diff options
author | netblue30 <netblue30@yahoo.com> | 2015-08-08 19:12:30 -0400 |
---|---|---|
committer | netblue30 <netblue30@yahoo.com> | 2015-08-08 19:12:30 -0400 |
commit | 1379851360349d6617ad32944a25ee5e2bb74fc2 (patch) | |
tree | f69b48e90708bfa3c2723d5a27ed3e024c827b43 /src/firejail/network.txt | |
parent | delete files (diff) | |
download | firejail-1379851360349d6617ad32944a25ee5e2bb74fc2.tar.gz firejail-1379851360349d6617ad32944a25ee5e2bb74fc2.tar.zst firejail-1379851360349d6617ad32944a25ee5e2bb74fc2.zip |
Baseline firejail 0.9.28
Diffstat (limited to 'src/firejail/network.txt')
-rw-r--r-- | src/firejail/network.txt | 95 |
1 files changed, 95 insertions, 0 deletions
diff --git a/src/firejail/network.txt b/src/firejail/network.txt new file mode 100644 index 000000000..673d5b941 --- /dev/null +++ b/src/firejail/network.txt | |||
@@ -0,0 +1,95 @@ | |||
1 | struct Bridge { | ||
2 | char *dev; // bridge device name | ||
3 | uint32_t ip; // bridge device IP address | ||
4 | uint32_t mask; // bridge device mask | ||
5 | uint32_t ipsandbox // sandbox interface IP address | ||
6 | } | ||
7 | |||
8 | net_configure_bridge(br, device) { | ||
9 | br->dev = devname; | ||
10 | br->ip = extracted from kernel device - using net_get_if_addr() in network.c | ||
11 | br->mask = extracted from kernel device - using net_get_if_addr() in network.c | ||
12 | check available network range; /31 networks are not supported | ||
13 | } | ||
14 | |||
15 | net_configure_sandbox_ip(br) { | ||
16 | if br->ip_snadbox | ||
17 | check br->ipsandbox inside the bridge network | ||
18 | arp_check(br->ipsandbox) // send an arp req to check if anybody else is using this address | ||
19 | else | ||
20 | br->ipsandbox = arp_assign(); | ||
21 | } | ||
22 | |||
23 | net_configure_veth_pair { | ||
24 | create a veth pair | ||
25 | place one interface end in the bridge | ||
26 | place the other end in the namespace of the child process | ||
27 | } | ||
28 | |||
29 | net_bridge_wait_ip { | ||
30 | arp_check br->ipsandbox address to come up | ||
31 | wait for not more than 5 seconds | ||
32 | } | ||
33 | |||
34 | main() { | ||
35 | |||
36 | foreach argv[i] { | ||
37 | if --net | ||
38 | br = next bridge available | ||
39 | net_configure_bridge(br, device name from argv[i]); | ||
40 | else if --ip | ||
41 | br = last bridge configured | ||
42 | br->ipsandbox = ip address extracted from argv[i] | ||
43 | else if --defaultgw | ||
44 | cfg.defaultgw = ip address extracted from argv[i] | ||
45 | } | ||
46 | |||
47 | net_check_cfg(); // check the validity of network configuration so far | ||
48 | |||
49 | if (any bridge configured) { | ||
50 | lock /var/lock/firejail.lock file | ||
51 | for each bridge | ||
52 | net_configure_sandbox_ip(br) | ||
53 | } | ||
54 | |||
55 | clone (new network namespace if any bridge configured or --net=none) | ||
56 | |||
57 | if (any bridge configured) { | ||
58 | for each bridge | ||
59 | net_configure_veth_pair | ||
60 | } | ||
61 | |||
62 | notify child init is done | ||
63 | |||
64 | if (any bridge configured) { | ||
65 | for each bridge | ||
66 | net_bridge_wait_ip | ||
67 | unlock /var/lock/firejail.lock file | ||
68 | } | ||
69 | |||
70 | wait on child | ||
71 | exit | ||
72 | } | ||
73 | |||
74 | |||
75 | ****************************************************** | ||
76 | * macvlan notes | ||
77 | ****************************************************** | ||
78 | Configure a macvlan interface | ||
79 | |||
80 | # ip link add virtual0 link eth0 type macvlan mode bridge | ||
81 | (you can configure it with # ifconfig virtual0 192.168.1.52/24 up) | ||
82 | |||
83 | Create a new network namespace and move the interface in the new network namespace | ||
84 | |||
85 | # ip netns add dummy0 | ||
86 | # ip link set virtual0 netns dummy0 | ||
87 | |||
88 | Join the namespace and configure the interfaces | ||
89 | |||
90 | # ip netns exec dummy0 bash | ||
91 | # ifconfig lo up | ||
92 | # ifconfig virtual0 192.168.1.52/24 | ||
93 | |||
94 | Investigate ipvlan interface - added to linux kernel 3.19 | ||
95 | https://github.com/torvalds/linux/blob/master/Documentation/networking/ipvlan.txt | ||