TC on I22

2024-06-28 09:41:18 +00:00 · 2022-08-09 07:28:47 +01:00 · 2022-08-09 07:28:47 +01:00 · c8b7362218
commit c8b7362218
parent 44c78fd76e
4 changed files with 35 additions and 16 deletions
--- a/guest/Dockerfile
+++ b/guest/Dockerfile
@ -5,13 +5,17 @@ RUN	apt update -y && \
 	apt install -y --no-install-recommends \
 		ca-certificates \
 		curl
-RUN	apt install -y --no-install-recommends \
+RUN	apt update -y && \
+	apt install -y --no-install-recommends \
 		locales \
 		gcc \
 		g++ \
 		git \
 		make \
 		build-essential \
+		strace \
+		ltrace \
+		gdb \
 		automake \
 		byacc \
 		flex \
@ -19,12 +23,14 @@ RUN	apt install -y --no-install-recommends \
 		man-db \
 		manpages-dev \
 		python-is-python3 \
-		patch
+		patch \
+		sudo
 RUN	apt install -y --no-install-recommends \
 		vim \
 		binutils \
 		whois \
 		dnsutils \
+		bc \
 		openssh-client \
 		iputils-ping \
 		iputils-tracepath \
@ -55,6 +61,11 @@ RUN	apt install -y --no-install-recommends \
 		duf \
 		lynx \
 		netcat-traditional
+RUN	apt install -y --no-install-recommends \
+		golang-go \
+		pkg-config
+RUN	apt install -y --no-install-recommends \
+		x11-apps
 RUN	apt install -y --no-install-recommends \
 		zsh \
 		zsh-syntax-highlighting \
--- a/host/fs-root/bin/segfaultsh
+++ b/host/fs-root/bin/segfaultsh
@ -145,9 +145,9 @@ print_goodbye()
 	[[ -z $IS_PTY ]] && return

 	# Restricted shell (-r) wont let us redirect stderr - use a bash-exec trick
-	n="$(bash -c "docker exec \"lg-${LID}\" ps --no-headers aux 2>/dev/null|wc -l")"
+	n="$(bash -c "docker exec \"lg-${LID}\" pgrep . 2>/dev/null|wc -l")"
 	DEBUGF "Processes running: $n"
-	if [[ "$n" -gt 4 ]]; then
+	if [[ "$n" -gt 3 ]]; then
 		echo -e "\
 ${CY}WARNING: Another shell or background process is still running.${CN}
 -------> The encrypted filesystem in /sec will remain mounted until
@ -239,8 +239,8 @@ HNLID_FILE="/config/db/hn/hn2lid-${SF_HOSTNAME}"
 [[ ! -d "/config/db/hn" ]] && { mkdir -p "/config/db/hn" || ERREXIT; }

 if [[ -d "/config/db/db-${LID}" ]]; then
-	# S="Connecting to     : ${CDY}${SF_HOSTNAME:0:34}${CN}....................................................."
-	S="Spinning up       : ${CDY}${SF_HOSTNAME:0:34}${CN}....................................................."
+	# S="Spinning up       : ${CDY}${SF_HOSTNAME:0:34}${CN}....................................................."
+	S="Your Server       : ${CDY}${SF_HOSTNAME:0:34}${CN}....................................................."
 	echo_pty -en "${S:0:65}"
 	touch "${HNLID_FILE}"
 else
--- a/router/init.sh
+++ b/router/init.sh
@ -119,10 +119,10 @@ DEV_I22="$(devbyip 172.28.0.)"
 	echo >&2 "DEV=${DEV} DEV_GW=${DEV_GW}"
 }

-# blacklist_routes
+blacklist_routes

 ip route del default && \
-# -----BEGING SSH traffic is routed via Internet-----
+# -----BEGIN SSH traffic is routed via Internet-----
 # Linux needs to know that a default route exists for the source or
 # otherwise it will drop the packet. Inform Linux that a route exist
 # to the SSHD.
@ -130,7 +130,7 @@ iptables -A PREROUTING -i ${DEV_I22} -t mangle -p tcp -d 172.28.0.2 --dport 22 -
 ip rule add fwmark 722 table 207 && \
 ip route add default via 172.22.0.22 dev ${DEV_SSHD} table 207 && \

-# Any traffic from the SSHD host shall go out (directly) to the Internet.
+# Any traffic from the SSHD shall go out (directly) to the Internet.
 iptables -A PREROUTING -i ${DEV_SSHD} -t mangle -p tcp -s 172.22.0.22 --sport 22 -j MARK --set-mark 22 && \
 ip rule add fwmark 22 table 201 && \
 ip route add default via 172.28.0.1 dev ${DEV_I22} table 201 && \
@ -160,7 +160,7 @@ iptables -t nat -A POSTROUTING -s 172.22.0.22 -o "${DEV}" -j MASQUERADE && \
 # TOR traffic (10.111.0.0/16) always goes to TOR (transparent proxy)
 ip route add 10.111.0.0/16 via "${TOR_GW}" && \
 echo -e >&2 "FW: SUCCESS" && \
-/tc.sh "${DEV_GW}" "${DEV}" && \
+/tc.sh "${DEV}" "${DEV_GW}" "${DEV_I22}" && \
 echo -e >&2 "TC: SUCCESS" && \

 # By default go via TOR until vpn_status exists
--- a/router/tc.sh
+++ b/router/tc.sh
@ -20,8 +20,13 @@ tc_set()

 [[ ! -f /config/tc/limits.conf ]] && { echo -e >&2 "WARNING: NO OUTGOING TRAFFIC LIMIT"; exit 0; }

-DEV_OUT=${1:-eth0}
-DEV_IN=${2:-eth1}
+# User's INCOMING traffic to his shell. Normally not limited.
+DEV_SHELL=${1:-eth1}
+
+# All outgoing interfaces
+DEV_GW=${2:-eth3}  # Traffic via VPN (User's shell)
+DEV_I22=${3:-eth0} # SSHD return traffic to User
+
 # shellcheck disable=SC1091
 source /config/tc/limits.conf

@ -31,10 +36,13 @@ source /config/tc/limits.conf
 [[ -z $MAXIN ]] && MAXIN="${SF_MAXIN}"

 # Delete all. This might set $? to false
-tc qdisc del dev "${DEV_OUT}" root 2>/dev/null
-# force $? to be true
+tc qdisc del dev "${DEV_GW}" root 2>/dev/null
+tc qdisc del dev "${DEV_I22}" root 2>/dev/null
+true # force $? to be true

-[[ -n $MAXOUT ]] && { tc_set "${DEV_OUT}" "${MAXOUT}" || exit 255; }
-[[ -n $MAXIN ]] && { tc_set "${DEV_IN}" "${MAXIN}" || exit 255; }
+[[ -n $MAXOUT ]] && { tc_set "${DEV_GW}" "${MAXOUT}" || exit 255; }
+[[ -n $MAXOUT ]] && { tc_set "${DEV_I22}" "${MAXOUT}" || exit 255; }
+
+[[ -n $MAXIN ]] && { tc_set "${DEV_SHELL}" "${MAXIN}" || exit 255; }

 exit 0