mirror of
https://github.com/hackerschoice/segfault.git
synced 2024-06-16 11:58:43 +00:00
109 lines
3.8 KiB
Bash
109 lines
3.8 KiB
Bash
|
|
DevByIP()
|
|
{
|
|
local dev
|
|
|
|
[[ -z $1 ]] && { echo >&2 "Paremter missing"; return 255; }
|
|
dev=$(ip addr show | grep -F "inet $1")
|
|
dev="${dev##* }"
|
|
[[ -z $dev ]] && { echo -e >&2 "DEV not found for ip '$1'"; return 255; }
|
|
echo "$dev"
|
|
}
|
|
|
|
|
|
GetMainIP()
|
|
{
|
|
local arr
|
|
local -
|
|
set -o noglob
|
|
arr=($(ip route get 8.8.8.8))
|
|
echo "${arr[6]}"
|
|
}
|
|
|
|
# https://openwrt.org/docs/guide-user/network/traffic-shaping/packet.scheduler.example4
|
|
# https://wiki.archlinux.org/title/advanced_traffic_control
|
|
# https://mirrors.bieringer.de/Linux+IPv6-HOWTO/x2759.html
|
|
# https://tldp.org/HOWTO/Adv-Routing-HOWTO/lartc.qdisc.classful.html
|
|
# Note: hsfc and fq_codel stop working after 30 seconds or so (100% packet loss). (odd?)
|
|
|
|
# When traffic enters a classful qdisc, it needs to be sent to any of the classes
|
|
# within - it needs to be 'classified'. To determine what to do with a packet, the
|
|
# so called 'filters' are consulted. It is important to know that the filters are
|
|
# called from within a qdisc, and not the other way around!
|
|
#
|
|
# Assign a SFQ to give all LG's a fair share.
|
|
# Testing:
|
|
# docker run --rm -p7575 -p7576 -p7677 -it sf-guest bash -il
|
|
# -> 3 tmux panes with each iperf3 -s -p 757[567]
|
|
# docker run --rm -it --privileged sf-guest bash -il
|
|
# ifconfig eth0:0 172.17.0.5
|
|
# iperf3 -c 172.17.0.2 -p 7575 -l1024 -t60- & iperf3 -c 172.17.0.2 -p 7576 -l1024 -t60- & iperf3 -B 172.17.0.5 -c 172.17.0.2 -l1024 -p7577 -t60
|
|
#
|
|
# tc -s -d qdisc show
|
|
tc_set()
|
|
{
|
|
local dev
|
|
local rate
|
|
local cakekey
|
|
local key
|
|
dev=$1
|
|
rate=$2
|
|
cakekey=$3
|
|
key=$4
|
|
|
|
# Should not be set but lets make sure:
|
|
tc qdisc del dev "${dev}" root 2>/dev/null
|
|
|
|
# use TC-CAKE if there is a rate limit. Otherwise use faster SFQ below.
|
|
[[ -n $rate ]] && {
|
|
tc qdisc add dev "${dev}" root cake bandwidth "${rate}" "${cakekey}"
|
|
return
|
|
}
|
|
|
|
set -e
|
|
tc qdisc add dev "${dev}" root handle 11: sfq
|
|
tc filter add dev "${dev}" parent 11: handle 11 flow hash keys "${key}" divisor 1024
|
|
set +e
|
|
}
|
|
|
|
set_route_pre_up() {
|
|
# Add static routes for Segfault Services (RPC, DNS, ...)
|
|
# nsenter -t "${PID}" -n ip route add "${SF_PC_IP}/32" dev eth0 # NOT NEEDED: RPC is on same network
|
|
nsenter.u1000 --setuid 0 --setgid 0 -t "${PID}" -n ip route add "${SF_TOR_IP}" via "${SF_NET_LG_ROUTER_IP}" dev eth0 2>/dev/null
|
|
nsenter.u1000 --setuid 0 --setgid 0 -t "${PID}" -n ip route add "${SF_NET_ONION}" via "${SF_NET_LG_ROUTER_IP}" dev eth0 2>/dev/null
|
|
nsenter.u1000 --setuid 0 --setgid 0 -t "${PID}" -n ip route add "${SF_DNS}" via "${SF_NET_LG_ROUTER_IP}" dev eth0 2>/dev/null
|
|
[[ -n $SF_MULLVAD_ROUTE ]] && nsenter.u1000 --setuid 0 --setgid 0 -t "${PID}" -n ip route add "${SF_MULLVAD_ROUTE}" via "${SF_NET_LG_ROUTER_IP}" dev eth0 2>/dev/null
|
|
}
|
|
|
|
set_route_post_up() {
|
|
local str
|
|
|
|
# If there is a EXTRA ROUTE then route ALL traffic. Otherwise keep default route
|
|
# but add EXTRA ROUTE.
|
|
[[ ${#R_ROUTE_ARR[@]} -le 0 ]] && {
|
|
nsenter.u1000 --setuid 0 --setgid 0 -t "${PID}" -n ip route del default 2>/dev/null
|
|
nsenter.u1000 --setuid 0 --setgid 0 -t "${PID}" -n ip route add default dev "${WG_DEV}"
|
|
}
|
|
# All IPv6 to WG_DEV. FIXME: One day we shall support IPv6
|
|
nsenter.u1000 --setuid 0 --setgid 0 -t "${PID}" -n ip -6 route del default 2>/dev/null
|
|
nsenter.u1000 --setuid 0 --setgid 0 -t "${PID}" -n ip -6 route add default dev "${WG_DEV}" 2>/dev/null
|
|
|
|
# Add EXTRA ROUTE
|
|
for str in "${R_ROUTE_ARR[@]}"; do
|
|
echo "Setting route $str"
|
|
nsenter.u1000 --setuid 0 --setgid 0 -t "$PID" -n ip route add "${str}" dev "${WG_DEV}"
|
|
done
|
|
|
|
# Packets to 172.16.0.3 should not be forwarded back to 172.16.0.3
|
|
# Can not use 'sysctl net.ipv4.conf.wgExit.forwarding=1' because /proc is mounted ro
|
|
nsenter.u1000 --setuid 0 --setgid 0 -t "${PID}" -n iptables -I FORWARD -i "${WG_DEV}" -j DROP
|
|
nsenter.u1000 --setuid 0 --setgid 0 -t "${PID}" -n ip6tables -I FORWARD -i "${WG_DEV}" -j DROP
|
|
}
|
|
|
|
# sf-master, wg/vpn
|
|
set_route()
|
|
{
|
|
set_route_pre_up
|
|
set_route_post_up
|
|
}
|