author | TheJackiMonster <thejackimonster@gmail.com> | 2021-04-19 21:21:09 +0200 |
---|---|---|
committer | TheJackiMonster <thejackimonster@gmail.com> | 2021-04-19 21:21:09 +0200 |
commit | 1fc1b732d334d86d16c5284a9363033bce678096 (patch) | |
tree | 48d7f1dad827b589513f4a56df15568dc0f4ac7c | |
parent | f022b206a5378f4c9d0e12c4cffc51801fbc83bf (diff) | |
download | gnunet-1fc1b732d334d86d16c5284a9363033bce678096.tar.gz gnunet-1fc1b732d334d86d16c5284a9363033bce678096.zip |
-first netjail setup with NATs integrated
Signed-off-by: TheJackiMonster <thejackimonster@gmail.com>
-rwxr-xr-x | contrib/scripts/netjail/netjail_core.sh | 100 | ||||
-rwxr-xr-x | contrib/scripts/netjail/netjail_setup_internet.sh | 81 |
2 files changed, 181 insertions, 0 deletions
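--- /dev/null
+++ b/contrib/scripts/netjail/netjail_core.sh
@@ -0,0 +1,100 @@
+#!/bin/sh
+#
+
+JAILOR=${SUDO_USER:?must run in sudo}
+
+# running with `sudo` is required to be
+# able running the actual commands as the
+# original user.
+
+export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+
+netjail_check() {
+NODE_COUNT=$1
+
+FD_COUNT=$(($(ls /proc/self/fd | wc -w) - 4))
+
+# quit if `$FD_COUNT < ($LOCAL_M * $GLOBAL_N * 2)`:
+# the script also requires `sudo -C ($FD_COUNT + 4)`
+# so you need 'Defaults closefrom_override' in the
+# sudoers file.
+
+if [ $FD_COUNT -lt $(($NODE_COUNT * 2)) ]; then
+echo "File descriptors do not match requirements!" >&2
+exit 1
+fi
+}
+
+netjail_print_name() {
+printf "%s%02x%02x" $1 $2 ${3:-0}
+}
+
+netjail_bridge() {
+BRIDGE=$1
+
+ip link add $BRIDGE type bridge
+ip link set dev $BRIDGE up
+}
+
+netjail_bridge_clear() {
+BRIDGE=$1
+
+ip link delete $BRIDGE
+}
+
+netjail_node() {
+NODE=$1
+
+ip netns add $NODE
+}
+
+netjail_node_clear() {
+NODE=$1
+
+ip netns delete $NODE
+}
+
+netjail_node_link_bridge() {
+NODE=$1
+BRIDGE=$2
+ADDRESS=$3
+MASK=$4
+
+LINK_IF="$NODE-$BRIDGE-0"
+LINK_BR="$NODE-$BRIDGE-1"
+
+ip link add $LINK_IF type veth peer name $LINK_BR
+ip link set $LINK_IF netns $NODE
+ip link set $LINK_BR master $BRIDGE
+
+ip -n $NODE addr add "$ADDRESS/$MASK" dev $LINK_IF
+ip -n $NODE link set $LINK_IF up
+ip -n $NODE link set up dev lo
+
+ip link set $LINK_BR up
+}
+
+netjail_node_add_nat() {
+NODE=$1
+ADDRESS=$2
+MASK=$3
+
+ip netns exec $NODE iptables -t nat -A POSTROUTING -s "$ADDRESS/$MASK" -j MASQUERADE
+}
+
+netjail_node_add_default() {
+NODE=$1
+ADDRESS=$2
+
+ip -n $NODE route add default via $ADDRESS
+}
+
+netjail_node_exec() {
+NODE=$1
+FD_IN=$2
+FD_OUT=$3
+shift 3
+
+unshare -fp --kill-child -- ip netns exec $NODE sudo -u $JAILOR -- $@ 1>& $FD_OUT 0<& $FD_IN
+}
+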
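Review bot: `netjail_node_exec` (file lines 92–99) hands the user command to `sudo -u $JAILOR -- $@` unquoted, so every argument is re-split on whitespace and glob-expanded by this root-running shell before it reaches the unprivileged user; it should read `unshare -fp --kill-child -- ip netns exec "$NODE" sudo -u "$JAILOR" -- "$@" 1>&"$FD_OUT" 0<&"$FD_IN"`. The same unquoted `$@` is forwarded from netjail_setup_internet.sh at its line 64, so that call site needs `"$@"` as well. In `netjail_check`, `ls /proc/self/fd | wc -w` enumerates the descriptors of the `ls` child rather than of the script itself, so the `- 4` correction deserves a comment such as `# ls inherits our fds and adds stdin/stdout/stderr plus its own /proc/self/fd handle` — confirm that is the intended accounting, since the check silently passes whenever the estimate is off by the wrong amount.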
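--- /dev/null
+++ b/contrib/scripts/netjail/netjail_setup_internet.sh
@@ -0,0 +1,81 @@
+#!/bin/sh
+. "./netjail_core.sh"
+
+set -eu
+set -x
+
+export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+
+LOCAL_M=$1
+GLOBAL_N=$2
+
+# TODO: stunserver? ..and globally known peer?
+
+shift 2
+
+netjail_check $(($LOCAL_M * $GLOBAL_N))
+
+LOCAL_GROUP="192.168.15"
+GLOBAL_GROUP="92.68.150"
+
+echo "Start [local: $LOCAL_GROUP.0/24, global: $GLOBAL_GROUP.0/24]"
+
+NETWORK_NET=$(netjail_print_name "n" $GLOBAL_N $LOCAL_M)
+
+netjail_bridge $NETWORK_NET
+
+for N in $(seq $GLOBAL_N); do
+ROUTER=$(netjail_print_name "R" $N)
+
+netjail_node $ROUTER
+netjail_node_link_bridge $ROUTER $NETWORK_NET "$GLOBAL_GROUP.$N" 24
+
+ROUTER_NET=$(netjail_print_name "r" $N)
+
+netjail_bridge $ROUTER_NET
+
+for M in $(seq $LOCAL_M); do
+NODE=$(netjail_print_name "N" $N $M)
+
+netjail_node $NODE
+netjail_node_link_bridge $NODE $ROUTER_NET "$LOCAL_GROUP.$M" 24
+done
+
+ROUTER_ADDR="$LOCAL_GROUP.$(($LOCAL_M+1))"
+
+netjail_node_link_bridge $ROUTER $ROUTER_NET $ROUTER_ADDR 24
+netjail_node_add_nat $ROUTER $ROUTER_ADDR 24
+
+for M in $(seq $LOCAL_M); do
+NODE=$(netjail_print_name "N" $N $M)
+
+netjail_node_add_default $NODE $ROUTER_ADDR
+done
+done
+
+for N in $(seq $GLOBAL_N); do
+for M in $(seq $LOCAL_M); do
+NODE=$(netjail_print_name "N" $N $M)
+INDEX=$(($LOCAL_M * ($N - 1) + $M - 1))
+
+FD_X=$(($INDEX * 2 + 3 + 0))
+FD_Y=$(($INDEX * 2 + 3 + 1))
+
+netjail_node_exec $NODE $FD_X $FD_Y $@ &
+done
+done
+
+wait
+
+for N in $(seq $GLOBAL_N); do
+for M in $(seq $LOCAL_M); do
+netjail_node_clear $(netjail_print_name "N" $N $M)
+done
+
+netjail_bridge_clear $(netjail_print_name "r" $N)
+netjail_node_clear $(netjail_print_name "R" $N)
+done
+
+netjail_bridge_clear $NETWORK_NET
+
+echo "Done"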
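Review bot: Nothing tears the namespaces and bridges down if any `ip` call fails partway through setup: `set -eu` on line 4 aborts the script, and the cleanup loops at lines 70–79 run only on the success path, so a failed run leaves the `N..`/`R..` netns entries and `n..`/`r..` bridges behind on the host until someone removes them by hand. Moving that cleanup into a function registered with `trap … EXIT` right after `NETWORK_NET` is computed (before the first `netjail_bridge`) makes teardown run on every exit path, with `|| true` on each step so partially created state does not stop the remaining removals. Since the trap also fires after `wait` returns, the trailing cleanup loops become redundant and can be dropped. The `GLOBAL_GROUP="92.68.150"` prefix is a publicly routed range rather than RFC 1918 space, which appears deliberate for simulating the Internet inside the namespaces; a comment such as `# deliberately non-private: stays confined to the netjail bridges` would keep a later reader from "fixing" it.

```sh
NETWORK_NET=$(netjail_print_name "n" $GLOBAL_N $LOCAL_M)

netjail_cleanup() {
  for N in $(seq $GLOBAL_N); do
    for M in $(seq $LOCAL_M); do
      netjail_node_clear $(netjail_print_name "N" $N $M) || true
    done

    netjail_bridge_clear $(netjail_print_name "r" $N) || true
    netjail_node_clear $(netjail_print_name "R" $N) || true
  done

  netjail_bridge_clear $NETWORK_NET || true
}
trap netjail_cleanup EXIT

netjail_bridge $NETWORK_NET

# … unchanged: router/node creation loops, exec loop, wait …
# (the explicit cleanup loops after `wait` are removed; the trap performs them)
```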