[GNUnet-SVN] r38085 - gnunet/src/dns
From: |
gnunet |
Subject: |
[GNUnet-SVN] r38085 - gnunet/src/dns |
Date: |
Sun, 9 Oct 2016 14:00:16 +0200 |
Author: grothoff
Date: 2016-10-09 14:00:15 +0200 (Sun, 09 Oct 2016)
New Revision: 38085
Modified:
gnunet/src/dns/gnunet-helper-dns.c
Log:
do not try to intercept link local DNS traffic, as we cannot properly re-inject
it into the kernel's IP stack
Modified: gnunet/src/dns/gnunet-helper-dns.c
===================================================================
--- gnunet/src/dns/gnunet-helper-dns.c 2016-10-09 11:51:12 UTC (rev 38084)
+++ gnunet/src/dns/gnunet-helper-dns.c 2016-10-09 12:00:15 UTC (rev 38085)
@@ -966,14 +966,16 @@
"ACCEPT", NULL
};
if (0 != fork_and_exec (sbin_ip6tables, mangle_args))
- goto cleanup_rest;
+ goto cleanup_mangle_1b;
}
- /* Mark all of the other DNS traffic using our mark DNS_MARK */
+ /* Mark all of the other DNS traffic using our mark DNS_MARK,
+ unless it is on a link-local IPv6 address, which we cannot support. */
{
char *const mark_args[] =
{
"iptables", "-t", "mangle", "-I", "OUTPUT", "2", "-p",
- "udp", "--dport", DNS_PORT, "-j", "MARK", "--set-mark", DNS_MARK,
+ "udp", "--dport", DNS_PORT,
+ "-j", "MARK", "--set-mark", DNS_MARK,
NULL
};
if (0 != fork_and_exec (sbin_iptables, mark_args))
@@ -983,11 +985,13 @@
char *const mark_args[] =
{
"ip6tables", "-t", "mangle", "-I", "OUTPUT", "2", "-p",
- "udp", "--dport", DNS_PORT, "-j", "MARK", "--set-mark", DNS_MARK,
+ "udp", "--dport", DNS_PORT,
+ "!", "-s", "fe80::/10", /* this line excludes link-local traffic */
+ "-j", "MARK", "--set-mark", DNS_MARK,
NULL
};
if (0 != fork_and_exec (sbin_ip6tables, mark_args))
- goto cleanup_mangle_1;
+ goto cleanup_mark_2b;
}
/* Forward all marked DNS traffic to our DNS_TABLE */
{
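Review bot: The exclusion added as `"!", "-s", "fe80::/10"` tests the packet's source address only, whereas the log message and the comment introduced in the previous hunk speak of link-local DNS traffic in general; a query to a link-local resolver will normally carry a link-local source as well, so the rule should catch it, but the comment on that line should name what is actually matched, e.g. `/* skip packets with a link-local source; we cannot re-inject those */`. The same three-element literal is repeated in the `-D` teardown rule later in this commit and the two must stay byte-identical for the delete to find the rule, so a single shared `#define` (constructed example: `LINK_LOCAL_V6_PREFIX "fe80::/10"`) used in both places would keep them from drifting. Note also that the new comment "unless it is on a link-local IPv6 address" was placed above the IPv4 `iptables` rule in the previous hunk, which has no such exclusion; it belongs above this `ip6tables` block.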
@@ -1004,7 +1008,7 @@
"ip", "-6", "rule", "add", "fwmark", DNS_MARK, "table", DNS_TABLE,
NULL
};
if (0 != fork_and_exec (sbin_ip, forward_args))
- goto cleanup_mark_2;
+ goto cleanup_forward_3b;
}
/* Finally, add rule in our forwarding table to pass to our virtual
interface */
{
@@ -1023,7 +1027,7 @@
"table", DNS_TABLE, NULL
};
if (0 != fork_and_exec (sbin_ip, route_args))
- goto cleanup_forward_3;
+ goto cleanup_route_4b;
}
}
@@ -1049,7 +1053,7 @@
r = 0; /* did fully setup routing table (if nothing else happens, we were
successful!) */
/* now forward until we hit a problem */
- run (fd_tun);
+ run (fd_tun);
/* now need to regain privs so we can remove the firewall rules we added! */
#ifdef HAVE_SETRESUID
@@ -1075,17 +1079,18 @@
{
char *const route_clean_args[] =
{
- "ip", "route", "del", "default", "dev", dev,
+ "ip", "-6", "route", "del", "default", "dev", dev,
"table", DNS_TABLE, NULL
};
if (0 != fork_and_exec (sbin_ip, route_clean_args))
r += 1;
}
+ cleanup_route_4b:
if (0 == nortsetup)
{
char *const route_clean_args[] =
{
- "ip", "-6", "route", "del", "default", "dev", dev,
+ "ip", "route", "del", "default", "dev", dev,
"table", DNS_TABLE, NULL
};
if (0 != fork_and_exec (sbin_ip, route_clean_args))
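Review bot: Both the IPv6 and the IPv4 route teardown blocks that now bracket `cleanup_route_4b:` add the same value with `r += 1;`, and the forward/mark/mangle pairs in the following hunks likewise each add 2, 4 and 8 twice. If `r` is meant to be read as a bitmask of which teardown step failed (the values suggest it, but the caller is not visible here), two failures in the same pair sum into the next step's bit, so "both route deletions failed" becomes indistinguishable from "one rule deletion failed"; either use `r |= 1;` so the value only records that the step failed, or give the IPv4 and IPv6 halves distinct bits. The enclosing function starts and ends outside this hunk.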
@@ -1096,16 +1101,17 @@
{
char *const forward_clean_args[] =
{
- "ip", "rule", "del", "fwmark", DNS_MARK, "table", DNS_TABLE, NULL
+ "ip", "-6", "rule", "del", "fwmark", DNS_MARK, "table", DNS_TABLE, NULL
};
if (0 != fork_and_exec (sbin_ip, forward_clean_args))
r += 2;
}
+ cleanup_forward_3b:
if (0 == nortsetup)
{
char *const forward_clean_args[] =
{
- "ip", "-6", "rule", "del", "fwmark", DNS_MARK, "table", DNS_TABLE, NULL
+ "ip", "rule", "del", "fwmark", DNS_MARK, "table", DNS_TABLE, NULL
};
if (0 != fork_and_exec (sbin_ip, forward_clean_args))
r += 2;
@@ -1115,20 +1121,23 @@
{
char *const mark_clean_args[] =
{
- "iptables", "-t", "mangle", "-D", "OUTPUT", "-p", "udp",
- "--dport", DNS_PORT, "-j", "MARK", "--set-mark", DNS_MARK, NULL
+ "ip6tables", "-t", "mangle", "-D", "OUTPUT", "-p", "udp",
+ "--dport", DNS_PORT,
+ "!", "-s", "fe80::/10", /* this line excludes link-local traffic */
+ "-j", "MARK", "--set-mark", DNS_MARK, NULL
};
- if (0 != fork_and_exec (sbin_iptables, mark_clean_args))
+ if (0 != fork_and_exec (sbin_ip6tables, mark_clean_args))
r += 4;
}
+ cleanup_mark_2b:
if (0 == nortsetup)
{
char *const mark_clean_args[] =
{
- "ip6tables", "-t", "mangle", "-D", "OUTPUT", "-p", "udp",
+ "iptables", "-t", "mangle", "-D", "OUTPUT", "-p", "udp",
"--dport", DNS_PORT, "-j", "MARK", "--set-mark", DNS_MARK, NULL
};
- if (0 != fork_and_exec (sbin_ip6tables, mark_clean_args))
+ if (0 != fork_and_exec (sbin_iptables, mark_clean_args))
r += 4;
}
cleanup_mangle_1:
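Review bot: The comment `/* this line excludes link-local traffic */` copied into the `ip6tables -D` argument list is misleading in a delete rule: here the negated source match does not exclude anything, it only selects which rule is removed, and if it ever differs from the rule inserted at setup the delete silently finds nothing and the mark rule stays installed after the helper has dropped its privileges. Suggest `/* must match the inserted rule exactly, or -D deletes nothing */`. The enclosing function continues outside this hunk.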
@@ -1136,22 +1145,23 @@
{
char *const mangle_clean_args[] =
{
- "iptables", "-m", "owner", "-t", "mangle", "-D", "OUTPUT", "-p", "udp",
+ "ip6tables", "-m", "owner", "-t", "mangle", "-D", "OUTPUT", "-p", "udp",
"--gid-owner", mygid, "--dport", DNS_PORT, "-j", "ACCEPT",
NULL
};
- if (0 != fork_and_exec (sbin_iptables, mangle_clean_args))
+ if (0 != fork_and_exec (sbin_ip6tables, mangle_clean_args))
r += 8;
}
+ cleanup_mangle_1b:
if (0 == nortsetup)
{
char *const mangle_clean_args[] =
{
- "ip6tables", "-m", "owner", "-t", "mangle", "-D", "OUTPUT", "-p", "udp",
+ "iptables", "-m", "owner", "-t", "mangle", "-D", "OUTPUT", "-p", "udp",
"--gid-owner", mygid, "--dport", DNS_PORT, "-j", "ACCEPT",
NULL
};
- if (0 != fork_and_exec (sbin_ip6tables, mangle_clean_args))
+ if (0 != fork_and_exec (sbin_iptables, mangle_clean_args))
r += 8;
}