along with GNUnet; see the file COPYING. If not, write to the
Free Software Foundation, Inc., 59 Temple Place - Suite 330,
Boston, MA 02111-1307, USA.
- */
+*/
/**
* @file dns/gnunet-helper-dns.c
/**
* Name and full path of IPTABLES binary.
*/
-#define SBIN_IPTABLES "/sbin/iptables"
+static const char *sbin_iptables;
/**
* Name and full path of IPTABLES binary.
*/
-#define SBIN_IP "/sbin/ip"
+static const char *sbin_ip;
/**
* Port for DNS traffic.
if (0 == pid)
{
/* we are the child process */
+ /* close stdin/stdout to not cause interference
+ with the helper's main protocol! */
+ (void) close (0);
+ (void) close (1);
(void) execv (file, cmd);
/* can only get here on error */
fprintf (stderr,
bufin_size = read (0, bufin + bufin_rpos, MAX_SIZE - bufin_rpos);
if (-1 == bufin_size)
{
+ bufin_read = NULL;
if ( (errno == EINTR) ||
(errno == EAGAIN) )
continue;
}
if (0 == bufin_size)
{
+ bufin_read = NULL;
fprintf (stderr, "EOF on stdin\n");
return;
}
* 5 failed to initialize tunnel interface
* 6 failed to initialize control pipe
* 8 failed to change routing table, cleanup successful
- * 9-23 failed to undo some changes to routing table
+ * 9-23 failed to change routing table and failed to undo some changes to routing table
* 24 failed to drop privs
* 25-39 failed to drop privs and then failed to undo some changes to routing table
* 40 failed to regain privs
}
/* verify that the binaries were care about are executable */
- if (0 != access (SBIN_IPTABLES, X_OK))
+ if (0 == access ("/sbin/iptables", X_OK))
+ sbin_iptables = "/sbin/iptables";
+ else if (0 == access ("/usr/sbin/iptables", X_OK))
+ sbin_iptables = "/usr/sbin/iptables";
+ else
{
fprintf (stderr,
- "`%s' is not executable: %s\n",
- SBIN_IPTABLES,
+ "Fatal: executable iptables not found in approved directories: %s\n",
strerror (errno));
return 3;
}
- if (0 != access (SBIN_IP, X_OK))
+ if (0 == access ("/sbin/ip", X_OK))
+ sbin_ip = "/sbin/ip";
+ else if (0 == access ("/usr/sbin/ip", X_OK))
+ sbin_ip = "/usr/sbin/ip";
+ else
{
- fprintf (stderr,
- "`%s' is not executable: %s\n",
- SBIN_IP,
+ fprintf (stderr,
+ "Fatal: executable ip not found in approved directories: %s\n",
strerror (errno));
return 4;
}
return 6;
}
}
- if (SIG_ERR == signal (SIGINT, &signal_handler))
+ if ( (SIG_ERR == signal (SIGTERM, &signal_handler)) ||
+ (SIG_ERR == signal (SIGINT, &signal_handler)) ||
+ (SIG_ERR == signal (SIGHUP, &signal_handler)) )
{
fprintf (stderr,
"Fatal: could not initialize signal handler: %s\n",
if (-1 == (fd_tun = init_tun (dev)))
{
fprintf (stderr, "Fatal: could not initialize tun-interface\n");
+ (void) signal (SIGTERM, SIG_IGN);
(void) signal (SIGINT, SIG_IGN);
+ (void) signal (SIGHUP, SIG_IGN);
(void) close (cpipe[0]);
(void) close (cpipe[1]);
return 5;
if ((prefix_len < 1) || (prefix_len > 127))
{
fprintf (stderr, "Fatal: prefix_len out of range\n");
+ (void) signal (SIGTERM, SIG_IGN);
(void) signal (SIGINT, SIG_IGN);
+ (void) signal (SIGHUP, SIG_IGN);
(void) close (cpipe[0]);
(void) close (cpipe[1]);
return 2;
"udp", "--sport", localport, "--dport", DNS_PORT, "-j",
"ACCEPT", NULL
};
- if (0 != fork_and_exec (SBIN_IPTABLES, mangle_args))
- goto cleanup_mangle_1;
+ if (0 != fork_and_exec (sbin_iptables, mangle_args))
+ goto cleanup_rest;
}
/* Mark all of the other DNS traffic using our mark DNS_MARK */
{
char *const mark_args[] =
{
- "iptables", "-t", "mangle", "-I", "OUTPUT", DNS_TABLE, "-p",
+ "iptables", "-t", "mangle", "-I", "OUTPUT", "2", "-p",
"udp", "--dport", DNS_PORT, "-j", "MARK", "--set-mark", DNS_MARK,
NULL
};
- if (0 != fork_and_exec (SBIN_IPTABLES, mark_args))
- goto cleanup_mark_2;
+ if (0 != fork_and_exec (sbin_iptables, mark_args))
+ goto cleanup_mangle_1;
}
/* Forward all marked DNS traffic to our DNS_TABLE */
{
{
"ip", "rule", "add", "fwmark", DNS_MARK, "table", DNS_TABLE, NULL
};
- if (0 != fork_and_exec (SBIN_IP, forward_args))
- goto cleanup_forward_3;
+ if (0 != fork_and_exec (sbin_ip, forward_args))
+ goto cleanup_mark_2;
}
/* Finally, add rule in our forwarding table to pass to our virtual interface */
{
char *const route_args[] =
{
- "ip", "route", "add", "default", "via", dev,
+ "ip", "route", "add", "default", "dev", dev,
"table", DNS_TABLE, NULL
};
- if (0 != fork_and_exec (SBIN_IP, route_args))
- goto cleanup_route_4;
+ if (0 != fork_and_exec (sbin_ip, route_args))
+ goto cleanup_forward_3;
}
/* drop privs *except* for the saved UID; this is not perfect, but better
/* now forward until we hit a problem */
run (fd_tun);
- (void) close (fd_tun);
/* now need to regain privs so we can remove the firewall rules we added! */
#ifdef HAVE_SETRESUID
{
char *const route_clean_args[] =
{
- "ip", "route", "del", "default", "via", dev,
+ "ip", "route", "del", "default", "dev", dev,
"table", DNS_TABLE, NULL
};
- if (0 != fork_and_exec (SBIN_IP, route_clean_args))
+ if (0 != fork_and_exec (sbin_ip, route_clean_args))
r += 1;
}
cleanup_forward_3:
{
"ip", "rule", "del", "fwmark", DNS_MARK, "table", DNS_TABLE, NULL
};
- if (0 != fork_and_exec (SBIN_IP, forward_clean_args))
+ if (0 != fork_and_exec (sbin_ip, forward_clean_args))
r += 2;
}
cleanup_mark_2:
"iptables", "-t", "mangle", "-D", "OUTPUT", "-p", "udp",
"--dport", DNS_PORT, "-j", "MARK", "--set-mark", DNS_MARK, NULL
};
- if (0 != fork_and_exec (SBIN_IPTABLES, mark_clean_args))
+ if (0 != fork_and_exec (sbin_iptables, mark_clean_args))
r += 4;
}
cleanup_mangle_1:
"--sport", localport, "--dport", DNS_PORT, "-j", "ACCEPT",
NULL
};
- if (0 != fork_and_exec (SBIN_IPTABLES, mangle_clean_args))
+ if (0 != fork_and_exec (sbin_iptables, mangle_clean_args))
r += 8;
}
- /* remove SIGINT handler so we can close the pipes */
+ cleanup_rest:
+ /* close virtual interface */
+ (void) close (fd_tun);
+ /* remove signal handler so we can close the pipes */
+ (void) signal (SIGTERM, SIG_IGN);
(void) signal (SIGINT, SIG_IGN);
+ (void) signal (SIGHUP, SIG_IGN);
(void) close (cpipe[0]);
(void) close (cpipe[1]);
return r;
}
-/* end of gnunet-helper-hijack-dns.c */
+/* end of gnunet-helper-dns.c */
projects / oweals / gnunet.git / blobdiff