add new netup script and designnet

- design.md: new design idea to integrate all commands into wjail executable. - netup.sh: add all steps and options as used now. - netupgrade.sh: add upgrade steps that need to move to netup.sh - netdowngrade.sh: add downgrade steps that will move to netup.sh Signed-off-by: Aiden Woodruff <aiden@aidenw.net>
author: Aiden Woodruff <aiden@aidenw.net> 2025-12-28 18:28:21 +0000
committer: Aiden Woodruff <aiden@aidenw.net> 2025-12-28 18:28:21 +0000
commit: d1f9a0bf22485c751b43b9c5c4e019194fd26a4c (patch)
tree: 9bb24d20a7da9679e8e657bc38c96fb610c39a9d
parent: 581d8fdfdc4e33ca480bf0cc614f8ca5ca41ba20 (diff)
download: wjail-net.tar.gz
wjail-net.tar.bz2
wjail-net.zip
4 files changed, 118 insertions, 24 deletions
diff --git a/design.md b/design.md
new file mode 100644
index 0000000..26364d9
--- /dev/null
+++ b/design.md
@@ -0,0 +1,7 @@
+wjail start
+      stop
+      attach
+      net create
+          delete
+          masq
+          unmasq
diff --git a/netdowngrade.sh b/netdowngrade.sh
new file mode 100755
index 0000000..7b5ae3f
--- /dev/null
+++ b/netdowngrade.sh
@@ -0,0 +1,8 @@
+#!/bin/sh
+echo Removing iptables rule
+iptables -t nat -D POSTROUTING -s 10.2.1.1/24 -j MASQUERADE
+echo Remove container default gateway.
+ip netns exec www route del default gw 10.2.1.1
+echo Bring virtual interfaces down.
+ip netns exec www ip link set veth0 down
+ip link set veth-wjail-www down
diff --git a/netup.sh b/netup.sh
index 43a6c08..bd9ded8 100755
--- a/netup.sh
+++ b/netup.sh
@@ -1,41 +1,112 @@
 #!/bin/sh
-if [ "$(id -u)" -ne 0 ]; then
+# OPTIONS
-echo "You are not root."
+netup_host_ifname=
-exit 1
+netup_host_addr=10.1.1.1
+netup_ns=
+netup_ns_ifname=
+netup_ns_addr=10.1.1.2
+netup_pid=
+netup_pidfile=
+netup_quiet=
+netup_sandbox=
+print_usage () {
+        cat <<EOF
+USAGE: $0 [-fFhiInpPqs] ( (-p PIDFILE | -P PID) | (-u | -d) )
+EOF
+}
+print_help () {
+        cat <<EOF
+-f IFNAME   Set host interface name
+-F IFNAME   Set container interface name.
+-h          Print this help message.
+-i ADDR     Set host address (which is also the container default gateway,
+            except in sandbox mode).
+-I ADDR     Set container address.
+-n NETNS    Name for newly created network namespace to create
+-p PIDFILE  Container pidfile.
+-P PID      Container PID.
+-q          Quiet mode.
+-s          Sandbox mode (do not setup container gateway or NAT forwarding)
+EOF
+}
+OPTIND=0
+while getopts 'f:F:hi:I:n:p:P:qs' opt; do
+        case $opt in
+        f) netup_host_ifname=$OPTARG ;;
+        F) netup_ns_ifname=$OPTARG ;;
+        h) print_usage; print_help; exit 1 ;;
+        i) netup_host_addr=$OPTARG ;;
+        I) netup_ns_addr=$OPTARG ;;
+        n) netup_ns=$OPTARG ;;
+        p) netup_pidfile="$OPTARG" ;;
+        P) netup_pid=$OPTARG ;;
+        q) netup_quiet=1 ;;
+        s) netup_sandbox=1 ;;
+        ?) print_usage $0; exit 1 ;;
+        *) print_usage $0; exit 1 ;;
+        esac
+done
+shift $((OPTIND - 1))
+if [ "x$netup_ns" = x ]; then
+        echo "$0: Network namespace name (-n) is required." 2>&1
+        print_usage $0
+        exit 1
+elif [ "x$netup_pid" = x ] && [ "x$netup_pidfile" = x ]; then
+        echo "Exactly one of -p or -P must be specified." 2>&1
+        print_usage $0
+        exit 1
+elif [ "x$netup_pid" != x ] && [ "x$netup_pidfile" != x ]; then
+        echo "Exactly one of -p or -P must be specified." 2>&1
+        print_usage $0
+        exit 1
 fi
-pidfile=/srv/gitbot/wjail.pid
+if [ "$(id -u)" -ne 0 ]; then
+        echo "You are not root."
+        exit 1
+fi
-if ! [ -f "$pidfile" ]; then
+if [ "x$netup_pidfile" != x ]; then
-echo "wjail not running."
+        if ! netup_pid="$(cat "$netup_pidfile" 2>/dev/null)"; then
-exit 1
+                echo "$0: pidfile $netup_pidfile cannot be read." 3>&1
+                exit 1
+        fi
 fi
-PID="$(cat "$pidfile")"
+message () {
+        if ! [ "$netns_quiet" ]; then
+                echo $*
+        fi
+}
-# Attach iproute2 netns
+message [STATUS] Create container namespace name.
-ip netns attach gitbot $PID
+ip netns attach $netup_ns $netup_pid
-# Add veth devices
+message [STATUS] Create veth devices.
-ip link add veth-wjail type veth peer veth0 netns gitbot
+ip link add $netup_host_ifname type veth peer $netup_ns_ifname netns $netup_ns
-# Assign ip addresses
+message [STATUS] Assign ip addresses.
-ip addr add 10.1.1.1/24 dev veth-wjail
+ip addr add $netup_host_addr/24 dev $netup_host_ifname
-ip netns exec gitbot ip addr add 10.1.1.2/24 dev veth0
+ip netns exec $netup_ns ip addr add $netup_ns_addr/24 dev $netup_ns_ifname
-# Bring interfaces up
+message [STATUS] Bring veth interfaces up.
-ip link set veth-wjail up
+ip link set $netup_host_ifname up
-ip netns exec gitbot ip link set veth0 up
+ip netns exec $netup_ns ip link set $netup_ns_ifname up
-# Assign default gateway
+if [ "$netup_sandbox" ]; then
-ip netns exec gitbot route add default gw 10.1.1.1
+        message [STATUS] Adding firewall rule to block forwarded connections.
+        iptables -I FORWARD 1 -i $netup_host_ifname -o !$netup_host_ifname -j DROP
+else
+        message [STATUS] Enabling IP forwarding.
+        echo 1 > /proc/sys/net/ipv4/ip_forward
-# Enable IP forwarding
+        message [STATUS] Add NAT forwarding rule.
-echo 1 > /proc/sys/net/ipv4/ip_forward
+        iptables -t nat -A POSTROUTING -s $netup_ns_addr/24 -j MASQUERADE
-# Add NAT forwarding rule
+        message [STATUS] Assigning container default gateway.
-iptables -t nat -A POSTROUTING -s 10.1.1.2/16 -j MASQUERADE
+        ip netns exec $netup_ns route add default gw $netup_host_addr
+fi
 #####################################################################
 # If there are "no route to host" errors in the container, check:
diff --git a/netupgrade.sh b/netupgrade.sh
new file mode 100755
index 0000000..6164d9f
--- /dev/null
+++ b/netupgrade.sh
@@ -0,0 +1,8 @@
+#!/bin/sh
+echo Bringing virtual interfaces up.
+ip link set veth-wjail-www up
+ip netns exec www ip link set veth0 up
+echo Adding container default gateway.
+ip netns exec www route add default gw 10.2.1.1
+echo Add iptables masquerade
+iptables -t nat -A POSTROUTING -s 10.2.1.1/24 -j MASQUERADE
author	Aiden Woodruff <aiden@aidenw.net>	2025-12-28 18:28:21 +0000
committer	Aiden Woodruff <aiden@aidenw.net>	2025-12-28 18:28:21 +0000
commit	d1f9a0bf22485c751b43b9c5c4e019194fd26a4c (patch)
tree	9bb24d20a7da9679e8e657bc38c96fb610c39a9d
parent	581d8fdfdc4e33ca480bf0cc614f8ca5ca41ba20 (diff)
download	wjail-net.tar.gz wjail-net.tar.bz2 wjail-net.zip

diff --git a/design.md b/design.md new file mode 100644 index 0000000..26364d9 --- /dev/null +++ b/design.md
@@ -0,0 +1,7 @@
		1	wjail start
		2	stop
		3	attach
		4	net create
		5	delete
		6	masq
		7	unmasq


diff --git a/netdowngrade.sh b/netdowngrade.sh new file mode 100755 index 0000000..7b5ae3f --- /dev/null +++ b/netdowngrade.sh
@@ -0,0 +1,8 @@
		1	#!/bin/sh
		2	echo Removing iptables rule
		3	iptables -t nat -D POSTROUTING -s 10.2.1.1/24 -j MASQUERADE
		4	echo Remove container default gateway.
		5	ip netns exec www route del default gw 10.2.1.1
		6	echo Bring virtual interfaces down.
		7	ip netns exec www ip link set veth0 down
		8	ip link set veth-wjail-www down


diff --git a/netup.sh b/netup.sh index 43a6c08..bd9ded8 100755 --- a/netup.sh +++ b/netup.sh
@@ -1,41 +1,112 @@
1	#!/bin/sh	1	#!/bin/sh
2		2
3	if [ "$(id -u)" -ne 0 ]; then	3	# OPTIONS
4	echo "You are not root."	4	netup_host_ifname=
5	exit 1	5	netup_host_addr=10.1.1.1
		6	netup_ns=
		7	netup_ns_ifname=
		8	netup_ns_addr=10.1.1.2
		9	netup_pid=
		10	netup_pidfile=
		11	netup_quiet=
		12	netup_sandbox=
		13	print_usage () {
		14	cat <<EOF
		15	USAGE: $0 [-fFhiInpPqs] ( (-p PIDFILE \| -P PID) \| (-u \| -d) )
		16	EOF
		17	}
		18	print_help () {
		19	cat <<EOF
		20	-f IFNAME Set host interface name
		21	-F IFNAME Set container interface name.
		22	-h Print this help message.
		23	-i ADDR Set host address (which is also the container default gateway,
		24	except in sandbox mode).
		25	-I ADDR Set container address.
		26	-n NETNS Name for newly created network namespace to create
		27	-p PIDFILE Container pidfile.
		28	-P PID Container PID.
		29	-q Quiet mode.
		30	-s Sandbox mode (do not setup container gateway or NAT forwarding)
		31	EOF
		32	}
		33	OPTIND=0
		34	while getopts 'f:F:hi:I:n:p:P:qs' opt; do
		35	case $opt in
		36	f) netup_host_ifname=$OPTARG ;;
		37	F) netup_ns_ifname=$OPTARG ;;
		38	h) print_usage; print_help; exit 1 ;;
		39	i) netup_host_addr=$OPTARG ;;
		40	I) netup_ns_addr=$OPTARG ;;
		41	n) netup_ns=$OPTARG ;;
		42	p) netup_pidfile="$OPTARG" ;;
		43	P) netup_pid=$OPTARG ;;
		44	q) netup_quiet=1 ;;
		45	s) netup_sandbox=1 ;;
		46	?) print_usage $0; exit 1 ;;
		47	*) print_usage $0; exit 1 ;;
		48	esac
		49	done
		50	shift $((OPTIND - 1))
		51	if [ "x$netup_ns" = x ]; then
		52	echo "$0: Network namespace name (-n) is required." 2>&1
		53	print_usage $0
		54	exit 1
		55	elif [ "x$netup_pid" = x ] && [ "x$netup_pidfile" = x ]; then
		56	echo "Exactly one of -p or -P must be specified." 2>&1
		57	print_usage $0
		58	exit 1
		59	elif [ "x$netup_pid" != x ] && [ "x$netup_pidfile" != x ]; then
		60	echo "Exactly one of -p or -P must be specified." 2>&1
		61	print_usage $0
		62	exit 1
6	fi	63	fi
7		64
8	pidfile=/srv/gitbot/wjail.pid	65	if [ "$(id -u)" -ne 0 ]; then
		66	echo "You are not root."
		67	exit 1
		68	fi
9		69
10	if ! [ -f "$pidfile" ]; then	70	if [ "x$netup_pidfile" != x ]; then
11	echo "wjail not running."	71	if ! netup_pid="$(cat "$netup_pidfile" 2>/dev/null)"; then
12	exit 1	72	echo "$0: pidfile $netup_pidfile cannot be read." 3>&1
		73	exit 1
		74	fi
13	fi	75	fi
14		76
15	PID="$(cat "$pidfile")"	77	message () {
		78	if ! [ "$netns_quiet" ]; then
		79	echo $*
		80	fi
		81	}
16		82
17	# Attach iproute2 netns	83	message [STATUS] Create container namespace name.
18	ip netns attach gitbot $PID	84	ip netns attach $netup_ns $netup_pid
19		85
20	# Add veth devices	86	message [STATUS] Create veth devices.
21	ip link add veth-wjail type veth peer veth0 netns gitbot	87	ip link add $netup_host_ifname type veth peer $netup_ns_ifname netns $netup_ns
22		88
23	# Assign ip addresses	89	message [STATUS] Assign ip addresses.
24	ip addr add 10.1.1.1/24 dev veth-wjail	90	ip addr add $netup_host_addr/24 dev $netup_host_ifname
25	ip netns exec gitbot ip addr add 10.1.1.2/24 dev veth0	91	ip netns exec $netup_ns ip addr add $netup_ns_addr/24 dev $netup_ns_ifname
26		92
27	# Bring interfaces up	93	message [STATUS] Bring veth interfaces up.
28	ip link set veth-wjail up	94	ip link set $netup_host_ifname up
29	ip netns exec gitbot ip link set veth0 up	95	ip netns exec $netup_ns ip link set $netup_ns_ifname up
30		96
31	# Assign default gateway	97	if [ "$netup_sandbox" ]; then
32	ip netns exec gitbot route add default gw 10.1.1.1	98	message [STATUS] Adding firewall rule to block forwarded connections.
		99	iptables -I FORWARD 1 -i $netup_host_ifname -o !$netup_host_ifname -j DROP
		100	else
		101	message [STATUS] Enabling IP forwarding.
		102	echo 1 > /proc/sys/net/ipv4/ip_forward
33		103
34	# Enable IP forwarding	104	message [STATUS] Add NAT forwarding rule.
35	echo 1 > /proc/sys/net/ipv4/ip_forward	105	iptables -t nat -A POSTROUTING -s $netup_ns_addr/24 -j MASQUERADE
36		106
37	# Add NAT forwarding rule	107	message [STATUS] Assigning container default gateway.
38	iptables -t nat -A POSTROUTING -s 10.1.1.2/16 -j MASQUERADE	108	ip netns exec $netup_ns route add default gw $netup_host_addr
		109	fi
39		110
40	#####################################################################	111	#####################################################################
41	# If there are "no route to host" errors in the container, check:	112	# If there are "no route to host" errors in the container, check:


diff --git a/netupgrade.sh b/netupgrade.sh new file mode 100755 index 0000000..6164d9f --- /dev/null +++ b/netupgrade.sh
@@ -0,0 +1,8 @@
		1	#!/bin/sh
		2	echo Bringing virtual interfaces up.
		3	ip link set veth-wjail-www up
		4	ip netns exec www ip link set veth0 up
		5	echo Adding container default gateway.
		6	ip netns exec www route add default gw 10.2.1.1
		7	echo Add iptables masquerade
		8	iptables -t nat -A POSTROUTING -s 10.2.1.1/24 -j MASQUERADE