From 8f8bd941af90df81101a4065e2465a12850f03ce Mon Sep 17 00:00:00 2001
From: Yohann D'ANELLO
Date: Mon, 14 Jun 2021 17:46:11 +0200
Subject: [PATCH] Don't need gateways

Signed-off-by: Yohann D'ANELLO
---
 firewall/nat.conf | 16 -------------
 firewall/restrict-http.conf | 2 ++
 start.sh | 45 ++++++++++++++++++-------------------
 3 files changed, 24 insertions(+), 39 deletions(-)
 delete mode 100755 firewall/nat.conf

diff --git a/firewall/nat.conf b/firewall/nat.conf
deleted file mode 100755
index ef16448..0000000
--- a/firewall/nat.conf
+++ /dev/null
@@ -1,16 +0,0 @@
-#!/usr/sbin/nft -f
-
-flush ruleset
-
-table ip nat {
- chain prerouting {
- type nat hook prerouting priority 0; policy accept;
- }
-
- chain postrouting {
- type nat hook postrouting priority 0; policy accept;
-
- ip saddr 10.2.1.0/30 masquerade;
- ip saddr 172.17.0.0/16 masquerade;
- }
-}
diff --git a/firewall/restrict-http.conf b/firewall/restrict-http.conf
index 1cd867d..676ca24 100755
--- a/firewall/restrict-http.conf
+++ b/firewall/restrict-http.conf
@@ -8,6 +8,8 @@ table inet filter {
 }
 chain forward {
 type filter hook forward priority 0; policy accept
+ ip6 saddr fd00:42::/32 dport { 80 } reject;
+ ip6 daddr fd00:42::/32 dport { 80 } reject;
 accept
 }
 chain output {
diff --git a/start.sh b/start.sh
index 877d4ce..877fd42 100755
--- a/start.sh
+++ b/start.sh
@@ -21,12 +21,13 @@ tmux rename-window host
 function reset() {
 echo "Reset previous configuration..."
 pkill -e babeld
- pkill -KILL -e re6stnet
+ pkill -e openvpn
+ pkill -e re6stnet
 pkill -e vde_plug
 rm -r run/*
 rm -rv $dir/switches
- ip route delete 172.17.0.0/16
- nft flush ruleset
+ ip route delete 172.17.1.0/24
+ ip route delete 172.17.2.0/24
 }
 reset
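Review bot: The two rules added to the `forward` chain use a bare `dport`, and as far as I know nft only accepts a port match after a transport qualifier (`tcp dport { 80 }`, or `th dport { 80 }` for any L4 protocol); if that is right the whole file is rejected at load time and the restriction silently never applies, because start.sh loads it through `tmux send-keys … nft -f …` and nobody checks the exit status. Suggested lines: `ip6 saddr fd00:42::/32 tcp dport { 80 } reject;` and `ip6 daddr fd00:42::/32 tcp dport { 80 } reject;`. The match is deliberately narrow (port 80 only, one prefix), so a one-line comment stating that it targets re6stnet's cleartext HTTP transport for `fd00:42::/32` would tell the next reader it is not meant as a general filter. The other chains of `table inet filter` are outside the hunk.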
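Review bot: `pkill -e openvpn` in reset() matches every openvpn process the caller is allowed to signal, so running this lab reset on a workstation also drops any unrelated VPN session; it is also issued before `pkill -e re6stnet`, and if re6stnet restarts the tunnels it supervises, an openvpn can be respawned in the window between the two lines. I would terminate re6stnet first and then any leftover openvpn, and narrow the match to this lab, e.g. `pkill -e -f "openvpn.*${dir}"` if the tunnels are launched with paths under $dir, or via whatever pids re6stnet records under `$dir/run` (the hunk does not show what `--run` writes there, so this needs checking). The two new `ip route delete` lines, like the `ip route add` lines in the `@@ -109,9 +106,11` hunk, run unprivileged while the `ip link`/`ip address` lines on vde0 use `sudo`; unless start.sh is always run as root (in which case the sudo prefixes are just redundant) these calls fail with EPERM and the host never reaches the node subnets. reset()'s caller context ends outside the hunk.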
@@ -35,7 +36,7 @@ echo "Generate registry certificates..."
 mkdir -p $dir/certs/registry
 [[ -f $dir/certs/registry/dh4096.pem ]] || openssl dhparam -out $dir/certs/registry/dh4096.pem 4096
 [[ -f $dir/certs/registry/ca.key ]] || openssl genpkey -out $dir/certs/registry/ca.key -algorithm rsa -pkeyopt rsa_keygen_bits:4096
-[[ -f $dir/certs/registry/ca.crt ]] || openssl req -nodes -new -x509 -key $dir/certs/registry/ca.key -set_serial 0x12a0c07003012000300040001 -days 36500 -out $dir/certs/registry/ca.crt
+[[ -f $dir/certs/registry/ca.crt ]] || openssl req -nodes -new -x509 -key $dir/certs/registry/ca.key -set_serial 0x1fd000042 -days 36500 -out $dir/certs/registry/ca.crt
 echo "Setup switches..."
 mkdir switches
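Review bot: The new `-set_serial 0x1fd000042` only takes effect on a fresh `ca.crt`, because the `[[ -f … ]] ||` guard keeps whatever CA a previous run left in `$dir/certs/registry`, and reset() (previous hunk) removes `run/` and the switches but not `$dir/certs`; anyone updating an existing checkout keeps a CA whose serial still describes the old network while the registry now runs with `--prefix-length 64` and restrict-http.conf matches `fd00:42::/32`. The serial looks like re6st's convention of encoding the network prefix after a leading `1` (`fd000042` → fd00:42::/32), so a comment would keep the three values in sync, e.g. `# serial = 1 || network prefix bits: 0x1fd000042 <=> fd00:42::/32 (keep in sync with restrict-http.conf and --prefix-length)`. Either make reset() delete `$dir/certs/registry` as well, or warn when an existing CA does not carry the expected serial (`openssl x509 -noout -serial -in "$dir/certs/registry/ca.crt"`).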
@@ -47,30 +48,27 @@ vde_plug --daemon switch://$dir/switches/switch2 null://
 sudo vde_plug --daemon vde://$dir/switches/ext tap://vde0
 sudo ip link set dev vde0 address 02:00:00:00:00:00
 sudo ip link set dev vde0 up
-sudo ip address add 10.2.1.1/30 dev vde0
+sudo ip address add 172.17.0.1/30 dev vde0
 sleep 1
-# Setup NAT
-nft -f $dir/firewall/nat.conf
-
 echo "Configure re6st registry..."
 mkdir -p $dir/states/host $dir/certs/host $dir/log/host $dir/run
-tmux split-window -t host -h re6st-registry --dh $dir/certs/registry/dh4096.pem --ca $dir/certs/registry/ca.crt --key $dir/certs/registry/ca.key --db $dir/states/host/registry.db --logfile $dir/log/host/registry.log --run $dir/run/registry.pid -4 10.2.1.1 -6 ::1 --prefix-length 16
+tmux split-window -t host -h re6st-registry --dh $dir/certs/registry/dh4096.pem --ca $dir/certs/registry/ca.crt --key $dir/certs/registry/ca.key --db $dir/states/host/registry.db --logfile $dir/log/host/registry.log --run $dir/run/registry.pid -4 172.17.0.1 -6 ::1 --prefix-length 64
 sleep 1
 if ! [[ -f $dir/certs/host/cert.crt ]]; then
 echo "Generating certificates for host..."
- sqlite3 $dir/states/host/registry.db "INSERT INTO token VALUES(\"token\", \"ynerant@ynerant.fr\", 16, 1)"
+ sqlite3 $dir/states/host/registry.db "INSERT INTO token VALUES(\"token\", \"ynerant@ynerant.fr\", 32, 1)"
 sleep 1
- re6st-conf --registry http://10.2.1.1 --dir $dir/certs/host --email ynerant@ynerant.fr --token token
+ re6st-conf --registry http://172.17.0.1 --dir $dir/certs/host --email ynerant@ynerant.fr --token token
 sleep 15
 fi
 tmux split-window -t host bash
-tmux send-keys -t host "re6stnet --registry http://10.2.1.1 --ip 10.2.1.1 --ca $dir/certs/host/ca.crt --cert $dir/certs/host/cert.crt --key $dir/certs/host/cert.key --state $dir/states/host --log $dir/log/host --run $dir/run/re6stnet-host.pid --gateway" Enter
+tmux send-keys -t host "re6stnet --registry http://172.17.0.1 --ip 172.17.0.1 --ca $dir/certs/host/ca.crt --cert $dir/certs/host/cert.crt --key $dir/certs/host/cert.key --state $dir/states/host --log $dir/log/host --run $dir/run/re6stnet-host.pid" Enter
 tmux select-pane -t host -L
 for i in 1 2 3 4; do
 echo "Creating new namespace..."
- tmux new-window -n ns$i "unshare --net --mount"
+ tmux new-window -n ns$i "unshare --net"
 tmux select-window -t host
 sleep 1
@@ -83,8 +81,7 @@ for i in 1 2 3 4; do
 sleep 0.3
 tmux send-keys -t ns$i "ip link set dev vde0 address 02:00:00:00:00:01" Enter
 tmux send-keys -t ns$i "ip link set dev vde0 up" Enter
- tmux send-keys -t ns$i "ip address add 10.2.1.2/30 dev vde0" Enter
- tmux send-keys -t ns$i "ip route add default via 10.2.1.1 dev vde0 proto kernel" Enter
+ tmux send-keys -t ns$i "ip address add 172.17.0.2/30 dev vde0" Enter
 fi
 done
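Review bot: `sudo ip address add 172.17.0.1/30 dev vde0` moves the host side of the lab onto the exact address Docker's default bridge claims (docker0 is 172.17.0.1/16 unless reconfigured); on a host with Docker installed the same address then sits on two interfaces and docker0's connected /16 competes with the lab's /30, so registry traffic can be answered on the wrong interface and host→namespace packets can leak onto the bridge. The node subnets already overlapped that range (the old nat.conf masqueraded 172.17.0.0/16), but the host address itself used to be the distinct 10.2.1.1, so this is a new failure mode. If 172.17/16 has to stay, a guard before configuring vde0 would at least fail loudly, e.g. `[[ -z $(ip -4 -o addr show to 172.17.0.0/30) ]] || { echo "172.17.0.0/30 already in use on this host (docker0?)" >&2; exit 1; }`. The `--prefix-length 16`→`64` and token-length `16`→`32` changes describe the same renumbering as the CA serial in the previous hunk; a short comment on the registry line saying which values must agree would save the next person a bisect. The hunk starts mid-script and the `for`/`if` of its last lines continue outside it.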
@@ -97,7 +94,7 @@ for i in 1 2 3; do
 tmux send-keys -t ns$i "ip link set dev vde1 address 02:00:00:00:01:0$i" Enter
 tmux send-keys -t ns$i "ip link set dev vde1 up" Enter
 tmux send-keys -t ns$i "ip address add 172.17.1.$i/24 dev vde1" Enter
- tmux send-keys -t ns$i "ip route add 10.2.1.0/24 via 172.17.1.1 dev vde1 proto kernel" Enter
+ tmux send-keys -t ns$i "ip route add 172.17.0.0/30 via 172.17.1.1 dev vde1 proto kernel" Enter
 done
 # Switch 2: NS 2, 3, 4
@@ -109,9 +106,11 @@ for i in 2 3 4; do
 tmux send-keys -t ns$i "ip address add 172.17.2.$i/24 dev vde2" Enter
 done
-tmux send-keys -t ns4 "ip route add 10.2.1.0/24 via 172.17.2.2 dev vde2 proto kernel" Enter
-tmux send-keys -t ns4 "ip route add 10.2.1.0/24 via 172.17.2.3 dev vde2 proto kernel" Enter
-ip route add 172.17.0.0/16 via 10.2.1.2
+# Add IPv4 routes to contact gateway
+tmux send-keys -t ns4 "ip route add 172.17.0.0/30 via 172.17.2.2 dev vde2 proto kernel" Enter
+tmux send-keys -t ns1 "ip route add 172.17.2.0/24 via 172.17.1.2 dev vde1 proto kernel" Enter
+ip route add 172.17.1.0/24 via 172.17.0.2
+ip route add 172.17.2.0/24 via 172.17.0.2
 # Restrict HTTP transport on node 2
 tmux send-keys -t ns2 "nft -f $dir/firewall/restrict-http.conf" Enter
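Review bot: The loop runs for `i in 1 2 3`, and for i=1 the gateway in `ip route add 172.17.0.0/30 via 172.17.1.1 dev vde1` is ns1's own address, assigned two lines above by `ip address add 172.17.1.$i/24 dev vde1`; a route via a local address is at best redundant with ns1's directly connected 172.17.0.0/30 on vde0 (presumably ns1 is the 172.17.0.2 end, given the host routes via it in the next hunk) and may be rejected by the kernel. The shape predates this commit (the old 10.2.1.0/24 route was the same), but since the line is being edited anyway, wrapping it in `if [[ $i != 1 ]]; then … fi` or adding a comment explaining why ns1 tolerates it would be clearer. Every `ip` command here is typed into a tmux pane, so a failure is only visible in that window; a comment describing the expected routing table per namespace would make the next debugging session shorter.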
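Review bot: The new comment `# Add IPv4 routes to contact gateway` contradicts the commit title and what the lines do: ns4 learns 172.17.0.0/30 via ns2, ns1 learns 172.17.2.0/24 via ns2, and the host learns both node subnets via 172.17.0.2, i.e. ns1 and ns2 act as plain IPv4 relays towards the registry, not as re6st gateways; suggest `# IPv4 reachability for the registry: host <-> 172.17.0.2 (ns1) <-> ns2 relay the node subnets, no re6st gateway involved`. For ns1 and ns2 to forward these packets `net.ipv4.ip_forward` must be 1 inside those namespaces, and nothing in the visible hunks sets it (a fresh `unshare --net` namespace normally starts with forwarding disabled unless devconf inheritance is configured), so unless it is enabled elsewhere the host→ns2..4 routes are dead ends; typing `sysctl -w net.ipv4.ip_forward=1` into ns1 and ns2 next to the routes would make the dependency explicit. The missing `sudo` on the two host-side `ip route add` lines is covered in the note on the reset() hunk.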
@@ -120,15 +119,15 @@ for i in 1 2 3 4; do
 mkdir -p $dir/certs/node$i $dir/states/node$i
 if ! [[ -f $dir/certs/node$i/cert.crt ]]; then
 echo "Generating certificates for node $i..."
- sqlite3 $dir/states/host/registry.db "INSERT INTO token VALUES(\"token\", \"ynerant@ynerant.fr\", 16, 1)"
+ sqlite3 $dir/states/host/registry.db "INSERT INTO token VALUES(\"token\", \"ynerant@ynerant.fr\", 32, 1)"
 sleep 1
- re6st-conf --registry http://10.2.1.1 --dir $dir/certs/node$i --email ynerant@ynerant.fr --token token
+ re6st-conf --registry http://172.17.0.1 --dir $dir/certs/node$i --email ynerant@ynerant.fr --token token
 sleep 15
 fi
- tmux split-window -h -t ns$i nsenter -t `cat $dir/run/node$i.pid` --mount --net
+ tmux split-window -h -t ns$i nsenter -t `cat $dir/run/node$i.pid` --net
 subnet=1
 if [[ $i == 4 ]]; then subnet=2; fi
- tmux send-keys -t ns$i "re6stnet --registry http://10.2.1.1 --ip 172.17.$subnet.$i --ca $dir/certs/node$i/ca.crt --cert $dir/certs/node$i/cert.crt --key $dir/certs/node$i/cert.key --state $dir/states/node$i --log $dir/log/node$i --run $dir/run/re6stnet-node$i.pid --default" Enter
+ tmux send-keys -t ns$i "re6stnet --registry http://172.17.0.1 --ip 172.17.$subnet.$i --ca $dir/certs/node$i/ca.crt --cert $dir/certs/node$i/cert.crt --key $dir/certs/node$i/cert.key --state $dir/states/node$i --log $dir/log/node$i --run $dir/run/re6stnet-node$i.pid" Enter
 tmux select-pane -t ns$i -L
 done
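Review bot: The rewritten `nsenter … --net` line still reads the pid with backtick command substitution and an unquoted `$dir`; since it is being touched anyway, `tmux split-window -h -t ns$i nsenter -t "$(cat "$dir/run/node$i.pid")" --net` does the same thing and survives a lab directory containing spaces. Who writes `$dir/run/node$i.pid` is not visible in the hunk, while the re6stnet line below passes `--run $dir/run/re6stnet-node$i.pid`, so a comment on the nsenter line naming the producer of node$i.pid would stop the two from being confused. Dropping `--default` is the point of the commit, but the `subnet=1` / `if [[ $i == 4 ]]` pair just above is where a reader looks for the topology; `# node 4 is only on switch 2 (172.17.2.0/24); nodes 1-3 register with their switch-1 address` matches the vde1/vde2 loops of the previous hunks. The `for i in 1 2 3 4` body begins before the hunk.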