# limitations under the License.
-# Create a network namespace. Designed for use from systemd.
-
[[ $EUID == 0 ]] || exec sudo -E "$BASH_SOURCE" "$@"
-cd "${BASH_SOURCE%/*}"
-source ../errhandle/errcatch-function
-source ../errhandle/bash-trace-function
-errcatch
+if [[ ! $ERRHANDLE_PATH ]]; then
+ ERRHANDLE_PATH=$(readlink -f "${BASH_SOURCE}")
+ ERRHANDLE_PATH=$(readlink -f ${ERRHANDLE_PATH%/*}/../errhandle)
+fi
+err_sourced=true
+for p in $ERRHANDLE_PATH/{errcatch-function,bash-trace-function}; do
+ if [[ -e $p ]]; then
+ source $p
+ else
+ err_sourced=false
+ fi
+done
+if $err_sourced; then
+ errcatch
+else
+ set -eE -o pipefail
+ trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?" >&2' ERR
+fi
+
+usage() {
+ cat <<EOF
+usage: ${0##*/} [OPTS] start|stop NETNS_NAME
+Setup new or systemd created network namespace with nat and mount namespace
+
+-c, --create Create network namespace. For running outside systemd private net.
+-h, --help Show this help and exit.
+
+From within systemd network namespace, nat it to the outside. If given
+-c, or if in the default network namespace, create a named network
+namepace natted to the current netns.
+
+Also create a named mount namespace under /root/mount_namespaces, so we
+can alter some system config for this namespace. Subsequent systemd
+command lines would be prefixed with:
+
+/usr/bin/nsenter --mount=/root/mount_namespaces/NETNS_NAME
+
+
+"ip netns new ..." also does a mount namespace, then bind mounts each
+thing in /etc/netns/NETNS_NAME to /etc/NETNS_NAME. Note, for openvpn having it's own
+resolv.conf, this doesn't help much. What we actually want to do is copy
+/run/resolvconf somehwere, then bind mount it on top of /run/resolvconf.
+
+Once systemd 233 comes out, it will have a bind mount option from within
+unit files, so the mount namespace won't be needed for this use case.
+
+Recommmended dependency of errhandle to print stack trace on error:
+https://iankelling.org/git/?p=errhandle, set ERRHANDLE_PATH, or put it
+in a directory adjacent to the absolute, resolved directory this file is
+in.
+
+EOF
+ exit ${1:-0}
+}
## begin arg parsing ##
+create=false
+temp=$(getopt -l help,create hc "$@") || usage 1
+eval set -- "$temp"
+while true; do
+ case $1 in
+ -c|--create) create=true; shift ;;
+ -h|--help) usage ;;
+ --) shift; break ;;
+ *) echo "$0: Internal error!" ; exit 1 ;;
+ esac
+done
+if (( $# != 2 )); then
+ usage 1
+fi
+
action=$1
nn=$2 # network namespace / namespace name
## end arg parsing ##
v1=veth1-$nn
ip_base=10.173
+if ! $create && [[ $(readlink /proc/self/ns/net) == "$(readlink /proc/1/ns/net)" ]]; then
+ create=true
+fi
target=/run/netns/default
if [[ ! -e $target && ! -L $target ]]; then
ipd() { ip -n default "$@"; }
+if $create; then
+ ipnn() { ip -n $nn "$@"; }
+else
+ # we are already in the network namespace and it's unnamed.
+ ipnn() { ip "$@"; }
+fi
dexec() { ip netns exec default "$@"; }
-# note: this script could be easily adapted to create a
-# netns instead of using the systemd created one.
-# ip netns add NAME
-# ip -n NAME link set dev lo up
-
-# random note, ip netns exec creates a mount namespace and
-# remaps /etc to /etc/netns/NAME.
-# head -n1 is defensive. I don't know if it's possible to have more
-# than one default route.
+# head -n1 is defensive. Not sure if there is some weird feature
+# for 2 routes to be 0/0.
gateway_if=$(ipd route list exact 0/0 | head -n1| sed -r 's/.*\s(\S+)\s*$/\1/')
nat() { dexec iptables -t nat $1 POSTROUTING -o $gateway_if -j MASQUERADE \
-m comment --comment "systemd network namespace nat"; }
ips="$(ipd addr show | awk '$1 == "inet" {print $2}')"
for ((i=0; i <= 254; i++)); do
network=$ip_base.$i
- if printf "%s\n" "$ips" | grep "^${network//./\\.}"; then
+ if printf "%s\n" "$ips" | grep "^${network//./\\.}" >/dev/null; then
existing=true
else
found=true
start() {
+ find_network
+ if ! $found; then
+ echo "$0: error: no open network found"
+ exit 1
+ fi
+
mkdir -p /root/mount_namespaces
if ! mountpoint /root/mount_namespaces >/dev/null; then
mount --bind /root/mount_namespaces /root/mount_namespaces
fi
-
- find_network
- if ! $found; then
- echo "$0: error: no open network found"
- exit 1
+ if $create; then
+ ip netns add $nn
+ ip -n $nn link set dev lo up
fi
+
+
echo 1 | dexec dd of=/proc/sys/net/ipv4/ip_forward 2>/dev/null
_errcatch_cleanup=stop
- ip link add $v0 type veth peer name $v1
- ip link set $v0 netns default
+ ipnn link add $v0 type veth peer name $v1
+ ipnn link set $v0 netns default
ipd addr add $network.1/24 dev $v0
ipd link set $v0 up
nat -C &>/dev/null || nat -A
- ip addr add $network.2/24 dev $v1
- ip link set $v1 up
- ip route add default via $network.1
+ ipnn addr add $network.2/24 dev $v1
+ ipnn link set $v1 up
+ ipnn route add default via $network.1
}
if ! $existing; then
if nat -C &>/dev/null; then nat -D; fi
fi
+ if $create; then
+ ip netns del $nn
+ fi
}
case $action in
iankelling.org / git / newns / blobdiff