2 This file is part of GNUnet.
3 Copyright (C) 2010, 2011, 2012 Christian Grothoff
5 GNUnet is free software: you can redistribute it and/or modify it
6 under the terms of the GNU Affero General Public License as published
7 by the Free Software Foundation, either version 3 of the License,
8 or (at your option) any later version.
10 GNUnet is distributed in the hope that it will be useful, but
11 WITHOUT ANY WARRANTY; without even the implied warranty of
12 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
13 Affero General Public License for more details.
15 You should have received a copy of the GNU Affero General Public License
16 along with this program. If not, see <http://www.gnu.org/licenses/>.
20 * @file dns/gnunet-helper-dns.c
21 * @brief helper to install firewall rules to hijack all DNS traffic
22 * and send it to our virtual interface (except for DNS traffic
23 * that originates on the specified port). We then
24 * allow interacting with our virtual interface via stdin/stdout.
25 * @author Philipp Tölke
26 * @author Christian Grothoff
28 * This program alters the Linux firewall rules so that DNS traffic
29 * that ordinarily exits the system can be intercepted and managed by
30 * a virtual interface. In order to achieve this, DNS traffic is
31 * marked with the DNS_MARK given in below and re-routed to a custom
32 * table with the DNS_TABLE ID given below. Systems and
33 * administrators must take care to not cause conflicts with these
34 * values (it was deemed safest to hardcode them as passing these
35 * values as arguments might permit messing with arbitrary firewall
36 * rules, which would be dangerous). Traffic coming from the same
37 * group ID as the effective group ID that this process is running
38 * as is not intercepted.
40 * The code first sets up the virtual interface, then begins to
41 * redirect the DNS traffic to it, and then on errors or SIGTERM shuts
42 * down the virtual interface and removes the rules for the traffic
46 * Note that having this binary SUID is only partially safe: it will
47 * allow redirecting (and intercepting / mangling) of all DNS traffic
48 * originating from this system by any user who is able to run it.
49 * Furthermore, this code will make it trivial to DoS all DNS traffic
50 * originating from the current system, simply by sending it to
51 * nowhere (redirect stdout to /dev/null).
53 * Naturally, neither of these problems can be helped as this is the
54 * fundamental purpose of the binary. Certifying that this code is
55 * "safe" thus only means that it doesn't allow anything else (such
56 * as local priv. escalation, etc.).
58 * The following list of people have reviewed this code and considered
59 * it safe (within specifications) since the last modification (if you
60 * reviewed it, please have your name added to the list):
62 * - Christian Grothoff
66 #include <linux/if_tun.h>
69 * Need 'struct GNUNET_MessageHeader'.
71 #include "gnunet_crypto_lib.h"
72 #include "gnunet_common.h"
75 * Need DNS message types.
77 #include "gnunet_protocols.h"
80 * Maximum size of a GNUnet message (GNUNET_MAX_MESSAGE_SIZE)
82 #define MAX_SIZE 65536
86 * This is in linux/include/net/ipv6.h, but not always exported...
90 struct in6_addr ifr6_addr;
91 uint32_t ifr6_prefixlen;
92 unsigned int ifr6_ifindex;
97 * Name and full path of IPTABLES binary.
99 static const char *sbin_iptables;
102 * Name and full path of IPTABLES binary.
104 static const char *sbin_ip6tables;
107 * Name and full path of sysctl binary
109 static const char *sbin_sysctl;
112 * Name and full path of IPTABLES binary.
114 static const char *sbin_ip;
117 * Port for DNS traffic.
119 #define DNS_PORT "53"
122 * Marker we set for our hijacked DNS traffic. We use GNUnet's
123 * port (2086) plus the DNS port (53) in HEX to make a 32-bit mark
124 * (which is hopefully long enough to not collide); so
125 * 0x08260035 = 136708149 (hopefully unique enough...).
127 #define DNS_MARK "136708149"
130 * Table we use for our DNS rules. 0-255 is the range and
131 * 0, 253, 254 and 255 are already reserved. As this is about
132 * DNS and as "53" is likely (fingers crossed!) high enough to
133 * not usually conflict with a normal user's setup, we use 53
134 * to give a hint that this has something to do with DNS.
136 #define DNS_TABLE "53"
140 * Control pipe for shutdown via signal. [0] is the read end,
141 * [1] is the write end.
147 * Signal handler called to initiate "nice" shutdown. Signals select
148 * loop via non-bocking pipe 'cpipe'.
150 * @param signal signal number of the signal (not used)
153 signal_handler (int signal)
155 /* ignore return value, as the signal handler could theoretically
156 be called many times before the shutdown can actually happen */
157 (void) write (cpipe[1], "K", 1);
162 * Open '/dev/null' and make the result the given
165 * @param target_fd desired FD to point to /dev/null
166 * @param flags open flags (O_RDONLY, O_WRONLY)
169 open_dev_null (int target_fd,
174 fd = open ("/dev/null", flags);
179 if (-1 == dup2 (fd, target_fd))
189 * Run the given command and wait for it to complete.
191 * @param file name of the binary to run
192 * @param cmd command line arguments (as given to 'execv')
193 * @return 0 on success, 1 on any error
196 fork_and_exec (const char *file,
213 /* we are the child process */
214 /* close stdin/stdout to not cause interference
215 with the helper's main protocol! */
217 open_dev_null (0, O_RDONLY);
219 open_dev_null (1, O_WRONLY);
220 (void) execv (file, cmd);
221 /* can only get here on error */
223 "exec `%s' failed: %s\n",
228 /* keep running waitpid as long as the only error we get is 'EINTR' */
229 while ( (-1 == (ret = waitpid (pid, &status, 0))) &&
234 "waitpid failed: %s\n",
238 if (! (WIFEXITED (status) && (0 == WEXITSTATUS (status))))
240 /* child process completed and returned success, we're happy */
246 * Creates a tun-interface called @a dev;
248 * @param dev is asumed to point to a char[IFNAMSIZ]
249 * if *dev == '\\0', uses the name supplied by the kernel;
250 * @return the fd to the tun or -1 on error
264 if (-1 == (fd = open ("/dev/net/tun", O_RDWR)))
266 fprintf (stderr, "Error opening `%s': %s\n", "/dev/net/tun",
271 if (fd >= FD_SETSIZE)
273 fprintf (stderr, "File descriptor to large: %d", fd);
278 memset (&ifr, 0, sizeof (ifr));
279 ifr.ifr_flags = IFF_TUN;
282 strncpy (ifr.ifr_name, dev, IFNAMSIZ);
284 if (-1 == ioctl (fd, TUNSETIFF, (void *) &ifr))
286 fprintf (stderr, "Error with ioctl on `%s': %s\n", "/dev/net/tun",
291 strcpy (dev, ifr.ifr_name);
297 * @brief Sets the IPv6-Address given in @a address on the interface @a dev
299 * @param dev the interface to configure
300 * @param address the IPv6-Address
301 * @param prefix_len the length of the network-prefix
304 set_address6 (const char *dev, const char *address, unsigned long prefix_len)
307 struct in6_ifreq ifr6;
308 struct sockaddr_in6 sa6;
312 * parse the new address
314 memset (&sa6, 0, sizeof (struct sockaddr_in6));
315 sa6.sin6_family = AF_INET6;
316 if (1 != inet_pton (AF_INET6, address, sa6.sin6_addr.s6_addr))
319 "Failed to parse IPv6 address `%s': %s\n",
325 if (-1 == (fd = socket (PF_INET6, SOCK_DGRAM, 0)))
328 "Error creating IPv6 socket: %s (ignored)\n",
330 /* ignore error, maybe only IPv4 works on this system! */
334 memset (&ifr, 0, sizeof (struct ifreq));
336 * Get the index of the if
338 strncpy (ifr.ifr_name, dev, IFNAMSIZ);
339 if (-1 == ioctl (fd, SIOGIFINDEX, &ifr))
341 fprintf (stderr, "ioctl failed at %d: %s\n", __LINE__, strerror (errno));
346 memset (&ifr6, 0, sizeof (struct in6_ifreq));
347 ifr6.ifr6_addr = sa6.sin6_addr;
348 ifr6.ifr6_ifindex = ifr.ifr_ifindex;
349 ifr6.ifr6_prefixlen = prefix_len;
354 if (-1 == ioctl (fd, SIOCSIFADDR, &ifr6))
356 fprintf (stderr, "ioctl failed at line %d: %s\n", __LINE__,
365 if (-1 == ioctl (fd, SIOCGIFFLAGS, &ifr))
367 fprintf (stderr, "ioctl failed at line %d: %s\n", __LINE__,
374 * Add the UP and RUNNING flags
376 ifr.ifr_flags |= IFF_UP | IFF_RUNNING;
377 if (-1 == ioctl (fd, SIOCSIFFLAGS, &ifr))
379 fprintf (stderr, "ioctl failed at line %d: %s\n", __LINE__,
387 fprintf (stderr, "close failed: %s\n", strerror (errno));
394 * @brief Sets the IPv4-Address given in @a address on the interface @a dev
396 * @param dev the interface to configure
397 * @param address the IPv4-Address
398 * @param mask the netmask
401 set_address4 (const char *dev, const char *address, const char *mask)
404 struct sockaddr_in *addr;
407 memset (&ifr, 0, sizeof (struct ifreq));
408 addr = (struct sockaddr_in *) &(ifr.ifr_addr);
409 addr->sin_family = AF_INET;
414 if (1 != inet_pton (AF_INET, address, &addr->sin_addr.s_addr))
417 "Failed to parse IPv4 address `%s': %s\n",
423 if (-1 == (fd = socket (PF_INET, SOCK_DGRAM, 0)))
426 "Error creating IPv4 socket: %s\n",
431 strncpy (ifr.ifr_name, dev, IFNAMSIZ);
436 if (-1 == ioctl (fd, SIOCSIFADDR, &ifr))
438 fprintf (stderr, "ioctl failed at %d: %s\n", __LINE__, strerror (errno));
446 addr = (struct sockaddr_in *) &(ifr.ifr_netmask);
447 if (1 != inet_pton (AF_INET, mask, &addr->sin_addr.s_addr))
449 fprintf (stderr, "Failed to parse address `%s': %s\n", mask,
458 if (-1 == ioctl (fd, SIOCSIFNETMASK, &ifr))
460 fprintf (stderr, "ioctl failed at line %d: %s\n", __LINE__,
469 if (-1 == ioctl (fd, SIOCGIFFLAGS, &ifr))
471 fprintf (stderr, "ioctl failed at line %d: %s\n", __LINE__,
478 * Add the UP and RUNNING flags
480 ifr.ifr_flags |= IFF_UP | IFF_RUNNING;
481 if (-1 == ioctl (fd, SIOCSIFFLAGS, &ifr))
483 fprintf (stderr, "ioctl failed at line %d: %s\n", __LINE__,
491 fprintf (stderr, "close failed: %s\n", strerror (errno));
499 * Start forwarding to and from the tunnel. This function runs with
500 * "reduced" priviledges (saved UID is still 0, but effective UID is
503 * @param fd_tun tunnel FD
509 * The buffer filled by reading from fd_tun
511 unsigned char buftun[MAX_SIZE];
512 ssize_t buftun_size = 0;
513 unsigned char *buftun_read = NULL;
516 * The buffer filled by reading from stdin
518 unsigned char bufin[MAX_SIZE];
519 ssize_t bufin_size = 0;
520 size_t bufin_rpos = 0;
521 unsigned char *bufin_read = NULL;
532 * We are supposed to read and the buffer is empty
533 * -> select on read from tun
535 if (0 == buftun_size)
536 FD_SET (fd_tun, &fds_r);
539 * We are supposed to read and the buffer is not empty
540 * -> select on write to stdout
546 * We are supposed to write and the buffer is empty
547 * -> select on read from stdin
549 if (NULL == bufin_read)
553 * We are supposed to write and the buffer is not empty
554 * -> select on write to tun
556 if (NULL != bufin_read)
557 FD_SET (fd_tun, &fds_w);
559 FD_SET (cpipe[0], &fds_r);
560 max = (fd_tun > cpipe[0]) ? fd_tun : cpipe[0];
562 int r = select (max + 1, &fds_r, &fds_w, NULL, NULL);
568 fprintf (stderr, "select failed: %s\n", strerror (errno));
574 if (FD_ISSET (cpipe[0], &fds_r))
575 return; /* aborted by signal */
577 if (FD_ISSET (fd_tun, &fds_r))
580 read (fd_tun, buftun + sizeof (struct GNUNET_MessageHeader),
581 MAX_SIZE - sizeof (struct GNUNET_MessageHeader));
582 if (-1 == buftun_size)
584 if ( (errno == EINTR) ||
590 fprintf (stderr, "read-error: %s\n", strerror (errno));
593 if (0 == buftun_size)
595 fprintf (stderr, "EOF on tun\n");
598 buftun_read = buftun;
600 struct GNUNET_MessageHeader *hdr =
601 (struct GNUNET_MessageHeader *) buftun;
602 buftun_size += sizeof (struct GNUNET_MessageHeader);
603 hdr->type = htons (GNUNET_MESSAGE_TYPE_DNS_HELPER);
604 hdr->size = htons (buftun_size);
607 else if (FD_ISSET (1, &fds_w))
609 ssize_t written = write (1, buftun_read, buftun_size);
613 if ( (errno == EINTR) ||
616 fprintf (stderr, "write-error to stdout: %s\n", strerror (errno));
621 fprintf (stderr, "write returned 0\n");
624 buftun_size -= written;
625 buftun_read += written;
628 if (FD_ISSET (0, &fds_r))
630 bufin_size = read (0, bufin + bufin_rpos, MAX_SIZE - bufin_rpos);
631 if (-1 == bufin_size)
634 if ( (errno == EINTR) ||
637 fprintf (stderr, "read-error: %s\n", strerror (errno));
643 fprintf (stderr, "EOF on stdin\n");
647 struct GNUNET_MessageHeader *hdr;
650 bufin_rpos += bufin_size;
651 if (bufin_rpos < sizeof (struct GNUNET_MessageHeader))
653 hdr = (struct GNUNET_MessageHeader *) bufin;
654 if (ntohs (hdr->type) != GNUNET_MESSAGE_TYPE_DNS_HELPER)
656 fprintf (stderr, "protocol violation!\n");
659 if (ntohs (hdr->size) > bufin_rpos)
661 bufin_read = bufin + sizeof (struct GNUNET_MessageHeader);
662 bufin_size = ntohs (hdr->size) - sizeof (struct GNUNET_MessageHeader);
663 bufin_rpos -= bufin_size + sizeof (struct GNUNET_MessageHeader);
666 else if (FD_ISSET (fd_tun, &fds_w))
668 ssize_t written = write (fd_tun, bufin_read, bufin_size);
672 if ( (errno == EINTR) ||
675 fprintf (stderr, "write-error to tun: %s\n", strerror (errno));
680 fprintf (stderr, "write returned 0\n");
684 bufin_size -= written;
685 bufin_read += written;
688 memmove (bufin, bufin_read, bufin_rpos);
689 bufin_read = NULL; /* start reading again */
701 * Main function of "gnunet-helper-dns", which opens a VPN tunnel interface,
702 * redirects all outgoing DNS traffic (except from the specified port) to that
703 * interface and then passes traffic from and to the interface via stdin/stdout.
705 * Once stdin/stdout close or have other errors, the tunnel is closed and the
706 * DNS traffic redirection is stopped.
708 * @param argc number of arguments
709 * @param argv 0: binary name (should be "gnunet-helper-vpn")
710 * 1: tunnel interface name (typically "gnunet-dns")
711 * 2: IPv6 address for the tunnel ("FE80::1")
712 * 3: IPv6 netmask length in bits ("64")
713 * 4: IPv4 address for the tunnel ("1.2.3.4")
714 * 5: IPv4 netmask ("255.255.0.0")
715 * 6: skip sysctl, routing and iptables setup ("0")
716 * @return 0 on success, otherwise code indicating type of error:
717 * 1 wrong number of arguments
718 * 2 invalid arguments (i.e. port number / prefix length wrong)
719 * 3 iptables not executable
720 * 4 ip not executable
721 * 5 failed to initialize tunnel interface
722 * 6 failed to initialize control pipe
723 * 8 failed to change routing table, cleanup successful
724 * 9-23 failed to change routing table and failed to undo some changes to routing table
725 * 24 failed to drop privs
726 * 25-39 failed to drop privs and then failed to undo some changes to routing table
727 * 40 failed to regain privs
728 * 41-55 failed to regain prisv and then failed to undo some changes to routing table
729 * 254 insufficient priviledges
730 * 255 failed to handle kill signal properly
733 main (int argc, char *const*argv)
744 fprintf (stderr, "Fatal: must supply 6 arguments!\n");
748 /* assert privs so we can modify the firewall rules! */
750 #ifdef HAVE_SETRESUID
751 if (0 != setresuid (uid, 0, 0))
753 fprintf (stderr, "Failed to setresuid to root: %s\n", strerror (errno));
757 if (0 != seteuid (0))
759 fprintf (stderr, "Failed to seteuid back to root: %s\n", strerror (errno));
763 if (0 == strncmp (argv[6], "1", 2))
768 /* verify that the binaries we care about are executable */
769 if (0 == access ("/sbin/iptables", X_OK))
770 sbin_iptables = "/sbin/iptables";
771 else if (0 == access ("/usr/sbin/iptables", X_OK))
772 sbin_iptables = "/usr/sbin/iptables";
776 "Fatal: executable iptables not found in approved directories: %s\n",
780 if (0 == access ("/sbin/ip6tables", X_OK))
781 sbin_ip6tables = "/sbin/ip6tables";
782 else if (0 == access ("/usr/sbin/ip6tables", X_OK))
783 sbin_ip6tables = "/usr/sbin/ip6tables";
787 "Fatal: executable ip6tables not found in approved directories: %s\n",
791 if (0 == access ("/sbin/ip", X_OK))
792 sbin_ip = "/sbin/ip";
793 else if (0 == access ("/usr/sbin/ip", X_OK))
794 sbin_ip = "/usr/sbin/ip";
795 else if (0 == access ("/bin/ip", X_OK)) /* gentoo has it there */
800 "Fatal: executable ip not found in approved directories: %s\n",
804 if (0 == access ("/sbin/sysctl", X_OK))
805 sbin_sysctl = "/sbin/sysctl";
806 else if (0 == access ("/usr/sbin/sysctl", X_OK))
807 sbin_sysctl = "/usr/sbin/sysctl";
811 "Fatal: executable sysctl not found in approved directories: %s\n",
817 /* setup 'mygid' string */
818 snprintf (mygid, sizeof (mygid), "%d", (int) getegid());
820 /* do not die on SIGPIPE */
821 if (SIG_ERR == signal (SIGPIPE, SIG_IGN))
823 fprintf (stderr, "Failed to protect against SIGPIPE: %s\n",
828 /* setup pipe to shutdown nicely on SIGINT */
829 if (0 != pipe (cpipe))
832 "Fatal: could not setup control pipe: %s\n",
836 if (cpipe[0] >= FD_SETSIZE)
838 fprintf (stderr, "Pipe file descriptor to large: %d", cpipe[0]);
839 (void) close (cpipe[0]);
840 (void) close (cpipe[1]);
844 /* make pipe non-blocking, as we theoretically could otherwise block
845 in the signal handler */
846 int flags = fcntl (cpipe[1], F_GETFL);
849 fprintf (stderr, "Failed to read flags for pipe: %s", strerror (errno));
850 (void) close (cpipe[0]);
851 (void) close (cpipe[1]);
855 if (0 != fcntl (cpipe[1], F_SETFL, flags))
857 fprintf (stderr, "Failed to make pipe non-blocking: %s", strerror (errno));
858 (void) close (cpipe[0]);
859 (void) close (cpipe[1]);
863 if ( (SIG_ERR == signal (SIGTERM, &signal_handler)) ||
864 #if (SIGTERM != GNUNET_TERM_SIG)
865 (SIG_ERR == signal (GNUNET_TERM_SIG, &signal_handler)) ||
867 (SIG_ERR == signal (SIGINT, &signal_handler)) ||
868 (SIG_ERR == signal (SIGHUP, &signal_handler)) )
871 "Fatal: could not initialize signal handler: %s\n",
873 (void) close (cpipe[0]);
874 (void) close (cpipe[1]);
879 /* get interface name */
880 strncpy (dev, argv[1], IFNAMSIZ);
881 dev[IFNAMSIZ - 1] = '\0';
883 /* Disable rp filtering */
886 char *const sysctl_args[] = {"sysctl", "-w",
887 "net.ipv4.conf.all.rp_filter=0", NULL};
888 char *const sysctl_args2[] = {"sysctl", "-w",
889 "net.ipv4.conf.default.rp_filter=0", NULL};
890 if ((0 != fork_and_exec (sbin_sysctl, sysctl_args)) ||
891 (0 != fork_and_exec (sbin_sysctl, sysctl_args2)))
894 "Failed to disable rp filtering.\n");
900 /* now open virtual interface (first part that requires root) */
901 if (-1 == (fd_tun = init_tun (dev)))
903 fprintf (stderr, "Fatal: could not initialize tun-interface\n");
904 (void) signal (SIGTERM, SIG_IGN);
905 #if (SIGTERM != GNUNET_TERM_SIG)
906 (void) signal (GNUNET_TERM_SIG, SIG_IGN);
908 (void) signal (SIGINT, SIG_IGN);
909 (void) signal (SIGHUP, SIG_IGN);
910 (void) close (cpipe[0]);
911 (void) close (cpipe[1]);
915 /* now set interface addresses */
917 const char *address = argv[2];
918 long prefix_len = atol (argv[3]);
920 if ((prefix_len < 1) || (prefix_len > 127))
922 fprintf (stderr, "Fatal: prefix_len out of range\n");
923 (void) signal (SIGTERM, SIG_IGN);
924 #if (SIGTERM != GNUNET_TERM_SIG)
925 (void) signal (GNUNET_TERM_SIG, SIG_IGN);
927 (void) signal (SIGINT, SIG_IGN);
928 (void) signal (SIGHUP, SIG_IGN);
929 (void) close (cpipe[0]);
930 (void) close (cpipe[1]);
933 set_address6 (dev, address, prefix_len);
937 const char *address = argv[4];
938 const char *mask = argv[5];
940 set_address4 (dev, address, mask);
944 /* update routing tables -- next part why we need SUID! */
945 /* Forward everything from our EGID (which should only be held
946 by the 'gnunet-service-dns') and with destination
947 to port 53 on UDP, without hijacking */
950 r = 8; /* failed to fully setup routing table */
952 char *const mangle_args[] =
954 "iptables", "-m", "owner", "-t", "mangle", "-I", "OUTPUT", "1", "-p",
955 "udp", "--gid-owner", mygid, "--dport", DNS_PORT, "-j",
958 if (0 != fork_and_exec (sbin_iptables, mangle_args))
962 char *const mangle_args[] =
964 "ip6tables", "-m", "owner", "-t", "mangle", "-I", "OUTPUT", "1", "-p",
965 "udp", "--gid-owner", mygid, "--dport", DNS_PORT, "-j",
968 if (0 != fork_and_exec (sbin_ip6tables, mangle_args))
969 goto cleanup_mangle_1b;
971 /* Mark all of the other DNS traffic using our mark DNS_MARK,
972 unless it is on a link-local IPv6 address, which we cannot support. */
974 char *const mark_args[] =
976 "iptables", "-t", "mangle", "-I", "OUTPUT", "2", "-p",
977 "udp", "--dport", DNS_PORT,
978 "-j", "MARK", "--set-mark", DNS_MARK,
981 if (0 != fork_and_exec (sbin_iptables, mark_args))
982 goto cleanup_mangle_1;
985 char *const mark_args[] =
987 "ip6tables", "-t", "mangle", "-I", "OUTPUT", "2", "-p",
988 "udp", "--dport", DNS_PORT,
989 "!", "-s", "fe80::/10", /* this line excludes link-local traffic */
990 "-j", "MARK", "--set-mark", DNS_MARK,
993 if (0 != fork_and_exec (sbin_ip6tables, mark_args))
994 goto cleanup_mark_2b;
996 /* Forward all marked DNS traffic to our DNS_TABLE */
998 char *const forward_args[] =
1000 "ip", "rule", "add", "fwmark", DNS_MARK, "table", DNS_TABLE, NULL
1002 if (0 != fork_and_exec (sbin_ip, forward_args))
1003 goto cleanup_mark_2;
1006 char *const forward_args[] =
1008 "ip", "-6", "rule", "add", "fwmark", DNS_MARK, "table", DNS_TABLE, NULL
1010 if (0 != fork_and_exec (sbin_ip, forward_args))
1011 goto cleanup_forward_3b;
1013 /* Finally, add rule in our forwarding table to pass to our virtual interface */
1015 char *const route_args[] =
1017 "ip", "route", "add", "default", "dev", dev,
1018 "table", DNS_TABLE, NULL
1020 if (0 != fork_and_exec (sbin_ip, route_args))
1021 goto cleanup_forward_3;
1024 char *const route_args[] =
1026 "ip", "-6", "route", "add", "default", "dev", dev,
1027 "table", DNS_TABLE, NULL
1029 if (0 != fork_and_exec (sbin_ip, route_args))
1030 goto cleanup_route_4b;
1034 /* drop privs *except* for the saved UID; this is not perfect, but better
1035 than doing nothing */
1036 #ifdef HAVE_SETRESUID
1037 if (0 != setresuid (uid, uid, 0))
1039 fprintf (stderr, "Failed to setresuid: %s\n", strerror (errno));
1041 goto cleanup_route_4;
1044 /* Note: no 'setuid' here as we must keep our saved UID as root */
1045 if (0 != seteuid (uid))
1047 fprintf (stderr, "Failed to seteuid: %s\n", strerror (errno));
1049 goto cleanup_route_4;
1053 r = 0; /* did fully setup routing table (if nothing else happens, we were successful!) */
1055 /* now forward until we hit a problem */
1058 /* now need to regain privs so we can remove the firewall rules we added! */
1059 #ifdef HAVE_SETRESUID
1060 if (0 != setresuid (uid, 0, 0))
1062 fprintf (stderr, "Failed to setresuid back to root: %s\n", strerror (errno));
1064 goto cleanup_route_4;
1067 if (0 != seteuid (0))
1069 fprintf (stderr, "Failed to seteuid back to root: %s\n", strerror (errno));
1071 goto cleanup_route_4;
1075 /* update routing tables again -- this is why we could not fully drop privs */
1076 /* now undo updating of routing tables; normal exit or clean-up-on-error case */
1080 char *const route_clean_args[] =
1082 "ip", "-6", "route", "del", "default", "dev", dev,
1083 "table", DNS_TABLE, NULL
1085 if (0 != fork_and_exec (sbin_ip, route_clean_args))
1091 char *const route_clean_args[] =
1093 "ip", "route", "del", "default", "dev", dev,
1094 "table", DNS_TABLE, NULL
1096 if (0 != fork_and_exec (sbin_ip, route_clean_args))
1102 char *const forward_clean_args[] =
1104 "ip", "-6", "rule", "del", "fwmark", DNS_MARK, "table", DNS_TABLE, NULL
1106 if (0 != fork_and_exec (sbin_ip, forward_clean_args))
1112 char *const forward_clean_args[] =
1114 "ip", "rule", "del", "fwmark", DNS_MARK, "table", DNS_TABLE, NULL
1116 if (0 != fork_and_exec (sbin_ip, forward_clean_args))
1122 char *const mark_clean_args[] =
1124 "ip6tables", "-t", "mangle", "-D", "OUTPUT", "-p", "udp",
1125 "--dport", DNS_PORT,
1126 "!", "-s", "fe80::/10", /* this line excludes link-local traffic */
1127 "-j", "MARK", "--set-mark", DNS_MARK, NULL
1129 if (0 != fork_and_exec (sbin_ip6tables, mark_clean_args))
1135 char *const mark_clean_args[] =
1137 "iptables", "-t", "mangle", "-D", "OUTPUT", "-p", "udp",
1138 "--dport", DNS_PORT, "-j", "MARK", "--set-mark", DNS_MARK, NULL
1140 if (0 != fork_and_exec (sbin_iptables, mark_clean_args))
1146 char *const mangle_clean_args[] =
1148 "ip6tables", "-m", "owner", "-t", "mangle", "-D", "OUTPUT", "-p", "udp",
1149 "--gid-owner", mygid, "--dport", DNS_PORT, "-j", "ACCEPT",
1152 if (0 != fork_and_exec (sbin_ip6tables, mangle_clean_args))
1158 char *const mangle_clean_args[] =
1160 "iptables", "-m", "owner", "-t", "mangle", "-D", "OUTPUT", "-p", "udp",
1161 "--gid-owner", mygid, "--dport", DNS_PORT, "-j", "ACCEPT",
1164 if (0 != fork_and_exec (sbin_iptables, mangle_clean_args))
1169 /* close virtual interface */
1170 (void) close (fd_tun);
1171 /* remove signal handler so we can close the pipes */
1172 (void) signal (SIGTERM, SIG_IGN);
1173 #if (SIGTERM != GNUNET_TERM_SIG)
1174 (void) signal (GNUNET_TERM_SIG, SIG_IGN);
1176 (void) signal (SIGINT, SIG_IGN);
1177 (void) signal (SIGHUP, SIG_IGN);
1178 (void) close (cpipe[0]);
1179 (void) close (cpipe[1]);
1183 /* end of gnunet-helper-dns.c */