rc1

ChangeLog

@@ -1,4 +1,4 @@
-0.5.1 - 2022-04-00
+0.4.6 - 2023-05-08
     * SF-UI alpha
     * SetEnv HIDEIP, HUSHLOGIN, PRJ, TOKEN
     * NOVPN/DIRECT support
@@ -8,13 +8,13 @@
     * Avoid port 53 traffic to VPNs that mangle with DNS
     * Fixed ARP MITM (thanks extencil@proton.thc.org)
 
-0.4.4 - 2022-03-00
+0.4.4 - 2023-03-00
     * Updated for quarterly Kali-latest
     * pipx, xpra and pwndbg update
     * SSHD master/NameSpace fix
     * Redis via unix domain socket only
 
-0.4.3 - 2022-02-21
+0.4.3 - 2023-02-21
     * kali-linux-everything
     * sshd to user's network namespace
     * Better cgroups (encfs/blkio, slices, cpus=)

Makefile

@@ -1,4 +1,4 @@
-VER := 0.4.5b3
+VER := 0.4.6
 
 all:
 	make -C router

guest/setup.sh

@@ -36,6 +36,7 @@ rm -rf /root /home
 mkdir -p /sec
 cp -a /etc/skel /sec/root
 ln -s /sec/root /root
+cd . # Prevent 'getcwd() failed' after deleting my own directory
 ln -s /sec/home /home
 
 echo "NOT ENCRYPTED" >/sec/THIS-DIRECTORY-IS-NOT-ENCRYPTED--DO-NOT-USE.txt

provision/env.example

@@ -11,9 +11,10 @@ SF_BASEDIR=${HOME}/segfault
 #SF_FQDN=CHANGEME.segfault-net
 ## Route TOR VIA VPN (the default it to route directly to Internet)
 #SF_TOR_VIA_VPN=
+## Use no VPN at all and route directly to the Internet.
+#SF_DIRECT=
 ## Obtain the private key by executing:
 ## docker run --rm --cap-add=NET_ADMIN -e USER=XXX -e PASS=YYY bubuntux/nordvpn:get_private_key
-#SF_DIRECT=1
 #SF_NORDVPN_PRIVATE_KEY=
 ## Obtain the config by executing:
 ## docker run --rm --e CRYPTOSTORM_TOKEN=XXX --entrypoint /getkey.sh hackerschoice/cryptostorm

router/user-limit.sh

@@ -33,6 +33,7 @@ source /dev/shm/net-devs.txt || exit
     set -e
     # Delete stale iptables-FORWARD rule for this C_IP (if it exist then it would go to wrong chain)
     [[ -e "${IPT_FN}" ]] && iptables -D FORWARD -i "${DEV_LG}" -s "${C_IP}" -p tcp --syn -j "$(<"$IPT_FN")"
+    # New chain must be hit before our global SYN-limit chain => Use '-I FORWARD 1'
     iptables -I FORWARD 1 -i "${DEV_LG}" -s "${C_IP}" -p tcp --syn -j "${CHAIN}"
 
     # Save chain name

sfbin/funcs_admin.sh

@@ -113,7 +113,7 @@ lgwall()
 
 # Enter a docker network namespace
 # [container] <cmd ...>
-dnenter()
+netns()
 {
 	local pid
 	local c_id
@@ -123,14 +123,16 @@ dnenter()
 
 	shift 1
 	pid=$(docker inspect -f '{{.State.Pid}}' "${c_id:?}") || return
-	[[ ${#} -le 0 ]] && {
-		env HISTFILE=/dev/null nsenter -t "${pid}" -a bash -il
-		return
-	}
+	# [[ ${#} -le 0 ]] && {
+	# 	env HISTFILE=/dev/null nsenter -t "${pid}" -a bash -il
+	# 	return
+	# }
 
 	# str=$(head -n1 "/proc/${pid}/cgroup")
 	# FIXME: '*' wont work if there are more than 1 cgroup.
 	# cgexec --sticky -g "*:${str##*:}" nsenter -t "${pid}" -a "${cmd[@]}"
+	# nsenter -C doesnt seem to be sticky: Child processes run as /user.slice rather then
+	# the slice of the spawned 'bash' (/sf.slice) -> That's contrary to the man page.
 	nsenter -t "${pid}" -n "$@"
 }