1 files changed, 167 insertions, 0 deletions
diff --git a/scripts/netjail/netjail_start.sh b/scripts/netjail/netjail_start.sh
new file mode 100755
index 000000000..35e51abb4
--- /dev/null
+++ b/scripts/netjail/netjail_start.sh
@@ -0,0 +1,167 @@
+#!/bin/bash
+. "$(dirname $0)/netjail_core.sh"
+. "$(dirname $0)/topo.sh"
+set -eu
+set -x
+export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+filename=$1
+PREFIX=$2
+readfile=$3
+BROADCAST=0
+if [ $readfile -eq 0 ]
+then
+    read_topology_string "$filename"
+else
+    echo read file
+    read_topology $filename
+fi
+shift 2
+LOCAL_GROUP="192.168.15"
+GLOBAL_GROUP="92.68.150"
+KNOWN_GROUP="92.68.151"
+# Use the IP addresses below instead of the public ones,
+# if the script was not started from within a new namespace
+# created by unshare. The UPNP test case needs public IP
+# addresse for miniupnpd to function.
+# FIXME The ip addresses are used in the c code too. We should
+# introduce a switch indicating if public addresses should be
+# used or not. This info has to be propagated to the c code.
+#GLOBAL_GROUP="172.16.150"
+#KNOWN_GROUP="172.16.151"
+if [ $BROADCAST -eq 0  ]; then
+   PORT="60002"
+else
+    PORT="2086"
+fi
+echo "Start [local: $LOCAL_GROUP.0/24, global: $GLOBAL_GROUP.0/16]"
+netjail_bridge
+NETWORK_NET=$RESULT
+for X in $(seq $KNOWN); do
+        netjail_node
+        KNOWN_NODES[$X]=$RESULT
+        netjail_node_link_bridge ${KNOWN_NODES[$X]} $NETWORK_NET "$KNOWN_GROUP.$X" 16
+        KNOWN_LINKS[$X]=$RESULT
+    # Execute echo 1 > /proc/sys/net/netfilter/nf_log_all_netns to make itables log to the host.
+    #ip netns exec ${KNOWN_NODES[$X]} iptables -A INPUT -j LOG --log-prefix '** Known ${KNOWN_NODES[$X]}  **'
+    #ip netns exec ${KNOWN_NODES[$X]} iptables -A OUTPUT -j LOG --log-prefix '** Known ${KNOWN_NODES[$X]}  **'
+    ip netns exec ${KNOWN_NODES[$X]} iptables -A OUTPUT -p icmp -j ACCEPT
+    ip netns exec ${KNOWN_NODES[$X]} iptables -A INPUT -p icmp -j ACCEPT
+    
+done
+declare -A NODES
+declare -A NODE_LINKS
+for N in $(seq $GLOBAL_N); do
+        netjail_node
+        ROUTERS[$N]=$RESULT
+        netjail_node_link_bridge ${ROUTERS[$N]} $NETWORK_NET "$GLOBAL_GROUP.$N" 16
+        ROUTER_EXT_IF[$N]=$RESULT
+        netjail_bridge
+        ROUTER_NETS[$N]=$RESULT
+    #ip netns exec ${ROUTERS[$N]} iptables -A INPUT -j LOG --log-prefix '** Router ${ROUTERS[$N]}  **'
+    ip netns exec ${ROUTERS[$N]} iptables -A INPUT -p icmp -j ACCEPT
+    ip netns exec ${ROUTERS[$N]} iptables -t nat -A PREROUTING -p icmp -d $GLOBAL_GROUP.$N -j DNAT --to $LOCAL_GROUP.1
+    ip netns exec ${ROUTERS[$N]} iptables -A FORWARD -p icmp -d $LOCAL_GROUP.1  -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
+    #ip netns exec ${ROUTERS[$N]} iptables -A OUTPUT -j LOG --log-prefix '** Router ${ROUTERS[$N]}  **'
+    ip netns exec ${ROUTERS[$N]} iptables -A OUTPUT -p icmp -j ACCEPT
+    
+        for M in $(seq $LOCAL_M); do
+                netjail_node
+                NODES[$N,$M]=$RESULT
+                netjail_node_link_bridge ${NODES[$N,$M]} ${ROUTER_NETS[$N]} "$LOCAL_GROUP.$M" 24
+                NODE_LINKS[$N,$M]=$RESULT
+        #ip netns exec ${NODES[$N,$M]} iptables -A INPUT -j LOG --log-prefix '** Node ${NODES[$N,$M]}  **'
+        #ip netns exec ${NODES[$N,$M]} iptables -A OUTPUT -j LOG --log-prefix '** Node ${NODES[$N,$M]}  **'
+        ip netns exec ${NODES[$N,$M]} iptables -A OUTPUT -p icmp -j ACCEPT
+        ip netns exec ${NODES[$N,$M]} iptables -A INPUT -p icmp -j ACCEPT 
+        done
+        ROUTER_ADDR="$LOCAL_GROUP.$(($LOCAL_M+1))"
+    let X=$KNOWN+1
+    ip netns exec ${ROUTERS[$N]} ip route add "$KNOWN_GROUP.$X" dev ${ROUTER_EXT_IF[$N]}
+    ip netns exec ${ROUTERS[$N]} ip route add default via "$KNOWN_GROUP.$X"
+    
+        netjail_node_link_bridge ${ROUTERS[$N]} ${ROUTER_NETS[$N]} $ROUTER_ADDR 24
+        ROUTER_LINKS[$N]=$RESULT
+        
+        netjail_node_add_nat ${ROUTERS[$N]} $ROUTER_ADDR 24
+        
+        for M in $(seq $LOCAL_M); do
+                netjail_node_add_default ${NODES[$N,$M]} $ROUTER_ADDR
+        done
+    # TODO Topology configuration must be enhanced to configure forwarding to more than one subnet node via different ports.
+    
+    if [ "1" == "${R_TCP[$N]}" ]
+    then
+        #ip netns exec ${ROUTERS[$N]} nft add rule ip nat prerouting ip daddr $GLOBAL_GROUP.$N tcp dport 60002 counter dnat to $LOCAL_GROUP.1
+        #ip netns exec ${ROUTERS[$N]} nft add rule ip filter FORWARD ip daddr $LOCAL_GROUP.1 ct state new,related,established  counter accept
+        if [ "0" == "${R_TCP_ALLOWED_NUMBER[$N]}" ]; then
+            ip netns exec ${ROUTERS[$N]} iptables -t nat -A PREROUTING -p tcp -d $GLOBAL_GROUP.$N --dport 60002 -j DNAT --to $LOCAL_GROUP.1
+        else
+            delimiter=","
+            sources=$GLOBAL_GROUP."${R_TCP_ALLOWED[$N,1,1]}"
+            if [ "1" -lt "${R_TCP_ALLOWED_NUMBER[$N]}" ]
+            then
+               for ((i = 2; i <= ${R_TCP_ALLOWED_NUMBER[$N]}; i++))
+               do
+                   echo $i
+                   temp=$delimiter$GLOBAL_GROUP."${R_TCP_ALLOWED[$N,$i,1]}"
+                   sources=$sources$temp
+               done
+            fi
+            echo $sources
+            ip netns exec ${ROUTERS[$N]} iptables -t nat -A PREROUTING -p tcp -s $sources -d $GLOBAL_GROUP.$N --dport 60002 -j DNAT --to $LOCAL_GROUP.1
+        fi
+        ip netns exec ${ROUTERS[$N]} iptables -A FORWARD -d $LOCAL_GROUP.1  -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
+    fi
+    if [ "1" == "${R_UDP[$N]}" ]
+    then
+        #ip netns exec ${ROUTERS[$N]} nft add rule ip nat prerouting ip daddr $GLOBAL_GROUP.$N udp dport $PORT counter dnat to $LOCAL_GROUP.1
+        #ip netns exec ${ROUTERS[$N]} nft add rule ip filter FORWARD ip daddr $LOCAL_GROUP.1 ct state new,related,established  counter accept
+        if [ "0" == "${R_UDP_ALLOWED_NUMBER[$N]}" ]; then
+            ip netns exec ${ROUTERS[$N]} iptables -t nat -A PREROUTING -p udp -d $GLOBAL_GROUP.$N --dport $PORT -j DNAT --to $LOCAL_GROUP.1
+        else
+            delimiter=","
+            sources=$GLOBAL_GROUP."${R_UDP_ALLOWED[$N,1,1]}"
+            if [ "1" -lt "${R_UDP_ALLOWED_NUMBER[$N]}" ]
+            then
+               for ((i = 2; i <= ${R_UDP_ALLOWED_NUMBER[$N]}; i++))
+               do
+                   echo $i
+                   temp=$delimiter$GLOBAL_GROUP."${R_UDP_ALLOWED[$N,$i,1]}"
+                   sources=$sources$temp
+               done
+            fi
+            echo $sources
+            ip netns exec ${ROUTERS[$N]} iptables -t nat -A PREROUTING -p udp -s $GLOBAL_GROUP.$sources -d $GLOBAL_GROUP.$N --dport $PORT -j DNAT --to $LOCAL_GROUP.1
+        fi
+        ip netns exec ${ROUTERS[$N]} iptables -A FORWARD -d $LOCAL_GROUP.1  -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
+    fi
+    if [ "" != "${R_SCRIPT[$N]}" ]
+    then
+        ip netns exec ${ROUTERS[$N]} ./${R_SCRIPT[$N]} ${ROUTER_NETS[$N]} 1
+    fi
+done
+# We like to have a node acting as a gateway for all router nodes. This is especially needed for sending fake ICMP packets.
+netjail_node
+GATEWAY=$RESULT
+netjail_node_link_bridge $GATEWAY $NETWORK_NET "$KNOWN_GROUP.$X" 16

diff --git a/scripts/netjail/netjail_start.sh b/scripts/netjail/netjail_start.sh new file mode 100755 index 000000000..35e51abb4 --- /dev/null +++ b/scripts/netjail/netjail_start.sh
@@ -0,0 +1,167 @@
	1	#!/bin/bash
	2	. "$(dirname $0)/netjail_core.sh"
	3	. "$(dirname $0)/topo.sh"
	4
	5	set -eu
	6	set -x
	7
	8	export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
	9
	10	filename=$1
	11	PREFIX=$2
	12	readfile=$3
	13
	14	BROADCAST=0
	15
	16	if [ $readfile -eq 0 ]
	17	then
	18	read_topology_string "$filename"
	19	else
	20	echo read file
	21	read_topology $filename
	22	fi
	23
	24	shift 2
	25
	26	LOCAL_GROUP="192.168.15"
	27	GLOBAL_GROUP="92.68.150"
	28	KNOWN_GROUP="92.68.151"
	29	# Use the IP addresses below instead of the public ones,
	30	# if the script was not started from within a new namespace
	31	# created by unshare. The UPNP test case needs public IP
	32	# addresse for miniupnpd to function.
	33	# FIXME The ip addresses are used in the c code too. We should
	34	# introduce a switch indicating if public addresses should be
	35	# used or not. This info has to be propagated to the c code.
	36	#GLOBAL_GROUP="172.16.150"
	37	#KNOWN_GROUP="172.16.151"
	38
	39	if [ $BROADCAST -eq 0 ]; then
	40	PORT="60002"
	41	else
	42	PORT="2086"
	43	fi
	44
	45	echo "Start [local: $LOCAL_GROUP.0/24, global: $GLOBAL_GROUP.0/16]"
	46
	47	netjail_bridge
	48	NETWORK_NET=$RESULT
	49
	50	for X in $(seq $KNOWN); do
	51	netjail_node
	52	KNOWN_NODES[$X]=$RESULT
	53	netjail_node_link_bridge ${KNOWN_NODES[$X]} $NETWORK_NET "$KNOWN_GROUP.$X" 16
	54	KNOWN_LINKS[$X]=$RESULT
	55
	56	# Execute echo 1 > /proc/sys/net/netfilter/nf_log_all_netns to make itables log to the host.
	57	#ip netns exec ${KNOWN_NODES[$X]} iptables -A INPUT -j LOG --log-prefix ' Known ${KNOWN_NODES[$X]} '
	58	#ip netns exec ${KNOWN_NODES[$X]} iptables -A OUTPUT -j LOG --log-prefix ' Known ${KNOWN_NODES[$X]} '
	59	ip netns exec ${KNOWN_NODES[$X]} iptables -A OUTPUT -p icmp -j ACCEPT
	60	ip netns exec ${KNOWN_NODES[$X]} iptables -A INPUT -p icmp -j ACCEPT
	61
	62	done
	63
	64	declare -A NODES
	65	declare -A NODE_LINKS
	66
	67	for N in $(seq $GLOBAL_N); do
	68	netjail_node
	69	ROUTERS[$N]=$RESULT
	70	netjail_node_link_bridge ${ROUTERS[$N]} $NETWORK_NET "$GLOBAL_GROUP.$N" 16
	71	ROUTER_EXT_IF[$N]=$RESULT
	72	netjail_bridge
	73	ROUTER_NETS[$N]=$RESULT
	74
	75	#ip netns exec ${ROUTERS[$N]} iptables -A INPUT -j LOG --log-prefix ' Router ${ROUTERS[$N]} '
	76	ip netns exec ${ROUTERS[$N]} iptables -A INPUT -p icmp -j ACCEPT
	77	ip netns exec ${ROUTERS[$N]} iptables -t nat -A PREROUTING -p icmp -d $GLOBAL_GROUP.$N -j DNAT --to $LOCAL_GROUP.1
	78	ip netns exec ${ROUTERS[$N]} iptables -A FORWARD -p icmp -d $LOCAL_GROUP.1 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
	79	#ip netns exec ${ROUTERS[$N]} iptables -A OUTPUT -j LOG --log-prefix ' Router ${ROUTERS[$N]} '
	80	ip netns exec ${ROUTERS[$N]} iptables -A OUTPUT -p icmp -j ACCEPT
	81
	82	for M in $(seq $LOCAL_M); do
	83	netjail_node
	84	NODES[$N,$M]=$RESULT
	85	netjail_node_link_bridge ${NODES[$N,$M]} ${ROUTER_NETS[$N]} "$LOCAL_GROUP.$M" 24
	86	NODE_LINKS[$N,$M]=$RESULT
	87
	88	#ip netns exec ${NODES[$N,$M]} iptables -A INPUT -j LOG --log-prefix ' Node ${NODES[$N,$M]} '
	89	#ip netns exec ${NODES[$N,$M]} iptables -A OUTPUT -j LOG --log-prefix ' Node ${NODES[$N,$M]} '
	90	ip netns exec ${NODES[$N,$M]} iptables -A OUTPUT -p icmp -j ACCEPT
	91	ip netns exec ${NODES[$N,$M]} iptables -A INPUT -p icmp -j ACCEPT
	92	done
	93
	94	ROUTER_ADDR="$LOCAL_GROUP.$(($LOCAL_M+1))"
	95
	96	let X=$KNOWN+1
	97	ip netns exec ${ROUTERS[$N]} ip route add "$KNOWN_GROUP.$X" dev ${ROUTER_EXT_IF[$N]}
	98	ip netns exec ${ROUTERS[$N]} ip route add default via "$KNOWN_GROUP.$X"
	99
	100
	101	netjail_node_link_bridge ${ROUTERS[$N]} ${ROUTER_NETS[$N]} $ROUTER_ADDR 24
	102	ROUTER_LINKS[$N]=$RESULT
	103
	104	netjail_node_add_nat ${ROUTERS[$N]} $ROUTER_ADDR 24
	105
	106	for M in $(seq $LOCAL_M); do
	107	netjail_node_add_default ${NODES[$N,$M]} $ROUTER_ADDR
	108	done
	109
	110	# TODO Topology configuration must be enhanced to configure forwarding to more than one subnet node via different ports.
	111
	112	if [ "1" == "${R_TCP[$N]}" ]
	113	then
	114	#ip netns exec ${ROUTERS[$N]} nft add rule ip nat prerouting ip daddr $GLOBAL_GROUP.$N tcp dport 60002 counter dnat to $LOCAL_GROUP.1
	115	#ip netns exec ${ROUTERS[$N]} nft add rule ip filter FORWARD ip daddr $LOCAL_GROUP.1 ct state new,related,established counter accept
	116	if [ "0" == "${R_TCP_ALLOWED_NUMBER[$N]}" ]; then
	117	ip netns exec ${ROUTERS[$N]} iptables -t nat -A PREROUTING -p tcp -d $GLOBAL_GROUP.$N --dport 60002 -j DNAT --to $LOCAL_GROUP.1
	118	else
	119	delimiter=","
	120	sources=$GLOBAL_GROUP."${R_TCP_ALLOWED[$N,1,1]}"
	121	if [ "1" -lt "${R_TCP_ALLOWED_NUMBER[$N]}" ]
	122	then
	123	for ((i = 2; i <= ${R_TCP_ALLOWED_NUMBER[$N]}; i++))
	124	do
	125	echo $i
	126	temp=$delimiter$GLOBAL_GROUP."${R_TCP_ALLOWED[$N,$i,1]}"
	127	sources=$sources$temp
	128	done
	129	fi
	130	echo $sources
	131	ip netns exec ${ROUTERS[$N]} iptables -t nat -A PREROUTING -p tcp -s $sources -d $GLOBAL_GROUP.$N --dport 60002 -j DNAT --to $LOCAL_GROUP.1
	132	fi
	133	ip netns exec ${ROUTERS[$N]} iptables -A FORWARD -d $LOCAL_GROUP.1 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
	134	fi
	135	if [ "1" == "${R_UDP[$N]}" ]
	136	then
	137	#ip netns exec ${ROUTERS[$N]} nft add rule ip nat prerouting ip daddr $GLOBAL_GROUP.$N udp dport $PORT counter dnat to $LOCAL_GROUP.1
	138	#ip netns exec ${ROUTERS[$N]} nft add rule ip filter FORWARD ip daddr $LOCAL_GROUP.1 ct state new,related,established counter accept
	139	if [ "0" == "${R_UDP_ALLOWED_NUMBER[$N]}" ]; then
	140	ip netns exec ${ROUTERS[$N]} iptables -t nat -A PREROUTING -p udp -d $GLOBAL_GROUP.$N --dport $PORT -j DNAT --to $LOCAL_GROUP.1
	141	else
	142	delimiter=","
	143	sources=$GLOBAL_GROUP."${R_UDP_ALLOWED[$N,1,1]}"
	144	if [ "1" -lt "${R_UDP_ALLOWED_NUMBER[$N]}" ]
	145	then
	146	for ((i = 2; i <= ${R_UDP_ALLOWED_NUMBER[$N]}; i++))
	147	do
	148	echo $i
	149	temp=$delimiter$GLOBAL_GROUP."${R_UDP_ALLOWED[$N,$i,1]}"
	150	sources=$sources$temp
	151	done
	152	fi
	153	echo $sources
	154	ip netns exec ${ROUTERS[$N]} iptables -t nat -A PREROUTING -p udp -s $GLOBAL_GROUP.$sources -d $GLOBAL_GROUP.$N --dport $PORT -j DNAT --to $LOCAL_GROUP.1
	155	fi
	156	ip netns exec ${ROUTERS[$N]} iptables -A FORWARD -d $LOCAL_GROUP.1 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
	157	fi
	158	if [ "" != "${R_SCRIPT[$N]}" ]
	159	then
	160	ip netns exec ${ROUTERS[$N]} ./${R_SCRIPT[$N]} ${ROUTER_NETS[$N]} 1
	161	fi
	162	done
	163
	164	# We like to have a node acting as a gateway for all router nodes. This is especially needed for sending fake ICMP packets.
	165	netjail_node
	166	GATEWAY=$RESULT
	167	netjail_node_link_bridge $GATEWAY $NETWORK_NET "$KNOWN_GROUP.$X" 16