- Added distance vector inverse path test case.

- Enhanced port forwarding configuration to restrict port forwarding to specific source IPs. - Add configuration for counting additional connections per peer. - Added caching for Core Messages, if confirmed virtual link is missing. - Added caching for DV forwarding, if confirmed virtual link is missing. - Fixed bug in fragmentation logic. - Fixed bug in queueing logic. - Fixed bug in flow control logic. - Fixed Bug with lifetime of DV learn message. (Validation against replay attack still missing) - removed make warnings - fixed coverty findings
author: t3sserakt <t3ss@posteo.de> 2022-10-04 14:28:51 +0200
committer: t3sserakt <t3ss@posteo.de> 2022-10-05 13:23:32 +0200
commit: 247230d737e3e4709392148bfabbde25871b6914 (patch)
tree: c18f51cafb00b9436af050fffbc7d56d3f09bf95 /contrib
parent: b47e578091e7451fd5c98cc56447d0fadba15b00 (diff)
download: gnunet-247230d737e3e4709392148bfabbde25871b6914.tar.gz
gnunet-247230d737e3e4709392148bfabbde25871b6914.zip
2 files changed, 97 insertions, 27 deletions
diff --git a/contrib/netjail/netjail_start.sh b/contrib/netjail/netjail_start.sh
index e2d5fd634..d03fa1c87 100755
--- a/contrib/netjail/netjail_start.sh
+++ b/contrib/netjail/netjail_start.sh
@@ -79,14 +79,46 @@ for N in $(seq $GLOBAL_N); do
    then
        #ip netns exec ${ROUTERS[$N]} nft add rule ip nat prerouting ip daddr $GLOBAL_GROUP.$N tcp dport 60002 counter dnat to $LOCAL_GROUP.1
        #ip netns exec ${ROUTERS[$N]} nft add rule ip filter FORWARD ip daddr $LOCAL_GROUP.1 ct state new,related,established  counter accept
-        ip netns exec ${ROUTERS[$N]} iptables -t nat -A PREROUTING -p tcp -d $GLOBAL_GROUP.$N --dport 60002 -j DNAT --to $LOCAL_GROUP.1
+        if [ "0" == "${R_TCP_ALLOWED_NUMBER[$N]}" ]; then
+            ip netns exec ${ROUTERS[$N]} iptables -t nat -A PREROUTING -p tcp -d $GLOBAL_GROUP.$N --dport 60002 -j DNAT --to $LOCAL_GROUP.1
+        else
+            delimiter=","
+            sources=$GLOBAL_GROUP."${R_TCP_ALLOWED[$N,1,1]}"
+            if [ "1" -lt "${R_TCP_ALLOWED_NUMBER[$N]}" ]
+            then
+               for ((i = 2; i <= ${R_TCP_ALLOWED_NUMBER[$N]}; i++))
+               do
+                   echo $i
+                   temp=$delimiter$GLOBAL_GROUP."${R_TCP_ALLOWED[$N,$i,1]}"
+                   sources=$sources$temp
+               done
+            fi
+            echo $sources
+            ip netns exec ${ROUTERS[$N]} iptables -t nat -A PREROUTING -p tcp -s $sources -d $GLOBAL_GROUP.$N --dport 60002 -j DNAT --to $LOCAL_GROUP.1
+        fi
        ip netns exec ${ROUTERS[$N]} iptables -A FORWARD -d $LOCAL_GROUP.1  -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
    fi
    if [ "1" == "${R_UDP[$N]}" ]
    then
        #ip netns exec ${ROUTERS[$N]} nft add rule ip nat prerouting ip daddr $GLOBAL_GROUP.$N udp dport $PORT counter dnat to $LOCAL_GROUP.1
        #ip netns exec ${ROUTERS[$N]} nft add rule ip filter FORWARD ip daddr $LOCAL_GROUP.1 ct state new,related,established  counter accept
-        ip netns exec ${ROUTERS[$N]} iptables -t nat -A PREROUTING -p udp -d $GLOBAL_GROUP.$N --dport $PORT -j DNAT --to $LOCAL_GROUP.1
+        if [ "0" == "${R_UDP_ALLOWED_NUMBER[$N]}" ]; then
+            ip netns exec ${ROUTERS[$N]} iptables -t nat -A PREROUTING -p udp -d $GLOBAL_GROUP.$N --dport $PORT -j DNAT --to $LOCAL_GROUP.1
+        else
+            delimiter=","
+            sources=$GLOBAL_GROUP."${R_UDP_ALLOWED[$N,1,1]}"
+            if [ "1" -lt "${R_UDP_ALLOWED_NUMBER[$N]}" ]
+            then
+               for ((i = 2; i <= ${R_UDP_ALLOWED_NUMBER[$N]}; i++))
+               do
+                   echo $i
+                   temp=$delimiter$GLOBAL_GROUP."${R_UDP_ALLOWED[$N,$i,1]}"
+                   sources=$sources$temp
+               done
+            fi
+            echo $sources
+            ip netns exec ${ROUTERS[$N]} iptables -t nat -A PREROUTING -p udp -s $GLOBAL_GROUP.$sources -d $GLOBAL_GROUP.$N --dport $PORT -j DNAT --to $LOCAL_GROUP.1
+        fi
        ip netns exec ${ROUTERS[$N]} iptables -A FORWARD -d $LOCAL_GROUP.1  -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
    fi
 done
diff --git a/contrib/netjail/topo.sh b/contrib/netjail/topo.sh
index d7586d425..d94fa0bac 100755
--- a/contrib/netjail/topo.sh
+++ b/contrib/netjail/topo.sh
@@ -2,14 +2,18 @@
 declare -A K_PLUGIN
 declare -A R_TCP
+declare -A R_TCP_ALLOWED
+declare -i -A R_TCP_ALLOWED_NUMBER
 declare -A R_UDP
+declare -A R_UDP_ALLOWED
+declare -i -A R_UDP_ALLOWED_NUMBER
 declare -A P_PLUGIN
 extract_attributes()
 {
    line_key=$1
    line=$2
-    
    if [ "$line_key" = "P" ]
    then
        n=$(echo $line|cut -d \| -f 1|awk -F: '{print $2}')
@@ -21,34 +25,68 @@ extract_attributes()
        echo $number
    fi
-    nf=$(echo $line|awk -F: '{print NF}')
+    #nf=$(echo $line|awk -F: '{print NF}')
+    nf=$(echo $line|awk -F\| '{print NF}')
    for ((i=2;i<=$nf;i++))
    do
-        entry=$(echo $line |awk -v i=$i -F\| '{print $i}')
+        entry=$(echo $line |awk -v i=$i -F\| '{print $i}')
+        echo $entry
+        if [ "$(echo $entry|grep P)" = "" ]; then
+                key=$(echo $entry|cut -d { -f 2|cut -d } -f 1|cut -d : -f 1)
+                echo $key
+                value=$(echo $entry|cut -d { -f 2|cut -d } -f 1|cut -d : -f 2)
+                echo $value
+            if [ "$key" = "tcp_port" ]
+                then
+                R_TCP_ALLOWED_NUMBER[$number]=0
+                    echo tcp port: $value
+                    R_TCP[$number]=$value
+                elif [ "$key" = "udp_port" ]
+                then
+                R_UDP_ALLOWED_NUMBER[$number]=0
+                    echo udp port: $value
+                    R_UDP[$number]=$value
+                elif [ "$key" = "plugin" ]
+                then
+                    echo plugin: $value
+                    echo $line_key
+                    if [ "$line_key" = "P" ]
+                    then
+                            P_PLUGIN[$n,$m]=$value
+                            echo $n $m ${P_PLUGIN[$n,$m]}
+                    elif [ "$line_key" = "K" ]
+                    then
+                            K_PLUGIN[$number]=$value
+                    fi
+                fi
+        else
+                p1=$(echo $entry|cut -d P -f 2|cut -d } -f 1|cut -d : -f 2)
+            echo $p1
+            p2=$(echo $entry|cut -d P -f 2|cut -d } -f 1|cut -d : -f 3)
+                echo $p2
+            if [ "$key" = "tcp_port" ]
+                then
+                R_TCP_ALLOWED_NUMBER[$number]+=1
+                    R_TCP_ALLOWED[$number,${R_TCP_ALLOWED_NUMBER[$number]},1]=$p1
+                R_TCP_ALLOWED[$number,${R_TCP_ALLOWED_NUMBER[$number]},2]=$p2
+                echo ${R_TCP_ALLOWED_NUMBER[$number]}
+                echo ${R_TCP_ALLOWED[$number,${R_TCP_ALLOWED_NUMBER[$number]},1]}
+                echo ${R_TCP_ALLOWED[$number,${R_TCP_ALLOWED_NUMBER[$number]},2]}
+                elif [ "$key" = "udp_port" ]
+                then
+                R_UDP_ALLOWED_NUMBER[$number]+=1
+                    R_UDP_ALLOWED[$number,${R_UDP_ALLOWED_NUMBER[$number]},1]=$p1
+                R_UDP_ALLOWED[$number,${R_UDP_ALLOWED_NUMBER[$number]},2]=$p2
+            fi
+        fi
+    done
+    #for ((i=2;i<=$nf;i++))
+    # do
+        #entry=$(echo $line |awk -v i=$i -F\| '{print $i}')
        key=$(echo $entry|cut -d { -f 2|cut -d } -f 1|cut -d : -f 1)
        value=$(echo $entry|cut -d { -f 2|cut -d } -f 1|cut -d : -f 2)
-        if [ "$key" = "tcp_port" ]
+        
-        then
+    #done
-            echo tcp port: $value
-            R_TCP[$number]=$value
-        elif [ "$key" = "udp_port" ]
-        then
-            echo udp port: $value
-            R_UDP[$number]=$value
-        elif [ "$key" = "plugin" ]
-        then
-            echo plugin: $value
-            echo $line_key
-            if [ "$line_key" = "P" ]
-            then
-                P_PLUGIN[$n,$m]=$value
-                echo $n $m ${P_PLUGIN[$n,$m]}
-            elif [ "$line_key" = "K" ]
-            then
-                K_PLUGIN[$number]=$value
-            fi
-        fi
-    done
 }
 parse_line(){
author	t3sserakt <t3ss@posteo.de>	2022-10-04 14:28:51 +0200
committer	t3sserakt <t3ss@posteo.de>	2022-10-05 13:23:32 +0200
commit	247230d737e3e4709392148bfabbde25871b6914 (patch)
tree	c18f51cafb00b9436af050fffbc7d56d3f09bf95 /contrib
parent	b47e578091e7451fd5c98cc56447d0fadba15b00 (diff)
download	gnunet-247230d737e3e4709392148bfabbde25871b6914.tar.gz gnunet-247230d737e3e4709392148bfabbde25871b6914.zip

diff --git a/contrib/netjail/netjail_start.sh b/contrib/netjail/netjail_start.sh index e2d5fd634..d03fa1c87 100755 --- a/contrib/netjail/netjail_start.sh +++ b/contrib/netjail/netjail_start.sh
@@ -79,14 +79,46 @@ for N in $(seq $GLOBAL_N); do
79	then	79	then
80	#ip netns exec ${ROUTERS[$N]} nft add rule ip nat prerouting ip daddr $GLOBAL_GROUP.$N tcp dport 60002 counter dnat to $LOCAL_GROUP.1	80	#ip netns exec ${ROUTERS[$N]} nft add rule ip nat prerouting ip daddr $GLOBAL_GROUP.$N tcp dport 60002 counter dnat to $LOCAL_GROUP.1
81	#ip netns exec ${ROUTERS[$N]} nft add rule ip filter FORWARD ip daddr $LOCAL_GROUP.1 ct state new,related,established counter accept	81	#ip netns exec ${ROUTERS[$N]} nft add rule ip filter FORWARD ip daddr $LOCAL_GROUP.1 ct state new,related,established counter accept
82	ip netns exec ${ROUTERS[$N]} iptables -t nat -A PREROUTING -p tcp -d $GLOBAL_GROUP.$N --dport 60002 -j DNAT --to $LOCAL_GROUP.1	82	if [ "0" == "${R_TCP_ALLOWED_NUMBER[$N]}" ]; then
		83	ip netns exec ${ROUTERS[$N]} iptables -t nat -A PREROUTING -p tcp -d $GLOBAL_GROUP.$N --dport 60002 -j DNAT --to $LOCAL_GROUP.1
		84	else
		85	delimiter=","
		86	sources=$GLOBAL_GROUP."${R_TCP_ALLOWED[$N,1,1]}"
		87	if [ "1" -lt "${R_TCP_ALLOWED_NUMBER[$N]}" ]
		88	then
		89	for ((i = 2; i <= ${R_TCP_ALLOWED_NUMBER[$N]}; i++))
		90	do
		91	echo $i
		92	temp=$delimiter$GLOBAL_GROUP."${R_TCP_ALLOWED[$N,$i,1]}"
		93	sources=$sources$temp
		94	done
		95	fi
		96	echo $sources
		97	ip netns exec ${ROUTERS[$N]} iptables -t nat -A PREROUTING -p tcp -s $sources -d $GLOBAL_GROUP.$N --dport 60002 -j DNAT --to $LOCAL_GROUP.1
		98	fi
83	ip netns exec ${ROUTERS[$N]} iptables -A FORWARD -d $LOCAL_GROUP.1 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT	99	ip netns exec ${ROUTERS[$N]} iptables -A FORWARD -d $LOCAL_GROUP.1 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
84	fi	100	fi
85	if [ "1" == "${R_UDP[$N]}" ]	101	if [ "1" == "${R_UDP[$N]}" ]
86	then	102	then
87	#ip netns exec ${ROUTERS[$N]} nft add rule ip nat prerouting ip daddr $GLOBAL_GROUP.$N udp dport $PORT counter dnat to $LOCAL_GROUP.1	103	#ip netns exec ${ROUTERS[$N]} nft add rule ip nat prerouting ip daddr $GLOBAL_GROUP.$N udp dport $PORT counter dnat to $LOCAL_GROUP.1
88	#ip netns exec ${ROUTERS[$N]} nft add rule ip filter FORWARD ip daddr $LOCAL_GROUP.1 ct state new,related,established counter accept	104	#ip netns exec ${ROUTERS[$N]} nft add rule ip filter FORWARD ip daddr $LOCAL_GROUP.1 ct state new,related,established counter accept
89	ip netns exec ${ROUTERS[$N]} iptables -t nat -A PREROUTING -p udp -d $GLOBAL_GROUP.$N --dport $PORT -j DNAT --to $LOCAL_GROUP.1	105	if [ "0" == "${R_UDP_ALLOWED_NUMBER[$N]}" ]; then
		106	ip netns exec ${ROUTERS[$N]} iptables -t nat -A PREROUTING -p udp -d $GLOBAL_GROUP.$N --dport $PORT -j DNAT --to $LOCAL_GROUP.1
		107	else
		108	delimiter=","
		109	sources=$GLOBAL_GROUP."${R_UDP_ALLOWED[$N,1,1]}"
		110	if [ "1" -lt "${R_UDP_ALLOWED_NUMBER[$N]}" ]
		111	then
		112	for ((i = 2; i <= ${R_UDP_ALLOWED_NUMBER[$N]}; i++))
		113	do
		114	echo $i
		115	temp=$delimiter$GLOBAL_GROUP."${R_UDP_ALLOWED[$N,$i,1]}"
		116	sources=$sources$temp
		117	done
		118	fi
		119	echo $sources
		120	ip netns exec ${ROUTERS[$N]} iptables -t nat -A PREROUTING -p udp -s $GLOBAL_GROUP.$sources -d $GLOBAL_GROUP.$N --dport $PORT -j DNAT --to $LOCAL_GROUP.1
		121	fi
90	ip netns exec ${ROUTERS[$N]} iptables -A FORWARD -d $LOCAL_GROUP.1 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT	122	ip netns exec ${ROUTERS[$N]} iptables -A FORWARD -d $LOCAL_GROUP.1 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
91	fi	123	fi
92	done	124	done


diff --git a/contrib/netjail/topo.sh b/contrib/netjail/topo.sh index d7586d425..d94fa0bac 100755 --- a/contrib/netjail/topo.sh +++ b/contrib/netjail/topo.sh
@@ -2,14 +2,18 @@
2		2
3	declare -A K_PLUGIN	3	declare -A K_PLUGIN
4	declare -A R_TCP	4	declare -A R_TCP
		5	declare -A R_TCP_ALLOWED
		6	declare -i -A R_TCP_ALLOWED_NUMBER
5	declare -A R_UDP	7	declare -A R_UDP
		8	declare -A R_UDP_ALLOWED
		9	declare -i -A R_UDP_ALLOWED_NUMBER
6	declare -A P_PLUGIN	10	declare -A P_PLUGIN
7		11
8	extract_attributes()	12	extract_attributes()
9	{	13	{
10	line_key=$1	14	line_key=$1
11	line=$2	15	line=$2
12		16
13	if [ "$line_key" = "P" ]	17	if [ "$line_key" = "P" ]
14	then	18	then
15	n=$(echo $line\|cut -d \\| -f 1\|awk -F: '{print $2}')	19	n=$(echo $line\|cut -d \\| -f 1\|awk -F: '{print $2}')
@@ -21,34 +25,68 @@ extract_attributes()
21	echo $number	25	echo $number
22	fi	26	fi
23		27
24	nf=$(echo $line\|awk -F: '{print NF}')	28	#nf=$(echo $line\|awk -F: '{print NF}')
		29	nf=$(echo $line\|awk -F\\| '{print NF}')
25	for ((i=2;i<=$nf;i++))	30	for ((i=2;i<=$nf;i++))
26	do	31	do
27	entry=$(echo $line \|awk -v i=$i -F\\| '{print $i}')	32	entry=$(echo $line \|awk -v i=$i -F\\| '{print $i}')
		33	echo $entry
		34	if [ "$(echo $entry\|grep P)" = "" ]; then
		35	key=$(echo $entry\|cut -d { -f 2\|cut -d } -f 1\|cut -d : -f 1)
		36	echo $key
		37	value=$(echo $entry\|cut -d { -f 2\|cut -d } -f 1\|cut -d : -f 2)
		38	echo $value
		39	if [ "$key" = "tcp_port" ]
		40	then
		41	R_TCP_ALLOWED_NUMBER[$number]=0
		42	echo tcp port: $value
		43	R_TCP[$number]=$value
		44	elif [ "$key" = "udp_port" ]
		45	then
		46	R_UDP_ALLOWED_NUMBER[$number]=0
		47	echo udp port: $value
		48	R_UDP[$number]=$value
		49	elif [ "$key" = "plugin" ]
		50	then
		51	echo plugin: $value
		52	echo $line_key
		53	if [ "$line_key" = "P" ]
		54	then
		55	P_PLUGIN[$n,$m]=$value
		56	echo $n $m ${P_PLUGIN[$n,$m]}
		57	elif [ "$line_key" = "K" ]
		58	then
		59	K_PLUGIN[$number]=$value
		60	fi
		61	fi
		62	else
		63	p1=$(echo $entry\|cut -d P -f 2\|cut -d } -f 1\|cut -d : -f 2)
		64	echo $p1
		65	p2=$(echo $entry\|cut -d P -f 2\|cut -d } -f 1\|cut -d : -f 3)
		66	echo $p2
		67	if [ "$key" = "tcp_port" ]
		68	then
		69	R_TCP_ALLOWED_NUMBER[$number]+=1
		70	R_TCP_ALLOWED[$number,${R_TCP_ALLOWED_NUMBER[$number]},1]=$p1
		71	R_TCP_ALLOWED[$number,${R_TCP_ALLOWED_NUMBER[$number]},2]=$p2
		72	echo ${R_TCP_ALLOWED_NUMBER[$number]}
		73	echo ${R_TCP_ALLOWED[$number,${R_TCP_ALLOWED_NUMBER[$number]},1]}
		74	echo ${R_TCP_ALLOWED[$number,${R_TCP_ALLOWED_NUMBER[$number]},2]}
		75	elif [ "$key" = "udp_port" ]
		76	then
		77	R_UDP_ALLOWED_NUMBER[$number]+=1
		78	R_UDP_ALLOWED[$number,${R_UDP_ALLOWED_NUMBER[$number]},1]=$p1
		79	R_UDP_ALLOWED[$number,${R_UDP_ALLOWED_NUMBER[$number]},2]=$p2
		80	fi
		81	fi
		82	done
		83	#for ((i=2;i<=$nf;i++))
		84	# do
		85	#entry=$(echo $line \|awk -v i=$i -F\\| '{print $i}')
28	key=$(echo $entry\|cut -d { -f 2\|cut -d } -f 1\|cut -d : -f 1)	86	key=$(echo $entry\|cut -d { -f 2\|cut -d } -f 1\|cut -d : -f 1)
29	value=$(echo $entry\|cut -d { -f 2\|cut -d } -f 1\|cut -d : -f 2)	87	value=$(echo $entry\|cut -d { -f 2\|cut -d } -f 1\|cut -d : -f 2)
30	if [ "$key" = "tcp_port" ]	88
31	then	89	#done
32	echo tcp port: $value
33	R_TCP[$number]=$value
34	elif [ "$key" = "udp_port" ]
35	then
36	echo udp port: $value
37	R_UDP[$number]=$value
38	elif [ "$key" = "plugin" ]
39	then
40	echo plugin: $value
41	echo $line_key
42	if [ "$line_key" = "P" ]
43	then
44	P_PLUGIN[$n,$m]=$value
45	echo $n $m ${P_PLUGIN[$n,$m]}
46	elif [ "$line_key" = "K" ]
47	then
48	K_PLUGIN[$number]=$value
49	fi
50	fi
51	done
52	}	90	}
53		91
54	parse_line(){	92	parse_line(){