Diffstat (limited to 'contrib/netjail/netjail_core.sh')
-rwxr-xr-x | contrib/netjail/netjail_core.sh | 260 |
1 files changed, 260 insertions, 0 deletions
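--- /dev/null
+++ b/contrib/netjail/netjail_core.sh
@@ -0,0 +1,260 @@
+#!/bin/sh
+#
+
+
+PREFIX=${PPID:?must run from a parent process}
+
+# running with `sudo` is required to be
+# able running the actual commands as the
+# original user.
+
+export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+
+export RESULT=
+export NAMESPACE_NUM=0
+export INTERFACE_NUM=0
+
+netjail_next_namespace() {
+local NUM=$NAMESPACE_NUM
+NAMESPACE_NUM=$(($NAMESPACE_NUM + 1))
+RESULT=$NUM
+}
+
+netjail_next_interface() {
+local NUM=$INTERFACE_NUM
+INTERFACE_NUM=$(($INTERFACE_NUM + 1))
+RESULT=$NUM
+}
+
+netjail_opt() {
+local OPT=$1
+shift 1
+
+INDEX=1
+
+while [ $# -gt 0 ]; do
+if [ "$1" = "$OPT" ]; then
+RESULT=$INDEX
+return
+fi
+
+INDEX=$(($INDEX + 1))
+shift 1
+done
+
+RESULT=0
+}
+
+netjail_opts() {
+local OPT=$1
+local DEF=$2
+shift 2
+
+while [ $# -gt 0 ]; do
+if [ "$1" = "$OPT" ]; then
+printf "$2"
+return
+fi
+
+shift 1
+done
+
+RESULT="$DEF"
+}
+
+netjail_check() {
+local NODE_COUNT=$1
+local FD_COUNT=$(($(ls /proc/self/fd | wc -w) - 4))
+
+# quit if `$FD_COUNT < ($LOCAL_M * $GLOBAL_N * 2)`:
+# the script also requires `sudo -C ($FD_COUNT + 4)`
+# so you need 'Defaults closefrom_override' in the
+# sudoers file.
+
+if [ $FD_COUNT -lt $(($NODE_COUNT * 2)) ]; then
+echo "File descriptors do not match requirements!" >&2
+exit 1
+fi
+}
+
+netjail_check_bin() {
+local PROGRAM=$1
+local MATCH=$(ls $(echo $PATH | tr ":" "\n") | grep "^$PROGRAM\$" | tr "\n" " " | awk '{ print $1 }')
+
+# quit if the required binary $PROGRAM can not be
+# found in the used $PATH.
+
+if [ "$MATCH" != "$PROGRAM" ]; then
+echo "Required binary not found: $PROGRAM" >&2
+exit 1
+fi
+}
+
+netjail_bridge() {
+netjail_next_interface
+local NUM=$RESULT
+local BRIDGE=$(printf "%06x-%08x" $PREFIX $NUM)
+
+ip link add $BRIDGE type bridge
+ip link set dev $BRIDGE up
+
+RESULT=$BRIDGE
+}
+
+netjail_bridge_name() {
+netjail_next_interface
+local NUM=$RESULT
+local BRIDGE=$(printf "%06x-%08x" $PREFIX $NUM)
+
+RESULT=$BRIDGE
+}
+
+netjail_bridge_clear() {
+local BRIDGE=$1
+
+ip link delete $BRIDGE
+}
+
+netjail_node() {
+netjail_next_namespace
+local NUM=$RESULT
+local NODE=$(printf "%06x-%08x" $PREFIX $NUM)
+
+ip netns add $NODE
+
+RESULT=$NODE
+}
+
+netjail_node_name() {
+netjail_next_namespace
+local NUM=$RESULT
+local NODE=$(printf "%06x-%08x" $PREFIX $NUM)
+
+RESULT=$NODE
+}
+
+netjail_node_clear() {
+local NODE=$1
+
+ip netns delete $NODE
+}
+
+netjail_node_link_bridge() {
+local NODE=$1
+local BRIDGE=$2
+local ADDRESS=$3
+local MASK=$4
+
+netjail_next_interface
+local NUM_IF=$RESULT
+netjail_next_interface
+local NUM_BR=$RESULT
+
+local LINK_IF=$(printf "%06x-%08x" $PREFIX $NUM_IF)
+local LINK_BR=$(printf "%06x-%08x" $PREFIX $NUM_BR)
+
+ip link add $LINK_IF type veth peer name $LINK_BR
+ip link set $LINK_IF netns $NODE
+ip link set $LINK_BR master $BRIDGE
+
+ip -n $NODE addr add "$ADDRESS/$MASK" broadcast + dev $LINK_IF
+ip -n $NODE link set $LINK_IF up
+ip -n $NODE link set up dev lo
+
+ip link set $LINK_BR up
+
+RESULT=$LINK_BR
+}
+
+netjail_node_link_bridge_name() {
+
+netjail_next_interface
+netjail_next_interface
+local NUM_BR=$RESULT
+
+local LINK_BR=$(printf "%06x-%08x" $PREFIX $NUM_BR)
+
+RESULT=$LINK_BR
+}
+
+netjail_node_unlink_bridge() {
+local LINK_BR=$1
+
+ip link delete $LINK_BR
+}
+
+netjail_node_add_nat() {
+local NODE=$1
+local ADDRESS=$2
+local MASK=$3
+
+ip netns exec $NODE iptables -t nat -A POSTROUTING -s "$ADDRESS/$MASK" -j MASQUERADE
+}
+
+netjail_node_add_default() {
+local NODE=$1
+local ADDRESS=$2
+
+ip -n $NODE route add default via $ADDRESS
+}
+
+netjail_node_exec() {
+JAILOR=${SUDO_USER:?must run in sudo}
+local NODE=$1
+local FD_IN=$2
+local FD_OUT=$3
+shift 3
+
+ip netns exec $NODE sudo -u $JAILOR -- $@ 1>& $FD_OUT 0<& $FD_IN
+}
+
+netjail_node_exec_without_fds() {
+JAILOR=${SUDO_USER:?must run in sudo}
+NODE=$1
+shift 1
+
+ip netns exec $NODE sudo -u $JAILOR -- $@
+}
+
+netjail_node_exec_without_fds_and_sudo() {
+NODE=$1
+shift 1
+
+ip netns exec $NODE $@
+}
+
+netjail_kill() {
+local PID=$1
+local MATCH=$(ps --pid $PID | awk "{ if ( \$1 == $PID ) { print \$1 } }" | wc -l)
+
+if [ $MATCH -gt 0 ]; then
+kill -n 19 $PID
+
+for CHILD in $(ps -o pid,ppid -ax | awk "{ if ( \$2 == $PID ) { print \$1 } }"); do
+netjail_kill $CHILD
+done
+
+kill $PID
+fi
+}
+
+netjail_killall() {
+if [ $# -gt 0 ]; then
+local PIDS=$1
+
+for PID in $PIDS; do
+netjail_kill $PID
+done
+fi
+}
+
+netjail_waitall() {
+if [ $# -gt 0 ]; then
+local PIDS=$1
+
+for PID in $PIDS; do
+wait $PID
+done
+fi
+}
+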
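Review bot: In `netjail_opts`, the matched option's value is handed to printf as its format string (`printf "$2"`), so a value containing `%` or a backslash is reinterpreted or rejected, and on a match the result goes to stdout while the no-match path stores it in `RESULT="$DEF"`, so a caller cannot read both outcomes the same way. The sibling `netjail_opt` returns through `RESULT`, so the match branch should read `RESULT=$2` (or, if printing is intended, `printf '%s' "$2"` with the default branch printing too). The same quoting gap appears in `netjail_node_exec`, `netjail_node_exec_without_fds` and `netjail_node_exec_without_fds_and_sudo`, where an unquoted `$@` re-splits and globs the command being handed to `ip netns exec`; `"$@"` preserves the caller's argument boundaries. `netjail_check_bin` can also replace the `ls`/`grep`/`awk` pipeline, which treats the program name as a regex, with `command -v -- "$PROGRAM" >/dev/null 2>&1 || { echo "Required binary not found: $PROGRAM" >&2; exit 1; }`.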