struct Bridge {
char *dev; // bridge device name
uint32_t ip; // bridge device IP address
uint32_t mask; // bridge device mask
uint32_t ipsandbox; // sandbox interface IP address
};
net_configure_bridge(br, devname) {
br->dev = devname;
br->ip = extracted from kernel device - using net_get_if_addr() in network.c
br->mask = extracted from kernel device - using net_get_if_addr() in network.c
check available network range; /31 networks are not supported
}
net_configure_sandbox_ip(br) {
if br->ipsandbox
check br->ipsandbox inside the bridge network
arp_check(br->ipsandbox) // send an arp req to check if anybody else is using this address
else
br->ipsandbox = arp_assign();
}
net_configure_veth_pair {
create a veth pair
place one interface end in the bridge
place the other end in the namespace of the child process
}
net_bridge_wait_ip {
arp_check br->ipsandbox, waiting for the address to come up
give up after not more than 5 seconds
}
main() {
foreach argv[i] {
if --net
br = next bridge available
net_configure_bridge(br, device name from argv[i]);
else if --ip
br = last bridge configured
br->ipsandbox = ip address extracted from argv[i]
else if --defaultgw
cfg.defaultgw = ip address extracted from argv[i]
}
net_check_cfg(); // check the validity of network configuration so far
if (any bridge configured) {
lock /var/lock/firejail.lock file // serializes IP assignment so concurrently starting sandboxes cannot pick the same address
for each bridge
net_configure_sandbox_ip(br)
}
clone (new network namespace if any bridge configured or --net=none)
if (any bridge configured) {
for each bridge
net_configure_veth_pair
}
notify child init is done
if (any bridge configured) {
for each bridge
net_bridge_wait_ip
unlock /var/lock/firejail.lock file
}
wait on child
exit
}
******************************************************
* macvlan notes
******************************************************
Configure a macvlan interface
# ip link add virtual0 link eth0 type macvlan mode bridge
(you can configure it with # ifconfig virtual0 192.168.1.52/24 up)
Create a new network namespace and move the interface in the new network namespace
# ip netns add dummy0
# ip link set virtual0 netns dummy0
Join the namespace and configure the interfaces
# ip netns exec dummy0 bash
# ifconfig lo up
# ifconfig virtual0 192.168.1.52/24
Investigate ipvlan interface - added to linux kernel 3.19
https://github.com/torvalds/linux/blob/master/Documentation/networking/ipvlan.txt