
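#######################################
# Print the name of the interface that carries IPv4 address $1.
# Arguments: $1 - IPv4 address (without prefix length)
# Outputs:   interface name on stdout; diagnostics on stderr
# Returns:   0 on success, 255 if $1 is missing or no interface has that address
#######################################
DevByIP()
{
  local dev line
  [[ -z $1 ]] && { echo >&2 "Parameter missing"; return 255; }
  # Match the address as a whole word: a plain 'grep -F "inet $1"' also
  # matches longer addresses sharing the prefix (10.0.0.1 vs 10.0.0.10),
  # and the last word of that multi-line match is then the wrong device.
  # 'inet A.B.C.D/len' is the common form; 'inet A.B.C.D peer ...' the other.
  while IFS= read -r line; do
    [[ $line == *"inet $1/"* || $line == *"inet $1 "* ]] || continue
    dev="${line##* }"   # 'ip addr show' prints the device as the last word
    break
  done < <(ip addr show)
  [[ -z $dev ]] && { echo >&2 "DEV not found for ip '$1'"; return 255; }
  echo "$dev"
}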
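#######################################
# Print the source IPv4 address the kernel would use to reach the Internet
# (the 'src' field of 'ip route get 8.8.8.8').
# Outputs:   source address on stdout; nothing if it cannot be determined
# Returns:   0 on success, 255 if no 'src' field is found
#######################################
GetMainIP()
{
  local -a arr
  local i
  local -
  set -o noglob   # the route output is word-split below; keep '*' literal
  # shellcheck disable=SC2207
  arr=($(ip route get 8.8.8.8))
  # Look for the word after 'src' instead of a fixed index: the 'via <gw>'
  # pair is absent for directly connected routes, which shifts the fields
  # and made the old "${arr[6]}" print the uid value instead of the address.
  for ((i = 0; i + 1 < ${#arr[@]}; i++)); do
    [[ ${arr[i]} == src ]] || continue
    echo "${arr[i + 1]}"
    return 0
  done
  return 255
}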
# https://openwrt.org/docs/guide-user/network/traffic-shaping/packet.scheduler.example4
# https://wiki.archlinux.org/title/advanced_traffic_control
# https://mirrors.bieringer.de/Linux+IPv6-HOWTO/x2759.html
# https://tldp.org/HOWTO/Adv-Routing-HOWTO/lartc.qdisc.classful.html
# Note: hfsc and fq_codel stop working after 30 seconds or so (100% packet loss). (odd?)
# When traffic enters a classful qdisc, it needs to be sent to any of the classes
# within - it needs to be 'classified'. To determine what to do with a packet, the
# so called 'filters' are consulted. It is important to know that the filters are
# called from within a qdisc, and not the other way around!
#
# Assign an SFQ to give all LGs a fair share.
# Testing:
# docker run --rm -p7575 -p7576 -p7677 -it sf-guest bash -il
# -> 3 tmux panes with each iperf3 -s -p 757[567]
# docker run --rm -it --privileged sf-guest bash -il
# ifconfig eth0:0 172.17.0.5
# iperf3 -c 172.17.0.2 -p 7575 -l1024 -t60- & iperf3 -c 172.17.0.2 -p 7576 -l1024 -t60- & iperf3 -B 172.17.0.5 -c 172.17.0.2 -l1024 -p7577 -t60
#
# tc -s -d qdisc show
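#######################################
# Install the root qdisc on a device: CAKE when a rate limit is given,
# otherwise SFQ with a flow-hash filter.
# Arguments: $1 - device name (required)
#            $2 - rate limit for CAKE (empty: use SFQ)
#            $3 - extra CAKE keyword, passed as one argument (optional)
#            $4 - 'flow hash keys' spec for the SFQ filter
# Returns:   status of the last tc command; 255 if the device is missing
#######################################
tc_set()
{
  local dev=$1
  local rate=$2
  local cakekey=$3
  local key=$4
  local -a cake_extra=()
  [[ -z $dev ]] && { echo >&2 "tc_set: device missing"; return 255; }
  # Should not be set but lets make sure:
  tc qdisc del dev "${dev}" root 2>/dev/null
  # use TC-CAKE if there is a rate limit. Otherwise use faster SFQ below.
  if [[ -n $rate ]]; then
    # Only pass the extra keyword when it is set: an empty "" argument is
    # not skipped by tc and most likely breaks its option parsing.
    [[ -n $cakekey ]] && cake_extra=("${cakekey}")
    tc qdisc add dev "${dev}" root cake bandwidth "${rate}" "${cake_extra[@]}"
    return
  fi
  # '|| return' instead of set -e/set +e: a failing tc under set -e would
  # terminate the caller's shell and the trailing 'set +e' would never run.
  tc qdisc add dev "${dev}" root handle 11: sfq || return
  tc filter add dev "${dev}" parent 11: handle 11 flow hash keys "${key}" divisor 1024
}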
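#######################################
# Add static routes inside the LG's network namespace (entered via
# nsenter.u1000 on PID) so that the Segfault services named by SF_TOR_IP,
# SF_NET_ONION, SF_DNS and the optional SF_MULLVAD_ROUTE are reached via
# SF_NET_LG_ROUTER_IP on eth0 rather than via the default route.
# Globals:   PID, SF_TOR_IP, SF_NET_ONION, SF_DNS, SF_NET_LG_ROUTER_IP (read)
#            SF_MULLVAD_ROUTE (read, optional)
# Returns:   0; 255 if PID or SF_NET_LG_ROUTER_IP is empty
#######################################
set_route_pre_up() {
  local -a ns
  [[ -z ${PID:-} || -z ${SF_NET_LG_ROUTER_IP:-} ]] && { echo >&2 "set_route_pre_up: PID or SF_NET_LG_ROUTER_IP missing"; return 255; }
  ns=(nsenter.u1000 --setuid 0 --setgid 0 -t "${PID}" -n)
  # Add static routes for Segfault Services (RPC, DNS, ...)
  # nsenter -t "${PID}" -n ip route add "${SF_PC_IP}/32" dev eth0 # NOT NEEDED: RPC is on same network
  # stderr is silenced (route may already exist). NOTE(review): a genuinely
  # failing add is then invisible and that destination presumably keeps
  # using whatever default route is set later.
  "${ns[@]}" ip route add "${SF_TOR_IP}" via "${SF_NET_LG_ROUTER_IP}" dev eth0 2>/dev/null
  "${ns[@]}" ip route add "${SF_NET_ONION}" via "${SF_NET_LG_ROUTER_IP}" dev eth0 2>/dev/null
  "${ns[@]}" ip route add "${SF_DNS}" via "${SF_NET_LG_ROUTER_IP}" dev eth0 2>/dev/null
  if [[ -n ${SF_MULLVAD_ROUTE:-} ]]; then
    "${ns[@]}" ip route add "${SF_MULLVAD_ROUTE}" via "${SF_NET_LG_ROUTER_IP}" dev eth0 2>/dev/null
  fi
  # Explicit success: a trailing '[[ -n ... ]] && cmd' returns 1 when the
  # variable is empty, which would trip a 'set -e' caller.
  return 0
}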
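#######################################
# Route the LG's traffic through WG_DEV once it is up, inside the network
# namespace entered via nsenter.u1000 on PID.
# With no entry in R_ROUTE_ARR the IPv4 default route is replaced by WG_DEV;
# otherwise the existing default route is kept and only the listed routes
# are added via WG_DEV. IPv6 default always goes to WG_DEV. Finally all
# forwarding of packets arriving on WG_DEV is dropped.
# Globals:   PID, WG_DEV (read); R_ROUTE_ARR (read, may be empty)
# Outputs:   one "Setting route ..." line per extra route on stdout
# Returns:   status of the last ip6tables command; 255 if PID or WG_DEV is empty
#######################################
set_route_post_up() {
  local str
  local -a ns
  [[ -z ${PID:-} || -z ${WG_DEV:-} ]] && { echo >&2 "set_route_post_up: PID or WG_DEV missing"; return 255; }
  ns=(nsenter.u1000 --setuid 0 --setgid 0 -t "${PID}" -n)
  # No EXTRA ROUTE: route ALL traffic via WG_DEV. Otherwise keep the default
  # route and only add the EXTRA ROUTEs below.
  if [[ ${#R_ROUTE_ARR[@]} -le 0 ]]; then
    "${ns[@]}" ip route del default 2>/dev/null
    "${ns[@]}" ip route add default dev "${WG_DEV}"
  fi
  # All IPv6 to WG_DEV. FIXME: One day we shall support IPv6
  "${ns[@]}" ip -6 route del default 2>/dev/null
  "${ns[@]}" ip -6 route add default dev "${WG_DEV}" 2>/dev/null
  # Add EXTRA ROUTE
  for str in "${R_ROUTE_ARR[@]}"; do
    echo "Setting route $str"
    "${ns[@]}" ip route add "${str}" dev "${WG_DEV}"
  done
  # Packets to 172.16.0.3 should not be forwarded back to 172.16.0.3
  # Can not use 'sysctl net.ipv4.conf.wgExit.forwarding=1' because /proc is mounted ro
  # Dropping everything that enters FORWARD from WG_DEV (presumably) keeps
  # the VPN peer from using this namespace as a relay to its other interfaces.
  "${ns[@]}" iptables -I FORWARD -i "${WG_DEV}" -j DROP
  "${ns[@]}" ip6tables -I FORWARD -i "${WG_DEV}" -j DROP
}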
#######################################
# sf-master, wg/vpn
# Run the pre-up and post-up route setup for the LG's namespace in order.
# Returns:   status of set_route_post_up
#######################################
set_route() {
  local step
  for step in set_route_pre_up set_route_post_up; do
    "$step"
  done
}