Diffstat (limited to 'contrib/scripts/netjail/netjail_core.sh')
-rwxr-xr-x | contrib/scripts/netjail/netjail_core.sh | 117 |
1 files changed, 96 insertions, 21 deletions
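--- a/contrib/scripts/netjail/netjail_core.sh
+++ b/contrib/scripts/netjail/netjail_core.sh
@@ -9,10 +9,28 @@ JAILOR=${SUDO_USER:?must run in sudo}
 
 export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
 
-netjail_check() {
-NODE_COUNT=$1
+netjail_opt() {
+local OPT=$1
+shift 1
+
+INDEX=1
+
+while [ $# -gt 0 ]; do
+if [ "$1" = "$OPT" ]; then
+printf "%d" $INDEX
+return
+fi
+
+INDEX=$(($INDEX + 1))
+shift 1
+done
 
-FD_COUNT=$(($(ls /proc/self/fd | wc -w) - 4))
+printf "%d" 0
+}
+
+netjail_check() {
+local NODE_COUNT=$1
+local FD_COUNT=$(($(ls /proc/self/fd | wc -w) - 4))
 
 # quit if `$FD_COUNT < ($LOCAL_M * $GLOBAL_N * 2)`:
 # the script also requires `sudo -C ($FD_COUNT + 4)`
@@ -25,43 +43,56 @@ netjail_check() {
 fi
 }
 
+netjail_check_bin() {
+local PROGRAM=$1
+local MATCH=$(ls $(echo $PATH | tr ":" "\n") | grep "^$PROGRAM\$" | tr "\n" " " | awk '{ print $1 }')
+
+# quit if the required binary $PROGRAM can not be
+# found in the used $PATH.
+
+if [ "$MATCH" != "$PROGRAM" ]; then
+echo "Required binary not found: $PROGRAM" >&2
+exit 1
+fi
+}
+
 netjail_print_name() {
 printf "%s%02x%02x" $1 $2 ${3:-0}
 }
 
 netjail_bridge() {
-BRIDGE=$1
+local BRIDGE=$1
 
 ip link add $BRIDGE type bridge
 ip link set dev $BRIDGE up
 }
 
 netjail_bridge_clear() {
-BRIDGE=$1
+local BRIDGE=$1
 
 ip link delete $BRIDGE
 }
 
 netjail_node() {
-NODE=$1
+local NODE=$1
 
 ip netns add $NODE
 }
 
 netjail_node_clear() {
-NODE=$1
+local NODE=$1
 
 ip netns delete $NODE
 }
 
 netjail_node_link_bridge() {
-NODE=$1
-BRIDGE=$2
-ADDRESS=$3
-MASK=$4
+local NODE=$1
+local BRIDGE=$2
+local ADDRESS=$3
+local MASK=$4
 
-LINK_IF="$NODE-$BRIDGE-0"
-LINK_BR="$NODE-$BRIDGE-1"
+local LINK_IF="$NODE-$BRIDGE-0"
+local LINK_BR="$NODE-$BRIDGE-1"
 
 ip link add $LINK_IF type veth peer name $LINK_BR
 ip link set $LINK_IF netns $NODE
@@ -74,27 +105,71 @@ netjail_node_link_bridge() {
 ip link set $LINK_BR up
 }
 
+netjail_node_unlink_bridge() {
+local NODE=$1
+local BRIDGE=$2
+
+local LINK_BR="$NODE-$BRIDGE-1"
+
+ip link delete $LINK_BR
+}
+
 netjail_node_add_nat() {
-NODE=$1
-ADDRESS=$2
-MASK=$3
+local NODE=$1
+local ADDRESS=$2
+local MASK=$3
 
 ip netns exec $NODE iptables -t nat -A POSTROUTING -s "$ADDRESS/$MASK" -j MASQUERADE
 }
 
 netjail_node_add_default() {
-NODE=$1
-ADDRESS=$2
+local NODE=$1
+local ADDRESS=$2
 
 ip -n $NODE route add default via $ADDRESS
 }
 
 netjail_node_exec() {
-NODE=$1
-FD_IN=$2
-FD_OUT=$3
+local NODE=$1
+local FD_IN=$2
+local FD_OUT=$3
 shift 3
 
 unshare -fp --kill-child -- ip netns exec $NODE sudo -u $JAILOR -- $@ 1>& $FD_OUT 0<& $FD_IN
 }
 
+netjail_kill() {
+local PID=$1
+local MATCH=$(ps --pid $PID | awk "{ if ( \$1 == $PID ) { print \$1 } }" | wc -l)
+
+if [ $MATCH -gt 0 ]; then
+kill -n 19 $PID
+
+for CHILD in $(ps -o pid,ppid -ax | awk "{ if ( \$2 == $PID ) { print \$1 } }"); do
+netjail_kill $CHILD
+done
+
+kill $PID
+fi
+}
+
+netjail_killall() {
+if [ $# -gt 0 ]; then
+local PIDS=$1
+
+for PID in $PIDS; do
+netjail_kill $PID
+done
+fi
+}
+
+netjail_waitall() {
+if [ $# -gt 0 ]; then
+local PIDS=$1
+
+for PID in $PIDS; do
+wait $PID
+done
+fi
+}
+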
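Review bot: netjail_check_bin (new line 48) finds the binary by listing every $PATH directory and grepping for `^$PROGRAM$`, so a name containing regex metacharacters, or a PATH entry that does not exist (ls then fails and writes to stderr), yields a wrong verdict; the shell already provides this lookup, `command -v -- "$PROGRAM" >/dev/null 2>&1 || { echo "Required binary not found: $PROGRAM" >&2; exit 1; }`, which also removes the unquoted `$PATH` word-split. The same shape appears in netjail_kill (new lines 143 and 148), where $PID is spliced into the awk program text; passing it as data, `awk -v pid="$PID" '$2 == pid { print $1 }'`, keeps a non-numeric argument from being parsed as awk code and drops the ps|awk|wc pipeline in favour of `kill -0 -- "$PID"` for the existence test. These helpers run as root under sudo, so keeping the argument/program boundary intact is worth the small change.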