Diffstat (limited to 'contrib')
-rwxr-xr-x | contrib/scripts/netjail/netjail_core.sh | 117 | ||||
-rwxr-xr-x | contrib/scripts/netjail/netjail_setup_internet.sh | 78 |
2 files changed, 163 insertions, 32 deletions
diff --git a/contrib/scripts/netjail/netjail_core.sh b/contrib/scripts/netjail/netjail_core.sh index 6a18ea902..1cdbca816 100755 --- a/contrib/scripts/netjail/netjail_core.sh +++ b/contrib/scripts/netjail/netjail_core.sh | |||
@@ -9,10 +9,28 @@ JAILOR=${SUDO_USER:?must run in sudo} | |||
9 | 9 | ||
10 | export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" | 10 | export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" |
11 | 11 | ||
12 | netjail_check() { | 12 | netjail_opt() { |
13 | NODE_COUNT=$1 | 13 | local OPT=$1 |
14 | shift 1 | ||
15 | |||
16 | INDEX=1 | ||
17 | |||
18 | while [ $# -gt 0 ]; do | ||
19 | if [ "$1" = "$OPT" ]; then | ||
20 | printf "%d" $INDEX | ||
21 | return | ||
22 | fi | ||
23 | |||
24 | INDEX=$(($INDEX + 1)) | ||
25 | shift 1 | ||
26 | done | ||
14 | 27 | ||
15 | FD_COUNT=$(($(ls /proc/self/fd | wc -w) - 4)) | 28 | printf "%d" 0 |
29 | } | ||
30 | |||
31 | netjail_check() { | ||
32 | local NODE_COUNT=$1 | ||
33 | local FD_COUNT=$(($(ls /proc/self/fd | wc -w) - 4)) | ||
16 | 34 | ||
17 | # quit if `$FD_COUNT < ($LOCAL_M * $GLOBAL_N * 2)`: | 35 | # quit if `$FD_COUNT < ($LOCAL_M * $GLOBAL_N * 2)`: |
18 | # the script also requires `sudo -C ($FD_COUNT + 4)` | 36 | # the script also requires `sudo -C ($FD_COUNT + 4)` |
@@ -25,43 +43,56 @@ netjail_check() { | |||
25 | fi | 43 | fi |
26 | } | 44 | } |
27 | 45 | ||
46 | netjail_check_bin() { | ||
47 | local PROGRAM=$1 | ||
48 | local MATCH=$(ls $(echo $PATH | tr ":" "\n") | grep "^$PROGRAM\$" | tr "\n" " " | awk '{ print $1 }') | ||
49 | |||
50 | # quit if the required binary $PROGRAM can not be | ||
51 | # found in the used $PATH. | ||
52 | |||
53 | if [ "$MATCH" != "$PROGRAM" ]; then | ||
54 | echo "Required binary not found: $PROGRAM" >&2 | ||
55 | exit 1 | ||
56 | fi | ||
57 | } | ||
58 | |||
28 | netjail_print_name() { | 59 | netjail_print_name() { |
29 | printf "%s%02x%02x" $1 $2 ${3:-0} | 60 | printf "%s%02x%02x" $1 $2 ${3:-0} |
30 | } | 61 | } |
31 | 62 | ||
32 | netjail_bridge() { | 63 | netjail_bridge() { |
33 | BRIDGE=$1 | 64 | local BRIDGE=$1 |
34 | 65 | ||
35 | ip link add $BRIDGE type bridge | 66 | ip link add $BRIDGE type bridge |
36 | ip link set dev $BRIDGE up | 67 | ip link set dev $BRIDGE up |
37 | } | 68 | } |
38 | 69 | ||
39 | netjail_bridge_clear() { | 70 | netjail_bridge_clear() { |
40 | BRIDGE=$1 | 71 | local BRIDGE=$1 |
41 | 72 | ||
42 | ip link delete $BRIDGE | 73 | ip link delete $BRIDGE |
43 | } | 74 | } |
44 | 75 | ||
45 | netjail_node() { | 76 | netjail_node() { |
46 | NODE=$1 | 77 | local NODE=$1 |
47 | 78 | ||
48 | ip netns add $NODE | 79 | ip netns add $NODE |
49 | } | 80 | } |
50 | 81 | ||
51 | netjail_node_clear() { | 82 | netjail_node_clear() { |
52 | NODE=$1 | 83 | local NODE=$1 |
53 | 84 | ||
54 | ip netns delete $NODE | 85 | ip netns delete $NODE |
55 | } | 86 | } |
56 | 87 | ||
57 | netjail_node_link_bridge() { | 88 | netjail_node_link_bridge() { |
58 | NODE=$1 | 89 | local NODE=$1 |
59 | BRIDGE=$2 | 90 | local BRIDGE=$2 |
60 | ADDRESS=$3 | 91 | local ADDRESS=$3 |
61 | MASK=$4 | 92 | local MASK=$4 |
62 | 93 | ||
63 | LINK_IF="$NODE-$BRIDGE-0" | 94 | local LINK_IF="$NODE-$BRIDGE-0" |
64 | LINK_BR="$NODE-$BRIDGE-1" | 95 | local LINK_BR="$NODE-$BRIDGE-1" |
65 | 96 | ||
66 | ip link add $LINK_IF type veth peer name $LINK_BR | 97 | ip link add $LINK_IF type veth peer name $LINK_BR |
67 | ip link set $LINK_IF netns $NODE | 98 | ip link set $LINK_IF netns $NODE |
@@ -74,27 +105,71 @@ netjail_node_link_bridge() { | |||
74 | ip link set $LINK_BR up | 105 | ip link set $LINK_BR up |
75 | } | 106 | } |
76 | 107 | ||
108 | netjail_node_unlink_bridge() { | ||
109 | local NODE=$1 | ||
110 | local BRIDGE=$2 | ||
111 | |||
112 | local LINK_BR="$NODE-$BRIDGE-1" | ||
113 | |||
114 | ip link delete $LINK_BR | ||
115 | } | ||
116 | |||
77 | netjail_node_add_nat() { | 117 | netjail_node_add_nat() { |
78 | NODE=$1 | 118 | local NODE=$1 |
79 | ADDRESS=$2 | 119 | local ADDRESS=$2 |
80 | MASK=$3 | 120 | local MASK=$3 |
81 | 121 | ||
82 | ip netns exec $NODE iptables -t nat -A POSTROUTING -s "$ADDRESS/$MASK" -j MASQUERADE | 122 | ip netns exec $NODE iptables -t nat -A POSTROUTING -s "$ADDRESS/$MASK" -j MASQUERADE |
83 | } | 123 | } |
84 | 124 | ||
85 | netjail_node_add_default() { | 125 | netjail_node_add_default() { |
86 | NODE=$1 | 126 | local NODE=$1 |
87 | ADDRESS=$2 | 127 | local ADDRESS=$2 |
88 | 128 | ||
89 | ip -n $NODE route add default via $ADDRESS | 129 | ip -n $NODE route add default via $ADDRESS |
90 | } | 130 | } |
91 | 131 | ||
92 | netjail_node_exec() { | 132 | netjail_node_exec() { |
93 | NODE=$1 | 133 | local NODE=$1 |
94 | FD_IN=$2 | 134 | local FD_IN=$2 |
95 | FD_OUT=$3 | 135 | local FD_OUT=$3 |
96 | shift 3 | 136 | shift 3 |
97 | 137 | ||
98 | unshare -fp --kill-child -- ip netns exec $NODE sudo -u $JAILOR -- $@ 1>& $FD_OUT 0<& $FD_IN | 138 | unshare -fp --kill-child -- ip netns exec $NODE sudo -u $JAILOR -- $@ 1>& $FD_OUT 0<& $FD_IN |
99 | } | 139 | } |
100 | 140 | ||
141 | netjail_kill() { | ||
142 | local PID=$1 | ||
143 | local MATCH=$(ps --pid $PID | awk "{ if ( \$1 == $PID ) { print \$1 } }" | wc -l) | ||
144 | |||
145 | if [ $MATCH -gt 0 ]; then | ||
146 | kill -n 19 $PID | ||
147 | |||
148 | for CHILD in $(ps -o pid,ppid -ax | awk "{ if ( \$2 == $PID ) { print \$1 } }"); do | ||
149 | netjail_kill $CHILD | ||
150 | done | ||
151 | |||
152 | kill $PID | ||
153 | fi | ||
154 | } | ||
155 | |||
156 | netjail_killall() { | ||
157 | if [ $# -gt 0 ]; then | ||
158 | local PIDS=$1 | ||
159 | |||
160 | for PID in $PIDS; do | ||
161 | netjail_kill $PID | ||
162 | done | ||
163 | fi | ||
164 | } | ||
165 | |||
166 | netjail_waitall() { | ||
167 | if [ $# -gt 0 ]; then | ||
168 | local PIDS=$1 | ||
169 | |||
170 | for PID in $PIDS; do | ||
171 | wait $PID | ||
172 | done | ||
173 | fi | ||
174 | } | ||
175 | |||
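Review bot: `netjail_check_bin` (new lines 46–57) resolves the program by listing every `$PATH` directory and grepping for `^$PROGRAM$`, which treats the name as a regex, prints `ls` errors for PATH entries that do not exist, never checks the execute bit, and rejects a relative or absolute path even though `netjail_node_exec` would happily run one; replacing the `MATCH` line and the test with `if ! command -v -- "$PROGRAM" >/dev/null 2>&1; then` does the lookup the shell itself performs (with the caveat that `command -v` also accepts functions and builtins, which the `sudo -u` exec in `netjail_node_exec` would not). In `netjail_kill` (lines 141–154), `kill -n 19 $PID` hard-codes the x86 signal number for SIGSTOP, which differs on other architectures; `kill -STOP "$PID"` is the portable spelling. A process that has installed its own SIGTERM handler cannot run that handler while stopped, so presumably the final `kill $PID` should be followed by `kill -CONT "$PID"` — worth confirming against how `sudo` and `unshare --kill-child` relay signals to the jailed program.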
diff --git a/contrib/scripts/netjail/netjail_setup_internet.sh b/contrib/scripts/netjail/netjail_setup_internet.sh index d99709555..de8ef8f15 100755 --- a/contrib/scripts/netjail/netjail_setup_internet.sh +++ b/contrib/scripts/netjail/netjail_setup_internet.sh | |||
@@ -9,16 +9,30 @@ export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" | |||
9 | LOCAL_M=$1 | 9 | LOCAL_M=$1 |
10 | GLOBAL_N=$2 | 10 | GLOBAL_N=$2 |
11 | 11 | ||
12 | # TODO: stunserver? ..and globally known peer? | 12 | # TODO: globally known peer? |
13 | 13 | ||
14 | shift 2 | 14 | shift 2 |
15 | 15 | ||
16 | netjail_check $(($LOCAL_M * $GLOBAL_N)) | 16 | netjail_check $(($LOCAL_M * $GLOBAL_N)) |
17 | 17 | ||
18 | # Starts optionally 'stunserver' on "92.68.150.$(($GLOBAL_N + 1))": | ||
19 | STUN=$(netjail_opt '--stun' $@) | ||
20 | |||
21 | if [ $STUN -gt 0 ]; then | ||
22 | netjail_check_bin stunserver | ||
23 | |||
24 | shift 1 | ||
25 | |||
26 | STUN_NODE=$(netjail_print_name "S" 254) | ||
27 | fi | ||
28 | |||
29 | netjail_check_bin $1 | ||
30 | |||
18 | LOCAL_GROUP="192.168.15" | 31 | LOCAL_GROUP="192.168.15" |
19 | GLOBAL_GROUP="92.68.150" | 32 | GLOBAL_GROUP="92.68.150" |
20 | 33 | ||
21 | echo "Start [local: $LOCAL_GROUP.0/24, global: $GLOBAL_GROUP.0/24]" | 34 | CLEANUP=0 |
35 | echo "Start [local: $LOCAL_GROUP.0/24, global: $GLOBAL_GROUP.0/24, stun: $STUN]" | ||
22 | 36 | ||
23 | NETWORK_NET=$(netjail_print_name "n" $GLOBAL_N $LOCAL_M) | 37 | NETWORK_NET=$(netjail_print_name "n" $GLOBAL_N $LOCAL_M) |
24 | 38 | ||
@@ -53,6 +67,17 @@ for N in $(seq $GLOBAL_N); do | |||
53 | done | 67 | done |
54 | done | 68 | done |
55 | 69 | ||
70 | WAITING="" | ||
71 | KILLING="" | ||
72 | |||
73 | if [ $STUN -gt 0 ]; then | ||
74 | netjail_node $STUN_NODE | ||
75 | netjail_node_link_bridge $STUN_NODE $NETWORK_NET "$GLOBAL_GROUP.254" 24 | ||
76 | |||
77 | netjail_node_exec $STUN_NODE 0 1 stunserver & | ||
78 | KILLING="$!" | ||
79 | fi | ||
80 | |||
56 | for N in $(seq $GLOBAL_N); do | 81 | for N in $(seq $GLOBAL_N); do |
57 | for M in $(seq $LOCAL_M); do | 82 | for M in $(seq $LOCAL_M); do |
58 | NODE=$(netjail_print_name "N" $N $M) | 83 | NODE=$(netjail_print_name "N" $N $M) |
@@ -62,20 +87,51 @@ for N in $(seq $GLOBAL_N); do | |||
62 | FD_Y=$(($INDEX * 2 + 3 + 1)) | 87 | FD_Y=$(($INDEX * 2 + 3 + 1)) |
63 | 88 | ||
64 | netjail_node_exec $NODE $FD_X $FD_Y $@ & | 89 | netjail_node_exec $NODE $FD_X $FD_Y $@ & |
90 | WAITING="$! $WAITING" | ||
65 | done | 91 | done |
66 | done | 92 | done |
67 | 93 | ||
68 | wait | 94 | cleanup() { |
95 | if [ $STUN -gt 0 ]; then | ||
96 | STUN_NODE=$(netjail_print_name "S" 254) | ||
69 | 97 | ||
70 | for N in $(seq $GLOBAL_N); do | 98 | netjail_node_unlink_bridge $STUN_NODE $NETWORK_NET |
71 | for M in $(seq $LOCAL_M); do | 99 | netjail_node_clear $STUN_NODE |
72 | netjail_node_clear $(netjail_print_name "N" $N $M) | 100 | fi |
101 | |||
102 | for N in $(seq $GLOBAL_N); do | ||
103 | ROUTER_NET=$(netjail_print_name "r" $N) | ||
104 | |||
105 | for M in $(seq $LOCAL_M); do | ||
106 | NODE=$(netjail_print_name "N" $N $M) | ||
107 | |||
108 | netjail_node_unlink_bridge $NODE $ROUTER_NET | ||
109 | netjail_node_clear $NODE | ||
110 | done | ||
111 | |||
112 | ROUTER=$(netjail_print_name "R" $N) | ||
113 | |||
114 | netjail_bridge_clear $ROUTER_NET | ||
115 | netjail_node_unlink_bridge $ROUTER $NETWORK_NET | ||
116 | netjail_node_clear $ROUTER | ||
73 | done | 117 | done |
74 | |||
75 | netjail_bridge_clear $(netjail_print_name "r" $N) | ||
76 | netjail_node_clear $(netjail_print_name "R" $N) | ||
77 | done | ||
78 | 118 | ||
79 | netjail_bridge_clear $NETWORK_NET | 119 | netjail_bridge_clear $NETWORK_NET |
120 | } | ||
121 | |||
122 | trapped_cleanup() { | ||
123 | netjail_killall $WAITING | ||
124 | netjail_killall $KILLING | ||
125 | |||
126 | cleanup | ||
127 | } | ||
128 | |||
129 | trap 'trapped_cleanup' 2 | ||
130 | |||
131 | netjail_waitall $WAITING | ||
132 | netjail_killall $KILLING | ||
133 | wait | ||
134 | |||
135 | cleanup | ||
80 | 136 | ||
81 | echo "Done" | 137 | echo "Done" |
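Review bot: The `--stun` handling at new lines 19–24 treats any non-zero index from `netjail_opt` as "present" but then does an unconditional `shift 1`, so when `--stun` is not the first remaining argument the shift drops the program name instead, `netjail_check_bin $1` checks the wrong word, and `--stun` is passed to `netjail_node_exec` as part of the command; the test should be `if [ "$STUN" -eq 1 ]; then` (or abort with a usage error when `$STUN -gt 1`) so the assumption matches the shift. The comment on line 18 names `92.68.150.$(($GLOBAL_N + 1))` while line 75 links the STUN node at `$GLOBAL_GROUP.254`; make it match, e.g. `# Optionally starts 'stunserver' on "$GLOBAL_GROUP.254":`. The trap at line 129 is installed only for signal 2 and only after all jobs have been started, so a SIGTERM/SIGHUP, or an interrupt during setup, leaves the namespaces and bridges behind; `trap 'trapped_cleanup' INT TERM HUP` placed before the first `netjail_node` call would cover those paths. Because `trapped_cleanup` returns without exiting, the script falls through to lines 131–135 after the handler and runs `cleanup` a second time against already-deleted interfaces; `CLEANUP=0` at line 34 looks like an intended guard but is never read in the visible hunks, so either exit from the handler or have `cleanup` check and set that flag.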