author | t3sserakt <t3ss@posteo.de> | 2022-10-04 14:28:51 +0200 |
committer | t3sserakt <t3ss@posteo.de> | 2022-10-05 13:23:32 +0200 |
commit | 247230d737e3e4709392148bfabbde25871b6914 (patch) | |
tree | c18f51cafb00b9436af050fffbc7d56d3f09bf95 /contrib | |
parent | b47e578091e7451fd5c98cc56447d0fadba15b00 (diff) | |
download | gnunet-247230d737e3e4709392148bfabbde25871b6914.tar.gz gnunet-247230d737e3e4709392148bfabbde25871b6914.zip |
- Added distance vector inverse path test case.
- Enhanced port forwarding configuration to restrict port forwarding to specific source IPs.
- Add configuration for counting additional connections per peer.
- Added caching for Core Messages, if confirmed virtual link is missing.
- Added caching for DV forwarding, if confirmed virtual link is missing.
- Fixed bug in fragmentation logic.
- Fixed bug in queueing logic.
- Fixed bug in flow control logic.
- Fixed Bug with lifetime of DV learn message. (Validation against replay attack still missing)
- removed make warnings
- fixed Coverity findings
Diffstat (limited to 'contrib')
-rwxr-xr-x | contrib/netjail/netjail_start.sh | 36 | ||||
-rwxr-xr-x | contrib/netjail/topo.sh | 88 |
2 files changed, 97 insertions, 27 deletions
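--- a/contrib/netjail/netjail_start.sh
+++ b/contrib/netjail/netjail_start.sh
@@ -79,14 +79,46 @@ for N in $(seq $GLOBAL_N); do
 then
 #ip netns exec ${ROUTERS[$N]} nft add rule ip nat prerouting ip daddr $GLOBAL_GROUP.$N tcp dport 60002 counter dnat to $LOCAL_GROUP.1
 #ip netns exec ${ROUTERS[$N]} nft add rule ip filter FORWARD ip daddr $LOCAL_GROUP.1 ct state new,related,established counter accept
-ip netns exec ${ROUTERS[$N]} iptables -t nat -A PREROUTING -p tcp -d $GLOBAL_GROUP.$N --dport 60002 -j DNAT --to $LOCAL_GROUP.1
+if [ "0" == "${R_TCP_ALLOWED_NUMBER[$N]}" ]; then
+ip netns exec ${ROUTERS[$N]} iptables -t nat -A PREROUTING -p tcp -d $GLOBAL_GROUP.$N --dport 60002 -j DNAT --to $LOCAL_GROUP.1
+else
+delimiter=","
+sources=$GLOBAL_GROUP."${R_TCP_ALLOWED[$N,1,1]}"
+if [ "1" -lt "${R_TCP_ALLOWED_NUMBER[$N]}" ]
+then
+for ((i = 2; i <= ${R_TCP_ALLOWED_NUMBER[$N]}; i++))
+do
+echo $i
+temp=$delimiter$GLOBAL_GROUP."${R_TCP_ALLOWED[$N,$i,1]}"
+sources=$sources$temp
+done
+fi
+echo $sources
+ip netns exec ${ROUTERS[$N]} iptables -t nat -A PREROUTING -p tcp -s $sources -d $GLOBAL_GROUP.$N --dport 60002 -j DNAT --to $LOCAL_GROUP.1
+fi
 ip netns exec ${ROUTERS[$N]} iptables -A FORWARD -d $LOCAL_GROUP.1 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
 fi
 if [ "1" == "${R_UDP[$N]}" ]
 then
 #ip netns exec ${ROUTERS[$N]} nft add rule ip nat prerouting ip daddr $GLOBAL_GROUP.$N udp dport $PORT counter dnat to $LOCAL_GROUP.1
 #ip netns exec ${ROUTERS[$N]} nft add rule ip filter FORWARD ip daddr $LOCAL_GROUP.1 ct state new,related,established counter accept
-ip netns exec ${ROUTERS[$N]} iptables -t nat -A PREROUTING -p udp -d $GLOBAL_GROUP.$N --dport $PORT -j DNAT --to $LOCAL_GROUP.1
+if [ "0" == "${R_UDP_ALLOWED_NUMBER[$N]}" ]; then
+ip netns exec ${ROUTERS[$N]} iptables -t nat -A PREROUTING -p udp -d $GLOBAL_GROUP.$N --dport $PORT -j DNAT --to $LOCAL_GROUP.1
+else
+delimiter=","
+sources=$GLOBAL_GROUP."${R_UDP_ALLOWED[$N,1,1]}"
+if [ "1" -lt "${R_UDP_ALLOWED_NUMBER[$N]}" ]
+then
+for ((i = 2; i <= ${R_UDP_ALLOWED_NUMBER[$N]}; i++))
+do
+echo $i
+temp=$delimiter$GLOBAL_GROUP."${R_UDP_ALLOWED[$N,$i,1]}"
+sources=$sources$temp
+done
+fi
+echo $sources
+ip netns exec ${ROUTERS[$N]} iptables -t nat -A PREROUTING -p udp -s $GLOBAL_GROUP.$sources -d $GLOBAL_GROUP.$N --dport $PORT -j DNAT --to $LOCAL_GROUP.1
+fi
 ip netns exec ${ROUTERS[$N]} iptables -A FORWARD -d $LOCAL_GROUP.1 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
 fi
 done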
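Review bot: The UDP allow-list rule on new line 120 passes `-s $GLOBAL_GROUP.$sources`, but `sources` is already built with the `$GLOBAL_GROUP.` prefix on line 109 (and per element on line 115), so iptables receives a doubled prefix, rejects the source list and the restricted DNAT rule is never installed, whereas the TCP branch on line 97 correctly uses `-s $sources`; change line 120 to `ip netns exec ${ROUTERS[$N]} iptables -t nat -A PREROUTING -p udp -s $sources -d $GLOBAL_GROUP.$N --dport $PORT -j DNAT --to $LOCAL_GROUP.1`. Nothing in the hunk checks the exit status of these iptables calls, so the failure would leave the UDP forward silently missing rather than reporting a misconfiguration; a `|| exit 1` after each rule would surface it. The `echo $i` and `echo $sources` lines (91, 96, 114, 119) look like leftover debugging output on stdout and should be removed or redirected to stderr. The TCP and UDP branches are identical apart from protocol, port and allow-list arrays, and would be easier to keep consistent as one helper function taking those as arguments. The enclosing `for N in $(seq $GLOBAL_N)` loop starts before the hunk.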
diff --git a/contrib/netjail/topo.sh b/contrib/netjail/topo.sh index d7586d425..d94fa0bac 100755 --- a/contrib/netjail/topo.sh +++ b/contrib/netjail/topo.sh | |||
@@ -2,14 +2,18 @@ | |||
2 | 2 | ||
3 | declare -A K_PLUGIN | 3 | declare -A K_PLUGIN |
4 | declare -A R_TCP | 4 | declare -A R_TCP |
5 | declare -A R_TCP_ALLOWED | ||
6 | declare -i -A R_TCP_ALLOWED_NUMBER | ||
5 | declare -A R_UDP | 7 | declare -A R_UDP |
8 | declare -A R_UDP_ALLOWED | ||
9 | declare -i -A R_UDP_ALLOWED_NUMBER | ||
6 | declare -A P_PLUGIN | 10 | declare -A P_PLUGIN |
7 | 11 | ||
8 | extract_attributes() | 12 | extract_attributes() |
9 | { | 13 | { |
10 | line_key=$1 | 14 | line_key=$1 |
11 | line=$2 | 15 | line=$2 |
12 | 16 | ||
13 | if [ "$line_key" = "P" ] | 17 | if [ "$line_key" = "P" ] |
14 | then | 18 | then |
15 | n=$(echo $line|cut -d \| -f 1|awk -F: '{print $2}') | 19 | n=$(echo $line|cut -d \| -f 1|awk -F: '{print $2}') |
@@ -21,34 +25,68 @@ extract_attributes() | |||
21 | echo $number | 25 | echo $number |
22 | fi | 26 | fi |
23 | 27 | ||
24 | nf=$(echo $line|awk -F: '{print NF}') | 28 | #nf=$(echo $line|awk -F: '{print NF}') |
29 | nf=$(echo $line|awk -F\| '{print NF}') | ||
25 | for ((i=2;i<=$nf;i++)) | 30 | for ((i=2;i<=$nf;i++)) |
26 | do | 31 | do |
27 | entry=$(echo $line |awk -v i=$i -F\| '{print $i}') | 32 | entry=$(echo $line |awk -v i=$i -F\| '{print $i}') |
33 | echo $entry | ||
34 | if [ "$(echo $entry|grep P)" = "" ]; then | ||
35 | key=$(echo $entry|cut -d { -f 2|cut -d } -f 1|cut -d : -f 1) | ||
36 | echo $key | ||
37 | value=$(echo $entry|cut -d { -f 2|cut -d } -f 1|cut -d : -f 2) | ||
38 | echo $value | ||
39 | if [ "$key" = "tcp_port" ] | ||
40 | then | ||
41 | R_TCP_ALLOWED_NUMBER[$number]=0 | ||
42 | echo tcp port: $value | ||
43 | R_TCP[$number]=$value | ||
44 | elif [ "$key" = "udp_port" ] | ||
45 | then | ||
46 | R_UDP_ALLOWED_NUMBER[$number]=0 | ||
47 | echo udp port: $value | ||
48 | R_UDP[$number]=$value | ||
49 | elif [ "$key" = "plugin" ] | ||
50 | then | ||
51 | echo plugin: $value | ||
52 | echo $line_key | ||
53 | if [ "$line_key" = "P" ] | ||
54 | then | ||
55 | P_PLUGIN[$n,$m]=$value | ||
56 | echo $n $m ${P_PLUGIN[$n,$m]} | ||
57 | elif [ "$line_key" = "K" ] | ||
58 | then | ||
59 | K_PLUGIN[$number]=$value | ||
60 | fi | ||
61 | fi | ||
62 | else | ||
63 | p1=$(echo $entry|cut -d P -f 2|cut -d } -f 1|cut -d : -f 2) | ||
64 | echo $p1 | ||
65 | p2=$(echo $entry|cut -d P -f 2|cut -d } -f 1|cut -d : -f 3) | ||
66 | echo $p2 | ||
67 | if [ "$key" = "tcp_port" ] | ||
68 | then | ||
69 | R_TCP_ALLOWED_NUMBER[$number]+=1 | ||
70 | R_TCP_ALLOWED[$number,${R_TCP_ALLOWED_NUMBER[$number]},1]=$p1 | ||
71 | R_TCP_ALLOWED[$number,${R_TCP_ALLOWED_NUMBER[$number]},2]=$p2 | ||
72 | echo ${R_TCP_ALLOWED_NUMBER[$number]} | ||
73 | echo ${R_TCP_ALLOWED[$number,${R_TCP_ALLOWED_NUMBER[$number]},1]} | ||
74 | echo ${R_TCP_ALLOWED[$number,${R_TCP_ALLOWED_NUMBER[$number]},2]} | ||
75 | elif [ "$key" = "udp_port" ] | ||
76 | then | ||
77 | R_UDP_ALLOWED_NUMBER[$number]+=1 | ||
78 | R_UDP_ALLOWED[$number,${R_UDP_ALLOWED_NUMBER[$number]},1]=$p1 | ||
79 | R_UDP_ALLOWED[$number,${R_UDP_ALLOWED_NUMBER[$number]},2]=$p2 | ||
80 | fi | ||
81 | fi | ||
82 | done | ||
83 | #for ((i=2;i<=$nf;i++)) | ||
84 | # do | ||
85 | #entry=$(echo $line |awk -v i=$i -F\| '{print $i}') | ||
28 | key=$(echo $entry|cut -d { -f 2|cut -d } -f 1|cut -d : -f 1) | 86 | key=$(echo $entry|cut -d { -f 2|cut -d } -f 1|cut -d : -f 1) |
29 | value=$(echo $entry|cut -d { -f 2|cut -d } -f 1|cut -d : -f 2) | 87 | value=$(echo $entry|cut -d { -f 2|cut -d } -f 1|cut -d : -f 2) |
30 | if [ "$key" = "tcp_port" ] | 88 | |
31 | then | 89 | #done |
32 | echo tcp port: $value | ||
33 | R_TCP[$number]=$value | ||
34 | elif [ "$key" = "udp_port" ] | ||
35 | then | ||
36 | echo udp port: $value | ||
37 | R_UDP[$number]=$value | ||
38 | elif [ "$key" = "plugin" ] | ||
39 | then | ||
40 | echo plugin: $value | ||
41 | echo $line_key | ||
42 | if [ "$line_key" = "P" ] | ||
43 | then | ||
44 | P_PLUGIN[$n,$m]=$value | ||
45 | echo $n $m ${P_PLUGIN[$n,$m]} | ||
46 | elif [ "$line_key" = "K" ] | ||
47 | then | ||
48 | K_PLUGIN[$number]=$value | ||
49 | fi | ||
50 | fi | ||
51 | done | ||
52 | } | 90 | } |
53 | 91 | ||
54 | parse_line(){ | 92 | parse_line(){ |