destruct

2024-06-26 00:38:36 +00:00 · 2023-05-15 10:54:09 +01:00 · 2023-05-15 10:54:09 +01:00 · 33d239f394
commit 33d239f394
parent c07b1ede83
13 changed files with 160 additions and 70 deletions
--- a/2
+++ b/2
@ -1,5 +1,7 @@
 0.4.7 - 2023-06-00
    * LXCFS - report correct uptime, cpuinfo, ...
+    * geoip and /sf/share
+    * XPRA/SF-UI improvements

 0.4.6 - 2023-05-08
    * SF-UI alpha
--- a/5
+++ b/5
@ -26,6 +26,7 @@ FILES_GUEST += "segfault-$(VER)/guest/fs-root/usr/bin/chromium-hook"
 FILES_GUEST += "segfault-$(VER)/guest/fs-root/usr/share/code/code-hook"
 FILES_GUEST += "segfault-$(VER)/guest/fs-root/usr/share/code/bin/code-hook"
 FILES_GUEST += "segfault-$(VER)/guest/fs-root/usr/bin/xterm-dark"
+FILES_GUEST += "segfault-$(VER)/guest/fs-root/usr/bin/xterm-dark-xpra"
 FILES_GUEST += "segfault-$(VER)/guest/fs-root/etc/profile.d/segfault.sh"
 FILES_GUEST += "segfault-$(VER)/guest/fs-root/etc/shellrc"
 FILES_GUEST += "segfault-$(VER)/guest/fs-root/etc/skel/.config/htop/htoprc"
@ -34,10 +35,14 @@ FILES_GUEST += "segfault-$(VER)/guest/fs-root/etc/zsh_command_not_found"
 FILES_GUEST += "segfault-$(VER)/guest/fs-root/etc/zsh/zshenv"
 FILES_GUEST += "segfault-$(VER)/guest/fs-root/etc/proxychains.conf"
 FILES_GUEST += "segfault-$(VER)/guest/fs-root/sf/bin/sf-motd.sh"
+FILES_GUEST += "segfault-$(VER)/guest/fs-root/sf/bin/funcs.sh"
+FILES_GUEST += "segfault-$(VER)/guest/fs-root/sf/bin/destruct"
+FILES_GUEST += "segfault-$(VER)/guest/fs-root/sf/bin/funcs_motd-xpra"
 FILES_GUEST += "segfault-$(VER)/guest/fs-root/sf/bin/sf-setup.sh"
 FILES_GUEST += "segfault-$(VER)/guest/fs-root/sf/bin/startxvnc"
 FILES_GUEST += "segfault-$(VER)/guest/fs-root/sf/bin/startxweb"
 FILES_GUEST += "segfault-$(VER)/guest/fs-root/sf/bin/startfb"
+FILES_GUEST += "segfault-$(VER)/guest/fs-root/sf/bin/geoip"
 FILES_GUEST += "segfault-$(VER)/guest/fs-root/sf/bin/pkg-install.sh"
 FILES_GUEST += "segfault-$(VER)/guest/fs-root/etc/rc.local-example"
 FILES_GUEST += "segfault-$(VER)/guest/fs-root/etc/vim/vimrc.local"
--- a/guest/Dockerfile
+++ b/guest/Dockerfile
@ -507,6 +507,7 @@ RUN /pkg-install.sh DEVEL pip install --break-system-packages \
 		pyTelegramBotAPI \
 		tgcrypto \
 		wsgidav
+RUN /pkg-install.sh    LARGE pipx install gdown
 RUN /pkg-install.sh LARGE bin 'https://gitlab.com/api/v4/projects/32089582/packages/generic/geonet-rs/0.4.3/geonet_0.4.3_%arch:x86_64=amd64:DEFAULT=SKIP%.deb'    `# x86_64 only` \
 	&& /pkg-install.sh MINI bash -c "{ [[ -f /usr/share/locale/locale.alias ]] && localedef -i en_US -c -f UTF-8 -A /usr/share/locale/locale.alias en_US.UTF-8; }" \
 	&& /pkg-install.sh DEVEL bash -c '{ arch=amd64; [[ $HOSTTYPE == "aarch64" ]] && arch=arm64; apt-get install -y --no-install-recommends linux-headers-${arch}; }'
@ -525,6 +526,7 @@ RUN /pkg-install.sh LARGE apt-get install -y --no-install-recommends \
 		cups-client \
 		byobu \
 		fish \
+		parallel \
 		sshuttle
 RUN /pkg-install.sh HUGE apt-get install -y --no-install-recommends \
 		gopls \
@ -536,6 +538,7 @@ RUN /pkg-install.sh HACK ghbin shadow1ng/fscan 'fscan_%arch:x86_64=amd64:aarch64
 	&& /pkg-install.sh HACK ghbin 'theaog/spirit' 'spirit%arch:x86_64=:DEFAULT=SKIP%.tgz$' spirit   `# x86_64 only, spirit-arm bad` \
 	&& /pkg-install.sh HACK bash -c '{ GOBIN=/usr/bin go install github.com/tomnomnom/gf@latest; }' \
 	&& /pkg-install.sh HACK bash -c '{ GOBIN=/usr/bin go install github.com/tomnomnom/hacks/inscope@latest; }' \
+	&& /pkg-install.sh HACK bash -c '{ GOBIN=/usr/bin go install github.com/Emoe/kxss@latest; }' \
 	&& /pkg-install.sh HACK bash -c '{ GOBIN=/usr/bin go install github.com/Josue87/analyticsrelationships@latest; }' \
 	&& /pkg-install.sh HACK bash -c '{ GOBIN=/usr/bin go install github.com/Josue87/gotator@latest; }' \
 	&& /pkg-install.sh HACK bash -c '{ GOBIN=/usr/bin go install github.com/Josue87/roboxtractor@latest; }' \
@ -604,6 +607,7 @@ RUN /pkg-install.sh WEB apt-get install -y --no-install-recommends \
 RUN /pkg-install.sh DEV apt-get install -y --no-install-recommends \
 		ninja-build \
 		repo
+# Android build tools:
 RUN /pkg-install.sh LARGE apt-get install -y --no-install-recommends \
 		aria2 \
 		buildtorrent \
@ -649,6 +653,8 @@ RUN /pkg-install.sh HACK bin https://raw.githubusercontent.com/trustedsec/hardci
 RUN /pkg-install.sh NET bin https://github.com/hackerschoice/binary/raw/main/gsocket/latest/gsocket_latest_all.deb   `# x86_64 only` \
 	&& /pkg-install.sh NET ghbin shadowsocks/shadowsocks-rust '%arch%.*linux.musl.tar.xz$' \
 	&& /pkg-install.sh NET ghbin ginuerzh/gost  'linux-%arch:x86_64=amd64:aarch64=armv8%.*gz$' gost \
+	&& /pkg-install.sh NET ghbin tulir/gomuks 'linux-%arch:x86_64=amd64:aarch64=arm64%' gomuks \
+	&& /pkg-install.sh NET ghbin maxmind/mmdbinspect 'linux_amd64.tar.gz$' mmdbinspect       `# x86_64 only` \
 	&& /pkg-install.sh NET ghbin KaranGauswami/socks-to-http-proxy 'sthp-linux' sthp         `# x86_64 only` \
 	&& /pkg-install.sh NET ghbin schollz/croc 'Linux-%arch:x86_64=64bit:aarch64=ARM64%.deb' \
 	&& /pkg-install.sh NET ghbin vi/websocat '%arch%.*linux-musl' websocat \
--- a/guest/fs-root/etc/shellrc
+++ b/guest/fs-root/etc/shellrc
@ -31,6 +31,9 @@ function dmesg {
 alias norg="gron --ungron"
 alias ungron="gron --ungron"
 alias carbonyl="carbonyl --no-sandbox"
+alias seppuku="destruct"
+
+[[ -n $IS_SHOW_MOTD_XPRA ]] && [[ -f /sf/bin/funcs_motd-xpra ]] && source /sf/bin/funcs_motd-xpra

 tty -s && [[ -n $TERM ]] && [[ "$TERM" != dumb ]] && {
 	_grccmd()
--- a/guest/fs-root/sf/bin/destruct
+++ b/guest/fs-root/sf/bin/destruct
@ -0,0 +1,40 @@
+#! /bin/bash
+
+# shellcheck disable=SC1091
+source "/sf/bin/funcs.sh"
+cd /
+
+[[ "$1" != now ]] && {
+    echo -e "\
+This system will ${CRY}SELF-DESTRUCT${CN} in 10 seconds.
+
+${CDR}*** ALL DATA WILL BE WIPED ***${CN}
+Press ${CDY}ANY KEY${CN} to stop or type ${CDC}now${CN} to proceed immediatly.
+
+Consider ${CDC}halt${CN} to shut down this server instead. This way all your
+encrypted data will remain until next log in (with the correct SECRET).
+
+This system will ${CRY}SELF-DESTRUCT${CN} in 10 seconds."
+    read -r -n8 -t10 str && {
+        echo -e "${CDR}Self-Destruct cancelled...${CDY}*phew*${CN}"
+        [[ $str == "halt" ]] && {
+            echo -e "HALT instead..."
+            halt
+            exit 255
+        }
+        [[ $str != "now" ]] && exit 255
+    }
+}
+
+[[ "$str" == halt ]] && {
+    halt
+    exit 0; }
+
+echo -e "${CDR}***DESTRUCT***${CN}"
+
+shopt -s dotglob
+rm -rf /onion/*
+rm -rf "/everyone/${SF_HOSTNAME,,}/"*
+rm -rf /sec/*
+echo -e "${CDG}DONE.${CN}"
+halt
--- a/guest/fs-root/sf/bin/funcs_motd-xpra
+++ b/guest/fs-root/sf/bin/funcs_motd-xpra
@ -0,0 +1,13 @@
+### Sources from /etc/shellrc
+### Display a welcome screen when the first xterm is started from
+### inside an xpra session.
+
+unset IS_SHOW_MOTD_XPRA
+
+echo -e "\
+${CDY}---------------------------------------------------------------${CN}
+${CDY}-->${CN} Welcome to ${CDG}Segfault GUI${CN}.
+${CDY}-->${CN} Use the ${CDM}menu${CN} at the TOP to start apps.
+${CDY}-->${CN} Type ${CDC}brave-browser &${CN} to start a web browser.
+${CDY}-->${CN} Type ${CDC}xterm &${CN} to start another terminal.
+${CDY}---------------------------------------------------------------${CN}"
--- a/guest/fs-root/sf/bin/geoip
+++ b/guest/fs-root/sf/bin/geoip
@ -0,0 +1,26 @@
+#! /bin/bash
+
+ip=$1
+[[ -z $ip ]] && { echo >&2 "$0 [IP-Address]"; exit 255; }
+
+db="/sf/share/GeoLite2-City.mmdb"
+[[ -f "/sf/share/dbip-city-lite.mmdb" ]] && db="/sf/share/dbip-city-lite.mmdb"
+
+res=$(mmdbinspect --db "$db" "$ip") || exit
+city=$(echo "$res" | jq -r '.[0].Records[0].Record.city.names.en | select(. != null)')
+country=$(echo "$res" | jq -r '.[0].Records[0].Record.country.names.en | select(. != null)')
+
+unset YOUR_GEOIP
+if [[ -n $city ]] && [[ -n $country ]]; then
+	YOUR_GEOIP="${city}/${country}"
+elif [[ -n $city ]] || [[ -n $country ]]; then
+	YOUR_GEOIP="${city}${country}" # Either one but not both
+fi
+
+[[ -z $YOUR_GEOIP ]] && {
+	echo >&2 "NOT FOUND"
+	exit 255
+}
+
+echo "${YOUR_GEOIP}"
+
--- a/guest/fs-root/sf/bin/sf-motd.sh
+++ b/guest/fs-root/sf/bin/sf-motd.sh
@ -1,32 +1,43 @@
 #! /bin/bash

-[[ -t 1 ]] && {
-# CY="\e[1;33m" # yellow
-# CG="\e[1;32m" # green
-CR="\e[1;31m" # red
-CC="\e[1;36m" # cyan
-# CM="\e[1;35m" # magenta
-# CW="\e[1;37m" # white
-CB="\e[1;34m" # blue
-CF="\e[2m"    # faint
-CN="\e[0m"    # none
-
-# CBG="\e[42;1m" # Background Green
-
-# night-mode
-CDY="\e[0;33m" # yellow
-CDG="\e[0;32m" # green
-# CDR="\e[0;31m" # red
-CDB="\e[0;34m" # blue
-CDC="\e[0;36m" # cyan
-CDM="\e[0;35m" # magenta
-CUL="\e[4m"
-}
 # BINDIR="$(cd "$(dirname "${0}")" || exit; pwd)"
-
+# shellcheck disable=SC1091
+source "/sf/bin/funcs.sh" 2>/dev/null
 # shellcheck disable=SC1091
 source "/config/guest/vpn_status" 2>/dev/null

+print_ssh_access()
+{
+	local key_suffix
+
+	key_suffix="sf-${SF_FQDN//./-}"
+	echo 1>&2 -e "\
+:Cut & Paste these lines to your workstation's shell to retain access:
+######################################################################
+${CDC}cat >~/.ssh/id_${key_suffix} ${CDR}<<__EOF__
+${CN}${CF}$(<"/config/guest/id_ed25519")
+${CDR}__EOF__
+${CDC}cat >>~/.ssh/config ${CDR}<<${CDR}__EOF__
+${CN}${CF}host ${SF_HOSTNAME,,}
+    User root
+    HostName ${SF_FQDN}
+    IdentityFile ~/.ssh/id_${key_suffix}
+    SetEnv SECRET=${SF_SEC}
+${CDR}__EOF__
+${CDC}chmod 600 ~/.ssh/config ~/.ssh/id_${key_suffix}${CN}
+######################################################################
+Thereafter use these commands:
+--> ${CDC}ssh  ${SF_HOSTNAME,,}${CN}
+--> ${CDC}sftp ${SF_HOSTNAME,,}${CN}
+--> ${CDC}scp  ${SF_HOSTNAME,,}:stuff.tar.gz ~/${CN}
+--> ${CDC}sshfs -o reconnect ${SF_HOSTNAME,,}:/sec ~/sec ${CN}
+----------------------------------------------------------------------"
+}
+
+[[ -n $SF_IS_NEW_SERVER ]] && _IS_SHOW_MORE=1
+[[ "${0##*/}" == "info" ]] && _IS_SHOW_MORE=1
+[[ -n $_IS_SHOW_MORE ]] && print_ssh_access
+
 if [[ -z $IS_VPN_CONNECTED ]]; then
 	if source "/config/guest/vpn_status.direct" 2>/dev/null; then
 		str="${SFVPN_EXIT_IP}                   "
@ -69,8 +80,6 @@ Reverse Port      : ${IPPORT}${CN}
 ${VPN_DST}"

 # All below should only be displayed if user types 'info' or a newly created server.
-[[ -n $SF_IS_NEW_SERVER ]] && _IS_SHOW_MORE=1
-[[ "${0##*/}" == "info" ]] && _IS_SHOW_MORE=1
 [[ -z $_IS_SHOW_MORE ]] && {
 	echo -e "\
 Hint              : ${CDC}Type ${CC}info${CDC} for more details.${CN}"
@ -109,5 +118,5 @@ SSH (gsocket)     : ${CC}gsocket -s $(cat /config/guest/gsnc-access-22.txt) ssh$
                       ${SF_USER:-UNKNOWN}@${SF_FQDN%.*}.gsocket${CN}"
 }
 str="SECRET            : ${CDY}${SF_SEC}"
-[[ -n $SF_IS_LOGINSHELL ]] && str+=" \e[0;33;41m<<<  WRITE THIS DOWN  <<<"
+[[ -n $SF_IS_LOGINSHELL ]] && str+=" ${CRY}<<<  WRITE THIS DOWN  <<<"
 echo -e "${str}${CN}"
--- a/guest/fs-root/sf/bin/startxweb
+++ b/guest/fs-root/sf/bin/startxweb
@ -32,7 +32,7 @@ sv_startx()
 	local str_auth

 	[[ -n $PASSWORD ]] && str_auth="env"
-	XPRA_PASSWORD="${PASSWORD}" xpra.orig start --pulseaudio=yes --resize-display=1280x1024 --bind-tcp=127.0.0.1:2000,auth="${str_auth:-allow}" --html=on --start=xterm-dark --daemon=no &>/dev/null &
+	XPRA_PASSWORD="${PASSWORD}" xpra.orig start --pulseaudio=yes --resize-display=1280x1024 --bind-tcp=127.0.0.1:2000,auth="${str_auth:-allow}" --html=on --start=xterm-dark-xpra --daemon=no &>/dev/null &
 	# XPRA_PASSWORD="${PASSWORD}" xpra.orig start-desktop --pulseaudio=yes --bind-tcp=127.0.0.1:2000,auth="${str_auth}" --html=on --start-child=xfce4-session --start=xterm-dark --systemd-run=no --exit-with-children --daemon=no &>/dev/null &
 	PID_V=$!

--- a/guest/fs-root/usr/bin/xterm-dark-xpra
+++ b/guest/fs-root/usr/bin/xterm-dark-xpra
@ -0,0 +1,6 @@
+#! /bin/bash
+
+### xpra does not honor --env=IS_SHOW_MOTD_XPRA=1 and thus we have to trampoline
+### through this function.
+
+IS_SHOW_MOTD_XPRA=1 exec xterm-dark "$@"
--- a/host/fs-root/bin/docker_sshd.sh
+++ b/host/fs-root/bin/docker_sshd.sh
@ -27,7 +27,7 @@ setup_sshd()
 	# Default is for user to use 'ssh root@segfault.net' but this can be changed
 	# in .env to any other user name. In case it is 'root' then we need to move
 	# the true root out of the way for the docker-sshd to work.
-	tail -n1 /etc/passwd | grep ^"${SF_USER}" >/dev/null && return
+	tail -n1 /etc/passwd | grep ^secret >/dev/null && return

 	if [[ "$SF_USER" == "root" ]]; then
 		# rename root user
@ -170,9 +170,9 @@ while [[ $i -lt $SF_HM_SIZE_LG ]]; do
 done

 # LXCFS creates different directories depending on the version.
-[[ -d /var/lib/lxcfs ]] && {
+[[ -d /var/lib/lxcfs/proc ]] && {
 	unset str
-	for fn in $(cd /var/lib/lxcfs; find proc -type f; find sys -type f); do
+	for fn in $(cd /var/lib/lxcfs; find proc -type f 2>/dev/null; find sys -type f 2>/dev/null); do
 		str+="'-v' '/var/lib/lxcfs/${fn}:/$fn:ro' "
 	done
 	LXCFS_STR=$str
--- a/host/fs-root/bin/segfaultsh
+++ b/host/fs-root/bin/segfaultsh
@ -21,7 +21,7 @@ SSH_SF_DEBUG="${SF_DEBUG}" # Set by SSH client
 [[ -f /dev/shm/env.txt ]] && eval "$(</dev/shm/env.txt)"
 [[ -z $SF_DEBUG ]] && SF_DEBUG="${SSH_SF_DEBUG}"
 unset SSH_SF_DEBUG
-eval "$(</sf/bin/funcs_redis.sh)"
+eval "$(</sf/bin/funcs_redis.sh)" || exit
 # Debug Trace. see sf_trace-DISABLED
 [[ -f /bin/sf_trace ]] && eval "$(</bin/sf_trace)"

@ -393,37 +393,6 @@ ${CR}######################################################################
 ######################################################################${CN}"
 }

-print_ssh_access()
-{
-	local key_suffix
-	# [[ -z $IS_LOGIN ]] && return => Still display help if this is a new server even if just cmd execution.
-	[[ -n $SF_HUSHLOGIN ]] && return
-	[[ -z $SF_IS_NEW_SERVER ]] && return
-
-	key_suffix="sf-${SF_FQDN//./-}"
-	echo 1>&2 -e "\
-:Cut & Paste these lines to your workstation's shell to retain access:
-######################################################################
-${CDC}cat >~/.ssh/id_${key_suffix} ${CDR}<<__EOF__
-${CN}${CF}$(<"/config/guest/id_ed25519")
-${CDR}__EOF__
-${CDC}cat >>~/.ssh/config ${CDR}<<${CDR}__EOF__
-${CN}${CF}host ${SF_HOSTNAME,,}
-    User root
-    HostName ${SF_FQDN}
-    IdentityFile ~/.ssh/id_${key_suffix}
-    SetEnv SECRET=${SF_SEC}
-${CDR}__EOF__
-${CDC}chmod 600 ~/.ssh/config ~/.ssh/id_${key_suffix}${CN}
-######################################################################
-Thereafter use these commands:
--> ${CDC}ssh  ${SF_HOSTNAME,,}${CN}
--> ${CDC}sftp ${SF_HOSTNAME,,}${CN}
--> ${CDC}scp  ${SF_HOSTNAME,,}:stuff.tar.gz ~/${CN}
--> ${CDC}sshfs -o reconnect ${SF_HOSTNAME,,}:/sec ~/sec ${CN}
----------------------------------------------------------------------"
-}
-
 # Output GOODBYE message with infos how to connect back to this shell
 print_goodbye()
 {
@ -684,6 +653,8 @@ load_limits()

 	[[ -n $SF_SHM_SIZE ]] && DOCKER_ARGS+=("--shm-size=$SF_SHM_SIZE")

+	[[ -n $SF_SYSBOX ]] && SYSBOX_ARGS+=("--runtime=sysbox-runc")
+
 	setup_fs_limit || ERREXIT 202 "Can't configure XFS limit"
 }

@ -886,10 +857,10 @@ mk_geoip()
 	country=$(echo "$res" | jq -r '.[0].Records[0].Record.country.names.en | select(. != null)')

 	unset YOUR_GEOIP
-	if [[ -n $city && -n $country ]]; then
-		YOUR_GEOIP+="${city}/${country}"
-	elif [[ -n $city || -n $country ]]; then
-		YOUR_GEOIP+="${city}${country}" # Either one but not both
+	if [[ -n $city ]] && [[ -n $country ]]; then
+		YOUR_GEOIP="${city}/${country}"
+	elif [[ -n $city ]] || [[ -n $country ]]; then
+		YOUR_GEOIP="${city}${country}" # Either one but not both
 	fi
 }

@ -963,8 +934,13 @@ fi
 	SF_PRJ="${PRJ//[^a-zA-Z0-9._]}"
 	SF_PRJ="${SF_PRJ:0:32}"
 }
+
+[[ -n $TOKEN ]] && {
+	SF_TOKEN="${TOKEN//[^a-zA-Z0-9._:]}"
+	SF_TOKEN="${SF_TOKEN:0:32}"
+}
 # Unset user supplied env variables
-unset SECRET HUSTLOGIN HIDEIP PRJ
+unset SECRET HUSTLOGIN HIDEIP PRJ TOKEN
 ### ----END SANITIZE----

 # Only output progress if this is a login shell _and_ not HUSHLOGIN
@ -1116,6 +1092,7 @@ xmkdir "${selfdir}"
 [[ -n $SF_DEBUG ]] && export SF_DEBUG
 # exec_devnull docker run --runtime=sysbox-runc \
 exec_devnull docker run \
+	"${SYSBOX_ARGS[@]}" \
 	--hostname "sf-${SF_HOSTNAME}" \
 	"${DOCKER_ARGS[@]}" \
 	--rm \
@ -1144,6 +1121,7 @@ exec_devnull docker run \
 	--log-driver "${SF_DOCKER_LOG}" \
 	--tmpfs /tmp:exec                                       `# GoLang needs /tmp to be executeable` \
 	--sysctl net.ipv6.conf.all.disable_ipv6=0               `# Allow IPv6 (used by WireGuard FOBs)` \
+	-v "${SF_BASEDIR}/data/share/:/sf/share:ro" \
 	-v "${SF_CFG_GUEST_DIR:?}/:/config/guest:ro" \
 	-v "${SF_GUEST_SELFDIR:?}/lg-${LID}:/config/self:ro,slave" \
 	-v "${SF_ENCFS_SEC_DIR}/lg-${LID}:/sec:slave" \
@ -1202,9 +1180,6 @@ tofile "${C_IP:?}" "/config/self-for-guest/lg-${LID}/c_ip"

 echo_pty -e "....[${CG}OK${CN}]"

-# Show help how to connect elegantly
-print_ssh_access
-
 # Spawn shell
 spawn_shell_exit "$@"
 # NOT REACHED
--- a/master/ready-lg.sh
+++ b/master/ready-lg.sh
@ -21,9 +21,14 @@ LG_MAC=$(docker inspect -f '{{ (index .NetworkSettings.Networks "sf-guest").MacA
 # nsenter -t "${SF_ROUTER_PID:?}" -n ip neigh add "${C_IP:?}" lladdr "${LG_MAC:?}" dev XXX 
 nsenter -t "${SF_ROUTER_PID:?}" -n arp -s "${C_IP:?}" "${LG_MAC:?}"

+# echo nsenter.u1000 -t "${LG_PID:?}" --setuid 0 --setgid 0 -n arp -s "${SF_NET_LG_ROUTER_IP}" "${LG_ROUTER_MAC}"
 nsenter.u1000 -t "${LG_PID:?}" --setuid 0 --setgid 0 -n arp -s "${SF_NET_LG_ROUTER_IP}" "${LG_ROUTER_MAC}"
+# echo nsenter.u1000 -t "${LG_PID:?}" --setuid 0 --setgid 0 -n arp -s "${SF_RPC_IP}"           "${LG_RPC_MAC}"
 nsenter.u1000 -t "${LG_PID:?}" --setuid 0 --setgid 0 -n arp -s "${SF_RPC_IP}"           "${LG_RPC_MAC}"

 # 255.0.0.1 always points to guest's localhost: user can now set up a ssh -D1080 and connect with browser to
 # 255.0.0.1 and reach guest's 127.0.0.1.
+# echo nsenter.u1000 -t "${LG_PID}" -n iptables -t nat -A OUTPUT -p tcp --dst 255.0.0.1 -j DNAT --to-destination 127.0.0.1
 nsenter.u1000 -t "${LG_PID}" -n iptables -t nat -A OUTPUT -p tcp --dst 255.0.0.1 -j DNAT --to-destination 127.0.0.1
+
+exit 0