Test network namespace/veth

mullvad · Aug 31, 2024 · 3795899 · 3795899
1 parent 80ba0a3
commit 3795899
Show file tree

Hide file tree

Showing 5 changed files with 143 additions and 7 deletions.
diff --git a/mullvad-include b/mullvad-include
@@ -0,0 +1,3 @@
+#!/usr/bin/env bash
+
+ip netns exec mullvad-ns sudo -u david $*
diff --git a/setup-inverse-st.sh b/setup-inverse-st.sh
@@ -0,0 +1,52 @@
+#!/usr/bin/env bash
+
+set -e
+
+namespace="mullvad-ns"
+tun_iface="wg0-mullvad"
+
+echo "Step 0: Configure DNS"
+mkdir -p /etc/netns/$namespace/
+echo "nameserver 10.64.0.1" > /etc/netns/$namespace/resolv.conf
+
+echo "hosts: files dns" > /etc/netns/$namespace/nsswitch.conf
+
+echo "Step 1: Recreating $namespace namespace"
+ip netns delete $namespace || true
+ip netns add $namespace || true
+
+echo "Step 2: Firewall stuff"
+ip netns exec $namespace nft -f - <<EOF
+table inet filter {
+    chain output {
+        type filter hook output priority 0; policy accept;
+        ip daddr 10.64.0.1 udp dport 53 accept
+        ip daddr 10.64.0.1 tcp dport 53 accept
+        udp dport 53 drop
+        tcp dport 53 drop
+    }
+}
+EOF
+
+
+tunnel_ip=$(ip addr show $tun_iface | grep -oP '(?<=inet\s)\d+(\.\d+){3}/\d+')
+echo "Tunnel IP: $tunnel_ip"
+
+echo "Step 3: Move $tun_iface to $namespace namespace"
+
+ip link set $tun_iface netns $namespace
+
+echo "Step 4: Configuring tun interface"
+
+echo "Configuring IP for $tun_iface"
+ip -n $namespace link set dev lo up
+ip -n $namespace link set $tun_iface up
+ip -n $namespace addr add dev $tun_iface $tunnel_ip
+
+echo "Add default route for $tun_iface"
+ip -n $namespace route add default dev $tun_iface
+
+echo "Performing various incantations"
+echo "Making things very secure"
+
+echo "Success."
diff --git a/setup-st.sh b/setup-st.sh
@@ -0,0 +1,79 @@
+#!/usr/bin/env bash
+
+set -e
+
+namespace="mullvad-ns-exclude"
+tun_iface="wg0-mullvad"
+
+default_ns_iface=vethmole0
+exclude_ns_iface=vethmole1
+
+default_ns_net=172.25.1.1/30
+exclude_ns_net=172.25.1.2/30
+exclude_ns_gateway=172.25.1.1
+
+# TODO: Use original host config, if possible
+echo "Configure DNS"
+mkdir -p /etc/netns/$namespace/
+echo "nameserver 1.1.1.1" > /etc/netns/$namespace/resolv.conf
+echo "hosts: files dns" > /etc/netns/$namespace/nsswitch.conf
+
+echo "Recreating namespace $namespace"
+ip netns delete $namespace || true
+ip netns add $namespace || true
+
+echo "Creating veth pair"
+ip link del dev $default_ns_iface || true
+ip link add dev $default_ns_iface type veth peer name $exclude_ns_iface
+
+echo "Setting up default namespace veth interface $default_ns_iface"
+ip addr add $default_ns_net dev $default_ns_iface
+ip link set dev $default_ns_iface up
+
+echo "Moving $exclude_ns_iface to namespace $namespace"
+ip link set dev $exclude_ns_iface netns $namespace
+
+echo "Configuring $exclude_ns_iface"
+ip -n $namespace addr add $exclude_ns_net dev $exclude_ns_iface
+ip -n $namespace link set dev lo up
+ip -n $namespace link set dev $exclude_ns_iface up
+
+echo "Add default route for $exclude_ns_iface"
+ip -n $namespace link set dev $exclude_ns_iface up
+ip -n $namespace route add default via $exclude_ns_gateway
+
+echo "Set up forwarding"
+
+# TODO: only for veth pair
+sysctl net.ipv4.conf.all.forwarding=1
+
+nft delete table inet exclude_nat_test >/dev/null || true
+nft delete table inet exclude_filter_test >/dev/null || true
+nft -f - <<EOF
+table inet exclude_nat_test {
+    chain prerouting {
+        type nat hook prerouting priority mangle; policy accept;
+        # TODO: routing or nft?
+        #ip daddr 10.64.0.1 counter accept
+        ip saddr $default_ns_net ct mark set 0x6d6f6c65
+        ip saddr $default_ns_net meta mark set ct mark
+    }
+    chain postrouting {
+        type nat hook postrouting priority 100; policy accept;
+        # TODO: != wg tun
+        ip saddr $default_ns_net masquerade
+    }
+}
+table inet exclude_filter_test {
+    chain forward {
+        type filter hook forward priority 0; policy accept;
+        iifname "$default_ns_iface" oifname != "$default_ns_iface" accept
+        oifname "$default_ns_iface" iifname != "$default_ns_iface" accept
+    }
+}
+EOF
+
+# TODO: nft or routing?
+echo "Set up routing"
+ip rule del from $default_ns_net table main || true
+ip rule add from $default_ns_net table main
diff --git a/talpid-core/src/firewall/mod.rs b/talpid-core/src/firewall/mod.rs
@@ -282,7 +282,8 @@ impl Firewall {
     /// until this method is called again with another policy, or until `reset_policy` is called.
     pub fn apply_policy(&mut self, policy: FirewallPolicy) -> Result<(), Error> {
         log::info!("Applying firewall policy: {}", policy);
-        self.inner.apply_policy(policy)
+        //self.inner.apply_policy(policy)
+        Ok(())
     }
 
     /// Resets/removes any currently enforced `FirewallPolicy`. Returns the system to the same state

diff --git a/talpid-wireguard/src/lib.rs b/talpid-wireguard/src/lib.rs
@@ -326,14 +326,14 @@ impl WireguardMonitor {
         };
 
         let gateway = config.ipv4_gateway;
-        let mut connectivity_monitor = connectivity_check::ConnectivityMonitor::new(
+        /*let mut connectivity_monitor = connectivity_check::ConnectivityMonitor::new(
             gateway,
             #[cfg(any(target_os = "macos", target_os = "linux"))]
             iface_name.clone(),
             Arc::downgrade(&monitor.tunnel),
             pinger_rx,
         )
-        .map_err(Error::ConnectivityMonitorError)?;
+        .map_err(Error::ConnectivityMonitorError)?;*/
 
         let moved_tunnel = monitor.tunnel.clone();
         let moved_close_obfs_sender = close_obfs_sender.clone();
@@ -420,7 +420,7 @@ impl WireguardMonitor {
                     };
                 });
             }
-            let mut connectivity_monitor = tokio::task::spawn_blocking(move || {
+            /*let mut connectivity_monitor = tokio::task::spawn_blocking(move || {
                 match connectivity_monitor.establish_connectivity(args.retry_attempt) {
                     Ok(true) => Ok(connectivity_monitor),
                     Ok(false) => {
@@ -437,7 +437,7 @@ impl WireguardMonitor {
                 }
             })
             .await
-            .unwrap()?;
+            .unwrap()?;*/
 
             // Add any default route(s) that may exist.
             args.route_manager
@@ -450,12 +450,13 @@ impl WireguardMonitor {
             (on_event)(TunnelEvent::Up(metadata)).await;
 
             tokio::task::spawn_blocking(move || {
-                if let Err(error) = connectivity_monitor.run() {
+                /*if let Err(error) = connectivity_monitor.run() {
                     log::error!(
                         "{}",
                         error.display_chain_with_msg("Connectivity monitor failed")
                     );
-                }
+                }*/
+                pinger_rx.recv();
             })
             .await
             .unwrap();
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,3 @@
		#!/usr/bin/env bash

		ip netns exec mullvad-ns sudo -u david $*