diff options
Diffstat (limited to 'contrib/scripts/netjail/netjail_core.sh')
| -rwxr-xr-x | contrib/scripts/netjail/netjail_core.sh | 57 |
1 files changed, 41 insertions, 16 deletions
diff --git a/contrib/scripts/netjail/netjail_core.sh b/contrib/scripts/netjail/netjail_core.sh index d070f7220..d53315052 100755 --- a/contrib/scripts/netjail/netjail_core.sh +++ b/contrib/scripts/netjail/netjail_core.sh | |||
| @@ -2,6 +2,7 @@ | |||
| 2 | # | 2 | # |
| 3 | 3 | ||
| 4 | JAILOR=${SUDO_USER:?must run in sudo} | 4 | JAILOR=${SUDO_USER:?must run in sudo} |
| 5 | PREFIX=${PPID:?must run from a parent process} | ||
| 5 | 6 | ||
| 6 | # running with `sudo` is required to be | 7 | # running with `sudo` is required to be |
| 7 | # able running the actual commands as the | 8 | # able running the actual commands as the |
| @@ -9,6 +10,22 @@ JAILOR=${SUDO_USER:?must run in sudo} | |||
| 9 | 10 | ||
| 10 | export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" | 11 | export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" |
| 11 | 12 | ||
| 13 | export RESULT= | ||
| 14 | export NAMESPACE_NUM=0 | ||
| 15 | export INTERFACE_NUM=0 | ||
| 16 | |||
| 17 | netjail_next_namespace() { | ||
| 18 | local NUM=$NAMESPACE_NUM | ||
| 19 | NAMESPACE_NUM=$(($NAMESPACE_NUM + 1)) | ||
| 20 | RESULT=$NUM | ||
| 21 | } | ||
| 22 | |||
| 23 | netjail_next_interface() { | ||
| 24 | local NUM=$INTERFACE_NUM | ||
| 25 | INTERFACE_NUM=$(($INTERFACE_NUM + 1)) | ||
| 26 | RESULT=$NUM | ||
| 27 | } | ||
| 28 | |||
| 12 | netjail_opt() { | 29 | netjail_opt() { |
| 13 | local OPT=$1 | 30 | local OPT=$1 |
| 14 | shift 1 | 31 | shift 1 |
| @@ -17,7 +34,7 @@ netjail_opt() { | |||
| 17 | 34 | ||
| 18 | while [ $# -gt 0 ]; do | 35 | while [ $# -gt 0 ]; do |
| 19 | if [ "$1" = "$OPT" ]; then | 36 | if [ "$1" = "$OPT" ]; then |
| 20 | printf "%d" $INDEX | 37 | RESULT=$INDEX |
| 21 | return | 38 | return |
| 22 | fi | 39 | fi |
| 23 | 40 | ||
| @@ -25,7 +42,7 @@ netjail_opt() { | |||
| 25 | shift 1 | 42 | shift 1 |
| 26 | done | 43 | done |
| 27 | 44 | ||
| 28 | printf "%d" 0 | 45 | RESULT=0 |
| 29 | } | 46 | } |
| 30 | 47 | ||
| 31 | netjail_opts() { | 48 | netjail_opts() { |
| @@ -42,7 +59,7 @@ netjail_opts() { | |||
| 42 | shift 1 | 59 | shift 1 |
| 43 | done | 60 | done |
| 44 | 61 | ||
| 45 | printf "$DEF" | 62 | RESULT="$DEF" |
| 46 | } | 63 | } |
| 47 | 64 | ||
| 48 | netjail_check() { | 65 | netjail_check() { |
| @@ -73,15 +90,15 @@ netjail_check_bin() { | |||
| 73 | fi | 90 | fi |
| 74 | } | 91 | } |
| 75 | 92 | ||
| 76 | netjail_print_name() { | ||
| 77 | printf "%s%02x%02x" $1 $2 ${3:-0} | ||
| 78 | } | ||
| 79 | |||
| 80 | netjail_bridge() { | 93 | netjail_bridge() { |
| 81 | local BRIDGE=$1 | 94 | netjail_next_interface |
| 95 | local NUM=$RESULT | ||
| 96 | local BRIDGE=$(printf "%06x-%08x" $PREFIX $NUM) | ||
| 82 | 97 | ||
| 83 | ip link add $BRIDGE type bridge | 98 | ip link add $BRIDGE type bridge |
| 84 | ip link set dev $BRIDGE up | 99 | ip link set dev $BRIDGE up |
| 100 | |||
| 101 | RESULT=$BRIDGE | ||
| 85 | } | 102 | } |
| 86 | 103 | ||
| 87 | netjail_bridge_clear() { | 104 | netjail_bridge_clear() { |
| @@ -91,9 +108,13 @@ netjail_bridge_clear() { | |||
| 91 | } | 108 | } |
| 92 | 109 | ||
| 93 | netjail_node() { | 110 | netjail_node() { |
| 94 | local NODE=$1 | 111 | netjail_next_namespace |
| 112 | local NUM=$RESULT | ||
| 113 | local NODE=$(printf "%06x-%08x" $PREFIX $NUM) | ||
| 95 | 114 | ||
| 96 | ip netns add $NODE | 115 | ip netns add $NODE |
| 116 | |||
| 117 | RESULT=$NODE | ||
| 97 | } | 118 | } |
| 98 | 119 | ||
| 99 | netjail_node_clear() { | 120 | netjail_node_clear() { |
| @@ -108,8 +129,13 @@ netjail_node_link_bridge() { | |||
| 108 | local ADDRESS=$3 | 129 | local ADDRESS=$3 |
| 109 | local MASK=$4 | 130 | local MASK=$4 |
| 110 | 131 | ||
| 111 | local LINK_IF="$NODE-$BRIDGE-0" | 132 | netjail_next_interface |
| 112 | local LINK_BR="$NODE-$BRIDGE-1" | 133 | local NUM_IF=$RESULT |
| 134 | netjail_next_interface | ||
| 135 | local NUM_BR=$RESULT | ||
| 136 | |||
| 137 | local LINK_IF=$(printf "%06x-%08x" $PREFIX $NUM_IF) | ||
| 138 | local LINK_BR=$(printf "%06x-%08x" $PREFIX $NUM_BR) | ||
| 113 | 139 | ||
| 114 | ip link add $LINK_IF type veth peer name $LINK_BR | 140 | ip link add $LINK_IF type veth peer name $LINK_BR |
| 115 | ip link set $LINK_IF netns $NODE | 141 | ip link set $LINK_IF netns $NODE |
| @@ -120,13 +146,12 @@ netjail_node_link_bridge() { | |||
| 120 | ip -n $NODE link set up dev lo | 146 | ip -n $NODE link set up dev lo |
| 121 | 147 | ||
| 122 | ip link set $LINK_BR up | 148 | ip link set $LINK_BR up |
| 149 | |||
| 150 | RESULT=$LINK_BR | ||
| 123 | } | 151 | } |
| 124 | 152 | ||
| 125 | netjail_node_unlink_bridge() { | 153 | netjail_node_unlink_bridge() { |
| 126 | local NODE=$1 | 154 | local LINK_BR=$1 |
| 127 | local BRIDGE=$2 | ||
| 128 | |||
| 129 | local LINK_BR="$NODE-$BRIDGE-1" | ||
| 130 | 155 | ||
| 131 | ip link delete $LINK_BR | 156 | ip link delete $LINK_BR |
| 132 | } | 157 | } |
| @@ -152,7 +177,7 @@ netjail_node_exec() { | |||
| 152 | local FD_OUT=$3 | 177 | local FD_OUT=$3 |
| 153 | shift 3 | 178 | shift 3 |
| 154 | 179 | ||
| 155 | unshare -fp --kill-child -- ip netns exec $NODE sudo -u $JAILOR -- $@ 1>& $FD_OUT 0<& $FD_IN | 180 | ip netns exec $NODE sudo -u $JAILOR -- $@ 1>& $FD_OUT 0<& $FD_IN |
| 156 | } | 181 | } |
| 157 | 182 | ||
| 158 | netjail_kill() { | 183 | netjail_kill() { |