146	errExit("socket");
	147
	148	unsigned start = time(NULL);
	149	unsigned last_print_traces = 0;
	150	unsigned last_print_remaining = 0;
	151	unsigned char buf[MAX_BUF_SIZE];
	152	int progress_cnt = 0;
	153	while (1) {
	154	unsigned end = time(NULL);
	155	if (arg_netfilter && end - start >= NETLOCK_INTERVAL) {
	156	ansi_clrline(1);
	157	break;
	158	}
	159	if (end % DISPLAY_INTERVAL == 1 && last_print_traces != end) { // first print after 1 second
	160	hlist_print();
	161	last_print_traces = end;
	162	}
	163	if (arg_netfilter && last_print_remaining != end) {
	164	ansi_clrline(1);
	165	int secs = NETLOCK_INTERVAL - (end - start);
	166	logprintf("%d %s remaining ", secs, (secs == 1)? "second": "seconds");
	167	last_print_remaining = end;
	168	}
	169
	170	fd_set rfds;
	171	FD_ZERO(&rfds);
	172	FD_SET(s1, &rfds);
	173	FD_SET(s2, &rfds);
	174	int maxfd = (s1 > s2) ? s1 : s2;
	175	maxfd++;
	176	struct timeval tv;
	177	tv.tv_sec = 1;
	178	tv.tv_usec = 0;
	179	int rv = select(maxfd, &rfds, NULL, NULL, &tv);
	180	if (rv < 0)
	181	errExit("select");
	182	else if (rv == 0)
	183	continue;
	184
	185
	186
	187	int sock = (FD_ISSET(s1, &rfds)) ? s1 : s2;
	188
	189	unsigned char buf[MAX_BUF_SIZE];
	190	unsigned bytes = recvfrom(sock, buf, MAX_BUF_SIZE, 0, NULL, NULL);
	191	if (bytes >= 20) { // size of IP header
	192	// filter out loopback traffic
	193	if (buf[12] != 127) {
	194	uint32_t ip_src;
	195	memcpy(&ip_src, buf + 12, 4);
	196	ip_src = ntohl(ip_src);
	197
	198	uint32_t ip_dst;
	199	memcpy(&ip_dst, buf + 16, 4);
	200	ip_dst = ntohl(ip_dst);
	201
	202	uint8_t hlen = (buf[0] & 0x0f) * 4;
	203	uint16_t port_src;
	204	memcpy(&port_src, buf + hlen, 2);
	205	port_src = ntohs(port_src);
	206
	207	hlist_add(ip_src, ip_dst, buf[9], port_src, (uint64_t) bytes);
	208	}
	209	}
	210	}
	211
	212	close(s1);
	213	close(s2);
	214	}
	215
	216	static char *filter_start =
	217	"*filter\n"
	218	":INPUT DROP [0:0]\n"
	219	":FORWARD DROP [0:0]\n"
	220	":OUTPUT DROP [0:0]\n";
	221
	222	// return 1 if error
	223	static int print_filter(FILE *fp) {
	224	if (htable_empty)
	225	return 1;
	226	fprintf(fp, "%s\n", filter_start);
	227	fprintf(fp, "-A INPUT -s 127.0.0.0/8 -j ACCEPT\n");
	228	fprintf(fp, "-A OUTPUT -d 127.0.0.0/8 -j ACCEPT\n");
	229	fprintf(fp, "\n");
	230
	231	int i;
	232	for (i = 0; i < HMAX; i++) {
	233	HList *ptr = htable[i];
	234	while (ptr) {
	235	if (ptr->instance == 1) {
	236	char *protocol = (ptr->protocol == 6)? "tcp": "udp";
	237	fprintf(fp, "-A INPUT -s %u.%u.%u.%u -sport %u -p %s -j ACCEPT\n",
	238	PRINT_IP(ptr->ip_src),
	239	ptr->port_src,
	240	protocol);
	241	fprintf(fp, "-A OUTPUT -d %u.%u.%u.%u -dport %u -p %s -j ACCEPT\n",
	242	PRINT_IP(ptr->ip_src),
	243	ptr->port_src,
	244	protocol);
	245	fprintf(fp, "\n");
	246	}
	247	ptr = ptr->next;
	248	}
	249	}
	250	fprintf(fp, "COMMIT\n");
	251
	252	return 0;
	253	}
	254
	255	static char *flush_rules[] = {
	256	"-P INPUT ACCEPT",
	257	"-P FORWARD ACCEPT",
	258	"-P OUTPUT ACCEPT",
	259	"-F",
	260	"-X",
	261	"-t nat -F",
	262	"-t nat -X",
	263	"-t mangle -F",
	264	"-t mangle -X",
	265	"iptables -t raw -F",
	266	"-t raw -X",
	267	NULL
	268	};
	269
	270	static void flush_netfilter(void) {
	271	// find iptables command
	272	struct stat s;
	273	char *iptables = NULL;
	274	if (stat("/sbin/iptables", &s) == 0)
	275	iptables = "/sbin/iptables";
	276	else if (stat("/usr/sbin/iptables", &s) == 0)
	277	iptables = "/usr/sbin/iptables";
	278	if (iptables == NULL) {
	279	fprintf(stderr, "Error: iptables command not found, netfilter not configured\n");
	280	exit(1);
	281	}
	282
	283	int i = 0;
	284	while (flush_rules[i]) {
	285	char *cmd;
	286	if (asprintf(&cmd, "%s %s", iptables, flush_rules[i]) == -1)
	287	errExit("asprintf");
	288	int rv = system(cmd);
	289	(void) rv;
	290	free(cmd);
	291	i++;
	292	}
	293	}
	294
	295	static void deploy_netfilter(void) {
	296	int rv;
	297	char *cmd;
	298
	299	// create temporary file
	300	char fname[] = "/tmp/firejail-XXXXXX";
	301	int fd = mkstemp(fname);
	302	if (fd == -1) {
	303	fprintf(stderr, "Error: cannot create temporary configuration file\n");
	304	exit(1);
	305	}
	306
	307	FILE* fp = fdopen(fd, "w");
	308	if (!fp) {
	309	rv = unlink(fname);
	310	(void) rv;
	311	fprintf(stderr, "Error: cannot create temporary configuration file\n");
	312	exit(1);
	313	}
	314	print_filter(fp);
	315	fclose(fp);
	316
	317	if (arg_log) {
	318	logprintf("\n");
	319	logprintf(">>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>\n");
	320	if (asprintf(&cmd, "cat %s >> %s", fname, arg_log) == -1)
	321	errExit("asprintf");
	322	rv = system(cmd);
	323	(void) rv;
	324	free(cmd);
	325	logprintf("<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<\n");
	326	}
	327
	328	// find iptables command
	329	struct stat s;
	330	char *iptables = NULL;
	331	char *iptables_restore = NULL;
	332	if (stat("/sbin/iptables", &s) == 0) {
	333	iptables = "/sbin/iptables";
	334	iptables_restore = "/sbin/iptables-restore";
	335	}
	336	else if (stat("/usr/sbin/iptables", &s) == 0) {
	337	iptables = "/usr/sbin/iptables";
	338	iptables_restore = "/usr/sbin/iptables-restore";
	339	}
	340	if (iptables == NULL \|\| iptables_restore == NULL) {
	341	fprintf(stderr, "Error: iptables command not found, netfilter not configured\n");
	342	rv = unlink(fname);
	343	(void) rv;
	344	exit(1);
	345	}
	346
	347	// configuring
	348	if (asprintf(&cmd, "%s %s", iptables_restore, fname) == -1)
	349	errExit("asprintf");
	350	rv = system(cmd);
	351	if (rv)
	352	fprintf(stdout, "Warning: possible netfilter problem!");
	353	free(cmd);
	354
	355	sleep(1);
	356	if (asprintf(&cmd, "%s %s", iptables_restore, fname) == -1)
	357	errExit("asprintf");
	358	rv = system(cmd);
	359	free(cmd);
	360
	361	printf("Current firewall configuration:\n\n");
	362	if (asprintf(&cmd, "%s -vL -n", iptables) == -1)
	363	errExit("asprintf");
	364	rv = system(cmd);
	365
	366	rv = unlink(fname);
	367	(void) rv;
	368	logprintf("\nfirewall deployed\n");
	369	}
	370
	371	void logprintf(char* fmt, ...) {
	372	if (!arg_log)
	373	return;
	374
	375	FILE *fp = fopen(arg_log, "a");
	376	if (fp) { // disregard if error
	377	va_list args;
	378	va_start(args,fmt);
	379	vfprintf(fp, fmt, args);
	380	va_end(args);
	381	fclose(fp);
	382	}
	383	}
	384
	385	static void usage(void) {
	386	printf("Usage: fnetlock [OPTIONS]\n");
	387	printf("Options:\n");
	388	printf(" --help, -? - this help screen\n");
	389	printf(" --netfilter - build the firewall rules and commit them.\n");
	390	printf(" --log=filename - logfile\n");
	391	printf("\n");
	392	}
	393
	394	int main(int argc, char **argv) {
	395	int i;
	396	printf("\n\n");
	397
	398	if (getuid() != 0) {
	399	fprintf(stderr, "Error: you need to be root to run this program\n");
	400	return 1;
	401	}
	402
	403	for (i = 1; i < argc; i++) {
	404	if (strcmp(argv[i], "--help") == 0 \|\| strcmp(argv[i], "-?") == 0) {
	405	usage();
	406	return 0;
	407	}
	408	else if (strcmp(argv[i], "--netfilter") == 0)
	409	arg_netfilter = 1;
	410	else if (strncmp(argv[i], "--log=", 6) == 0)
	411	arg_log = argv[i] + 6;
	412	else {
	413	fprintf(stderr, "Error: invalid argument\n");
	414	return 1;
	415	}
	416	}
	417
	418	if (arg_netfilter) {
	419	logprintf("starting network lockdown\n");
	420	flush_netfilter();
	421	}
	422
	423	ansi_clrscr(0);
	424	run_trace();
	425	if (arg_netfilter) {
	426	deploy_netfilter();
	427	sleep(3);
	428	if (arg_log)
	429	unlink(arg_log);
	430	}
	431
	432	return 0;
	433	}