2 This file is part of GNUnet.
3 Copyright (C) 2010, 2011, 2012 Christian Grothoff
5 GNUnet is free software: you can redistribute it and/or modify it
6 under the terms of the GNU Affero General Public License as published
7 by the Free Software Foundation, either version 3 of the License,
8 or (at your option) any later version.
10 GNUnet is distributed in the hope that it will be useful, but
11 WITHOUT ANY WARRANTY; without even the implied warranty of
12 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
13 Affero General Public License for more details.
15 You should have received a copy of the GNU Affero General Public License
16 along with this program. If not, see <http://www.gnu.org/licenses/>.
18 SPDX-License-Identifier: AGPL3.0-or-later
22 * @file exit/gnunet-helper-exit.c
24 * @brief the helper for exit nodes. Opens a virtual
25 * network-interface, sends data received on the if to stdout, sends
26 * data received on stdin to the interface. The code also enables
27 * IPv4/IPv6 forwarding and NAT on the current system (the latter on
28 * an interface specified on the command-line); these changes to the
29 * network configuration are NOT automatically undone when the program
30 * is stopped (this is because we cannot be sure that some other
31 * application didn't enable them before or after us; also, these
32 * changes should be mostly harmless as it simply turns the system
35 * @author Philipp Tölke
36 * @author Christian Grothoff
38 * The following list of people have reviewed this code and considered
39 * it safe since the last modification (if you reviewed it, please
40 * have your name added to the list):
45 #include <linux/if_tun.h>
48 * Need 'struct GNUNET_MessageHeader'.
50 #include "gnunet_crypto_lib.h"
51 #include "gnunet_common.h"
54 * Need VPN message types.
56 #include "gnunet_protocols.h"
59 * Should we print (interesting|debug) messages that can happen during
62 #define DEBUG GNUNET_NO
65 * Maximum size of a GNUnet message (GNUNET_MAX_MESSAGE_SIZE)
67 #define MAX_SIZE 65536
70 * Path to 'sysctl' binary.
72 static const char *sbin_sysctl;
75 * Path to 'iptables' binary.
77 static const char *sbin_iptables;
82 * This is in linux/include/net/ipv6.h, but not always exported...
86 struct in6_addr ifr6_addr;
87 uint32_t ifr6_prefixlen; /* __u32 in the original */
94 * Open '/dev/null' and make the result the given
97 * @param target_fd desired FD to point to /dev/null
98 * @param flags open flags (O_RDONLY, O_WRONLY)
101 open_dev_null (int target_fd,
106 fd = open ("/dev/null", flags);
111 if (-1 == dup2 (fd, target_fd))
121 * Run the given command and wait for it to complete.
123 * @param file name of the binary to run
124 * @param cmd command line arguments (as given to 'execv')
125 * @return 0 on success, 1 on any error
128 fork_and_exec (const char *file,
145 /* we are the child process */
146 /* close stdin/stdout to not cause interference
147 with the helper's main protocol! */
149 open_dev_null (0, O_RDONLY);
151 open_dev_null (1, O_WRONLY);
152 (void) execv (file, cmd);
153 /* can only get here on error */
155 "exec `%s' failed: %s\n",
160 /* keep running waitpid as long as the only error we get is 'EINTR' */
161 while ((-1 == (ret = waitpid (pid, &status, 0))) &&
167 "waitpid failed: %s\n",
171 if (! (WIFEXITED (status) && (0 == WEXITSTATUS (status))))
173 /* child process completed and returned success, we're happy */
179 * Creates a tun-interface called dev;
181 * @param dev is asumed to point to a char[IFNAMSIZ]
182 * if *dev == '\\0', uses the name supplied by the kernel;
183 * @return the fd to the tun or -1 on error
197 if (-1 == (fd = open ("/dev/net/tun", O_RDWR)))
199 fprintf (stderr, "Error opening `%s': %s\n", "/dev/net/tun",
204 if (fd >= FD_SETSIZE)
206 fprintf (stderr, "File descriptor to large: %d", fd);
211 memset (&ifr, 0, sizeof(ifr));
212 ifr.ifr_flags = IFF_TUN;
215 strncpy (ifr.ifr_name, dev, IFNAMSIZ);
217 if (-1 == ioctl (fd, TUNSETIFF, (void *) &ifr))
220 "Error with ioctl on `%s': %s\n", "/dev/net/tun",
225 strcpy (dev, ifr.ifr_name);
231 * @brief Sets the IPv6-Address given in address on the interface dev
233 * @param dev the interface to configure
234 * @param address the IPv6-Address
235 * @param prefix_len the length of the network-prefix
238 set_address6 (const char *dev, const char *address, unsigned long prefix_len)
241 struct sockaddr_in6 sa6;
243 struct in6_ifreq ifr6;
246 * parse the new address
248 memset (&sa6, 0, sizeof(struct sockaddr_in6));
249 sa6.sin6_family = AF_INET6;
250 if (1 != inet_pton (AF_INET6, address, &sa6.sin6_addr))
252 fprintf (stderr, "Failed to parse address `%s': %s\n", address,
257 if (-1 == (fd = socket (PF_INET6, SOCK_DGRAM, 0)))
259 fprintf (stderr, "Error creating socket: %s\n", strerror (errno));
263 memset (&ifr, 0, sizeof(struct ifreq));
265 * Get the index of the if
267 strncpy (ifr.ifr_name, dev, IFNAMSIZ);
268 if (-1 == ioctl (fd, SIOGIFINDEX, &ifr))
270 fprintf (stderr, "ioctl failed at %d: %s\n", __LINE__, strerror (errno));
275 memset (&ifr6, 0, sizeof(struct in6_ifreq));
276 ifr6.ifr6_addr = sa6.sin6_addr;
277 ifr6.ifr6_ifindex = ifr.ifr_ifindex;
278 ifr6.ifr6_prefixlen = prefix_len;
283 if (-1 == ioctl (fd, SIOCSIFADDR, &ifr6))
285 fprintf (stderr, "ioctl failed at line %d: %s\n", __LINE__,
294 if (-1 == ioctl (fd, SIOCGIFFLAGS, &ifr))
296 fprintf (stderr, "ioctl failed at line %d: %s\n", __LINE__,
303 * Add the UP and RUNNING flags
305 ifr.ifr_flags |= IFF_UP | IFF_RUNNING;
306 if (-1 == ioctl (fd, SIOCSIFFLAGS, &ifr))
308 fprintf (stderr, "ioctl failed at line %d: %s\n", __LINE__,
316 fprintf (stderr, "close failed: %s\n", strerror (errno));
323 * @brief Sets the IPv4-Address given in address on the interface dev
325 * @param dev the interface to configure
326 * @param address the IPv4-Address
327 * @param mask the netmask
330 set_address4 (const char *dev, const char *address, const char *mask)
333 struct sockaddr_in *addr;
336 memset (&ifr, 0, sizeof(struct ifreq));
337 addr = (struct sockaddr_in *) &(ifr.ifr_addr);
338 addr->sin_family = AF_INET;
343 if (1 != inet_pton (AF_INET, address, &addr->sin_addr.s_addr))
345 fprintf (stderr, "Failed to parse address `%s': %s\n", address,
350 if (-1 == (fd = socket (PF_INET, SOCK_DGRAM, 0)))
352 fprintf (stderr, "Error creating socket: %s\n", strerror (errno));
356 strncpy (ifr.ifr_name, dev, IFNAMSIZ);
361 if (-1 == ioctl (fd, SIOCSIFADDR, &ifr))
363 fprintf (stderr, "ioctl failed at %d: %s\n", __LINE__, strerror (errno));
371 addr = (struct sockaddr_in *) &(ifr.ifr_netmask);
372 if (1 != inet_pton (AF_INET, mask, &addr->sin_addr.s_addr))
374 fprintf (stderr, "Failed to parse address `%s': %s\n", mask,
383 if (-1 == ioctl (fd, SIOCSIFNETMASK, &ifr))
385 fprintf (stderr, "ioctl failed at line %d: %s\n", __LINE__,
394 if (-1 == ioctl (fd, SIOCGIFFLAGS, &ifr))
396 fprintf (stderr, "ioctl failed at line %d: %s\n", __LINE__,
403 * Add the UP and RUNNING flags
405 ifr.ifr_flags |= IFF_UP | IFF_RUNNING;
406 if (-1 == ioctl (fd, SIOCSIFFLAGS, &ifr))
408 fprintf (stderr, "ioctl failed at line %d: %s\n", __LINE__,
416 fprintf (stderr, "close failed: %s\n", strerror (errno));
424 * Start forwarding to and from the tunnel.
426 * @param fd_tun tunnel FD
432 * The buffer filled by reading from fd_tun
434 unsigned char buftun[MAX_SIZE];
435 ssize_t buftun_size = 0;
436 unsigned char *buftun_read = NULL;
439 * The buffer filled by reading from stdin
441 unsigned char bufin[MAX_SIZE];
442 ssize_t bufin_size = 0;
443 size_t bufin_rpos = 0;
444 unsigned char *bufin_read = NULL;
449 /* read refers to reading from fd_tun, writing to stdout */
452 /* write refers to reading from stdin, writing to fd_tun */
455 while ((1 == read_open) && (1 == write_open))
461 * We are supposed to read and the buffer is empty
462 * -> select on read from tun
464 if (read_open && (0 == buftun_size))
465 FD_SET (fd_tun, &fds_r);
468 * We are supposed to read and the buffer is not empty
469 * -> select on write to stdout
471 if (read_open && (0 != buftun_size))
475 * We are supposed to write and the buffer is empty
476 * -> select on read from stdin
478 if (write_open && (NULL == bufin_read))
482 * We are supposed to write and the buffer is not empty
483 * -> select on write to tun
485 if (write_open && (NULL != bufin_read))
486 FD_SET (fd_tun, &fds_w);
488 int r = select (fd_tun + 1, &fds_r, &fds_w, NULL, NULL);
494 fprintf (stderr, "select failed: %s\n", strerror (errno));
500 if (FD_ISSET (fd_tun, &fds_r))
503 read (fd_tun, buftun + sizeof(struct GNUNET_MessageHeader),
504 MAX_SIZE - sizeof(struct GNUNET_MessageHeader));
505 if (-1 == buftun_size)
510 shutdown (fd_tun, SHUT_RD);
511 shutdown (1, SHUT_WR);
515 else if (0 == buftun_size)
518 fprintf (stderr, "EOF on tun\n");
520 shutdown (fd_tun, SHUT_RD);
521 shutdown (1, SHUT_WR);
527 buftun_read = buftun;
528 struct GNUNET_MessageHeader *hdr =
529 (struct GNUNET_MessageHeader *) buftun;
530 buftun_size += sizeof(struct GNUNET_MessageHeader);
531 hdr->type = htons (GNUNET_MESSAGE_TYPE_VPN_HELPER);
532 hdr->size = htons (buftun_size);
535 else if (FD_ISSET (1, &fds_w))
537 ssize_t written = write (1, buftun_read, buftun_size);
545 "write-error to stdout: %s\n",
547 shutdown (fd_tun, SHUT_RD);
548 shutdown (1, SHUT_WR);
552 else if (0 == written)
554 fprintf (stderr, "write returned 0!?\n");
559 buftun_size -= written;
560 buftun_read += written;
564 if (FD_ISSET (0, &fds_r))
566 bufin_size = read (0, bufin + bufin_rpos, MAX_SIZE - bufin_rpos);
567 if (-1 == bufin_size)
569 fprintf (stderr, "read-error: %s\n", strerror (errno));
570 shutdown (0, SHUT_RD);
571 shutdown (fd_tun, SHUT_WR);
575 else if (0 == bufin_size)
578 fprintf (stderr, "EOF on stdin\n");
580 shutdown (0, SHUT_RD);
581 shutdown (fd_tun, SHUT_WR);
587 struct GNUNET_MessageHeader *hdr;
590 bufin_rpos += bufin_size;
591 if (bufin_rpos < sizeof(struct GNUNET_MessageHeader))
593 hdr = (struct GNUNET_MessageHeader *) bufin;
594 if (ntohs (hdr->type) != GNUNET_MESSAGE_TYPE_VPN_HELPER)
596 fprintf (stderr, "protocol violation!\n");
599 if (ntohs (hdr->size) > bufin_rpos)
601 bufin_read = bufin + sizeof(struct GNUNET_MessageHeader);
602 bufin_size = ntohs (hdr->size) - sizeof(struct GNUNET_MessageHeader);
603 bufin_rpos -= bufin_size + sizeof(struct GNUNET_MessageHeader);
606 else if (FD_ISSET (fd_tun, &fds_w))
608 ssize_t written = write (fd_tun, bufin_read, bufin_size);
612 fprintf (stderr, "write-error to tun: %s\n", strerror (errno));
613 shutdown (0, SHUT_RD);
614 shutdown (fd_tun, SHUT_WR);
618 else if (0 == written)
620 fprintf (stderr, "write returned 0!?\n");
625 bufin_size -= written;
626 bufin_read += written;
629 memmove (bufin, bufin_read, bufin_rpos);
630 bufin_read = NULL; /* start reading again */
642 * Open VPN tunnel interface.
644 * @param argc must be 6
645 * @param argv 0: binary name ("gnunet-helper-exit")
646 * 1: tunnel interface name ("gnunet-exit")
647 * 2: "physical" interface name ("eth0"), or "-" to not setup NAT
649 * 3: IPv6 address ("::1"), or "-" to skip IPv6
650 * 4: IPv6 netmask length in bits ("64") [ignored if #4 is "-"]
651 * 5: IPv4 address ("1.2.3.4"), or "-" to skip IPv4
652 * 6: IPv4 netmask ("255.255.0.0") [ignored if #4 is "-"]
655 main (int argc, char **argv)
663 fprintf (stderr, "Fatal: must supply 6 arguments!\n");
666 if ((0 == strcmp (argv[3], "-")) &&
667 (0 == strcmp (argv[5], "-")))
669 fprintf (stderr, "Fatal: disabling both IPv4 and IPv6 makes no sense.\n");
672 if (0 != strcmp (argv[2], "-"))
675 if (0 == access (IPTABLES, X_OK))
676 sbin_iptables = IPTABLES;
679 if (0 == access ("/sbin/iptables", X_OK))
680 sbin_iptables = "/sbin/iptables";
681 else if (0 == access ("/usr/sbin/iptables", X_OK))
682 sbin_iptables = "/usr/sbin/iptables";
686 "Fatal: executable iptables not found in approved directories: %s\n",
691 if (0 == access (SYSCTL, X_OK))
692 sbin_sysctl = SYSCTL;
695 if (0 == access ("/sbin/sysctl", X_OK))
696 sbin_sysctl = "/sbin/sysctl";
697 else if (0 == access ("/usr/sbin/sysctl", X_OK))
698 sbin_sysctl = "/usr/sbin/sysctl";
702 "Fatal: executable sysctl not found in approved directories: %s\n",
708 strncpy (dev, argv[1], IFNAMSIZ);
709 dev[IFNAMSIZ - 1] = '\0';
711 if (-1 == (fd_tun = init_tun (dev)))
714 "Fatal: could not initialize tun-interface `%s' with IPv6 %s/%s and IPv4 %s/%s\n",
723 if (0 != strcmp (argv[3], "-"))
726 const char *address = argv[3];
727 long prefix_len = atol (argv[4]);
729 if ((prefix_len < 1) || (prefix_len > 127))
731 fprintf (stderr, "Fatal: prefix_len out of range\n");
734 set_address6 (dev, address, prefix_len);
736 if (0 != strcmp (argv[2], "-"))
738 char *const sysctl_args[] = {
739 "sysctl", "-w", "net.ipv6.conf.all.forwarding=1", NULL
741 if (0 != fork_and_exec (sbin_sysctl,
745 "Failed to enable IPv6 forwarding. Will continue anyway.\n");
750 if (0 != strcmp (argv[5], "-"))
753 const char *address = argv[5];
754 const char *mask = argv[6];
756 set_address4 (dev, address, mask);
758 if (0 != strcmp (argv[2], "-"))
761 char *const sysctl_args[] = {
762 "sysctl", "-w", "net.ipv4.ip_forward=1", NULL
764 if (0 != fork_and_exec (sbin_sysctl,
768 "Failed to enable IPv4 forwarding. Will continue anyway.\n");
772 char *const iptables_args[] = {
773 "iptables", "-t", "nat", "-A", "POSTROUTING", "-o", argv[2], "-j",
776 if (0 != fork_and_exec (sbin_iptables,
780 "Failed to enable IPv4 masquerading (NAT). Will continue anyway.\n");
786 uid_t uid = getuid ();
787 #ifdef HAVE_SETRESUID
788 if (0 != setresuid (uid, uid, uid))
790 fprintf (stderr, "Failed to setresuid: %s\n", strerror (errno));
795 if (0 != (setuid (uid) | seteuid (uid)))
797 fprintf (stderr, "Failed to setuid: %s\n", strerror (errno));
803 if (SIG_ERR == signal (SIGPIPE, SIG_IGN))
805 fprintf (stderr, "Failed to protect against SIGPIPE: %s\n",
807 /* no exit, we might as well die with SIGPIPE should it ever happen */
812 (void) close (fd_tun);
816 /* end of gnunet-helper-exit.c */