authorWojciech Kosior <kwojtus@protonmail.com>2020-05-28 20:28:03 +0200
committerWojciech Kosior <kwojtus@protonmail.com>2020-05-28 20:28:03 +0200
commit2f55027b9b69dc21c59d7d1fe90c5e56eea7908b (patch)
treeefb3f14a2c71ea19240826768949341a318a30b7
parentc96321d576e79834f262486f44ab772f33053f7b (diff)
timestamp namespaces to avoid conflicts with other instances of script
-rwxr-xr-xnetns-script29
-rwxr-xr-xvpn_wrapper.sh51
2 files changed, 55 insertions, 25 deletions
diff --git a/netns-script b/netns-script
index 36cbda9..ba2d226 100755
--- a/netns-script
+++ b/netns-script
@@ -3,35 +3,36 @@
# adapted from
# https://unix.stackexchange.com/questions/149293/feed-all-traffic-through-openvpn-for-a-specific-network-namespace-only
+# vpn_wrapper.sh creates another script of name helper_script<timestamp>.sh,
+# which gets called by openvpn process, exports NAMESPACE_NAME and WRAPPER_PID
+# variables and then runs this script
+
case $script_type in
- up)
- ip netns add 0tdns
- ip netns exec 0tdns ip link set dev lo up
- ip link set dev "$1" up netns 0tdns mtu "$2"
- ip netns exec 0tdns ip addr add dev "$1" \
+ up)
+ env
+ ip netns add $NAMESPACE_NAME
+ ip netns exec $NAMESPACE_NAME ip link set dev lo up
+ ip link set dev "$1" up netns $NAMESPACE_NAME mtu "$2"
+ ip netns exec $NAMESPACE_NAME ip addr add dev "$1" \
"$4/${ifconfig_netmask:-30}" \
${ifconfig_broadcast:+broadcast "$ifconfig_broadcast"}
if [ -n "$ifconfig_ipv6_local" ]; then
- ip netns exec 0tdns ip addr add dev "$1" \
+ ip netns exec $NAMESPACE_NAME ip addr add dev "$1" \
"$ifconfig_ipv6_local"/112
fi
;;
route-up)
- ip netns exec 0tdns ip route add default via "$ifconfig_remote"
+ ip netns exec $NAMESPACE_NAME ip route add default via "$ifconfig_remote"
if [ -n "$ifconfig_ipv6_remote" ]; then
- ip netns exec 0tdns ip route add default via \
+ ip netns exec $NAMESPACE_NAME ip route add default via \
"$ifconfig_ipv6_remote"
fi
# notify our sh process, that openvpn finished initializing
- kill -usr1 `cat /var/lib/0tdns/shell_pid`
-
- # we no longer need this connection
- #kill $OPENVPN_PID
-
+ kill -usr1 $WRAPPER_PID
;;
down)
- ip netns delete 0tdns
+ ip netns delete $NAMESPACE_NAME
;;
esac
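Review bot: The bare `env` added at the top of the `up)` arm prints OpenVPN's whole script environment to openvpn's stdout/log on every connection; it reads like leftover debugging and should be removed (or at least sent to stderr behind an explicit debug switch). Separately, every new `$NAMESPACE_NAME` expansion in this hunk is unquoted and unchecked: if the helper script fails to export it, `ip netns add` and the `ip netns delete` in the `down)` arm run with no name, and `kill -usr1 $WRAPPER_PID` with an empty PID errors out instead of signalling the wrapper. A guard before the `case` makes that failure explicit: `: "${NAMESPACE_NAME:?not exported}"` and `: "${WRAPPER_PID:?not exported}"`; quoting the expansions (`"$NAMESPACE_NAME"`, `"$WRAPPER_PID"`) is the matching style fix.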
diff --git a/vpn_wrapper.sh b/vpn_wrapper.sh
index 1fa3fe8..b4b9350 100755
--- a/vpn_wrapper.sh
+++ b/vpn_wrapper.sh
@@ -4,18 +4,47 @@ OPENVPN_CONFIG="$1"
# rest of args is the command to run in network namespace
shift
-echo -n $$ > /var/lib/0tdns/shell_pid
+# just in case something causes more instances of this script
+# to run simultaneously, we timestamp some names
+SECONDS=`date '+%s'`
-# starts openvpn with the netns-script,
-# that creates tun inside network namespace 0tdns;
+HELPER_SCRIPT=/var/lib/0tdns/helper_script$SECONDS.sh
+NAMESPACE_NAME=0tdns$SECONDS
+
+# we create another script as a way of passing variables
+# to netns-script
+cat > $HELPER_SCRIPT <<EOF
+#!/bin/sh
+
+export NAMESPACE_NAME=$NAMESPACE_NAME
+export WRAPPER_PID=$$
+
+/var/lib/0tdns/netns-script "\$@"
+EOF
+
+chmod u+x $HELPER_SCRIPT
+
+# in case we want some process in the namespace to be able
+# to resolve domain names via libc we put some random public
+# dns in namespace sepcific's resolv.conf;
+# note, that while libunbound we're using will probably have
+# dns addresses provided by us, it is still possible to pass
+# a domain name as forwarder address to unbound, in which case
+# it will try to resolve it first using libc
+mkdir -p /etc/netns/$NAMESPACE_NAME/
+echo nameserver 23.253.163.53 > /etc/netns/$NAMESPACE_NAME/resolv.conf
+
+# starts openvpn with our just-created helper script, which calls
+# the netns-script, which creates tun inside network namespace
+# of name $NAMESPACE_NAME
# we could consider using --daemon option instead of &
-openvpn --ifconfig-noexec --route-noexec --up netns-script \
- --route-up netns-script --down netns-script \
+openvpn --ifconfig-noexec --route-noexec --up $HELPER_SCRIPT \
+ --route-up $HELPER_SCRIPT --down $HELPER_SCRIPT \
--config "$OPENVPN_CONFIG" --script-security 2 &
OPENVPN_PID=$!
-# waitin for signal from our netns script
+# waiting for signal from our netns script
# https://stackoverflow.com/questions/9052847/implementing-infinite-wait-in-shell-scripting
trap true usr1
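Review bot: `SECONDS` on the `` SECONDS=`date '+%s'` `` line is a bash special variable that counts seconds since the shell started; the shebang is outside this hunk, but if the file runs under bash the value keeps ticking after the assignment, so `HELPER_SCRIPT` and `NAMESPACE_NAME` on the next two lines can receive different stamps when a second boundary falls between them. A second-resolution stamp also still collides when two instances start within the same second, which is exactly the case the commit is meant to handle. The wrapper's PID, which the heredoc already embeds as `WRAPPER_PID=$$`, disambiguates both: `RUN_ID="$(date '+%s')_$$"`, then `HELPER_SCRIPT=/var/lib/0tdns/helper_script$RUN_ID.sh` and `NAMESPACE_NAME=0tdns$RUN_ID`. The expansions of `$HELPER_SCRIPT` and `$NAMESPACE_NAME` in the `cat >`, `chmod`, `mkdir`, `echo` and `openvpn` lines should be double-quoted for the same reason.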
@@ -27,13 +56,13 @@ wait $OPENVPN_PID
# TODO check which of 2 above mention situations occured and
# return from script with error code if openvpn process died
-# we no longer need this file
-rm /var/lib/0tdns/shell_pid
-
-# run the provided command inside '0tdns' namespace
+# run the provided command inside newly created namespace
# under '0tdns' user;
-sudo ip netns exec 0tdns sudo -u 0tdns "$@"
+sudo ip netns exec $NAMESPACE_NAME sudo -u 0tdns "$@"
# close the connection
kill $OPENVPN_PID
wait $OPENVPN_PID
+
+# we no longer need those
+rm -r $HELPER_SCRIPT /etc/netns/$NAMESPACE_NAME/
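Review bot: The final `rm -r $HELPER_SCRIPT /etc/netns/$NAMESPACE_NAME/` is unquoted and unguarded: with `NAMESPACE_NAME` empty the second path collapses to `/etc/netns//`, which recursively removes every namespace's resolv.conf override, and the line is only reached on the success path, so the helper script and the `/etc/netns` directory leak whenever openvpn dies early (the situation the TODO above already mentions). Registering the cleanup as a trap right after the files are created, with the expansion guarded, covers every exit path: `trap 'rm -r -- "$HELPER_SCRIPT" "/etc/netns/${NAMESPACE_NAME:?}/"' EXIT`. The earlier part of the script, including the `wait $OPENVPN_PID` this hunk starts after, is outside the hunk.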