sanebox: pasta/bwrap: route DNS to the host's server if asked (via --sanebox-dns host)
This commit is contained in:
@@ -125,7 +125,7 @@ usage() {
|
|||||||
echo ' --sanebox-pasta-arg <arg>'
|
echo ' --sanebox-pasta-arg <arg>'
|
||||||
echo ' --sanebox-net-dev <iface>|all'
|
echo ' --sanebox-net-dev <iface>|all'
|
||||||
echo ' --sanebox-net-gateway <ip-address>'
|
echo ' --sanebox-net-gateway <ip-address>'
|
||||||
echo ' --sanebox-dns <server>'
|
echo ' --sanebox-dns <server>|host'
|
||||||
echo ' --sanebox-keep-namespace <cgroup|ipc|pid|uts|all>'
|
echo ' --sanebox-keep-namespace <cgroup|ipc|pid|uts|all>'
|
||||||
echo ' do not unshare the provided linux namespace'
|
echo ' do not unshare the provided linux namespace'
|
||||||
echo ' --sanebox-path <path>'
|
echo ' --sanebox-path <path>'
|
||||||
@@ -858,6 +858,7 @@ capshonlyGetCli() {
|
|||||||
|
|
||||||
pastaArgs=()
|
pastaArgs=()
|
||||||
pastaNetSetup=
|
pastaNetSetup=
|
||||||
|
pastaOutboundPorts=()
|
||||||
pastaonlySetup() {
|
pastaonlySetup() {
|
||||||
debug "pastaonlySetup: noop"
|
debug "pastaonlySetup: noop"
|
||||||
}
|
}
|
||||||
@@ -878,10 +879,21 @@ pastaonlyIngestNetGateway() {
|
|||||||
pastaArgs+=(--gateway "$1")
|
pastaArgs+=(--gateway "$1")
|
||||||
}
|
}
|
||||||
pastaonlyIngestDns() {
|
pastaonlyIngestDns() {
|
||||||
# NAT DNS requests to localhost to the VPN's DNS resolver
|
local dns=$1
|
||||||
# claim the whole 127.0.0.x space, because some setups place the DNS on a different address of localhost.
|
case "$dns" in
|
||||||
pastaNetSetup="iptables -A OUTPUT -t nat -p udp --dport 53 -m iprange --dst-range 127.0.0.1-127.0.0.255 -j DNAT --to-destination $1:53; $pastaNetSetup"
|
(host)
|
||||||
pastaNetSetup="ip addr del 127.0.0.1/8 dev lo; $pastaNetSetup"
|
# use the host's DNS resolver
|
||||||
|
if ! contains 53 "${pastaOutboundPorts[@]}"; then
|
||||||
|
pastaOutboundPorts+=(53)
|
||||||
|
fi
|
||||||
|
;;
|
||||||
|
(*)
|
||||||
|
# NAT DNS requests to localhost to the VPN's DNS resolver
|
||||||
|
# claim the whole 127.0.0.x space, because some setups place the DNS on a different address of localhost.
|
||||||
|
pastaNetSetup="iptables -A OUTPUT -t nat -p udp --dport 53 -m iprange --dst-range 127.0.0.1-127.0.0.255 -j DNAT --to-destination $1:53; $pastaNetSetup"
|
||||||
|
pastaNetSetup="ip addr del 127.0.0.1/8 dev lo; $pastaNetSetup"
|
||||||
|
;;
|
||||||
|
esac
|
||||||
}
|
}
|
||||||
pastaonlyIngestKeepNamespace() {
|
pastaonlyIngestKeepNamespace() {
|
||||||
:
|
:
|
||||||
@@ -896,8 +908,13 @@ pastaonlyGetCli() {
|
|||||||
"${cliArgs[@]}"
|
"${cliArgs[@]}"
|
||||||
)
|
)
|
||||||
locate _pasta "pasta" "$PASTA_FALLBACK"
|
locate _pasta "pasta" "$PASTA_FALLBACK"
|
||||||
|
local pastaOutboundPortsStr=none
|
||||||
|
if [ "${#pastaOutboundPorts[@]}" -ne 0 ]; then
|
||||||
|
pastaOutboundPortsStr="${pastaOutboundPorts[*]}"
|
||||||
|
pastaOutboundPortsStr="${pastaOutboundPortsStr// /,}"
|
||||||
|
fi
|
||||||
cliArgs=(
|
cliArgs=(
|
||||||
"$_pasta" --ipv4-only -U none -T none -u none -t none --config-net
|
"$_pasta" --ipv4-only -U "$pastaOutboundPortsStr" -T "$pastaOutboundPortsStr" -u none -t none --config-net
|
||||||
"${pastaArgs[@]}" --
|
"${pastaArgs[@]}" --
|
||||||
"${cliArgs[@]}"
|
"${cliArgs[@]}"
|
||||||
)
|
)
|
||||||
|
|||||||
Reference in New Issue
Block a user