Diffstat (limited to 'scripts/netjail/netjail_start.sh')
-rwxr-xr-x | scripts/netjail/netjail_start.sh | 167 |
1 files changed, 167 insertions, 0 deletions
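diff --git a/scripts/netjail/netjail_start.sh b/scripts/netjail/netjail_start.sh
new file mode 100755
index 000000000..35e51abb4
--- /dev/null
+++ b/scripts/netjail/netjail_start.sh
@@ -0,0 +1,167 @@
+#!/bin/bash
+. "$(dirname $0)/netjail_core.sh"
+. "$(dirname $0)/topo.sh"
+
+set -eu
+set -x
+
+export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+
+filename=$1
+PREFIX=$2
+readfile=$3
+
+BROADCAST=0
+
+if [ $readfile -eq 0 ]
+then
+read_topology_string "$filename"
+else
+echo read file
+read_topology $filename
+fi
+
+shift 2
+
+LOCAL_GROUP="192.168.15"
+GLOBAL_GROUP="92.68.150"
+KNOWN_GROUP="92.68.151"
+# Use the IP addresses below instead of the public ones,
+# if the script was not started from within a new namespace
+# created by unshare. The UPNP test case needs public IP
+# addresse for miniupnpd to function.
+# FIXME The ip addresses are used in the c code too. We should
+# introduce a switch indicating if public addresses should be
+# used or not. This info has to be propagated to the c code.
+#GLOBAL_GROUP="172.16.150"
+#KNOWN_GROUP="172.16.151"
+
+if [ $BROADCAST -eq 0 ]; then
+PORT="60002"
+else
+PORT="2086"
+fi
+
+echo "Start [local: $LOCAL_GROUP.0/24, global: $GLOBAL_GROUP.0/16]"
+
+netjail_bridge
+NETWORK_NET=$RESULT
+
+for X in $(seq $KNOWN); do
+netjail_node
+KNOWN_NODES[$X]=$RESULT
+netjail_node_link_bridge ${KNOWN_NODES[$X]} $NETWORK_NET "$KNOWN_GROUP.$X" 16
+KNOWN_LINKS[$X]=$RESULT
+
+# Execute echo 1 > /proc/sys/net/netfilter/nf_log_all_netns to make itables log to the host.
+#ip netns exec ${KNOWN_NODES[$X]} iptables -A INPUT -j LOG --log-prefix '** Known ${KNOWN_NODES[$X]} **'
+#ip netns exec ${KNOWN_NODES[$X]} iptables -A OUTPUT -j LOG --log-prefix '** Known ${KNOWN_NODES[$X]} **'
+ip netns exec ${KNOWN_NODES[$X]} iptables -A OUTPUT -p icmp -j ACCEPT
+ip netns exec ${KNOWN_NODES[$X]} iptables -A INPUT -p icmp -j ACCEPT
+
+done
+
+declare -A NODES
+declare -A NODE_LINKS
+
+for N in $(seq $GLOBAL_N); do
+netjail_node
+ROUTERS[$N]=$RESULT
+netjail_node_link_bridge ${ROUTERS[$N]} $NETWORK_NET "$GLOBAL_GROUP.$N" 16
+ROUTER_EXT_IF[$N]=$RESULT
+netjail_bridge
+ROUTER_NETS[$N]=$RESULT
+
+#ip netns exec ${ROUTERS[$N]} iptables -A INPUT -j LOG --log-prefix '** Router ${ROUTERS[$N]} **'
+ip netns exec ${ROUTERS[$N]} iptables -A INPUT -p icmp -j ACCEPT
+ip netns exec ${ROUTERS[$N]} iptables -t nat -A PREROUTING -p icmp -d $GLOBAL_GROUP.$N -j DNAT --to $LOCAL_GROUP.1
+ip netns exec ${ROUTERS[$N]} iptables -A FORWARD -p icmp -d $LOCAL_GROUP.1 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
+#ip netns exec ${ROUTERS[$N]} iptables -A OUTPUT -j LOG --log-prefix '** Router ${ROUTERS[$N]} **'
+ip netns exec ${ROUTERS[$N]} iptables -A OUTPUT -p icmp -j ACCEPT
+
+for M in $(seq $LOCAL_M); do
+netjail_node
+NODES[$N,$M]=$RESULT
+netjail_node_link_bridge ${NODES[$N,$M]} ${ROUTER_NETS[$N]} "$LOCAL_GROUP.$M" 24
+NODE_LINKS[$N,$M]=$RESULT
+
+#ip netns exec ${NODES[$N,$M]} iptables -A INPUT -j LOG --log-prefix '** Node ${NODES[$N,$M]} **'
+#ip netns exec ${NODES[$N,$M]} iptables -A OUTPUT -j LOG --log-prefix '** Node ${NODES[$N,$M]} **'
+ip netns exec ${NODES[$N,$M]} iptables -A OUTPUT -p icmp -j ACCEPT
+ip netns exec ${NODES[$N,$M]} iptables -A INPUT -p icmp -j ACCEPT
+done
+
+ROUTER_ADDR="$LOCAL_GROUP.$(($LOCAL_M+1))"
+
+let X=$KNOWN+1
+ip netns exec ${ROUTERS[$N]} ip route add "$KNOWN_GROUP.$X" dev ${ROUTER_EXT_IF[$N]}
+ip netns exec ${ROUTERS[$N]} ip route add default via "$KNOWN_GROUP.$X"
+
+
+netjail_node_link_bridge ${ROUTERS[$N]} ${ROUTER_NETS[$N]} $ROUTER_ADDR 24
+ROUTER_LINKS[$N]=$RESULT
+
+netjail_node_add_nat ${ROUTERS[$N]} $ROUTER_ADDR 24
+
+for M in $(seq $LOCAL_M); do
+netjail_node_add_default ${NODES[$N,$M]} $ROUTER_ADDR
+done
+
+# TODO Topology configuration must be enhanced to configure forwarding to more than one subnet node via different ports.
+
+if [ "1" == "${R_TCP[$N]}" ]
+then
+#ip netns exec ${ROUTERS[$N]} nft add rule ip nat prerouting ip daddr $GLOBAL_GROUP.$N tcp dport 60002 counter dnat to $LOCAL_GROUP.1
+#ip netns exec ${ROUTERS[$N]} nft add rule ip filter FORWARD ip daddr $LOCAL_GROUP.1 ct state new,related,established counter accept
+if [ "0" == "${R_TCP_ALLOWED_NUMBER[$N]}" ]; then
+ip netns exec ${ROUTERS[$N]} iptables -t nat -A PREROUTING -p tcp -d $GLOBAL_GROUP.$N --dport 60002 -j DNAT --to $LOCAL_GROUP.1
+else
+delimiter=","
+sources=$GLOBAL_GROUP."${R_TCP_ALLOWED[$N,1,1]}"
+if [ "1" -lt "${R_TCP_ALLOWED_NUMBER[$N]}" ]
+then
+for ((i = 2; i <= ${R_TCP_ALLOWED_NUMBER[$N]}; i++))
+do
+echo $i
+temp=$delimiter$GLOBAL_GROUP."${R_TCP_ALLOWED[$N,$i,1]}"
+sources=$sources$temp
+done
+fi
+echo $sources
+ip netns exec ${ROUTERS[$N]} iptables -t nat -A PREROUTING -p tcp -s $sources -d $GLOBAL_GROUP.$N --dport 60002 -j DNAT --to $LOCAL_GROUP.1
+fi
+ip netns exec ${ROUTERS[$N]} iptables -A FORWARD -d $LOCAL_GROUP.1 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
+fi
+if [ "1" == "${R_UDP[$N]}" ]
+then
+#ip netns exec ${ROUTERS[$N]} nft add rule ip nat prerouting ip daddr $GLOBAL_GROUP.$N udp dport $PORT counter dnat to $LOCAL_GROUP.1
+#ip netns exec ${ROUTERS[$N]} nft add rule ip filter FORWARD ip daddr $LOCAL_GROUP.1 ct state new,related,established counter accept
+if [ "0" == "${R_UDP_ALLOWED_NUMBER[$N]}" ]; then
+ip netns exec ${ROUTERS[$N]} iptables -t nat -A PREROUTING -p udp -d $GLOBAL_GROUP.$N --dport $PORT -j DNAT --to $LOCAL_GROUP.1
+else
+delimiter=","
+sources=$GLOBAL_GROUP."${R_UDP_ALLOWED[$N,1,1]}"
+if [ "1" -lt "${R_UDP_ALLOWED_NUMBER[$N]}" ]
+then
+for ((i = 2; i <= ${R_UDP_ALLOWED_NUMBER[$N]}; i++))
+do
+echo $i
+temp=$delimiter$GLOBAL_GROUP."${R_UDP_ALLOWED[$N,$i,1]}"
+sources=$sources$temp
+done
+fi
+echo $sources
+ip netns exec ${ROUTERS[$N]} iptables -t nat -A PREROUTING -p udp -s $GLOBAL_GROUP.$sources -d $GLOBAL_GROUP.$N --dport $PORT -j DNAT --to $LOCAL_GROUP.1
+fi
+ip netns exec ${ROUTERS[$N]} iptables -A FORWARD -d $LOCAL_GROUP.1 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
+fi
+if [ "" != "${R_SCRIPT[$N]}" ]
+then
+ip netns exec ${ROUTERS[$N]} ./${R_SCRIPT[$N]} ${ROUTER_NETS[$N]} 1
+fi
+done
+
+# We like to have a node acting as a gateway for all router nodes. This is especially needed for sending fake ICMP packets.
+netjail_node
+GATEWAY=$RESULT
+netjail_node_link_bridge $GATEWAY $NETWORK_NET "$KNOWN_GROUP.$X" 16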
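Review bot: The UDP source-restricted DNAT rule on line 154 prepends `$GLOBAL_GROUP.` to `$sources` a second time, although `sources` is already assembled as `$GLOBAL_GROUP."${R_UDP_ALLOWED[$N,1,1]}"` on line 143 (plus further `$GLOBAL_GROUP.`-prefixed entries on line 149), so iptables receives `-s 92.68.150.92.68.150.<x>[,...]`, which is not a valid address and will make the command fail and abort the script under `set -e`; the line should read `... -p udp -s $sources -d $GLOBAL_GROUP.$N --dport $PORT -j DNAT --to $LOCAL_GROUP.1`, matching the TCP branch on line 131. The TCP branch in turn hard-codes `--dport 60002` on lines 117 and 131 while the UDP branch uses `$PORT`, so the `BROADCAST` switch on lines 39-43 only affects UDP; if that is intended, a comment such as `# TCP forwarding always uses 60002; $PORT only selects the UDP port` would save the next reader a search. The `$X` used for the gateway address on line 167 is last assigned by `let X=$KNOWN+1` inside the router loop (line 96); if `GLOBAL_N` is 0 that assignment presumably never runs and `X` still holds the last index from the known-node loop, which would give the gateway the same address as the last known node — worth computing the gateway address explicitly after the loop rather than relying on loop leakage. Several expansions (`$(dirname $0)`, `$filename` on line 21, `${R_SCRIPT[$N]}` on line 160) are unquoted and will break on paths containing whitespace; quoting them costs nothing.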