segfault/sfbin/funcs_net.sh


DevByIP()
{
	local dev

	[[ -z $1 ]] && { echo >&2 "Paremter missing"; return 255; }
	dev=$(ip addr show | grep -F "inet $1")
	dev="${dev##* }"
	[[ -z $dev ]] && { echo -e >&2 "DEV not found for ip '$1'"; return 255; }
	echo "$dev"
}


GetMainIP()
{
	local arr
	local -
	set -o noglob
	arr=($(ip route get 8.8.8.8))
	echo "${arr[6]}"
}

# https://openwrt.org/docs/guide-user/network/traffic-shaping/packet.scheduler.example4
# https://wiki.archlinux.org/title/advanced_traffic_control
# https://mirrors.bieringer.de/Linux+IPv6-HOWTO/x2759.html
# https://tldp.org/HOWTO/Adv-Routing-HOWTO/lartc.qdisc.classful.html
# Note: hsfc and fq_codel stop working after 30 seconds or so (100% packet loss). (odd?)

# When traffic enters a classful qdisc, it needs to be sent to any of the classes
# within - it needs to be 'classified'. To determine what to do with a packet, the
# so called 'filters' are consulted. It is important to know that the filters are
# called from within a qdisc, and not the other way around!
#
# Assign a SFQ to give all LG's a fair share.
# Testing:
# docker run --rm -p7575 -p7576 -p7677  -it sf-guest bash -il
# -> 3 tmux panes with each iperf3 -s -p 757[567]
# docker run --rm -it --privileged sf-guest bash -il
# ifconfig eth0:0 172.17.0.5
# iperf3 -c 172.17.0.2 -p 7575 -l1024 -t60-  & iperf3 -c 172.17.0.2 -p 7576 -l1024 -t60- & iperf3 -B 172.17.0.5 -c 172.17.0.2 -l1024 -p7577 -t60
#
# tc -s -d qdisc show
tc_set()
{
	local dev
	local rate
	local cakekey
	local key
	dev=$1
	rate=$2
	cakekey=$3
	key=$4

	# Should not be set but lets make sure:
	tc qdisc del dev "${dev}" root 2>/dev/null

	# use TC-CAKE if there is a rate limit. Otherwise use faster SFQ below.
	[[ -n $rate ]] && {
		tc qdisc add dev "${dev}" root cake bandwidth "${rate}" "${cakekey}"
		return
	}

	set -e
	tc qdisc  add dev "${dev}" root handle 11: sfq
	tc filter add dev "${dev}" parent 11: handle 11 flow hash keys "${key}" divisor 1024
	set +e
}

set_route_pre_up() {
	# Add static routes for Segfault Services (RPC, DNS, ...)
	# nsenter -t "${PID}" -n ip route add "${SF_PC_IP}/32" dev eth0 # NOT NEEDED: RPC is on same network
	nsenter.u1000 --setuid 0 --setgid 0 -t "${PID}" -n ip route add "${SF_TOR_IP}" via "${SF_NET_LG_ROUTER_IP}" dev eth0 2>/dev/null
	nsenter.u1000 --setuid 0 --setgid 0 -t "${PID}" -n ip route add "${SF_NET_ONION}" via "${SF_NET_LG_ROUTER_IP}" dev eth0 2>/dev/null
	nsenter.u1000 --setuid 0 --setgid 0 -t "${PID}" -n ip route add "${SF_DNS}" via "${SF_NET_LG_ROUTER_IP}" dev eth0 2>/dev/null
	[[ -n $SF_MULLVAD_ROUTE ]] && nsenter.u1000 --setuid 0 --setgid 0 -t "${PID}" -n ip route add "${SF_MULLVAD_ROUTE}" via "${SF_NET_LG_ROUTER_IP}" dev eth0 2>/dev/null
}

set_route_post_up() {
	local str

	# If there is a EXTRA ROUTE then route ALL traffic. Otherwise keep default route
	# but add EXTRA ROUTE.
	[[ ${#R_ROUTE_ARR[@]} -le 0 ]] && {
		nsenter.u1000 --setuid 0 --setgid 0 -t "${PID}" -n ip route del default 2>/dev/null
        nsenter.u1000 --setuid 0 --setgid 0 -t "${PID}" -n ip route add default dev "${WG_DEV}"
	}
	# All IPv6 to WG_DEV. FIXME: One day we shall support IPv6
	nsenter.u1000 --setuid 0 --setgid 0 -t "${PID}" -n ip -6 route del default 2>/dev/null
	nsenter.u1000 --setuid 0 --setgid 0 -t "${PID}" -n ip -6 route add default dev "${WG_DEV}" 2>/dev/null

	# Add EXTRA ROUTE
    for str in "${R_ROUTE_ARR[@]}"; do
		echo "Setting route $str"
        nsenter.u1000 --setuid 0 --setgid 0 -t "$PID" -n ip route add "${str}" dev "${WG_DEV}"
    done

	# Packets to 172.16.0.3 should not be forwarded back to 172.16.0.3
	# Can not use 'sysctl net.ipv4.conf.wgExit.forwarding=1' because /proc is mounted ro
	nsenter.u1000 --setuid 0 --setgid 0 -t "${PID}" -n iptables  -I FORWARD -i "${WG_DEV}" -j DROP
	nsenter.u1000 --setuid 0 --setgid 0 -t "${PID}" -n ip6tables -I FORWARD -i "${WG_DEV}" -j DROP
}

# sf-master, wg/vpn
set_route()
{
	set_route_pre_up
	set_route_post_up
}
fixed 2023-01-05 19:03:25 +00:00
			`DevByIP()`
			`{`
			`local dev`

			`[[ -z $1 ]] && { echo >&2 "Paremter missing"; return 255; }`
			`dev=$(ip addr show \| grep -F "inet $1")`
			`dev="${dev##* }"`
			`[[ -z $dev ]] && { echo -e >&2 "DEV not found for ip '$1'"; return 255; }`
			`echo "$dev"`
			`}`


			`GetMainIP()`
			`{`
			`local arr`
release 2023-06-21 08:48:47 +00:00			`local -`
			`set -o noglob`
fixed 2023-01-05 19:03:25 +00:00			`arr=($(ip route get 8.8.8.8))`
			`echo "${arr[6]}"`
			`}`
more 2023-02-19 17:15:42 +00:00
SYN fixes. Webshell Login. Hushlogin 2023-04-25 10:31:33 +00:00			`# https://openwrt.org/docs/guide-user/network/traffic-shaping/packet.scheduler.example4`
			`# https://wiki.archlinux.org/title/advanced_traffic_control`
			`# https://mirrors.bieringer.de/Linux+IPv6-HOWTO/x2759.html`
			`# https://tldp.org/HOWTO/Adv-Routing-HOWTO/lartc.qdisc.classful.html`
			`# Note: hsfc and fq_codel stop working after 30 seconds or so (100% packet loss). (odd?)`

			`# When traffic enters a classful qdisc, it needs to be sent to any of the classes`
			`# within - it needs to be 'classified'. To determine what to do with a packet, the`
			`# so called 'filters' are consulted. It is important to know that the filters are`
			`# called from within a qdisc, and not the other way around!`
			`#`
			`# Assign a SFQ to give all LG's a fair share.`
			`# Testing:`
			`# docker run --rm -p7575 -p7576 -p7677 -it sf-guest bash -il`
			`# -> 3 tmux panes with each iperf3 -s -p 757[567]`
			`# docker run --rm -it --privileged sf-guest bash -il`
			`# ifconfig eth0:0 172.17.0.5`
			`# iperf3 -c 172.17.0.2 -p 7575 -l1024 -t60- & iperf3 -c 172.17.0.2 -p 7576 -l1024 -t60- & iperf3 -B 172.17.0.5 -c 172.17.0.2 -l1024 -p7577 -t60`
			`#`
			`# tc -s -d qdisc show`
more 2023-02-19 17:15:42 +00:00			`tc_set()`
			`{`
			`local dev`
			`local rate`
routing/tc fixes 2023-04-26 17:57:44 +00:00			`local cakekey`
more 2023-02-19 17:15:42 +00:00			`local key`
			`dev=$1`
			`rate=$2`
routing/tc fixes 2023-04-26 17:57:44 +00:00			`cakekey=$3`
			`key=$4`
more 2023-02-19 17:15:42 +00:00
routing/tc fixes 2023-04-26 17:57:44 +00:00			`# Should not be set but lets make sure:`
SYN fixes. Webshell Login. Hushlogin 2023-04-25 10:31:33 +00:00			`tc qdisc del dev "${dev}" root 2>/dev/null`

routing/tc fixes 2023-04-26 17:57:44 +00:00			`# use TC-CAKE if there is a rate limit. Otherwise use faster SFQ below.`
SYN fixes. Webshell Login. Hushlogin 2023-04-25 10:31:33 +00:00			`[[ -n $rate ]] && {`
routing/tc fixes 2023-04-26 17:57:44 +00:00			`tc qdisc add dev "${dev}" root cake bandwidth "${rate}" "${cakekey}"`
			`return`
SYN fixes. Webshell Login. Hushlogin 2023-04-25 10:31:33 +00:00			`}`

routing/tc fixes 2023-04-26 17:57:44 +00:00			`set -e`
			`tc qdisc add dev "${dev}" root handle 11: sfq`
more 2023-02-19 17:15:42 +00:00			`tc filter add dev "${dev}" parent 11: handle 11 flow hash keys "${key}" divisor 1024`
SYN fixes. Webshell Login. Hushlogin 2023-04-25 10:31:33 +00:00			`set +e`
more 2023-02-19 17:15:42 +00:00			`}`
OpenVPN 2024-01-19 17:18:58 +00:00
			`set_route_pre_up() {`
			`# Add static routes for Segfault Services (RPC, DNS, ...)`
			`# nsenter -t "${PID}" -n ip route add "${SF_PC_IP}/32" dev eth0 # NOT NEEDED: RPC is on same network`
			`nsenter.u1000 --setuid 0 --setgid 0 -t "${PID}" -n ip route add "${SF_TOR_IP}" via "${SF_NET_LG_ROUTER_IP}" dev eth0 2>/dev/null`
			`nsenter.u1000 --setuid 0 --setgid 0 -t "${PID}" -n ip route add "${SF_NET_ONION}" via "${SF_NET_LG_ROUTER_IP}" dev eth0 2>/dev/null`
			`nsenter.u1000 --setuid 0 --setgid 0 -t "${PID}" -n ip route add "${SF_DNS}" via "${SF_NET_LG_ROUTER_IP}" dev eth0 2>/dev/null`
			`[[ -n $SF_MULLVAD_ROUTE ]] && nsenter.u1000 --setuid 0 --setgid 0 -t "${PID}" -n ip route add "${SF_MULLVAD_ROUTE}" via "${SF_NET_LG_ROUTER_IP}" dev eth0 2>/dev/null`
			`}`

			`set_route_post_up() {`
			`local str`

			`# If there is a EXTRA ROUTE then route ALL traffic. Otherwise keep default route`
			`# but add EXTRA ROUTE.`
			`[[ ${#R_ROUTE_ARR[@]} -le 0 ]] && {`
			`nsenter.u1000 --setuid 0 --setgid 0 -t "${PID}" -n ip route del default 2>/dev/null`
			`nsenter.u1000 --setuid 0 --setgid 0 -t "${PID}" -n ip route add default dev "${WG_DEV}"`
			`}`
			`# All IPv6 to WG_DEV. FIXME: One day we shall support IPv6`
			`nsenter.u1000 --setuid 0 --setgid 0 -t "${PID}" -n ip -6 route del default 2>/dev/null`
			`nsenter.u1000 --setuid 0 --setgid 0 -t "${PID}" -n ip -6 route add default dev "${WG_DEV}" 2>/dev/null`

			`# Add EXTRA ROUTE`
			`for str in "${R_ROUTE_ARR[@]}"; do`
			`echo "Setting route $str"`
			`nsenter.u1000 --setuid 0 --setgid 0 -t "$PID" -n ip route add "${str}" dev "${WG_DEV}"`
			`done`

			`# Packets to 172.16.0.3 should not be forwarded back to 172.16.0.3`
			`# Can not use 'sysctl net.ipv4.conf.wgExit.forwarding=1' because /proc is mounted ro`
			`nsenter.u1000 --setuid 0 --setgid 0 -t "${PID}" -n iptables -I FORWARD -i "${WG_DEV}" -j DROP`
			`nsenter.u1000 --setuid 0 --setgid 0 -t "${PID}" -n ip6tables -I FORWARD -i "${WG_DEV}" -j DROP`
			`}`

			`# sf-master, wg/vpn`
			`set_route()`
			`{`
			`set_route_pre_up`
			`set_route_post_up`
			`}`