From: Christian Grothoff
Date: Sun, 9 Oct 2016 12:00:15 +0000 (+0000)
Subject: do not try to intercept link local DNS traffic, as we cannot properly re-inject it...
X-Git-Tag: initial-import-from-subversion-38251~142
X-Git-Url: https://git.librecmc.org/?a=commitdiff_plain;h=a766078062ac47d0a9f06570388da851a53f5457;p=oweals%2Fgnunet.git

do not try to intercept link local DNS traffic, as we cannot properly re-inject it intot the kernel's IP stack
---

diff --git a/src/dns/gnunet-helper-dns.c b/src/dns/gnunet-helper-dns.c
index 1d411379f..1c5744002 100644
--- a/src/dns/gnunet-helper-dns.c
+++ b/src/dns/gnunet-helper-dns.c
@@ -966,14 +966,16 @@ main (int argc, char *const*argv)
 "ACCEPT", NULL
 };
 if (0 != fork_and_exec (sbin_ip6tables, mangle_args))
- goto cleanup_rest;
+ goto cleanup_mangle_1b;
 }
- /* Mark all of the other DNS traffic using our mark DNS_MARK */
+ /* Mark all of the other DNS traffic using our mark DNS_MARK,
+ unless it is on a link-local IPv6 address, which we cannot support. */
 {
 char *const mark_args[] =
 {
 "iptables", "-t", "mangle", "-I", "OUTPUT", "2", "-p",
- "udp", "--dport", DNS_PORT, "-j", "MARK", "--set-mark", DNS_MARK,
+ "udp", "--dport", DNS_PORT,
+ "-j", "MARK", "--set-mark", DNS_MARK,
 NULL
 };
 if (0 != fork_and_exec (sbin_iptables, mark_args))
@@ -983,11 +985,13 @@ main (int argc, char *const*argv)
 char *const mark_args[] =
 {
 "ip6tables", "-t", "mangle", "-I", "OUTPUT", "2", "-p",
- "udp", "--dport", DNS_PORT, "-j", "MARK", "--set-mark", DNS_MARK,
+ "udp", "--dport", DNS_PORT,
+ "!", "-s", "fe80::/10", /* this line excludes link-local traffic */
+ "-j", "MARK", "--set-mark", DNS_MARK,
 NULL
 };
 if (0 != fork_and_exec (sbin_ip6tables, mark_args))
- goto cleanup_mangle_1;
+ goto cleanup_mark_2b;
 }
 /* Forward all marked DNS traffic to our DNS_TABLE */
 {
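Review bot: The new comment ahead of the iptables block promises a link-local IPv6 exclusion, but the rule it precedes is the IPv4 one and carries no exclusion; the `! -s fe80::/10` match only appears in the ip6tables block in the next hunk, so a reader looks for it in the wrong block. Rewording it to point at the right rule would avoid that, e.g. `/* Mark all of the other DNS traffic using our mark DNS_MARK; the ip6tables rule below additionally skips link-local sources (fe80::/10), which we cannot re-inject. */`. The goto target of the iptables mark block lies outside this hunk, as does the rest of main.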
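Review bot: The new match triple `"!", "-s", "fe80::/10"` in mark_args is repeated verbatim in mark_clean_args in the -1115 hunk, and ip6tables `-D` only removes a rule whose arguments match exactly; if the two lists ever drift, the deletion fails, the only signal is `r += 4`, and the MARK rule is left behind in the mangle table after the helper exits. A comment on the install side, `/* keep in sync with mark_clean_args below: -D must repeat these match arguments exactly */`, or a single static const array holding the match arguments for both calls, would make that coupling visible. It also seems worth saying in the comment that queries sent from a link-local source are not marked at all and so, as far as this hunk shows, bypass the DNS_TABLE forwarding entirely rather than failing. main continues outside the hunk.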
@@ -1004,7 +1008,7 @@ main (int argc, char *const*argv)
 "ip", "-6", "rule", "add", "fwmark", DNS_MARK, "table", DNS_TABLE, NULL
 };
 if (0 != fork_and_exec (sbin_ip, forward_args))
- goto cleanup_mark_2;
+ goto cleanup_forward_3b;
 }
 /* Finally, add rule in our forwarding table to pass to our virtual interface */
 {
@@ -1023,7 +1027,7 @@ main (int argc, char *const*argv)
 "table", DNS_TABLE, NULL
 };
 if (0 != fork_and_exec (sbin_ip, route_args))
- goto cleanup_forward_3;
+ goto cleanup_route_4b;
 }
 }
 
@@ -1049,7 +1053,7 @@ main (int argc, char *const*argv)
 r = 0; /* did fully setup routing table (if nothing else happens, we were successful!) */
 
 /* now forward until we hit a problem */
- run (fd_tun);
+ run (fd_tun);
 
 /* now need to regain privs so we can remove the firewall rules we added! */
 #ifdef HAVE_SETRESUID
@@ -1075,17 +1079,18 @@ main (int argc, char *const*argv)
 {
 char *const route_clean_args[] =
 {
- "ip", "route", "del", "default", "dev", dev,
+ "ip", "-6", "route", "del", "default", "dev", dev,
 "table", DNS_TABLE, NULL
 };
 if (0 != fork_and_exec (sbin_ip, route_clean_args))
 r += 1;
 }
+ cleanup_route_4b:
 if (0 == nortsetup)
 {
 char *const route_clean_args[] =
 {
- "ip", "-6", "route", "del", "default", "dev", dev,
+ "ip", "route", "del", "default", "dev", dev,
 "table", DNS_TABLE, NULL
 };
 if (0 != fork_and_exec (sbin_ip, route_clean_args))
@@ -1096,16 +1101,17 @@ main (int argc, char *const*argv)
 {
 char *const forward_clean_args[] =
 {
- "ip", "rule", "del", "fwmark", DNS_MARK, "table", DNS_TABLE, NULL
+ "ip", "-6", "rule", "del", "fwmark", DNS_MARK, "table", DNS_TABLE, NULL
 };
 if (0 != fork_and_exec (sbin_ip, forward_clean_args))
 r += 2;
 }
+ cleanup_forward_3b:
 if (0 == nortsetup)
 {
 char *const forward_clean_args[] =
 {
- "ip", "-6", "rule", "del", "fwmark", DNS_MARK, "table", DNS_TABLE, NULL
+ "ip", "rule", "del", "fwmark", DNS_MARK, "table", DNS_TABLE, NULL
 };
 if (0 != fork_and_exec (sbin_ip, forward_clean_args))
 r += 2;
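Review bot: The new `cleanup_route_4b:` label in the -1075 hunk sits between two cleanup blocks whose argument lists were swapped in place (the first now runs `ip -6 route del`, the second `ip route del`), so nothing at the label says why it exists or which partial-setup state it handles; the same applies to `cleanup_forward_3b:` in the -1096 hunk and to `cleanup_mark_2b:` and `cleanup_mangle_1b:` in the -1115 and -1136 hunks. A one-line comment at each label would carry the intent, e.g. `/* entered when only the IPv4 rule was installed (the IPv6 one failed), so the IPv6 removal above is skipped */`. The new labels also appear to be indented by one space whereas the existing `cleanup_mangle_1:` is at column 0, though the collapsed layout here makes that hard to confirm. All of these cleanup sections belong to main, which extends beyond the hunks.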
@@ -1115,20 +1121,23 @@ main (int argc, char *const*argv)
 {
 char *const mark_clean_args[] =
 {
- "iptables", "-t", "mangle", "-D", "OUTPUT", "-p", "udp",
- "--dport", DNS_PORT, "-j", "MARK", "--set-mark", DNS_MARK, NULL
+ "ip6tables", "-t", "mangle", "-D", "OUTPUT", "-p", "udp",
+ "--dport", DNS_PORT,
+ "!", "-s", "fe80::/10", /* this line excludes link-local traffic */
+ "-j", "MARK", "--set-mark", DNS_MARK, NULL
 };
- if (0 != fork_and_exec (sbin_iptables, mark_clean_args))
+ if (0 != fork_and_exec (sbin_ip6tables, mark_clean_args))
 r += 4;
 }
+ cleanup_mark_2b:
 if (0 == nortsetup)
 {
 char *const mark_clean_args[] =
 {
- "ip6tables", "-t", "mangle", "-D", "OUTPUT", "-p", "udp",
+ "iptables", "-t", "mangle", "-D", "OUTPUT", "-p", "udp",
 "--dport", DNS_PORT, "-j", "MARK", "--set-mark", DNS_MARK, NULL
 };
- if (0 != fork_and_exec (sbin_ip6tables, mark_clean_args))
+ if (0 != fork_and_exec (sbin_iptables, mark_clean_args))
 r += 4;
 }
 cleanup_mangle_1:
@@ -1136,22 +1145,23 @@ main (int argc, char *const*argv)
 {
 char *const mangle_clean_args[] =
 {
- "iptables", "-m", "owner", "-t", "mangle", "-D", "OUTPUT", "-p", "udp",
+ "ip6tables", "-m", "owner", "-t", "mangle", "-D", "OUTPUT", "-p", "udp",
 "--gid-owner", mygid, "--dport", DNS_PORT, "-j", "ACCEPT", NULL
 };
- if (0 != fork_and_exec (sbin_iptables, mangle_clean_args))
+ if (0 != fork_and_exec (sbin_ip6tables, mangle_clean_args))
 r += 8;
 }
+ cleanup_mangle_1b:
 if (0 == nortsetup)
 {
 char *const mangle_clean_args[] =
 {
- "ip6tables", "-m", "owner", "-t", "mangle", "-D", "OUTPUT", "-p", "udp",
+ "iptables", "-m", "owner", "-t", "mangle", "-D", "OUTPUT", "-p", "udp",
 "--gid-owner", mygid, "--dport", DNS_PORT, "-j", "ACCEPT", NULL
 };
- if (0 != fork_and_exec (sbin_ip6tables, mangle_clean_args))
+ if (0 != fork_and_exec (sbin_iptables, mangle_clean_args))
 r += 8;
 }