Skip to content

Instantly share code, notes, and snippets.

@Manouchehri

Manouchehri/isolate.sh

Forked from cynecx/isolate.sh
Created September 18, 2021 22:43
Show Gist options
  • Save Manouchehri/235affbb13baf73b22283347d9067641 to your computer and use it in GitHub Desktop.
Save Manouchehri/235affbb13baf73b22283347d9067641 to your computer and use it in GitHub Desktop.
Download ZIP
wireguard & netns (crappy)
Raw
isolate.sh
#!/usr/bin/env bash
set -e -o pipefail
shopt -s extglob
export LC_ALL=C
CONTAINER=""
INTER_GATEWAY="192.168.30.0/24"
INTER_IP_HOST="192.168.30.1/32"
INTER_IP_CONT="192.168.30.2/32"
INTER_HOSTIF=""
INTER_CONTIF=""
WG_CONFIG=""
INTERFACE=""
ADDRESSES=( )
MTU=""
DNS=( )
TABLE=""
PRE_UP=( )
POST_UP=( )
PRE_DOWN=( )
POST_DOWN=( )
SAVE_CONFIG=0
CONFIG_FILE=""
PROGRAM="${0##*/}"
ARGS=( "$@" )
die() {
echo "$PROGRAM: $*" >&2
exit 1
}
# c&p from https://github.com/WireGuard/WireGuard/blob/master/src/tools/wg-quick/linux.bash
parse_options() {
local interface_section=0 line key value stripped
CONFIG_FILE="$1"
[[ $CONFIG_FILE =~ ^[a-zA-Z0-9_=+.-]{1,15}$ ]] && CONFIG_FILE="/etc/wireguard/$CONFIG_FILE.conf"
[[ -e $CONFIG_FILE ]] || die "\`$CONFIG_FILE' does not exist"
[[ $CONFIG_FILE =~ (^|/)([a-zA-Z0-9_=+.-]{1,15})\.conf$ ]] || die "The config file must be a valid interface name, followed by .conf"
CONFIG_FILE="$(readlink -f "$CONFIG_FILE")"
((($(stat -c '0%#a' "$CONFIG_FILE") & $(stat -c '0%#a' "${CONFIG_FILE%/*}") & 0007) == 0)) || echo "Warning: \`$CONFIG_FILE' is world accessible" >&2
INTERFACE="${BASH_REMATCH[2]}"
shopt -s nocasematch
while read -r line || [[ -n $line ]]; do
stripped="${line%%\#*}"
key="${stripped%%=*}"; key="${key##*([[:space:]])}"; key="${key%%*([[:space:]])}"
value="${stripped#*=}"; value="${value##*([[:space:]])}"; value="${value%%*([[:space:]])}"
[[ $key == "["* ]] && interface_section=0
[[ $key == "[Interface]" ]] && interface_section=1
if [[ $interface_section -eq 1 ]]; then
case "$key" in
Address) ADDRESSES+=( ${value//,/ } ); continue ;;
MTU) MTU="$value"; continue ;;
DNS) DNS+=( ${value//,/ } ); continue ;;
Table) TABLE="$value"; continue ;;
PreUp) PRE_UP+=( "$value" ); continue ;;
PreDown) PRE_DOWN+=( "$value" ); continue ;;
PostUp) POST_UP+=( "$value" ); continue ;;
PostDown) POST_DOWN+=( "$value" ); continue ;;
SaveConfig) read_bool SAVE_CONFIG "$value"; continue ;;
esac
fi
WG_CONFIG+="$line"$'\n'
done < "$CONFIG_FILE"
shopt -u nocasematch
CONTAINER="cont_$INTERFACE"
INTER_HOSTIF="veth_m$INTERFACE"
INTER_CONTIF="veth_s$INTERFACE"
}
cmd_up() {
ip netns add "$CONTAINER"
ip link add "$INTERFACE" type wireguard
ip link set "$INTERFACE" netns "$CONTAINER"
for i in "${ADDRESSES[@]}"; do
ip -n "$CONTAINER" addr add "$i" dev "$INTERFACE"
done;
ip netns exec "$CONTAINER" wg setconf "$INTERFACE" <(echo "$WG_CONFIG")
ip -n "$CONTAINER" link set "$INTERFACE" up
ip -n "$CONTAINER" route add default dev "$INTERFACE"
ip link add "$INTER_HOSTIF" type veth peer name "$INTER_CONTIF"
ip link set "$INTER_CONTIF" netns "$CONTAINER"
ip addr add "$INTER_IP_HOST" dev "$INTER_HOSTIF"
ip -n "$CONTAINER" addr add "$INTER_IP_CONT" dev "$INTER_CONTIF"
ip link set "$INTER_HOSTIF" up
ip -n "$CONTAINER" link set "$INTER_CONTIF" up
ip route add "$INTER_GATEWAY" dev "$INTER_HOSTIF"
ip -n "$CONTAINER" route add "$INTER_GATEWAY" dev "$INTER_CONTIF"
}
cmd_down() {
ip route delete "$INTER_GATEWAY"
ip -n "$CONTAINER" route delete "$INTER_GATEWAY"
ip link set "$INTER_HOSTIF" down
ip -n "$CONTAINER" link set "$INTER_CONTIF" down
ip link delete "$INTER_HOSTIF"
ip -n "$CONTAINER" link set "$INTERFACE" down
ip -n "$CONTAINER" link delete "$INTERFACE"
ip netns delete "$CONTAINER"
}
if [[ $# -eq 1 && ( $1 == --help || $1 == -h || $1 == help ) ]]; then
exit 1
elif [[ $# -eq 2 && $1 == up ]]; then
parse_options "$2"
cmd_up
elif [[ $# -eq 2 && $1 == down ]]; then
parse_options "$2"
cmd_down
else
exit 1
fi
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment