2021-08-12 15:42:43 +02:00
|
|
|
// SPDX-License-Identifier: AGPL-3.0-or-later
|
|
|
|
|
|
|
|
/* PASST - Plug A Simple Socket Transport
|
|
|
|
* for qemu/UNIX domain socket mode
|
|
|
|
*
|
|
|
|
* PASTA - Pack A Subtle Tap Abstraction
|
|
|
|
* for network namespace/tap device mode
|
|
|
|
*
|
|
|
|
* conf.c - Configuration settings and option parsing
|
|
|
|
*
|
|
|
|
* Copyright (c) 2020-2021 Red Hat GmbH
|
|
|
|
* Author: Stefano Brivio <sbrivio@redhat.com>
|
2021-10-13 22:25:03 +02:00
|
|
|
*
|
seccomp: Add a number of alternate and per-arch syscalls
Depending on the C library, but not necessarily in all the
functions we use, statx() might be used instead of stat(),
getdents() instead of getdents64(), readlinkat() instead of
readlink(), openat() instead of open().
On aarch64, it's clone() and not fork(), and dup3() instead of
dup2() -- just allow the existing alternative instead of dealing
with per-arch selections.
Since glibc commit 9a7565403758 ("posix: Consolidate fork
implementation"), we need to allow set_robust_list() for
fork()/clone(), even in a single-threaded context.
On some architectures, epoll_pwait() is provided instead of
epoll_wait(), but never both. Same with newfstat() and
fstat(), sigreturn() and rt_sigreturn(), getdents64() and
getdents(), readlink() and readlinkat(), unlink() and
unlinkat(), whereas pipe() might not be available, but
pipe2() always is, exclusively or not.
Seen on Fedora 34: newfstatat() is used on top of fstat().
syslog() is an actual system call on some glibc/arch combinations,
instead of a connect()/send() implementation.
On ppc64 and ppc64le, _llseek(), recv(), send() and getuid()
are used. For ppc64 only: ugetrlimit() for the getrlimit()
implementation, plus sigreturn() and fcntl64().
On s390x, additionally, we need to allow socketcall() (on top
of socket()), and sigreturn() also for passt (not just for
pasta).
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
2022-01-26 06:55:28 +01:00
|
|
|
* #syscalls stat|statx
|
2021-08-12 15:42:43 +02:00
|
|
|
*/
|
|
|
|
|
2021-10-21 04:26:08 +02:00
|
|
|
#include <arpa/inet.h>
|
|
|
|
#include <errno.h>
|
|
|
|
#include <fcntl.h>
|
2021-08-12 15:42:43 +02:00
|
|
|
#include <getopt.h>
|
|
|
|
#include <string.h>
|
2021-10-21 04:26:08 +02:00
|
|
|
#include <sched.h>
|
2021-08-12 15:42:43 +02:00
|
|
|
#include <sys/types.h>
|
|
|
|
#include <sys/stat.h>
|
|
|
|
#include <limits.h>
|
|
|
|
#include <stdlib.h>
|
|
|
|
#include <stdint.h>
|
|
|
|
#include <unistd.h>
|
|
|
|
#include <syslog.h>
|
|
|
|
#include <time.h>
|
|
|
|
#include <netinet/in.h>
|
2021-10-21 04:26:08 +02:00
|
|
|
#include <netinet/if_ether.h>
|
|
|
|
|
2021-08-12 15:42:43 +02:00
|
|
|
#include "util.h"
|
|
|
|
#include "passt.h"
|
2021-10-21 04:26:08 +02:00
|
|
|
#include "netlink.h"
|
2021-08-12 15:42:43 +02:00
|
|
|
#include "udp.h"
|
|
|
|
#include "tcp.h"
|
2021-10-11 12:01:31 +02:00
|
|
|
#include "pasta.h"
|
2021-08-12 15:42:43 +02:00
|
|
|
|
2021-09-27 05:24:30 +02:00
|
|
|
/**
|
|
|
|
* get_bound_ports() - Get maps of ports with bound sockets
|
|
|
|
* @c: Execution context
|
|
|
|
* @ns: If set, set bitmaps for ports to tap/ns -- to init otherwise
|
|
|
|
* @proto: Protocol number (IPPROTO_TCP or IPPROTO_UDP)
|
|
|
|
*/
|
|
|
|
void get_bound_ports(struct ctx *c, int ns, uint8_t proto)
|
|
|
|
{
|
|
|
|
uint8_t *udp_map, *udp_exclude, *tcp_map, *tcp_exclude;
|
|
|
|
|
|
|
|
if (ns) {
|
|
|
|
udp_map = c->udp.port_to_tap;
|
|
|
|
udp_exclude = c->udp.port_to_init;
|
|
|
|
tcp_map = c->tcp.port_to_tap;
|
|
|
|
tcp_exclude = c->tcp.port_to_init;
|
|
|
|
} else {
|
|
|
|
udp_map = c->udp.port_to_init;
|
|
|
|
udp_exclude = c->udp.port_to_tap;
|
|
|
|
tcp_map = c->tcp.port_to_init;
|
|
|
|
tcp_exclude = c->tcp.port_to_tap;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (proto == IPPROTO_UDP) {
|
|
|
|
memset(udp_map, 0, USHRT_MAX / 8);
|
|
|
|
procfs_scan_listen("udp", udp_map, udp_exclude);
|
|
|
|
procfs_scan_listen("udp6", udp_map, udp_exclude);
|
|
|
|
|
|
|
|
procfs_scan_listen("tcp", udp_map, udp_exclude);
|
|
|
|
procfs_scan_listen("tcp6", udp_map, udp_exclude);
|
|
|
|
} else if (proto == IPPROTO_TCP) {
|
|
|
|
memset(tcp_map, 0, USHRT_MAX / 8);
|
|
|
|
procfs_scan_listen("tcp", tcp_map, tcp_exclude);
|
|
|
|
procfs_scan_listen("tcp6", tcp_map, tcp_exclude);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2021-08-12 15:42:43 +02:00
|
|
|
/**
|
|
|
|
* struct get_bound_ports_ns_arg - Arguments for get_bound_ports_ns()
|
|
|
|
* @c: Execution context
|
|
|
|
* @proto: Protocol number (IPPROTO_TCP or IPPROTO_UDP)
|
|
|
|
*/
|
|
|
|
struct get_bound_ports_ns_arg {
|
|
|
|
struct ctx *c;
|
|
|
|
uint8_t proto;
|
|
|
|
};
|
|
|
|
|
|
|
|
/**
|
2021-09-27 05:24:30 +02:00
|
|
|
* get_bound_ports_ns() - Get maps of ports in namespace with bound sockets
|
2021-08-12 15:42:43 +02:00
|
|
|
* @arg: See struct get_bound_ports_ns_arg
|
|
|
|
*
|
|
|
|
* Return: 0
|
|
|
|
*/
|
|
|
|
static int get_bound_ports_ns(void *arg)
|
|
|
|
{
|
|
|
|
struct get_bound_ports_ns_arg *a = (struct get_bound_ports_ns_arg *)arg;
|
|
|
|
struct ctx *c = a->c;
|
|
|
|
|
2021-09-29 16:11:06 +02:00
|
|
|
if (!c->pasta_netns_fd || ns_enter(c))
|
2021-08-12 15:42:43 +02:00
|
|
|
return 0;
|
|
|
|
|
2021-09-27 05:24:30 +02:00
|
|
|
get_bound_ports(c, 1, a->proto);
|
2021-08-12 15:42:43 +02:00
|
|
|
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
enum conf_port_type {
|
|
|
|
PORT_SPEC = 1,
|
|
|
|
PORT_NONE,
|
|
|
|
PORT_AUTO,
|
|
|
|
PORT_ALL,
|
|
|
|
};
|
|
|
|
|
|
|
|
static int conf_ports(struct ctx *c, char optname, const char *optarg,
|
|
|
|
enum conf_port_type *set)
|
|
|
|
{
|
|
|
|
int start_src = -1, end_src = -1, start_dst = -1, end_dst = -1;
|
|
|
|
void (*remap)(in_port_t port, in_port_t delta);
|
|
|
|
const char *p;
|
|
|
|
uint8_t *map;
|
|
|
|
char *sep;
|
|
|
|
|
|
|
|
if (optname == 't') {
|
|
|
|
map = c->tcp.port_to_tap;
|
|
|
|
remap = tcp_remap_to_tap;
|
|
|
|
} else if (optname == 'T') {
|
|
|
|
map = c->tcp.port_to_init;
|
|
|
|
remap = tcp_remap_to_init;
|
|
|
|
} else if (optname == 'u') {
|
|
|
|
map = c->udp.port_to_tap;
|
|
|
|
remap = udp_remap_to_tap;
|
|
|
|
} else if (optname == 'U') {
|
|
|
|
map = c->udp.port_to_init;
|
|
|
|
remap = udp_remap_to_init;
|
|
|
|
} else { /* For gcc -O3 */
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (!strcmp(optarg, "none")) {
|
|
|
|
if (*set)
|
|
|
|
return -EINVAL;
|
|
|
|
*set = PORT_NONE;
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (!strcmp(optarg, "auto")) {
|
|
|
|
if (*set || c->mode != MODE_PASTA)
|
|
|
|
return -EINVAL;
|
|
|
|
*set = PORT_AUTO;
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (!strcmp(optarg, "all")) {
|
|
|
|
if (*set || c->mode != MODE_PASST)
|
|
|
|
return -EINVAL;
|
|
|
|
*set = PORT_ALL;
|
|
|
|
memset(map, 0xff, PORT_EPHEMERAL_MIN / 8);
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (*set > PORT_SPEC)
|
|
|
|
return -EINVAL;
|
|
|
|
|
|
|
|
*set = PORT_SPEC;
|
|
|
|
|
|
|
|
if (strspn(optarg, "0123456789-,:") != strlen(optarg)) {
|
|
|
|
err("Invalid port specifier %s", optarg);
|
|
|
|
return -EINVAL;
|
|
|
|
}
|
|
|
|
|
|
|
|
p = optarg;
|
|
|
|
do {
|
|
|
|
int i, port;
|
|
|
|
|
2021-10-14 03:08:54 +02:00
|
|
|
errno = 0;
|
2021-08-12 15:42:43 +02:00
|
|
|
port = strtol(p, &sep, 10);
|
|
|
|
if (sep == p)
|
|
|
|
break;
|
|
|
|
|
|
|
|
if (port < 0 || port > USHRT_MAX || errno)
|
|
|
|
goto bad;
|
|
|
|
|
|
|
|
/* -p 22
|
|
|
|
* ^ start_src end_src == start_dst == end_dst == -1
|
|
|
|
*
|
|
|
|
* -p 22-25
|
|
|
|
* | ^ end_src
|
|
|
|
* ` start_src start_dst == end_dst == -1
|
|
|
|
*
|
|
|
|
* -p 80:8080
|
|
|
|
* | ^ start_dst
|
|
|
|
* ` start_src end_src == end_dst == -1
|
|
|
|
*
|
|
|
|
* -p 22-80:8022-8080
|
|
|
|
* | | | ^ end_dst
|
|
|
|
* | | ` start_dst
|
|
|
|
* | ` end_dst
|
|
|
|
* ` start_src
|
|
|
|
*/
|
|
|
|
switch (*sep) {
|
|
|
|
case '-':
|
|
|
|
if (start_src == -1) { /* 22-... */
|
|
|
|
start_src = port;
|
|
|
|
} else {
|
|
|
|
if (!end_src) /* 22:8022-8080 */
|
|
|
|
goto bad;
|
|
|
|
start_dst = port; /* 22-80:8022-... */
|
|
|
|
}
|
|
|
|
break;
|
|
|
|
case ':':
|
|
|
|
if (start_src == -1) /* 80:... */
|
|
|
|
start_src = end_src = port;
|
|
|
|
else if (end_src == -1) /* 22-80:... */
|
|
|
|
end_src = port;
|
|
|
|
else /* 22-80:8022:... */
|
|
|
|
goto bad;
|
|
|
|
break;
|
|
|
|
case ',':
|
|
|
|
case 0:
|
|
|
|
if (start_src == -1) /* 80 */
|
|
|
|
start_src = end_src = port;
|
|
|
|
else if (end_src == -1) /* 22-25 */
|
|
|
|
end_src = port;
|
|
|
|
else if (start_dst == -1) /* 80:8080 */
|
|
|
|
start_dst = end_dst = port;
|
|
|
|
else if (end_dst == -1) /* 22-80:8022-8080 */
|
|
|
|
end_dst = port;
|
|
|
|
else
|
|
|
|
goto bad;
|
|
|
|
|
|
|
|
if (start_src > end_src) /* 80-22 */
|
|
|
|
goto bad;
|
|
|
|
|
|
|
|
if (start_dst > end_dst) /* 22-80:8080:8022 */
|
|
|
|
goto bad;
|
|
|
|
|
|
|
|
if (end_dst != -1 &&
|
|
|
|
end_dst - start_dst != end_src - start_src)
|
|
|
|
goto bad; /* 22-81:8022:8080 */
|
|
|
|
|
|
|
|
for (i = start_src; i <= end_src; i++) {
|
|
|
|
if (bitmap_isset(map, i))
|
|
|
|
goto overlap;
|
|
|
|
|
|
|
|
bitmap_set(map, i);
|
|
|
|
|
|
|
|
if (start_dst == -1) /* 22 or 22-80 */
|
|
|
|
continue;
|
|
|
|
|
|
|
|
/* 80:8080 or 22-80:8080:8080 */
|
|
|
|
remap(i, (in_port_t)(start_dst - start_src));
|
|
|
|
}
|
|
|
|
|
|
|
|
start_src = end_src = start_dst = end_dst = -1;
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
p = sep + 1;
|
|
|
|
} while (*sep);
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
bad:
|
|
|
|
err("Invalid port specifier %s", optarg);
|
|
|
|
return -EINVAL;
|
|
|
|
|
|
|
|
overlap:
|
|
|
|
err("Overlapping port specifier %s", optarg);
|
|
|
|
return -EINVAL;
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
|
|
|
* get_dns() - Get nameserver addresses from local /etc/resolv.conf
|
|
|
|
* @c: Execution context
|
|
|
|
*/
|
|
|
|
static void get_dns(struct ctx *c)
|
|
|
|
{
|
2021-10-14 01:21:29 +02:00
|
|
|
int dns4_set, dns6_set, dnss_set, dns_set, fd;
|
2021-08-12 15:42:43 +02:00
|
|
|
struct in6_addr *dns6 = &c->dns6[0];
|
|
|
|
struct fqdn *s = c->dns_search;
|
|
|
|
uint32_t *dns4 = &c->dns4[0];
|
|
|
|
char buf[BUFSIZ], *p, *end;
|
|
|
|
|
2021-10-10 01:13:37 +02:00
|
|
|
dns4_set = !c->v4 || !!*dns4;
|
|
|
|
dns6_set = !c->v6 || !IN6_IS_ADDR_UNSPECIFIED(dns6);
|
2021-08-12 15:42:43 +02:00
|
|
|
dnss_set = !!*s->n || c->no_dns_search;
|
|
|
|
dns_set = dns4_set || dns6_set || c->no_dns;
|
|
|
|
|
|
|
|
if (dns_set && dnss_set)
|
|
|
|
return;
|
|
|
|
|
2021-10-14 01:21:29 +02:00
|
|
|
if ((fd = open("/etc/resolv.conf", O_RDONLY)) < 0)
|
2021-08-12 15:42:43 +02:00
|
|
|
goto out;
|
|
|
|
|
2021-10-20 00:01:35 +02:00
|
|
|
while (!(*buf = 0) && line_read(buf, BUFSIZ, fd)) {
|
2021-08-12 15:42:43 +02:00
|
|
|
if (!dns_set && strstr(buf, "nameserver ") == buf) {
|
|
|
|
p = strrchr(buf, ' ');
|
|
|
|
if (!p)
|
|
|
|
continue;
|
|
|
|
|
|
|
|
end = strpbrk(buf, "%\n");
|
|
|
|
if (end)
|
|
|
|
*end = 0;
|
|
|
|
|
2021-10-10 01:13:37 +02:00
|
|
|
if (!dns4_set &&
|
|
|
|
dns4 - &c->dns4[0] < ARRAY_SIZE(c->dns4) - 1 &&
|
2021-09-26 23:22:31 +02:00
|
|
|
inet_pton(AF_INET, p + 1, dns4)) {
|
2021-08-12 15:42:43 +02:00
|
|
|
dns4++;
|
2021-09-26 23:22:31 +02:00
|
|
|
*dns4 = 0;
|
|
|
|
}
|
2021-08-12 15:42:43 +02:00
|
|
|
|
2021-10-10 01:13:37 +02:00
|
|
|
if (!dns6_set &&
|
|
|
|
dns6 - &c->dns6[0] < ARRAY_SIZE(c->dns6) - 1 &&
|
2021-09-26 23:22:31 +02:00
|
|
|
inet_pton(AF_INET6, p + 1, dns6)) {
|
2021-08-12 15:42:43 +02:00
|
|
|
dns6++;
|
2021-09-26 23:22:31 +02:00
|
|
|
memset(dns6, 0, sizeof(*dns6));
|
|
|
|
}
|
2021-08-12 15:42:43 +02:00
|
|
|
} else if (!dnss_set && strstr(buf, "search ") == buf &&
|
|
|
|
s == c->dns_search) {
|
|
|
|
end = strpbrk(buf, "\n");
|
|
|
|
if (end)
|
|
|
|
*end = 0;
|
|
|
|
|
2021-10-19 19:18:04 +02:00
|
|
|
if (!strtok(buf, " \t"))
|
|
|
|
continue;
|
|
|
|
|
2021-09-26 23:22:31 +02:00
|
|
|
while (s - c->dns_search < ARRAY_SIZE(c->dns_search) - 1
|
|
|
|
&& (p = strtok(NULL, " \t"))) {
|
2021-08-12 15:42:43 +02:00
|
|
|
strncpy(s->n, p, sizeof(c->dns_search[0]));
|
|
|
|
s++;
|
2021-09-26 23:22:31 +02:00
|
|
|
*s->n = 0;
|
2021-08-12 15:42:43 +02:00
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2021-10-14 01:21:29 +02:00
|
|
|
close(fd);
|
2021-08-12 15:42:43 +02:00
|
|
|
|
|
|
|
out:
|
|
|
|
if (!dns_set && dns4 == c->dns4 && dns6 == c->dns6)
|
|
|
|
warn("Couldn't get any nameserver address");
|
|
|
|
}
|
|
|
|
|
2021-09-29 16:11:06 +02:00
|
|
|
/**
|
|
|
|
* conf_ns_check() - Check if we can enter configured namespaces
|
|
|
|
* @arg: Execution context
|
|
|
|
*
|
|
|
|
* Return: 0
|
|
|
|
*/
|
|
|
|
static int conf_ns_check(void *arg)
|
|
|
|
{
|
|
|
|
struct ctx *c = (struct ctx *)arg;
|
|
|
|
|
2022-01-25 20:08:00 +01:00
|
|
|
if ((!c->netns_only && setns(c->pasta_userns_fd, CLONE_NEWUSER)) ||
|
|
|
|
setns(c->pasta_netns_fd, CLONE_NEWNET))
|
2021-09-29 16:11:06 +02:00
|
|
|
c->pasta_userns_fd = c->pasta_netns_fd = -1;
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
|
|
|
* conf_ns_opt() - Open network, user namespaces descriptors from configuration
|
|
|
|
* @c: Execution context
|
|
|
|
* @nsdir: --nsrun-dir argument, can be an empty string
|
|
|
|
* @conf_userns: --userns argument, can be an empty string
|
|
|
|
* @optarg: PID, path or name of namespace
|
|
|
|
*
|
|
|
|
* Return: 0 on success, negative error code otherwise
|
|
|
|
*/
|
|
|
|
static int conf_ns_opt(struct ctx *c,
|
|
|
|
char *nsdir, char *conf_userns, const char *optarg)
|
|
|
|
{
|
2021-10-14 12:12:33 +02:00
|
|
|
int ufd = 0, nfd = 0, try, ret, netns_only_reset = c->netns_only;
|
2021-10-19 19:18:04 +02:00
|
|
|
char userns[PATH_MAX] = { 0 }, netns[PATH_MAX];
|
2021-09-29 16:11:06 +02:00
|
|
|
char *endptr;
|
|
|
|
pid_t pid;
|
|
|
|
|
|
|
|
if (c->netns_only && *conf_userns) {
|
|
|
|
err("Both --userns and --netns-only given");
|
|
|
|
return -EINVAL;
|
|
|
|
}
|
|
|
|
|
|
|
|
/* It might be a PID, a netns path, or a netns name */
|
|
|
|
for (try = 0; try < 3; try++) {
|
|
|
|
if (try == 0) {
|
|
|
|
pid = strtol(optarg, &endptr, 10);
|
|
|
|
if (*endptr || pid > INT_MAX)
|
|
|
|
continue;
|
|
|
|
|
|
|
|
if (!*conf_userns && !c->netns_only) {
|
|
|
|
ret = snprintf(userns, PATH_MAX,
|
|
|
|
"/proc/%i/ns/user", pid);
|
|
|
|
if (ret <= 0 || ret > (int)sizeof(userns))
|
|
|
|
continue;
|
|
|
|
}
|
|
|
|
ret = snprintf(netns, PATH_MAX, "/proc/%i/ns/net", pid);
|
|
|
|
if (ret <= 0 || ret > (int)sizeof(netns))
|
|
|
|
continue;
|
|
|
|
} else if (try == 1) {
|
|
|
|
if (!*conf_userns)
|
|
|
|
c->netns_only = 1;
|
|
|
|
|
|
|
|
ret = snprintf(netns, PATH_MAX, "%s", optarg);
|
|
|
|
if (ret <= 0 || ret > (int)sizeof(userns))
|
|
|
|
continue;
|
|
|
|
} else if (try == 2) {
|
|
|
|
ret = snprintf(netns, PATH_MAX, "%s/%s",
|
|
|
|
*nsdir ? nsdir : NETNS_RUN_DIR, optarg);
|
|
|
|
if (ret <= 0 || ret > (int)sizeof(netns))
|
|
|
|
continue;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (!c->netns_only) {
|
|
|
|
if (*conf_userns)
|
|
|
|
ufd = open(conf_userns, O_RDONLY);
|
|
|
|
else if (*userns)
|
|
|
|
ufd = open(userns, O_RDONLY);
|
|
|
|
}
|
|
|
|
|
|
|
|
nfd = open(netns, O_RDONLY);
|
|
|
|
|
|
|
|
if (nfd >= 0 && ufd >= 0) {
|
|
|
|
c->pasta_netns_fd = nfd;
|
|
|
|
c->pasta_userns_fd = ufd;
|
|
|
|
|
|
|
|
NS_CALL(conf_ns_check, c);
|
|
|
|
if (c->pasta_netns_fd >= 0)
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (nfd > 0)
|
|
|
|
close(nfd);
|
|
|
|
|
|
|
|
if (ufd > 0)
|
|
|
|
close(ufd);
|
|
|
|
}
|
|
|
|
|
2021-10-14 12:12:33 +02:00
|
|
|
c->netns_only = netns_only_reset;
|
|
|
|
|
2021-09-29 16:11:06 +02:00
|
|
|
return -ENOENT;
|
|
|
|
}
|
|
|
|
|
2021-10-11 12:01:31 +02:00
|
|
|
/**
|
|
|
|
* conf_ip() - Verify or detect IPv4/IPv6 support, get relevant addresses
|
|
|
|
* @c: Execution context
|
|
|
|
*/
|
|
|
|
static void conf_ip(struct ctx *c)
|
|
|
|
{
|
|
|
|
int v4, v6;
|
|
|
|
|
|
|
|
if (c->v4) {
|
|
|
|
c->v4 = IP_VERSION_ENABLED;
|
|
|
|
v4 = IP_VERSION_PROBE;
|
|
|
|
v6 = c->v6 = IP_VERSION_DISABLED;
|
|
|
|
} else if (c->v6) {
|
|
|
|
c->v6 = IP_VERSION_ENABLED;
|
|
|
|
v6 = IP_VERSION_PROBE;
|
|
|
|
v4 = c->v4 = IP_VERSION_DISABLED;
|
|
|
|
} else {
|
|
|
|
c->v4 = c->v6 = IP_VERSION_ENABLED;
|
|
|
|
v4 = v6 = IP_VERSION_PROBE;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (!c->ifi)
|
|
|
|
c->ifi = nl_get_ext_if(&v4, &v6);
|
|
|
|
|
|
|
|
if (v4 != IP_VERSION_DISABLED) {
|
|
|
|
if (!c->gw4)
|
|
|
|
nl_route(0, c->ifi, AF_INET, &c->gw4);
|
|
|
|
|
|
|
|
if (!c->addr4) {
|
2021-10-19 09:01:27 +02:00
|
|
|
int mask_len = 0;
|
|
|
|
|
|
|
|
nl_addr(0, c->ifi, AF_INET, &c->addr4, &mask_len, NULL);
|
|
|
|
c->mask4 = htonl(0xffffffff << (32 - mask_len));
|
|
|
|
|
2021-10-11 12:01:31 +02:00
|
|
|
if (!c->mask4) {
|
|
|
|
if (IN_CLASSA(ntohl(c->addr4)))
|
|
|
|
c->mask4 = htonl(IN_CLASSA_NET);
|
|
|
|
else if (IN_CLASSB(ntohl(c->addr4)))
|
|
|
|
c->mask4 = htonl(IN_CLASSB_NET);
|
|
|
|
else if (IN_CLASSC(ntohl(c->addr4)))
|
|
|
|
c->mask4 = htonl(IN_CLASSC_NET);
|
|
|
|
else
|
|
|
|
c->mask4 = 0xffffffff;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
memcpy(&c->addr4_seen, &c->addr4, sizeof(c->addr4_seen));
|
|
|
|
|
|
|
|
if (!memcmp(c->mac, MAC_ZERO, ETH_ALEN))
|
2021-10-14 13:05:56 +02:00
|
|
|
nl_link(0, c->ifi, c->mac, 0, 0);
|
2021-10-11 12:01:31 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
if (c->mode == MODE_PASST)
|
|
|
|
memset(&c->mac_guest, 0xff, sizeof(c->mac_guest));
|
|
|
|
|
|
|
|
if (v6 != IP_VERSION_DISABLED) {
|
2021-10-19 09:01:27 +02:00
|
|
|
int prefix_len = 0;
|
|
|
|
|
2021-10-11 12:01:31 +02:00
|
|
|
if (IN6_IS_ADDR_UNSPECIFIED(&c->gw6))
|
|
|
|
nl_route(0, c->ifi, AF_INET6, &c->gw6);
|
|
|
|
|
|
|
|
nl_addr(0, c->ifi, AF_INET6,
|
|
|
|
IN6_IS_ADDR_UNSPECIFIED(&c->addr6) ? &c->addr6 : NULL,
|
2021-10-19 09:01:27 +02:00
|
|
|
&prefix_len, &c->addr6_ll);
|
2021-10-11 12:01:31 +02:00
|
|
|
|
|
|
|
memcpy(&c->addr6_seen, &c->addr6, sizeof(c->addr4_seen));
|
|
|
|
memcpy(&c->addr6_ll_seen, &c->addr6, sizeof(c->addr4_seen));
|
|
|
|
}
|
|
|
|
|
|
|
|
if (!c->gw4 || !c->addr4 ||
|
|
|
|
!memcmp(c->mac, ((uint8_t [ETH_ALEN]){ 0 }), ETH_ALEN))
|
|
|
|
v4 = IP_VERSION_DISABLED;
|
|
|
|
else
|
|
|
|
v4 = IP_VERSION_ENABLED;
|
|
|
|
|
|
|
|
if (IN6_IS_ADDR_UNSPECIFIED(&c->gw6) ||
|
|
|
|
IN6_IS_ADDR_UNSPECIFIED(&c->addr6) ||
|
|
|
|
IN6_IS_ADDR_UNSPECIFIED(&c->addr6_ll))
|
|
|
|
v6 = IP_VERSION_DISABLED;
|
|
|
|
else
|
|
|
|
v6 = IP_VERSION_ENABLED;
|
|
|
|
|
|
|
|
if ((v4 == IP_VERSION_DISABLED) && (v6 == IP_VERSION_DISABLED)) {
|
|
|
|
err("External interface not usable");
|
|
|
|
exit(EXIT_FAILURE);
|
|
|
|
}
|
|
|
|
|
|
|
|
c->v4 = v4;
|
|
|
|
c->v6 = v6;
|
|
|
|
}
|
|
|
|
|
2021-08-12 15:42:43 +02:00
|
|
|
/**
|
|
|
|
* usage() - Print usage and exit
|
|
|
|
* @name: Executable name
|
|
|
|
*/
|
|
|
|
static void usage(const char *name)
|
|
|
|
{
|
|
|
|
if (strstr(name, "pasta") || strstr(name, "passt4netns")) {
|
2021-09-29 16:11:06 +02:00
|
|
|
info("Usage: %s [OPTION]... [PID|PATH|NAME]", name);
|
2021-08-12 15:42:43 +02:00
|
|
|
info("");
|
2021-09-29 16:11:06 +02:00
|
|
|
info("Without PID|PATH|NAME, run the default shell in a new");
|
|
|
|
info("network and user namespace, and connect it via pasta.");
|
2021-08-12 15:42:43 +02:00
|
|
|
} else {
|
|
|
|
info("Usage: %s [OPTION]...", name);
|
|
|
|
}
|
|
|
|
info("");
|
|
|
|
|
|
|
|
info( " -d, --debug Be verbose, don't run in background");
|
|
|
|
info( " -q, --quiet Don't print informational messages");
|
|
|
|
info( " -f, --foreground Don't run in background");
|
|
|
|
info( " default: run in background if started from a TTY");
|
|
|
|
info( " -e, --stderr Log to stderr too");
|
|
|
|
info( " default: log to system logger only if started from a TTY");
|
|
|
|
info( " -h, --help Display this help message and exit");
|
|
|
|
|
|
|
|
if (strstr(name, "pasta") || strstr(name, "passt4netns")) {
|
|
|
|
info( " -I, --ns-ifname NAME namespace interface name");
|
|
|
|
info( " default: same interface name as external one");
|
|
|
|
} else {
|
|
|
|
info( " -s, --socket PATH UNIX domain socket path");
|
|
|
|
info( " default: probe free path starting from "
|
|
|
|
UNIX_SOCK_PATH, 1);
|
|
|
|
}
|
|
|
|
|
|
|
|
info( " -p, --pcap [FILE] Log tap-facing traffic to pcap file");
|
|
|
|
info( " if FILE is not given, log to:");
|
|
|
|
|
|
|
|
if (strstr(name, "pasta") || strstr(name, "passt4netns"))
|
2021-08-19 19:46:01 +02:00
|
|
|
info(" /tmp/pasta_ISO8601-TIMESTAMP_INSTANCE-NUMBER.pcap");
|
2021-08-12 15:42:43 +02:00
|
|
|
else
|
2021-08-19 19:46:01 +02:00
|
|
|
info(" /tmp/passt_ISO8601-TIMESTAMP_INSTANCE-NUMBER.pcap");
|
2021-08-12 15:42:43 +02:00
|
|
|
|
2021-10-14 12:17:47 +02:00
|
|
|
info( " -P, --pid FILE Write own PID to the given file");
|
2021-08-12 15:42:43 +02:00
|
|
|
info( " -m, --mtu MTU Assign MTU via DHCP/NDP");
|
2021-09-07 11:19:57 +02:00
|
|
|
info( " a zero value disables assignment");
|
|
|
|
info( " default: 65520: maximum 802.3 MTU minus 802.3 header");
|
|
|
|
info( " length, rounded to 32 bits (IPv4 words)");
|
2021-08-12 15:42:43 +02:00
|
|
|
info( " -a, --address ADDR Assign IPv4 or IPv6 address ADDR");
|
|
|
|
info( " can be specified zero to two times (for IPv4 and IPv6)");
|
|
|
|
info( " default: use addresses from interface with default route");
|
|
|
|
info( " -n, --netmask MASK Assign IPv4 MASK, dot-decimal or bits");
|
|
|
|
info( " default: netmask from matching address on the host");
|
|
|
|
info( " -M, --mac-addr ADDR Use source MAC address ADDR");
|
|
|
|
info( " default: MAC address from interface with default route");
|
|
|
|
info( " -g, --gateway ADDR Pass IPv4 or IPv6 address as gateway");
|
|
|
|
info( " default: gateway from interface with default route");
|
|
|
|
info( " -i, --interface NAME Interface for addresses and routes");
|
|
|
|
info( " default: interface with first default route");
|
|
|
|
info( " -D, --dns ADDR Pass IPv4 or IPv6 address as DNS");
|
|
|
|
info( " can be specified multiple times");
|
|
|
|
info( " a single, empty option disables DNS information");
|
|
|
|
if (strstr(name, "pasta") || strstr(name, "passt4netns"))
|
|
|
|
info( " default: don't send any addresses");
|
|
|
|
else
|
|
|
|
info( " default: use addresses from /etc/resolv.conf");
|
|
|
|
|
|
|
|
info( " -S, --search LIST Space-separated list, search domains");
|
|
|
|
info( " a single, empty option disables the DNS search list");
|
|
|
|
if (strstr(name, "pasta") || strstr(name, "passt4netns"))
|
|
|
|
info( " default: don't send any search list");
|
|
|
|
else
|
|
|
|
info( " default: use search list from /etc/resolv.conf");
|
|
|
|
|
|
|
|
info( " --no-tcp Disable TCP protocol handler");
|
|
|
|
info( " --no-udp Disable UDP protocol handler");
|
|
|
|
info( " --no-icmp Disable ICMP/ICMPv6 protocol handler");
|
|
|
|
info( " --no-dhcp Disable DHCP server");
|
|
|
|
info( " --no-ndp Disable NDP responses");
|
|
|
|
info( " --no-dhcpv6 Disable DHCPv6 server");
|
|
|
|
info( " --no-ra Disable router advertisements");
|
2021-10-14 05:26:37 +02:00
|
|
|
info( " --no-map-gw Don't map gateway address to host");
|
2021-08-12 15:42:43 +02:00
|
|
|
info( " -4, --ipv4-only Enable IPv4 operation only");
|
|
|
|
info( " -6, --ipv6-only Enable IPv6 operation only");
|
|
|
|
|
|
|
|
if (strstr(name, "pasta") || strstr(name, "passt4netns"))
|
2021-09-29 16:11:06 +02:00
|
|
|
goto pasta_opts;
|
2021-08-12 15:42:43 +02:00
|
|
|
|
|
|
|
info( " -t, --tcp-ports SPEC TCP port forwarding to guest");
|
|
|
|
info( " can be specified multiple times");
|
|
|
|
info( " SPEC can be:");
|
|
|
|
info( " 'none': don't forward any ports");
|
|
|
|
info( " 'all': forward all unbound, non-ephemeral ports");
|
2021-08-19 19:46:01 +02:00
|
|
|
info( " a comma-separated list, optionally ranged with '-'");
|
2021-08-12 15:42:43 +02:00
|
|
|
info( " and optional target ports after ':'. Examples:");
|
|
|
|
info( " -t 22 Forward local port 22 to 22 on guest");
|
|
|
|
info( " -t 22:23 Forward local port 22 to 23 on guest");
|
|
|
|
info( " -t 22,25 Forward ports 22, 25 to ports 22, 25");
|
|
|
|
info( " -t 22-80 Forward ports 22 to 80");
|
|
|
|
info( " -t 22-80:32-90 Forward ports 22 to 80 to");
|
|
|
|
info( " corresponding port numbers plus 10");
|
|
|
|
info( " default: none");
|
|
|
|
info( " -u, --udp-ports SPEC UDP port forwarding to guest");
|
|
|
|
info( " SPEC is as described for TCP above");
|
|
|
|
info( " default: none");
|
|
|
|
|
|
|
|
exit(EXIT_FAILURE);
|
|
|
|
|
2021-09-29 16:11:06 +02:00
|
|
|
pasta_opts:
|
2021-08-12 15:42:43 +02:00
|
|
|
info( " -t, --tcp-ports SPEC TCP port forwarding to namespace");
|
|
|
|
info( " can be specified multiple times");
|
|
|
|
info( " SPEC can be:");
|
|
|
|
info( " 'none': don't forward any ports");
|
|
|
|
info( " 'auto': forward all ports currently bound in namespace");
|
2021-08-19 19:46:01 +02:00
|
|
|
info( " a comma-separated list, optionally ranged with '-'");
|
2021-08-12 15:42:43 +02:00
|
|
|
info( " and optional target ports after ':'. Examples:");
|
|
|
|
info( " -t 22 Forward local port 22 to port 22 in netns");
|
|
|
|
info( " -t 22:23 Forward local port 22 to port 23");
|
|
|
|
info( " -t 22,25 Forward ports 22, 25 to ports 22, 25");
|
|
|
|
info( " -t 22-80 Forward ports 22 to 80");
|
|
|
|
info( " -t 22-80:32-90 Forward ports 22 to 80 to");
|
|
|
|
info( " corresponding port numbers plus 10");
|
|
|
|
info( " default: auto");
|
|
|
|
info( " IPv6 bound ports are also forwarded for IPv4");
|
|
|
|
info( " -u, --udp-ports SPEC UDP port forwarding to namespace");
|
|
|
|
info( " SPEC is as described for TCP above");
|
|
|
|
info( " default: auto");
|
2021-09-07 11:28:57 +02:00
|
|
|
info( " IPv6 bound ports are also forwarded for IPv4");
|
|
|
|
info( " unless specified, with '-t auto', UDP ports with numbers");
|
|
|
|
info( " corresponding to forwarded TCP port numbers are");
|
|
|
|
info( " forwarded too");
|
2021-08-12 15:42:43 +02:00
|
|
|
info( " -T, --tcp-ns SPEC TCP port forwarding to init namespace");
|
|
|
|
info( " SPEC is as described above");
|
|
|
|
info( " default: auto");
|
|
|
|
info( " -U, --udp-ns SPEC UDP port forwarding to init namespace");
|
|
|
|
info( " SPEC is as described above");
|
|
|
|
info( " default: auto");
|
2021-09-29 16:11:06 +02:00
|
|
|
info( " --userns NSPATH Target user namespace to join");
|
|
|
|
info( " --netns-only Don't join or create user namespace");
|
|
|
|
info( " implied if PATH or NAME are given without --userns");
|
|
|
|
info( " --nsrun-dir Directory for nsfs mountpoints");
|
|
|
|
info( " default: " NETNS_RUN_DIR);
|
2021-10-11 12:01:31 +02:00
|
|
|
info( " --config-net Configure tap interface in namespace");
|
|
|
|
info( " --ns-mac-addr ADDR Set MAC address on tap interface");
|
2021-08-12 15:42:43 +02:00
|
|
|
|
|
|
|
exit(EXIT_FAILURE);
|
|
|
|
}
|
|
|
|
|
|
|
|
void conf_print(struct ctx *c)
|
|
|
|
{
|
2021-10-21 09:41:13 +02:00
|
|
|
char buf4[INET_ADDRSTRLEN], ifn[IFNAMSIZ];
|
2021-08-12 15:42:43 +02:00
|
|
|
int i;
|
|
|
|
|
|
|
|
if (c->mode == MODE_PASTA) {
|
|
|
|
info("Outbound interface: %s, namespace interface: %s",
|
2021-10-11 12:01:31 +02:00
|
|
|
if_indextoname(c->ifi, ifn), c->pasta_ifn);
|
2021-08-12 15:42:43 +02:00
|
|
|
} else {
|
2021-10-11 12:01:31 +02:00
|
|
|
info("Outbound interface: %s", if_indextoname(c->ifi, ifn));
|
2021-08-12 15:42:43 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
if (c->v4) {
|
|
|
|
info("ARP:");
|
|
|
|
info(" address: %02x:%02x:%02x:%02x:%02x:%02x",
|
|
|
|
c->mac[0], c->mac[1], c->mac[2],
|
|
|
|
c->mac[3], c->mac[4], c->mac[5]);
|
|
|
|
|
|
|
|
if (!c->no_dhcp) {
|
|
|
|
info("DHCP:");
|
|
|
|
info(" assign: %s",
|
|
|
|
inet_ntop(AF_INET, &c->addr4, buf4, sizeof(buf4)));
|
|
|
|
info(" mask: %s",
|
|
|
|
inet_ntop(AF_INET, &c->mask4, buf4, sizeof(buf4)));
|
|
|
|
info(" router: %s",
|
|
|
|
inet_ntop(AF_INET, &c->gw4, buf4, sizeof(buf4)));
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
if (!c->no_dns && !(c->no_dhcp && c->no_ndp && c->no_dhcpv6)) {
|
|
|
|
for (i = 0; c->dns4[i]; i++) {
|
|
|
|
if (!i)
|
|
|
|
info(" DNS:");
|
|
|
|
inet_ntop(AF_INET, &c->dns4[i], buf4, sizeof(buf4));
|
|
|
|
info(" %s", buf4);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
if (!c->no_dns_search && !(c->no_dhcp && c->no_ndp && c->no_dhcpv6)) {
|
|
|
|
for (i = 0; *c->dns_search[i].n; i++) {
|
|
|
|
if (!i)
|
|
|
|
info(" search:");
|
|
|
|
info(" %s", c->dns_search[i].n);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
if (c->v6) {
|
2021-10-21 09:41:13 +02:00
|
|
|
char buf6[INET6_ADDRSTRLEN];
|
|
|
|
|
2021-08-12 15:42:43 +02:00
|
|
|
if (!c->no_ndp && !c->no_dhcpv6)
|
|
|
|
info("NDP/DHCPv6:");
|
|
|
|
else if (!c->no_ndp)
|
|
|
|
info("DHCPv6:");
|
|
|
|
else if (!c->no_dhcpv6)
|
|
|
|
info("NDP:");
|
|
|
|
else
|
|
|
|
return;
|
|
|
|
|
|
|
|
info(" assign: %s",
|
|
|
|
inet_ntop(AF_INET6, &c->addr6, buf6, sizeof(buf6)));
|
|
|
|
info(" router: %s",
|
|
|
|
inet_ntop(AF_INET6, &c->gw6, buf6, sizeof(buf6)));
|
2021-10-10 01:09:25 +02:00
|
|
|
info(" our link-local: %s",
|
|
|
|
inet_ntop(AF_INET6, &c->addr6_ll, buf6, sizeof(buf6)));
|
2021-08-12 15:42:43 +02:00
|
|
|
|
|
|
|
for (i = 0; !IN6_IS_ADDR_UNSPECIFIED(&c->dns6[i]); i++) {
|
|
|
|
if (!i)
|
|
|
|
info(" DNS:");
|
|
|
|
inet_ntop(AF_INET6, &c->dns6[i], buf6, sizeof(buf6));
|
|
|
|
info(" %s", buf6);
|
|
|
|
}
|
|
|
|
|
|
|
|
for (i = 0; *c->dns_search[i].n; i++) {
|
|
|
|
if (!i)
|
|
|
|
info(" search:");
|
|
|
|
info(" %s", c->dns_search[i].n);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
|
|
|
* conf() - Process command-line arguments and set configuration
|
|
|
|
* @c: Execution context
|
|
|
|
* @argc: Argument count
|
|
|
|
* @argv: Options, plus target PID for pasta mode
|
|
|
|
*/
|
|
|
|
void conf(struct ctx *c, int argc, char **argv)
|
|
|
|
{
|
|
|
|
struct option options[] = {
|
|
|
|
{"debug", no_argument, NULL, 'd' },
|
2021-10-07 04:07:59 +02:00
|
|
|
{"quiet", no_argument, NULL, 'q' },
|
2021-08-12 15:42:43 +02:00
|
|
|
{"foreground", no_argument, NULL, 'f' },
|
2022-01-27 16:42:19 +01:00
|
|
|
{"stderr", no_argument, NULL, 'e' },
|
2021-08-12 15:42:43 +02:00
|
|
|
{"help", no_argument, NULL, 'h' },
|
|
|
|
{"socket", required_argument, NULL, 's' },
|
|
|
|
{"ns-ifname", required_argument, NULL, 'I' },
|
|
|
|
{"pcap", optional_argument, NULL, 'p' },
|
2021-10-14 12:17:47 +02:00
|
|
|
{"pid", required_argument, NULL, 'P' },
|
2021-08-12 15:42:43 +02:00
|
|
|
{"mtu", required_argument, NULL, 'm' },
|
|
|
|
{"address", required_argument, NULL, 'a' },
|
|
|
|
{"netmask", required_argument, NULL, 'n' },
|
|
|
|
{"mac-addr", required_argument, NULL, 'M' },
|
|
|
|
{"gateway", required_argument, NULL, 'g' },
|
|
|
|
{"interface", required_argument, NULL, 'i' },
|
|
|
|
{"dns", optional_argument, NULL, 'D' },
|
|
|
|
{"search", optional_argument, NULL, 'S' },
|
|
|
|
{"no-tcp", no_argument, &c->no_tcp, 1 },
|
|
|
|
{"no-udp", no_argument, &c->no_udp, 1 },
|
|
|
|
{"no-icmp", no_argument, &c->no_icmp, 1 },
|
|
|
|
{"no-dhcp", no_argument, &c->no_dhcp, 1 },
|
|
|
|
{"no-dhcpv6", no_argument, &c->no_dhcpv6, 1 },
|
|
|
|
{"no-ndp", no_argument, &c->no_ndp, 1 },
|
|
|
|
{"no-ra", no_argument, &c->no_ra, 1 },
|
2021-10-14 05:26:37 +02:00
|
|
|
{"no-map-gw", no_argument, &c->no_map_gw, 1 },
|
2021-08-12 15:42:43 +02:00
|
|
|
{"ipv4-only", no_argument, &c->v4, '4' },
|
|
|
|
{"ipv6-only", no_argument, &c->v6, '6' },
|
|
|
|
{"tcp-ports", required_argument, NULL, 't' },
|
|
|
|
{"udp-ports", required_argument, NULL, 'u' },
|
|
|
|
{"tcp-ns", required_argument, NULL, 'T' },
|
|
|
|
{"udp-ns", required_argument, NULL, 'U' },
|
2021-09-29 16:11:06 +02:00
|
|
|
{"userns", required_argument, NULL, 2 },
|
|
|
|
{"netns-only", no_argument, &c->netns_only, 1 },
|
|
|
|
{"nsrun-dir", required_argument, NULL, 3 },
|
2021-10-11 12:01:31 +02:00
|
|
|
{"config-net", no_argument, &c->pasta_conf_ns, 1 },
|
|
|
|
{"ns-mac-addr", required_argument, NULL, 4 },
|
2021-08-12 15:42:43 +02:00
|
|
|
{ 0 },
|
|
|
|
};
|
|
|
|
struct get_bound_ports_ns_arg ns_ports_arg = { .c = c };
|
2021-09-29 16:11:06 +02:00
|
|
|
char nsdir[PATH_MAX] = { 0 }, userns[PATH_MAX] = { 0 };
|
2021-08-12 15:42:43 +02:00
|
|
|
enum conf_port_type tcp_tap = 0, tcp_init = 0;
|
|
|
|
enum conf_port_type udp_tap = 0, udp_init = 0;
|
|
|
|
struct fqdn *dnss = c->dns_search;
|
|
|
|
struct in6_addr *dns6 = c->dns6;
|
|
|
|
int name, ret, mask, b, i;
|
|
|
|
uint32_t *dns4 = c->dns4;
|
|
|
|
|
|
|
|
do {
|
2021-10-05 21:22:09 +02:00
|
|
|
enum conf_port_type *set = NULL;
|
2021-08-12 15:42:43 +02:00
|
|
|
const char *optstring;
|
|
|
|
|
|
|
|
if (c->mode == MODE_PASST)
|
2021-10-14 12:17:47 +02:00
|
|
|
optstring = "dqfehs:p::P:m:a:n:M:g:i:D::S::46t:u:";
|
2021-08-12 15:42:43 +02:00
|
|
|
else
|
2021-10-14 12:17:47 +02:00
|
|
|
optstring = "dqfehI:p::P:m:a:n:M:g:i:D::S::46t:u:T:U:";
|
2021-08-12 15:42:43 +02:00
|
|
|
|
|
|
|
name = getopt_long(argc, argv, optstring, options, NULL);
|
|
|
|
|
|
|
|
if ((name == 'p' || name == 'D' || name == 'S') && !optarg &&
|
|
|
|
optind < argc && *argv[optind] && *argv[optind] != '-') {
|
|
|
|
if (c->mode == MODE_PASTA) {
|
2021-09-29 16:11:06 +02:00
|
|
|
if (conf_ns_opt(c, nsdir, userns, argv[optind]))
|
2021-08-12 15:42:43 +02:00
|
|
|
optarg = argv[optind++];
|
|
|
|
} else {
|
|
|
|
optarg = argv[optind++];
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
switch (name) {
|
|
|
|
case -1:
|
|
|
|
case 0:
|
|
|
|
break;
|
2021-09-29 16:11:06 +02:00
|
|
|
case 2:
|
|
|
|
if (c->mode != MODE_PASTA) {
|
|
|
|
err("--userns is for pasta mode only");
|
|
|
|
usage(argv[0]);
|
|
|
|
}
|
|
|
|
|
|
|
|
ret = snprintf(userns, sizeof(userns), "%s", optarg);
|
|
|
|
if (ret <= 0 || ret >= (int)sizeof(userns)) {
|
|
|
|
err("Invalid userns: %s", optarg);
|
|
|
|
usage(argv[0]);
|
|
|
|
}
|
|
|
|
break;
|
|
|
|
case 3:
|
|
|
|
if (c->mode != MODE_PASTA) {
|
|
|
|
err("--nsrun-dir is for pasta mode only");
|
|
|
|
usage(argv[0]);
|
|
|
|
}
|
|
|
|
|
|
|
|
ret = snprintf(nsdir, sizeof(nsdir), "%s", optarg);
|
|
|
|
if (ret <= 0 || ret >= (int)sizeof(nsdir)) {
|
|
|
|
err("Invalid nsrun-dir: %s", optarg);
|
|
|
|
usage(argv[0]);
|
|
|
|
}
|
|
|
|
break;
|
2021-10-11 12:01:31 +02:00
|
|
|
case 4:
|
|
|
|
if (c->mode != MODE_PASTA) {
|
|
|
|
err("--ns-mac-addr is for pasta mode only");
|
|
|
|
usage(argv[0]);
|
|
|
|
}
|
|
|
|
|
|
|
|
for (i = 0; i < ETH_ALEN; i++) {
|
|
|
|
errno = 0;
|
|
|
|
b = strtol(optarg + i * 3, NULL, 16);
|
|
|
|
if (b < 0 || b > UCHAR_MAX || errno) {
|
|
|
|
err("Invalid MAC address: %s", optarg);
|
|
|
|
usage(argv[0]);
|
|
|
|
}
|
|
|
|
c->mac_guest[i] = b;
|
|
|
|
}
|
|
|
|
break;
|
2021-08-12 15:42:43 +02:00
|
|
|
case 'd':
|
|
|
|
if (c->debug) {
|
|
|
|
err("Multiple --debug options given");
|
|
|
|
usage(argv[0]);
|
|
|
|
}
|
|
|
|
|
|
|
|
if (c->quiet) {
|
|
|
|
err("Either --debug or --quiet");
|
|
|
|
usage(argv[0]);
|
|
|
|
}
|
|
|
|
|
|
|
|
c->debug = 1;
|
|
|
|
c->foreground = 1;
|
|
|
|
break;
|
2022-01-27 16:42:19 +01:00
|
|
|
case 'e':
|
|
|
|
if (c->stderr) {
|
|
|
|
err("Multiple --stderr options given");
|
|
|
|
usage(argv[0]);
|
|
|
|
}
|
|
|
|
|
|
|
|
c->stderr = 1;
|
|
|
|
break;
|
2021-08-12 15:42:43 +02:00
|
|
|
case 'q':
|
|
|
|
if (c->quiet) {
|
|
|
|
err("Multiple --quiet options given");
|
|
|
|
usage(argv[0]);
|
|
|
|
}
|
|
|
|
|
|
|
|
if (c->debug) {
|
|
|
|
err("Either --debug or --quiet");
|
|
|
|
usage(argv[0]);
|
|
|
|
}
|
|
|
|
|
|
|
|
c->quiet = 1;
|
|
|
|
break;
|
|
|
|
case 'f':
|
|
|
|
if (c->foreground && !c->debug) {
|
|
|
|
err("Multiple --foreground options given");
|
|
|
|
usage(argv[0]);
|
|
|
|
}
|
|
|
|
|
|
|
|
c->foreground = 1;
|
|
|
|
break;
|
|
|
|
case 's':
|
|
|
|
if (*c->sock_path) {
|
|
|
|
err("Multiple --socket options given");
|
|
|
|
usage(argv[0]);
|
|
|
|
}
|
|
|
|
|
|
|
|
ret = snprintf(c->sock_path, sizeof(c->sock_path), "%s",
|
|
|
|
optarg);
|
|
|
|
if (ret <= 0 || ret >= (int)sizeof(c->pcap)) {
|
|
|
|
err("Invalid socket path: %s", optarg);
|
|
|
|
usage(argv[0]);
|
|
|
|
}
|
|
|
|
break;
|
|
|
|
case 'I':
|
|
|
|
if (*c->pasta_ifn) {
|
|
|
|
err("Multiple --ns-ifname options given");
|
|
|
|
usage(argv[0]);
|
|
|
|
}
|
|
|
|
|
|
|
|
ret = snprintf(c->pasta_ifn, sizeof(c->pasta_ifn), "%s",
|
|
|
|
optarg);
|
|
|
|
if (ret <= 0 || ret >= (int)sizeof(c->pasta_ifn)) {
|
|
|
|
err("Invalid interface name: %s", optarg);
|
|
|
|
usage(argv[0]);
|
|
|
|
}
|
|
|
|
break;
|
|
|
|
case 'p':
|
|
|
|
if (*c->pcap) {
|
|
|
|
err("Multiple --pcap options given");
|
|
|
|
usage(argv[0]);
|
|
|
|
}
|
|
|
|
|
|
|
|
if (!optarg) {
|
|
|
|
*c->pcap = 1;
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
|
|
|
|
ret = snprintf(c->pcap, sizeof(c->pcap), "%s", optarg);
|
|
|
|
if (ret <= 0 || ret >= (int)sizeof(c->pcap)) {
|
|
|
|
err("Invalid pcap path: %s", optarg);
|
|
|
|
usage(argv[0]);
|
|
|
|
}
|
|
|
|
break;
|
2021-10-14 12:17:47 +02:00
|
|
|
case 'P':
|
|
|
|
if (*c->pid_file) {
|
|
|
|
err("Multiple --pid options given");
|
|
|
|
usage(argv[0]);
|
|
|
|
}
|
|
|
|
|
|
|
|
ret = snprintf(c->pid_file, sizeof(c->pid_file), "%s",
|
|
|
|
optarg);
|
|
|
|
if (ret <= 0 || ret >= (int)sizeof(c->pid_file)) {
|
|
|
|
err("Invalid PID file: %s", optarg);
|
|
|
|
usage(argv[0]);
|
|
|
|
}
|
|
|
|
break;
|
2021-08-12 15:42:43 +02:00
|
|
|
case 'm':
|
|
|
|
if (c->mtu) {
|
|
|
|
err("Multiple --mtu options given");
|
|
|
|
usage(argv[0]);
|
|
|
|
}
|
|
|
|
|
|
|
|
errno = 0;
|
|
|
|
c->mtu = strtol(optarg, NULL, 0);
|
2021-09-07 11:19:57 +02:00
|
|
|
|
|
|
|
if (!c->mtu) {
|
|
|
|
c->mtu = -1;
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
|
2021-08-12 15:42:43 +02:00
|
|
|
if (c->mtu < ETH_MIN_MTU || c->mtu > (int)ETH_MAX_MTU ||
|
|
|
|
errno) {
|
|
|
|
err("Invalid MTU: %s", optarg);
|
|
|
|
usage(argv[0]);
|
|
|
|
}
|
|
|
|
break;
|
|
|
|
case 'a':
|
|
|
|
if (IN6_IS_ADDR_UNSPECIFIED(&c->addr6) &&
|
|
|
|
inet_pton(AF_INET6, optarg, &c->addr6) &&
|
|
|
|
!IN6_IS_ADDR_UNSPECIFIED(&c->addr6) &&
|
|
|
|
!IN6_IS_ADDR_LOOPBACK(&c->addr6) &&
|
|
|
|
!IN6_IS_ADDR_V4MAPPED(&c->addr6) &&
|
|
|
|
!IN6_IS_ADDR_V4COMPAT(&c->addr6) &&
|
|
|
|
!IN6_IS_ADDR_MULTICAST(&c->addr6))
|
|
|
|
break;
|
|
|
|
|
|
|
|
if (c->addr4 == INADDR_ANY &&
|
|
|
|
inet_pton(AF_INET, optarg, &c->addr4) &&
|
|
|
|
c->addr4 != INADDR_ANY &&
|
|
|
|
c->addr4 != INADDR_BROADCAST &&
|
|
|
|
c->addr4 != INADDR_LOOPBACK &&
|
|
|
|
!IN_MULTICAST(c->addr4))
|
|
|
|
break;
|
|
|
|
|
|
|
|
err("Invalid address: %s", optarg);
|
|
|
|
usage(argv[0]);
|
|
|
|
break;
|
|
|
|
case 'n':
|
|
|
|
if (inet_pton(AF_INET, optarg, &c->mask4))
|
|
|
|
break;
|
|
|
|
|
|
|
|
errno = 0;
|
|
|
|
mask = strtol(optarg, NULL, 0);
|
2021-10-21 09:41:13 +02:00
|
|
|
if (mask > 0 && mask <= 32 && !errno) {
|
2021-08-12 15:42:43 +02:00
|
|
|
c->mask4 = htonl(0xffffffff << (32 - mask));
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
|
|
|
|
err("Invalid netmask: %s", optarg);
|
|
|
|
usage(argv[0]);
|
|
|
|
break;
|
|
|
|
case 'M':
|
|
|
|
for (i = 0; i < ETH_ALEN; i++) {
|
|
|
|
errno = 0;
|
|
|
|
b = strtol(optarg + i * 3, NULL, 16);
|
|
|
|
if (b < 0 || b > UCHAR_MAX || errno) {
|
|
|
|
err("Invalid MAC address: %s", optarg);
|
|
|
|
usage(argv[0]);
|
|
|
|
}
|
|
|
|
c->mac[i] = b;
|
|
|
|
}
|
|
|
|
break;
|
|
|
|
case 'g':
|
|
|
|
if (IN6_IS_ADDR_UNSPECIFIED(&c->gw6) &&
|
|
|
|
inet_pton(AF_INET6, optarg, &c->gw6) &&
|
|
|
|
!IN6_IS_ADDR_UNSPECIFIED(&c->gw6) &&
|
|
|
|
!IN6_IS_ADDR_LOOPBACK(&c->gw6))
|
|
|
|
break;
|
|
|
|
|
|
|
|
if (c->gw4 == INADDR_ANY &&
|
|
|
|
inet_pton(AF_INET, optarg, &c->gw4) &&
|
|
|
|
c->gw4 != INADDR_ANY &&
|
|
|
|
c->gw4 != INADDR_BROADCAST &&
|
|
|
|
c->gw4 != INADDR_LOOPBACK)
|
|
|
|
break;
|
|
|
|
|
|
|
|
err("Invalid gateway address: %s", optarg);
|
|
|
|
usage(argv[0]);
|
|
|
|
break;
|
|
|
|
case 'i':
|
2021-10-11 12:01:31 +02:00
|
|
|
if (c->ifi) {
|
2021-08-12 15:42:43 +02:00
|
|
|
err("Redundant interface: %s", optarg);
|
|
|
|
usage(argv[0]);
|
|
|
|
}
|
|
|
|
|
2021-10-11 12:01:31 +02:00
|
|
|
if (!(c->ifi = if_nametoindex(optarg))) {
|
|
|
|
err("Invalid interface name %s: %s", optarg,
|
|
|
|
strerror(errno));
|
|
|
|
usage(argv[0]);
|
|
|
|
}
|
2021-08-12 15:42:43 +02:00
|
|
|
break;
|
|
|
|
case 'D':
|
|
|
|
if (c->no_dns ||
|
|
|
|
(!optarg && (dns4 - c->dns4 || dns6 - c->dns6))) {
|
|
|
|
err("Empty and non-empty DNS options given");
|
|
|
|
usage(argv[0]);
|
|
|
|
}
|
|
|
|
|
|
|
|
if (!optarg) {
|
|
|
|
c->no_dns = 1;
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (dns4 - &c->dns4[0] < ARRAY_SIZE(c->dns4) &&
|
|
|
|
inet_pton(AF_INET, optarg, dns4)) {
|
|
|
|
dns4++;
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (dns6 - &c->dns6[0] < ARRAY_SIZE(c->dns6) &&
|
|
|
|
inet_pton(AF_INET6, optarg, dns6)) {
|
|
|
|
dns6++;
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
|
|
|
|
err("Cannot use DNS address %s", optarg);
|
|
|
|
usage(argv[0]);
|
|
|
|
break;
|
|
|
|
case 'S':
|
|
|
|
if (c->no_dns_search ||
|
|
|
|
(!optarg && dnss != c->dns_search)) {
|
|
|
|
err("Empty and non-empty DNS search given");
|
|
|
|
usage(argv[0]);
|
|
|
|
}
|
|
|
|
|
|
|
|
if (!optarg) {
|
|
|
|
c->no_dns_search = 1;
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (dnss - c->dns_search < ARRAY_SIZE(c->dns_search)) {
|
|
|
|
ret = snprintf(dnss->n, sizeof(*c->dns_search),
|
|
|
|
"%s", optarg);
|
|
|
|
dnss++;
|
|
|
|
|
|
|
|
if (ret > 0 &&
|
|
|
|
ret < (int)sizeof(*c->dns_search))
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
|
|
|
|
err("Cannot use DNS search domain %s", optarg);
|
|
|
|
usage(argv[0]);
|
|
|
|
break;
|
|
|
|
case '4':
|
|
|
|
c->v4 = 1;
|
|
|
|
break;
|
|
|
|
case '6':
|
|
|
|
c->v6 = 1;
|
|
|
|
break;
|
|
|
|
case 't':
|
|
|
|
case 'u':
|
|
|
|
case 'T':
|
|
|
|
case 'U':
|
|
|
|
if (name == 't')
|
|
|
|
set = &tcp_tap;
|
|
|
|
else if (name == 'T')
|
|
|
|
set = &tcp_init;
|
|
|
|
else if (name == 'u')
|
|
|
|
set = &udp_tap;
|
|
|
|
else if (name == 'U')
|
|
|
|
set = &udp_init;
|
|
|
|
|
|
|
|
if (conf_ports(c, name, optarg, set))
|
|
|
|
usage(argv[0]);
|
|
|
|
|
|
|
|
break;
|
2021-10-20 00:05:11 +02:00
|
|
|
case '?':
|
|
|
|
case 'h':
|
|
|
|
default:
|
|
|
|
usage(argv[0]);
|
|
|
|
break;
|
2021-08-12 15:42:43 +02:00
|
|
|
}
|
|
|
|
} while (name != -1);
|
|
|
|
|
|
|
|
if (c->mode == MODE_PASTA && optind + 1 == argc) {
|
2021-09-29 16:11:06 +02:00
|
|
|
ret = conf_ns_opt(c, nsdir, userns, argv[optind]);
|
|
|
|
if (ret == -ENOENT)
|
|
|
|
err("Namespace %s not found", argv[optind]);
|
|
|
|
if (ret < 0)
|
2021-08-12 15:42:43 +02:00
|
|
|
usage(argv[0]);
|
2021-09-29 16:11:06 +02:00
|
|
|
} else if (c->mode == MODE_PASTA && *userns && optind == argc) {
|
|
|
|
err("--userns requires PID, PATH or NAME");
|
|
|
|
usage(argv[0]);
|
2021-08-12 15:42:43 +02:00
|
|
|
} else if (optind != argc) {
|
|
|
|
usage(argv[0]);
|
|
|
|
}
|
|
|
|
|
|
|
|
if (c->v4 && c->v6) {
|
|
|
|
err("Options ipv4-only and ipv6-only are mutually exclusive");
|
|
|
|
usage(argv[0]);
|
|
|
|
}
|
|
|
|
|
2021-10-15 17:07:16 +02:00
|
|
|
if (c->mode == MODE_PASTA && c->pasta_netns_fd <= 0)
|
2021-10-11 12:01:31 +02:00
|
|
|
pasta_start_ns(c);
|
2021-08-12 15:42:43 +02:00
|
|
|
|
2021-10-11 12:01:31 +02:00
|
|
|
if (nl_sock_init(c)) {
|
|
|
|
err("Failed to get netlink socket");
|
|
|
|
exit(EXIT_FAILURE);
|
2021-08-12 15:42:43 +02:00
|
|
|
}
|
|
|
|
|
2021-10-11 12:01:31 +02:00
|
|
|
conf_ip(c);
|
|
|
|
|
|
|
|
if (!c->v4)
|
|
|
|
c->no_dhcp = 1;
|
|
|
|
|
|
|
|
if (!c->v6) {
|
|
|
|
c->no_ndp = 1;
|
|
|
|
c->no_dhcpv6 = 1;
|
2021-09-07 11:19:57 +02:00
|
|
|
}
|
|
|
|
|
2021-10-11 12:01:31 +02:00
|
|
|
if (!c->mtu)
|
|
|
|
c->mtu = ROUND_DOWN(ETH_MAX_MTU - ETH_HLEN, sizeof(uint32_t));
|
2021-08-12 15:42:43 +02:00
|
|
|
|
|
|
|
if (c->mode == MODE_PASTA && dns4 == c->dns4 && dns6 == c->dns6)
|
|
|
|
c->no_dns = 1;
|
|
|
|
if (c->mode == MODE_PASTA && dnss == c->dns_search)
|
|
|
|
c->no_dns_search = 1;
|
|
|
|
get_dns(c);
|
|
|
|
|
|
|
|
if (!*c->pasta_ifn)
|
2021-10-11 12:01:31 +02:00
|
|
|
if_indextoname(c->ifi, c->pasta_ifn);
|
2021-08-12 15:42:43 +02:00
|
|
|
|
2021-09-01 15:58:17 +02:00
|
|
|
#ifdef PASST_LEGACY_NO_OPTIONS
|
|
|
|
if (c->mode == MODE_PASST) {
|
|
|
|
c->foreground = 1;
|
|
|
|
c->stderr = 1;
|
|
|
|
|
|
|
|
if (!tcp_tap) {
|
|
|
|
memset(c->tcp.port_to_tap, 0xff,
|
|
|
|
PORT_EPHEMERAL_MIN / 8);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
#endif
|
|
|
|
|
2021-09-27 05:24:30 +02:00
|
|
|
c->tcp.ns_detect_ports = c->udp.ns_detect_ports = 0;
|
|
|
|
c->tcp.init_detect_ports = c->udp.init_detect_ports = 0;
|
|
|
|
|
2021-08-12 15:42:43 +02:00
|
|
|
if (c->mode == MODE_PASTA) {
|
|
|
|
if (!tcp_tap || tcp_tap == PORT_AUTO) {
|
2021-09-27 05:24:30 +02:00
|
|
|
c->tcp.ns_detect_ports = 1;
|
2021-08-12 15:42:43 +02:00
|
|
|
ns_ports_arg.proto = IPPROTO_TCP;
|
|
|
|
NS_CALL(get_bound_ports_ns, &ns_ports_arg);
|
|
|
|
}
|
|
|
|
if (!udp_tap || udp_tap == PORT_AUTO) {
|
2021-09-27 05:24:30 +02:00
|
|
|
c->udp.ns_detect_ports = 1;
|
2021-08-12 15:42:43 +02:00
|
|
|
ns_ports_arg.proto = IPPROTO_UDP;
|
|
|
|
NS_CALL(get_bound_ports_ns, &ns_ports_arg);
|
|
|
|
}
|
2021-09-27 05:24:30 +02:00
|
|
|
if (!tcp_init || tcp_init == PORT_AUTO) {
|
|
|
|
c->tcp.init_detect_ports = 1;
|
|
|
|
get_bound_ports(c, 0, IPPROTO_TCP);
|
|
|
|
}
|
|
|
|
if (!udp_init || udp_init == PORT_AUTO) {
|
|
|
|
c->udp.init_detect_ports = 1;
|
|
|
|
get_bound_ports(c, 0, IPPROTO_UDP);
|
|
|
|
}
|
2021-08-12 15:42:43 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
conf_print(c);
|
|
|
|
}
|