dnstrace and snitrace

README.md

@@ -221,6 +221,58 @@ Milestone page: https://github.com/netblue30/firejail/milestone/1
               kernel.  For more information, please see APPARMOR  section  be‐
 `````
 
+### dnstrace
+`````
+      --dnstrace[=name|pid]
+              Monitor DNS queries. The sandbox can be  specified  by  name  or
+              pid.  Only networked sandboxes created with --net are supported.
+              This option is only available when running the sandbox as root.
+
+              Without a name/pid, Firejail will monitor the main  system  net‐
+              work namespace.
+
+              $ sudo firejail --dnstrace=browser
+              11:31:43  9.9.9.9        linux.com (type 1)
+              11:31:45  9.9.9.9        fonts.googleapis.com (type 1) NXDOMAIN
+              11:31:45  9.9.9.9        js.hs-scripts.com (type 1) NXDOMAIN
+              11:31:45  9.9.9.9        www.linux.com (type 1)
+              11:31:45  9.9.9.9        fonts.googleapis.com (type 1) NXDOMAIN
+              11:31:52  9.9.9.9        js.hs-scripts.com (type 1) NXDOMAIN
+              11:32:05  9.9.9.9        secure.gravatar.com (type 1)
+              11:32:06  9.9.9.9        secure.gravatar.com (type 1)
+              11:32:08  9.9.9.9        taikai.network (type 1)
+              11:32:08  9.9.9.9        cdn.jsdelivr.net (type 1)
+              11:32:08  9.9.9.9        taikai.azureedge.net (type 1)
+              11:32:08  9.9.9.9        www.youtube.com (type 1)
+`````
+
+### snitrace
+`````
+     --snitrace[=name|pid]
+              Monitor Server Name Indication (TLS/SNI).  The  sandbox  can  be
+              specified  by name or pid. Only networked sandboxes created with
+              --net are supported. This option is only available when  running
+              the sandbox as root.
+
+              Without  a  name/pid, Firejail will monitor the main system net‐
+              work namespace.
+
+              $ sudo firejail --snitrace=browser
+              07:49:51  23.185.0.3       linux.com
+              07:49:51  23.185.0.3       www.linux.com
+              07:50:05  192.0.73.2       secure.gravatar.com
+              07:52:35  172.67.68.93     www.howtoforge.com
+              07:52:37  13.225.103.59    sf.ezoiccdn.com
+              07:52:42  142.250.176.3    www.gstatic.com
+              07:53:03  173.236.250.32   www.linuxlinks.com
+              07:53:05  192.0.77.37      c0.wp.com
+              07:53:08  192.0.78.32      jetpack.wordpress.com
+              07:53:09  192.0.77.32      s0.wp.com
+              07:53:09  192.0.77.2       i0.wp.com
+              07:53:10  192.0.77.2       i0.wp.com
+              07:53:11  192.0.73.2       1.gravatar.com
+`````
+
 ### Profile Statistics
 
 A small tool to print profile statistics. Compile and install as usual. The tool is installed in /usr/lib/firejail directory.

RELNOTES

@@ -7,6 +7,7 @@ firejail (0.9.71) baseline; urgency=low
   * feature: support for custom AppArmor profiles (--apparmor=) (#5274 #5316
     #5317)
   * feature: added support for ICMP in nettrace
+  * feature: --dnstrace and --snitrace
   * modif: removed --cgroup= command (#5190 #5200)
   * modif: set --shell=none as the default (#5190)
   * modif: removed --shell= command (#5190 #5196 #5209)

src/firejail/main.c

@@ -438,10 +438,10 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
 			exit_err_feature("networking");
 		exit(0);
 	}
-	else if (strcmp(argv[i], "--nettrace-dns") == 0) {
+	else if (strcmp(argv[i], "--dnstrace") == 0) {
 		if (checkcfg(CFG_NETWORK)) {
 			if (getuid() != 0) {
-				fprintf(stderr, "Error: --nettrace-dns is only available to root user\n");
+				fprintf(stderr, "Error: --dnstrace is only available to root user\n");
 				exit(1);
 			}
 			netfilter_trace(0, LIBDIR "/firejail/fnettrace-dns");
@@ -450,10 +450,10 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
 			exit_err_feature("networking");
 		exit(0);
 	}
-	else if (strncmp(argv[i], "--nettrace-dns=", 15) == 0) {
+	else if (strncmp(argv[i], "--dnstrace=", 15) == 0) {
 		if (checkcfg(CFG_NETWORK)) {
 			if (getuid() != 0) {
-				fprintf(stderr, "Error: --nettrace is only available to root user\n");
+				fprintf(stderr, "Error: --dnstrace is only available to root user\n");
 				exit(1);
 			}
 			pid_t pid = require_pid(argv[i] + 15);
@@ -463,10 +463,10 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
 			exit_err_feature("networking");
 		exit(0);
 	}
-	else if (strcmp(argv[i], "--nettrace-sni") == 0) {
+	else if (strcmp(argv[i], "--snitrace") == 0) {
 		if (checkcfg(CFG_NETWORK)) {
 			if (getuid() != 0) {
-				fprintf(stderr, "Error: --nettrace is only available to root user\n");
+				fprintf(stderr, "Error: --snitrace is only available to root user\n");
 				exit(1);
 			}
 			netfilter_trace(0, LIBDIR "/firejail/fnettrace-sni");
@@ -475,10 +475,10 @@ static void run_cmd_and_exit(int i, int argc, char **argv) {
 			exit_err_feature("networking");
 		exit(0);
 	}
-	else if (strncmp(argv[i], "--nettrace-sni=", 15) == 0) {
+	else if (strncmp(argv[i], "--snitrace=", 15) == 0) {
 		if (checkcfg(CFG_NETWORK)) {
 			if (getuid() != 0) {
-				fprintf(stderr, "Error: --nettrace is only available to root user\n");
+				fprintf(stderr, "Error: --snitrace is only available to root user\n");
 				exit(1);
 			}
 			pid_t pid = require_pid(argv[i] + 15);

src/fnettrace/static-ip-map

@@ -184,12 +184,13 @@
 208.80.152.0/22 Wikipedia
 
 # WholeSale Internet
+69.30.192.0/18 WholeSale Internet
 69.197.128.0/18 WholeSale Internet
 173.208.128.0/17 WholeSale Internet
 204.12.192.0/18 WholeSale Internet
+208.67.0.0/21 WholeSale Internet
 208.110.64.0/19 WholeSale Internet
 208.110.91.0/24 WholeSale Internet
-208.67.0.0/21 WholeSale Internet
 
 # StackPath
 69.16.173.0/24 StackPath

src/man/firejail.txt

@@ -779,6 +779,46 @@ $ firejail \-\-list
 .br
 $ firejail \-\-dns.print=3272
 
+#ifdef HAVE_NETWORK
+.TP
+\fB\-\-dnstrace[=name|pid]
+Monitor DNS queries. The sandbox can be specified by name or pid. Only networked sandboxes
+created with \-\-net are supported. This option is only available when running the sandbox as root.
+.br
+
+.br
+Without a name/pid, Firejail will monitor the main system network namespace.
+.br
+
+.br
+$ sudo firejail --dnstrace=browser
+.br
+11:31:43  9.9.9.9        linux.com (type 1)
+.br
+11:31:45  9.9.9.9        fonts.googleapis.com (type 1) NXDOMAIN
+.br
+11:31:45  9.9.9.9        js.hs-scripts.com (type 1) NXDOMAIN
+.br
+11:31:45  9.9.9.9        www.linux.com (type 1)
+.br
+11:31:45  9.9.9.9        fonts.googleapis.com (type 1) NXDOMAIN
+.br
+11:31:52  9.9.9.9        js.hs-scripts.com (type 1) NXDOMAIN
+.br
+11:32:05  9.9.9.9        secure.gravatar.com (type 1)
+.br
+11:32:06  9.9.9.9        secure.gravatar.com (type 1)
+.br
+11:32:08  9.9.9.9        taikai.network (type 1)
+.br
+11:32:08  9.9.9.9        cdn.jsdelivr.net (type 1)
+.br
+11:32:08  9.9.9.9        taikai.azureedge.net (type 1)
+.br
+11:32:08  9.9.9.9        www.youtube.com (type 1)
+.br
+#endif
+
 .TP
 \fB\-\-env=name=value
 Set environment variable in the new sandbox.
@@ -1578,82 +1618,6 @@ the country the traffic originates from is added to the trace.
 We also use the static IP map in /usr/lib/firejail/static-ip-map
 to print the domain names for some of the more common websites and cloud platforms.
 No external services are contacted for reverse IP lookup.
-.TP
-\fB\-\-nettrace-dns[=name|pid]
-Monitor DNS queries. The sandbox can be specified by name or pid. Only networked sandboxes
-created with \-\-net are supported. This option is only available when running the sandbox as root.
-.br
-
-.br
-Without a name/pid, Firejail will monitor the main system network namespace.
-.br
-
-.br
-$ sudo firejail --nettrace-dns=browser
-.br
-11:31:43  9.9.9.9        linux.com (type 1)
-.br
-11:31:45  9.9.9.9        fonts.googleapis.com (type 1) NXDOMAIN
-.br
-11:31:45  9.9.9.9        js.hs-scripts.com (type 1) NXDOMAIN
-.br
-11:31:45  9.9.9.9        www.linux.com (type 1)
-.br
-11:31:45  9.9.9.9        fonts.googleapis.com (type 1) NXDOMAIN
-.br
-11:31:52  9.9.9.9        js.hs-scripts.com (type 1) NXDOMAIN
-.br
-11:32:05  9.9.9.9        secure.gravatar.com (type 1)
-.br
-11:32:06  9.9.9.9        secure.gravatar.com (type 1)
-.br
-11:32:08  9.9.9.9        taikai.network (type 1)
-.br
-11:32:08  9.9.9.9        cdn.jsdelivr.net (type 1)
-.br
-11:32:08  9.9.9.9        taikai.azureedge.net (type 1)
-.br
-11:32:08  9.9.9.9        www.youtube.com (type 1)
-.br
-.TP
-\fB\-\-nettrace-sni[=name|pid]
-Monitor Server Name Indication (TLS/SNI). The sandbox can be specified by name or pid. Only networked sandboxes
-created with \-\-net are supported. This option is only available when running the sandbox as root.
-.br
-
-.br
-Without a name/pid, Firejail will monitor the main system network namespace.
-.br
-
-.br
-$ sudo firejail --nettrace-sni=browser
-.br
-07:49:51  23.185.0.3       linux.com
-.br
-07:49:51  23.185.0.3       www.linux.com
-.br
-07:50:05  192.0.73.2       secure.gravatar.com
-.br
-07:52:35  172.67.68.93     www.howtoforge.com
-.br
-07:52:37  13.225.103.59    sf.ezoiccdn.com
-.br
-07:52:42  142.250.176.3    www.gstatic.com
-.br
-07:53:03  173.236.250.32   www.linuxlinks.com
-.br
-07:53:05  192.0.77.37      c0.wp.com
-.br
-07:53:08  192.0.78.32      jetpack.wordpress.com
-.br
-07:53:09  192.0.77.32      s0.wp.com
-.br
-07:53:09  192.0.77.2       i0.wp.com
-.br
-07:53:10  192.0.77.2       i0.wp.com
-.br
-07:53:11  192.0.73.2       1.gravatar.com
-.br
 #endif
 .TP
 \fB\-\-nice=value
@@ -2833,6 +2797,49 @@ $ firejail \-\-list
 3272:netblue::firejail \-\-private firefox
 .br
 $ firejail \-\-shutdown=3272
+
+#ifdef HAVE_NETWORK
+.TP
+\fB\-\-snitrace[=name|pid]
+Monitor Server Name Indication (TLS/SNI). The sandbox can be specified by name or pid. Only networked sandboxes
+created with \-\-net are supported. This option is only available when running the sandbox as root.
+.br
+
+.br
+Without a name/pid, Firejail will monitor the main system network namespace.
+.br
+
+.br
+$ sudo firejail --snitrace=browser
+.br
+07:49:51  23.185.0.3       linux.com
+.br
+07:49:51  23.185.0.3       www.linux.com
+.br
+07:50:05  192.0.73.2       secure.gravatar.com
+.br
+07:52:35  172.67.68.93     www.howtoforge.com
+.br
+07:52:37  13.225.103.59    sf.ezoiccdn.com
+.br
+07:52:42  142.250.176.3    www.gstatic.com
+.br
+07:53:03  173.236.250.32   www.linuxlinks.com
+.br
+07:53:05  192.0.77.37      c0.wp.com
+.br
+07:53:08  192.0.78.32      jetpack.wordpress.com
+.br
+07:53:09  192.0.77.32      s0.wp.com
+.br
+07:53:09  192.0.77.2       i0.wp.com
+.br
+07:53:10  192.0.77.2       i0.wp.com
+.br
+07:53:11  192.0.73.2       1.gravatar.com
+.br
+#endif
+
 .TP
 \fB\-\-tab
 Enable shell tab completion in sandboxes using private or whitelisted home directories.