qdisc per LG limit
This commit is contained in:
parent
e66a2806f2
commit
af3a6d04a8
@ -6,6 +6,7 @@ WG_PORT_MIN=32768
|
||||
WG_PORT_MAX=65535
|
||||
WT_VER=1
|
||||
COLOR="always"
|
||||
ICON_ERROR=""
|
||||
source /sf/bin/funcs.sh
|
||||
source /sf/bin/funcs_redis.sh
|
||||
|
||||
@ -22,7 +23,7 @@ echo -en "Content-Type: text/plain\r\n\r\n"
|
||||
# STDERR is logged.
|
||||
BAIL()
|
||||
{
|
||||
echo -e "$1"
|
||||
echo -e "${ICON_ERROR}${RR}ERROR${N}: $1"
|
||||
[[ -n $2 ]] && echo -e >&2 "[${CB}${LID:-$REMOTE_ADDR}${CN}] ${CR}$2${CN}$3"
|
||||
|
||||
exit 255
|
||||
@ -103,7 +104,7 @@ load_config()
|
||||
{
|
||||
source /dev/shm/config.txt && return
|
||||
|
||||
BAIL "${R}ERROR${N}: Not ready. SF is still booting up..." "Failed to load: " "/dev/shm/config.txt"
|
||||
BAIL "Not ready. SF is still booting up..." "Failed to load: " "/dev/shm/config.txt"
|
||||
}
|
||||
|
||||
GenSecret()
|
||||
@ -310,10 +311,10 @@ net_init()
|
||||
local arr
|
||||
|
||||
arr=($(echo "${LID_WGDIR}/wg-"*))
|
||||
[[ ${#arr[@]} -gt 16 ]] && BAIL "${R}ERROR${N}: To many Peers. You must delete some first.
|
||||
[[ ${#arr[@]} -gt 16 ]] && BAIL "To many Peers. You must delete some first.
|
||||
Use ${C}curl sf/net/list${N} to see them all.
|
||||
Use ${C}curl sf/net/del -d name=<NAME>${N} to delete <NAME>.
|
||||
Use ${C}curl sf/net/del -d name=all${N} to delete them all." "${R}PEERS-MAX${N} " "Limit: ${#arr[@]}"
|
||||
Use ${C}curl sf/net/del -d name=all${N} to delete them all." "${RR}PEERS-MAX${N} " "Limit: ${#arr[@]}"
|
||||
|
||||
[[ -n ${R_PORTSECRET} ]] && cmd_net_init_move "${R_PORTSECRET}"
|
||||
|
||||
@ -346,10 +347,7 @@ Port ${R_PORT} is already in use. You can assign it to this server like so:\
|
||||
write_portfile
|
||||
}
|
||||
|
||||
[[ -e "/config/db/wg/wg-${R_WT_NAME}" ]] && {
|
||||
echo -e "${R}ERROR${N}: '$R_WT_NAME' already exists. Delete it first with ${C}curl sf/net/del -d name=${R_WT_NAME}${N}"
|
||||
exit
|
||||
}
|
||||
[[ -e "/config/db/wg/wg-${R_WT_NAME}" ]] && BAIL "'$R_WT_NAME' already exists. Delete it first with ${C}curl sf/net/del -d name=${R_WT_NAME}${N}"
|
||||
|
||||
# We do not need the peer's private key but it is more convenient
|
||||
# to the user to show him one complete ./wiretap command line.
|
||||
@ -495,7 +493,7 @@ cmd_net_del()
|
||||
exit
|
||||
fi
|
||||
|
||||
[[ ! -f "${LID_WGDIR}/wg-${R_WT_NAME}" ]] && BAIL "${R}Not found${N}: ${R_WT_NAME}"
|
||||
[[ ! -f "${LID_WGDIR}/wg-${R_WT_NAME}" ]] && BAIL "${RR}Not found${N}: ${R_WT_NAME}"
|
||||
xrm "/config/db/wg/wg-${R_WT_NAME}" "${LID_WGDIR}/wg-${R_WT_NAME}"
|
||||
|
||||
echo -en "\
|
||||
@ -553,7 +551,7 @@ Use ${C}curl sf/net/up${N} to enable a new Exit Node."
|
||||
[[ -e "${LID_WGNAME_FN}" ]] && {
|
||||
name=$(<"${LID_WGNAME_FN}")
|
||||
str="${F}[${G}connected${N}${F}]${N}"
|
||||
[[ -n $is_not_connected ]] && str="${F}[${N}${R}EXIT Node is not connected${N}${F}]${N}"
|
||||
[[ -n $is_not_connected ]] && str="${F}[${N}${RR}EXIT Node is not connected${N}${F}]${N}"
|
||||
echo -e "\n${YY}Name${N}: ${Y}${name:-UNKNOWN}${N} ${str}"
|
||||
### gvisor's DNAT used by WT is BROKEN
|
||||
### https://github.com/sandialabs/wiretap/issues/18#issuecomment-1583106554
|
||||
@ -610,7 +608,7 @@ CheckGoodKey()
|
||||
|
||||
[[ -z $key ]] && return
|
||||
[[ ${#key} -eq 44 ]] && return
|
||||
BAIL "${R}ERROR${N}: Bad Key for ${opt}="
|
||||
BAIL "Bad Key for ${opt}="
|
||||
}
|
||||
|
||||
# Load LG specific configuration (by source IP)
|
||||
@ -645,7 +643,7 @@ wg_net_init()
|
||||
|
||||
ERR_wg_help_exit()
|
||||
{
|
||||
echo -e "${R}ERROR${N}: $1"
|
||||
echo -e "${RR}ERROR${N}: $1"
|
||||
|
||||
cmd_wg_help
|
||||
exit
|
||||
@ -656,7 +654,7 @@ cmd_port() {
|
||||
|
||||
load_lg
|
||||
source "/dev/shm/sf/run/users/lg-${LID}/limits.txt"
|
||||
[[ -z $SF_RPORT ]] && BAIL "💥 ${CR}ERROR${CN}: ${CDM}Please contact a SysCop to enable this feature for you.${CN}"
|
||||
[[ -z $SF_RPORT ]] && BAIL "💥 ${RR}ERROR${CN}: ${M}Please contact a SysCop to enable this feature for you.${N}"
|
||||
|
||||
red RPUSH portd:cmd "remport ${lid}" >/dev/null
|
||||
sleep 1 # Stop DoS attack: flood-requesting reverse ports
|
||||
@ -669,8 +667,8 @@ BLPOP portd:response-${LID} 5" | redr) || return
|
||||
|
||||
# The PortD add's a /sf/run/self/reverse_forward.
|
||||
echo -en "\
|
||||
${CDM}Tip${CN}: ${CDC}${CF}Type ${CDC}cat /config/self/reverse_*${CN}.
|
||||
${CDG}👾 New reverse Port is ${CDY}${ipport}${CN}"
|
||||
${M}Tip${N}: Type ${C}cat /config/self/reverse_*${N}
|
||||
${G}👾 New reverse Port is ${Y}${ipport}${CN}"
|
||||
|
||||
# portd.sh automaticaly adds this to /config/self/reverse_*
|
||||
exit
|
||||
@ -681,11 +679,13 @@ cmd_token() {
|
||||
load_lg
|
||||
source "/dev/shm/sf/run/users/lg-${LID}/limits.txt"
|
||||
|
||||
[[ -n $SF_TOKEN_PROHIBITED ]] && BAIL "💥 ${CR}ERROR${CN}: ${CDM}Please contact a SysCop to enable this feature for you.${CN}"
|
||||
[[ ! -f "${token_fn}" ]] && { sleep 1; BAIL "💥 ${CR}ERROR${CN}: ${CDM}Token '${TOKEN_NAME}' does not exist.${CN}"; }
|
||||
[[ -n $SF_TOKEN_PROHIBITED ]] && BAIL "${M}Please contact a SysCop to enable this feature for you.${N}"
|
||||
[[ ! -f "${token_fn}" ]] && { sleep 1; BAIL "${M}Token '${R}${TOKEN_NAME}${M}' does not exist.${N}"; }
|
||||
|
||||
echo "${TOKEN_NAME}" >"/config/db/user/lg-${LID}/token"
|
||||
|
||||
echo -en "${G}🦋 Token set. ${N}Type ${C}halt${N} and log back in."
|
||||
|
||||
exit
|
||||
}
|
||||
|
||||
@ -710,10 +710,10 @@ cmd_wg_up()
|
||||
# Delete any EXIT or OUT
|
||||
nsenter.u1000 --setuid 0 --setgid 0 -t "${PID}" -n ip link delete group 31337 2>/dev/null
|
||||
|
||||
err=$(nsenter.u1000 --setuid 0 --setgid 0 -t "${PID}" -n ip link add "${WG_DEV}" type wireguard 2>&1) || BAIL "${R}ERROR${N}: Failed: ip link add '${WG_DEV}' (${err:0:64})." "Failed ${WG_DEV}" ": $err"
|
||||
nsenter.u1000 --setuid 0 --setgid 0 -t "${PID}" -n ip link set "${WG_DEV}" group 31337 || BAIL "${R}ERROR${N}: ip link set FAILED."
|
||||
[[ -n $R_OUT_IP4 ]] && { nsenter.u1000 --setuid 0 --setgid 0 -t "${PID}" -n ip address add dev "${WG_DEV}" "${R_OUT_IP4}" || BAIL "${R}ERROR${N}: Failed to assign IPv4 address '${R_OUT_IP4}'."; }
|
||||
[[ -n $R_OUT_IP6 ]] && { nsenter.u1000 --setuid 0 --setgid 0 -t "${PID}" -n ip -6 address add dev "${WG_DEV}" "${R_OUT_IP6}" || BAIL "${R}ERROR${N}: Failed to assign IPv6 address '${R_OUT_IP6}'."; }
|
||||
err=$(nsenter.u1000 --setuid 0 --setgid 0 -t "${PID}" -n ip link add "${WG_DEV}" type wireguard 2>&1) || BAIL "Failed: ip link add '${WG_DEV}' (${err:0:64})." "Failed ${WG_DEV}" ": $err"
|
||||
nsenter.u1000 --setuid 0 --setgid 0 -t "${PID}" -n ip link set "${WG_DEV}" group 31337 || BAIL "ip link set FAILED."
|
||||
[[ -n $R_OUT_IP4 ]] && { nsenter.u1000 --setuid 0 --setgid 0 -t "${PID}" -n ip address add dev "${WG_DEV}" "${R_OUT_IP4}" || BAIL "Failed to assign IPv4 address '${R_OUT_IP4}'."; }
|
||||
[[ -n $R_OUT_IP6 ]] && { nsenter.u1000 --setuid 0 --setgid 0 -t "${PID}" -n ip -6 address add dev "${WG_DEV}" "${R_OUT_IP6}" || BAIL "Failed to assign IPv6 address '${R_OUT_IP6}'."; }
|
||||
|
||||
args=()
|
||||
[[ -n $R_OUT_PSK ]] && {
|
||||
@ -721,7 +721,7 @@ cmd_wg_up()
|
||||
echo "$R_OUT_PSK" >"/dev/shm/psk.$$"
|
||||
}
|
||||
echo "$R_WG_PRIVATE" >"/dev/shm/private.$$"
|
||||
err=$(nsenter.u1000 --setuid 0 --setgid 0 -t "${PID}" -n wg set "$WG_DEV" private-key "/dev/shm/private.$$" peer "$R_OUT_PEER" "${args[@]}" endpoint "${R_OUT_ENDPOINT}" persistent-keepalive 25 allowed-ips 0.0.0.0/0,::/0 2>&1) || BAIL "${R}ERROR${N}: Failed: wg set (${err:0:128})"
|
||||
err=$(nsenter.u1000 --setuid 0 --setgid 0 -t "${PID}" -n wg set "$WG_DEV" private-key "/dev/shm/private.$$" peer "$R_OUT_PEER" "${args[@]}" endpoint "${R_OUT_ENDPOINT}" persistent-keepalive 25 allowed-ips 0.0.0.0/0,::/0 2>&1) || BAIL "Failed: wg set (${err:0:128})"
|
||||
rm -f "/dev/shm/private.$$" "/dev/shm/psk.$$"
|
||||
nsenter.u1000 --setuid 0 --setgid 0 -t "${PID}" -n ip link set mtu $((SF_HOST_MTU - 80 - 80)) up dev "${WG_DEV}"
|
||||
|
||||
@ -789,7 +789,8 @@ GetFormVars
|
||||
# COLOR is set (to 'always')
|
||||
Y=$CDY
|
||||
C=$CDC
|
||||
R=$CR
|
||||
R=$CDR
|
||||
RR=$CR
|
||||
G=$CDG
|
||||
B=$CB
|
||||
M=$CDM
|
||||
@ -797,6 +798,7 @@ GetFormVars
|
||||
W=$CW
|
||||
N=$CN
|
||||
F=$CF
|
||||
ICON_ERROR="💥 "
|
||||
}
|
||||
|
||||
|
||||
@ -809,7 +811,7 @@ GetFormVars
|
||||
[[ "${FCGI_CMD}" == "port" ]] && cmd_port
|
||||
[[ "${FCGI_CMD}" == "set" ]] && {
|
||||
[[ -n $TOKEN_NAME ]] && cmd_token
|
||||
BAIL "💥 ${CR}ERROR${CN}: ${CDM}Setting not found.${CN}"
|
||||
BAIL "${M}Setting not found.${N}"
|
||||
}
|
||||
|
||||
[[ -n $SF_DEBUG ]] && [[ "${FCGI_CMD}" == "env" ]] && { env; exit; }
|
||||
@ -843,7 +845,7 @@ wg_net_init
|
||||
CheckGoodKey "$R_WT_PRIVATE" "--exit_private"
|
||||
CheckGoodKey "$R_WT_PUBLIC" "--exit_public"
|
||||
|
||||
[[ -n $R_WT_PRIVATE ]] && [[ -n $R_WT_PUBLIC ]] && BAIL "${R}ERROR${N}: Set either PRIVATE or PUBLIC but not both."
|
||||
[[ -n $R_WT_PRIVATE ]] && [[ -n $R_WT_PUBLIC ]] && BAIL "Set either PRIVATE or PUBLIC but not both."
|
||||
|
||||
# Sanitize 0.4.8rc1 bug where '172...' was '"172...' in .env
|
||||
WG_IPS="${WG_IPS//[^a-fx0-9\/,:.]}"
|
||||
@ -871,14 +873,11 @@ wg_net_init
|
||||
[[ ${ARGS[1]} == 'list' ]] && cmd_net_list
|
||||
|
||||
# NOT 'up' -> EXIT
|
||||
[[ ${ARGS[1]} != 'up' ]] && { echo -e "${R}ERROR${N}: Unknown command."; cmd_net_help; }
|
||||
[[ ${ARGS[1]} != 'up' ]] && { echo -e "${RR}ERROR${N}: Unknown command."; cmd_net_help; }
|
||||
|
||||
WT_NAME="$R_WT_NAME"
|
||||
|
||||
[[ -n $IS_NOCREAT ]] && [[ -n $WT_NAME ]] && [[ ! -f "${LID_WGDIR}/wg-${WT_NAME}" ]] && {
|
||||
echo -e "${R}ERROR${N}: EXIT '${WT_NAME}' does not exist."
|
||||
exit
|
||||
}
|
||||
[[ -n $IS_NOCREAT ]] && [[ -n $WT_NAME ]] && [[ ! -f "${LID_WGDIR}/wg-${WT_NAME}" ]] && BAIL "EXIT '${WT_NAME}' does not exist."
|
||||
|
||||
if [[ -z $WT_NAME ]] && [[ -f "${LID_WGNAME_FN}" ]]; then
|
||||
is_already_up=1
|
||||
@ -896,7 +895,7 @@ wg_net_init
|
||||
# HERE: No name supplied. Another WG is already UP.
|
||||
# nsenter.u1000 --setuid 0 --setgid 0 -t "${PID}" -n ip l sh "${WG_DEV}" &>/dev/null && {
|
||||
name=$(<"${LID_WGNAME_FN}")
|
||||
echo -e "${R}ERROR${N}: Exit Node ${G}${name}${N} is already UP."
|
||||
echo -e "${RR}ERROR${N}: Exit Node ${G}${name}${N} is already UP."
|
||||
net_print_example "${name}"
|
||||
net_print_commands "${name}"
|
||||
exit 255
|
||||
@ -917,17 +916,17 @@ wg_net_init
|
||||
# _far_ more efficient.)
|
||||
nsenter.u1000 --setuid 0 --setgid 0 -t "${PID}" -n ip link delete group 31337 2>/dev/null
|
||||
|
||||
err=$(nsenter -t "${WG_PID}" -n ip link add "${WG_DEV}" type wireguard 2>&1) || BAIL "${R}ERROR${N}: Failed: ip link add ${WG_DEV} (${err:0:32})." "Failed ${WG_DEV}" ": $err"
|
||||
nsenter -t "${WG_PID}" -n ip link set "${WG_DEV}" group 31337 || BAIL "${R}ERROR${N}: ip link set FAILED."
|
||||
err=$(nsenter -t "${WG_PID}" -n ip link add "${WG_DEV}" type wireguard 2>&1) || BAIL "Failed: ip link add ${WG_DEV} (${err:0:32})." "Failed ${WG_DEV}" ": $err"
|
||||
nsenter -t "${WG_PID}" -n ip link set "${WG_DEV}" group 31337 || BAIL "ip link set FAILED."
|
||||
echo "$WG_PRIVATE" >"/dev/shm/private.$$"
|
||||
err=$(nsenter -t "${WG_PID}" -n wg set "${WG_DEV}" listen-port "${WG_PORT}" private-key "/dev/shm/private.$$" peer "${WT_PUBLIC}" allowed-ips 0.0.0.0/0,::/0 2>&1) || BAIL "${R}ERROR${N}: Failed: wg set (${err:0:128})"
|
||||
err=$(nsenter -t "${WG_PID}" -n wg set "${WG_DEV}" listen-port "${WG_PORT}" private-key "/dev/shm/private.$$" peer "${WT_PUBLIC}" allowed-ips 0.0.0.0/0,::/0 2>&1) || BAIL "Failed: wg set (${err:0:128})"
|
||||
rm -f "/dev/shm/private.$$"
|
||||
# Move Interface to user's container:
|
||||
err=$(nsenter -t "${WG_PID}" -n ip link set "${WG_DEV}" netns "${PID}" 2>&1) || BAIL "${R}ERROR${N}: Failed to move ${WG_DEV}." "Failed ${WG_DEV} netns $PID" ": $err"
|
||||
err=$(nsenter -t "${WG_PID}" -n ip link set "${WG_DEV}" netns "${PID}" 2>&1) || BAIL "Failed to move ${WG_DEV}." "Failed ${WG_DEV} netns $PID" ": $err"
|
||||
|
||||
# Configure interface after moving
|
||||
nsenter.u1000 --setuid 0 --setgid 0 -t "${PID}" -n ip -4 address add "${WG_IP}" dev "${WG_DEV}"
|
||||
err=$(nsenter.u1000 --setuid 0 --setgid 0 -t "${PID}" -n ip -6 address add "${WG_IP6}" dev "${WG_DEV}" 2>&1) || echo >&2 "${CR}ERROR${CN}: ip -6: $err"
|
||||
err=$(nsenter.u1000 --setuid 0 --setgid 0 -t "${PID}" -n ip -6 address add "${WG_IP6}" dev "${WG_DEV}" 2>&1) || echo >&2 "${RR}ERROR${N}: ip -6: $err"
|
||||
nsenter.u1000 --setuid 0 --setgid 0 -t "${PID}" -n ip link set mtu $((SF_HOST_MTU - 80)) up dev "${WG_DEV}"
|
||||
|
||||
set_route
|
||||
|
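Review bot: The cmd_port check in hunk @-656,7 +654,7 still embeds its own `💥 ${RR}ERROR${CN}: ` prefix, while the rewritten BAIL in hunk @-22,7 +23,7 now prepends `${ICON_ERROR}${RR}ERROR${N}: ` to every message, so the caller will see the error banner twice; the parallel cmd_token message in hunk @-681,11 +679,13 was already stripped down. Change the line to `[[ -z $SF_RPORT ]] && BAIL "${M}Please contact a SysCop to enable this feature for you.${N}"` so both commands print the same thing. Note also that the three former `echo ...; exit` blocks replaced by BAIL (hunks @-346,10 +347,7 and @-871,14 +873,11) now terminate with status 255 instead of 0, which looks intended given the existing `exit 255` elsewhere but is worth a line in the commit message. BAIL and cmd_port both continue outside their hunks, and this file's header is not visible on the page.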
1
sfbin/sf
1
sfbin/sf
@ -181,6 +181,7 @@ export SF_GUEST_MTU=$((SF_HOST_MTU - 80))
|
||||
==> Generate your own list (see THC's Tips & Tricks).
|
||||
==> Use ${CDC}touch ${SF_BASEDIR}/config/etc/relay-exit-nodes-global.txt${CN} to stop this warning."
|
||||
}
|
||||
chmod 644 "${SF_BASEDIR}/config/etc/relay-exit-nodes-global.txt" 2>/dev/null
|
||||
|
||||
[[ -z $SF_OVERLAYDIR ]] && [[ -d "${SF_BASEDIR}/docker/overlay2" ]] && export SF_OVERLAYDIR="${SF_BASEDIR}/docker/overlay2"
|
||||
|
||||
|
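Review bot: The `chmod 644 "${SF_BASEDIR}/config/etc/relay-exit-nodes-global.txt" 2>/dev/null` line, presumably the single addition in this hunk (the header shows one added line but the side markers are lost on the page), discards every failure without recording why. If it is only meant to tolerate the file not existing yet (the warning just above tells the operator to `touch` it), a guard such as `[[ -e "${SF_BASEDIR}/config/etc/relay-exit-nodes-global.txt" ]] && chmod 644 -- "${SF_BASEDIR}/config/etc/relay-exit-nodes-global.txt"` keeps genuine permission errors and a wrong `SF_BASEDIR` visible; otherwise a short comment like `# best-effort: the file is optional, see the warning above` would at least capture the intent. The enclosing block of sfbin/sf continues outside the hunk.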