sanebox: pasta/bwrap: route DNS to the host's server if asked (via --sanebox-dns host)

2024-07-21 23:13:03 +00:00
parent f123be98b2
commit c0d1f7711a


@@ -125,7 +125,7 @@ usage() {
echo ' --sanebox-pasta-arg <arg>'
echo ' --sanebox-net-dev <iface>|all'
echo ' --sanebox-net-gateway <ip-address>'
echo ' --sanebox-dns <server>'
echo ' --sanebox-dns <server>|host'
echo ' --sanebox-keep-namespace <cgroup|ipc|pid|uts|all>'
echo ' do not unshare the provided linux namespace'
echo ' --sanebox-path <path>'
@@ -858,6 +858,7 @@ capshonlyGetCli() {
pastaArgs=()
pastaNetSetup=
pastaOutboundPorts=()
pastaonlySetup() {
debug "pastaonlySetup: noop"
}
@@ -878,10 +879,21 @@ pastaonlyIngestNetGateway() {
pastaArgs+=(--gateway "$1")
}
pastaonlyIngestDns() {
# NAT DNS requests to localhost to the VPN's DNS resolver
# claim the whole 127.0.0.x space, because some setups place the DNS on a different address of localhost.
pastaNetSetup="iptables -A OUTPUT -t nat -p udp --dport 53 -m iprange --dst-range 127.0.0.1-127.0.0.255 -j DNAT --to-destination $1:53; $pastaNetSetup"
pastaNetSetup="ip addr del 127.0.0.1/8 dev lo; $pastaNetSetup"
local dns=$1
case "$dns" in
(host)
# use the host's DNS resolver
if ! contains 53 "${pastaOutboundPorts[@]}"; then
pastaOutboundPorts+=(53)
fi
;;
(*)
# NAT DNS requests to localhost to the VPN's DNS resolver
# claim the whole 127.0.0.x space, because some setups place the DNS on a different address of localhost.
pastaNetSetup="iptables -A OUTPUT -t nat -p udp --dport 53 -m iprange --dst-range 127.0.0.1-127.0.0.255 -j DNAT --to-destination $1:53; $pastaNetSetup"
pastaNetSetup="ip addr del 127.0.0.1/8 dev lo; $pastaNetSetup"
;;
esac
}
pastaonlyIngestKeepNamespace() {
:
@@ -896,8 +908,13 @@ pastaonlyGetCli() {
"${cliArgs[@]}"
)
locate _pasta "pasta" "$PASTA_FALLBACK"
local pastaOutboundPortsStr=none
if [ "${#pastaOutboundPorts[@]}" -ne 0 ]; then
pastaOutboundPortsStr="${pastaOutboundPorts[*]}"
pastaOutboundPortsStr="${pastaOutboundPortsStr// /,}"
fi
cliArgs=(
"$_pasta" --ipv4-only -U none -T none -u none -t none --config-net
"$_pasta" --ipv4-only -U "$pastaOutboundPortsStr" -T "$pastaOutboundPortsStr" -u none -t none --config-net
"${pastaArgs[@]}" --
"${cliArgs[@]}"
)