From cb8e699bb0dcdd0b2647d9b5a14a313025f079da Mon Sep 17 00:00:00 2001
From: Yohann D'ANELLO
Date: Mon, 14 Jun 2021 16:14:14 +0200
Subject: [PATCH] PoC with Re6st
Signed-off-by: Yohann D'ANELLO
---
.gitignore | 4 ++
firewall/restrict-http.conf | 21 +++++-----
start.sh | 81 ++++++++++++++++++++++++++-----------
3 files changed, 71 insertions(+), 35 deletions(-)
create mode 100644 .gitignore
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..e08b4ff
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,4 @@
+certs/
+log/
+run/
+states/
diff --git a/firewall/restrict-http.conf b/firewall/restrict-http.conf
index 7b90e13..1cd867d 100755
--- a/firewall/restrict-http.conf
+++ b/firewall/restrict-http.conf
@@ -3,15 +3,14 @@
 flush ruleset
 table inet filter {
- chain input {
- type filter hook input priority 0;
- }
- chain forward {
- type filter hook forward priority 0; policy accept
- tcp dport { 80 } reject;
- accept
- }
- chain output {
- type filter hook output priority 0;
- }
+ chain input {
+ type filter hook input priority 0;
+ }
+ chain forward {
+ type filter hook forward priority 0; policy accept
+ accept
+ }
+ chain output {
+ type filter hook output priority 0;
+ }
 }
diff --git a/start.sh b/start.sh
index af04325..2108922 100755
--- a/start.sh
+++ b/start.sh
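Review bot: Dropping `tcp dport { 80 } reject;` leaves the forward chain with `policy accept` followed by a bare `accept`, so after this hunk the ruleset blocks nothing, while the file is still named restrict-http.conf and start.sh still loads it under `# Restrict HTTP transport on node 2`. If the rule was removed because re6stnet in the namespaces now has to reach the registry over HTTP on 10.2.1.1 and node 4 routes there through node 2 (that is my reading of the start.sh routes, not something the hunk states), the narrower fix is to exempt that one destination and keep the restriction, e.g. `ip daddr 10.2.1.1 tcp dport 80 accept` on the line before `tcp dport { 80 } reject;`. If the restriction is meant to be gone for the PoC, say so in the file with `# PoC: forward chain intentionally permissive, HTTP restriction removed` above the table and fix the comment in start.sh so the two do not contradict each other.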
@@ -20,86 +20,119 @@ tmux rename-window host
 function reset() {
 echo "Reset previous configuration..."
- pkill -e vde_plug
 pkill -e babeld
- rm -rv /tmp/switch* /tmp/ns*
+ pkill -KILL -e re6stnet
+ pkill -e vde_plug
+ rm -r run/*
+ rm -rv $dir/switches
 ip route delete 172.17.0.0/16
 nft flush ruleset
 }
 reset
+echo "Generate registry certificates..."
+mkdir -p $dir/certs/registry
+[[ -f $dir/certs/registry/dh4096.pem ]] || openssl dhparam -out $dir/certs/registry/dh4096.pem 4096
+[[ -f $dir/certs/registry/ca.key ]] || openssl genpkey -out $dir/certs/registry/ca.key -algorithm rsa -pkeyopt rsa_keygen_bits:4096
+[[ -f $dir/certs/registry/ca.crt ]] || openssl req -nodes -new -x509 -key $dir/certs/registry/ca.key -set_serial 0x12a0c07003012000300040001 -days 36500 -out $dir/certs/registry/ca.crt
+
 echo "Setup switches..."
-vde_plug --daemon switch:///tmp/ext null://
-vde_plug --daemon switch:///tmp/switch1 null://
-vde_plug --daemon switch:///tmp/switch2 null://
+mkdir switches
+vde_plug --daemon switch://$dir/switches/ext null://
+vde_plug --daemon switch://$dir/switches/switch1 null://
+vde_plug --daemon switch://$dir/switches/switch2 null://
 # Connect to the exterior
-sudo vde_plug --daemon vde:///tmp/ext tap://vde0
+sudo vde_plug --daemon vde://$dir/switches/ext tap://vde0
 sudo ip link set dev vde0 address 02:00:00:00:00:00
 sudo ip link set dev vde0 up
 sudo ip address add 10.2.1.1/30 dev vde0
+sleep 1
 # Setup NAT
 nft -f $dir/firewall/nat.conf
+echo "Configure re6st registry..."
+mkdir -p $dir/states/host $dir/certs/host $dir/log/host $dir/run
+tmux split-window -t host -h re6st-registry --dh $dir/certs/registry/dh4096.pem --ca $dir/certs/registry/ca.crt --key $dir/certs/registry/ca.key --db $dir/states/host/registry.db --logfile $dir/log/host/registry.log --run $dir/run/registry.pid -4 10.2.1.1 -6 ::1 --prefix-length 16
+sleep 1
+if ! [[ -f $dir/certs/host/cert.crt ]]; then
+ echo "Generating certificates for host..."
+ sqlite3 $dir/states/host/registry.db "INSERT INTO token VALUES(\"token\", \"ynerant@ynerant.fr\", 16, 1)"
+ sleep 1
+ re6st-conf --registry http://10.2.1.1 --dir $dir/certs/host --email ynerant@ynerant.fr --token token
+ sleep 15
+fi
+tmux split-window -t host bash
+tmux send-keys -t host "re6stnet --registry http://10.2.1.1 --ip 10.2.1.1 --ca $dir/certs/host/ca.crt --cert $dir/certs/host/cert.crt --key $dir/certs/host/cert.key --state $dir/states/host --log $dir/log/host --run $dir/run/re6stnet-host.pid --gateway" Enter
+tmux select-pane -t host -L
+
 for i in 1 2 3 4; do
 echo "Creating new namespace..."
- mkdir -p /tmp/ns$i/log
- tmux new-window -n ns$i "unshare --user --map-root-user --net --mount"
+ tmux new-window -n ns$i "unshare --net --mount"
 tmux select-window -t host
 sleep 1
 echo "Configure ns$i..."
- tmux send-keys -t ns$i "echo \$\$ > /tmp/ns$i/pid" Enter
+ tmux send-keys -t ns$i "echo \$\$ > $dir/run/node$i.pid" Enter
 if [[ $i -eq 1 ]]; then
- tmux send-keys -t ns$i "vde_plug --daemon vde:///tmp/ext tap://vde0" Enter
+ tmux send-keys -t ns$i "vde_plug --daemon vde://$dir/switches/ext tap://vde0" Enter
 sleep 0.3
 tmux send-keys -t ns$i "ip link set dev vde0 address 02:00:00:00:00:01" Enter
 tmux send-keys -t ns$i "ip link set dev vde0 up" Enter
 tmux send-keys -t ns$i "ip address add 10.2.1.2/30 dev vde0" Enter
 tmux send-keys -t ns$i "ip route add default via 10.2.1.1 dev vde0 proto kernel" Enter
- tmux send-keys -t ns$i "echo \"interface vde0 type wired\" >> /tmp/ns$i/babeld.conf" Enter
- tmux send-keys -t ns$i "echo \"redistribute metric 256\" >> /tmp/ns$i/babeld.conf" Enter
 fi
-
- tmux send-keys -t ns$i "mount --bind /tmp/ns$i/log /var/log" Enter
 done
 echo "Enable links..."
 # Switch 1: NS 1, 2, 3
 for i in 1 2 3; do
- tmux send-keys -t ns$i "vde_plug --daemon vde:///tmp/switch1 tap://vde1" Enter
+ tmux send-keys -t ns$i "vde_plug --daemon vde://$dir/switches/switch1 tap://vde1" Enter
 sleep 0.3
 tmux send-keys -t ns$i "ip link set dev vde1 address 02:00:00:00:01:0$i" Enter
 tmux send-keys -t ns$i "ip link set dev vde1 up" Enter
- tmux send-keys -t ns$i "ip address add 172.17.1.$i/32 dev vde1" Enter
- tmux send-keys -t ns$i "echo \"interface vde1 type wired\" >> /tmp/ns$i/babeld.conf" Enter
+ tmux send-keys -t ns$i "ip address add 172.17.1.$i/24 dev vde1" Enter
+ tmux send-keys -t ns$i "ip route add 10.2.1.0/24 via 172.17.1.1 dev vde1 proto kernel" Enter
 done
 # Switch 2: NS 2, 3, 4
 for i in 2 3 4; do
- tmux send-keys -t ns$i "vde_plug --daemon vde:///tmp/switch2 tap://vde2" Enter
+ tmux send-keys -t ns$i "vde_plug --daemon vde://$dir/switches/switch2 tap://vde2" Enter
 sleep 0.3
 tmux send-keys -t ns$i "ip link set dev vde2 address 02:00:00:00:02:0$i" Enter
 tmux send-keys -t ns$i "ip link set dev vde2 up" Enter
- tmux send-keys -t ns$i "ip address add 172.17.2.$i/32 dev vde2" Enter
- tmux send-keys -t ns$i "echo \"interface vde2 type wired\" >> /tmp/ns$i/babeld.conf" Enter
+ tmux send-keys -t ns$i "ip address add 172.17.2.$i/24 dev vde2" Enter
 done
+tmux send-keys -t ns4 "ip route add 172.17.1.0/24 via 172.17.2.2 dev vde2 proto kernel" Enter
+tmux send-keys -t ns4 "ip route add 172.17.1.0/24 via 172.17.2.3 dev vde2 proto kernel" Enter
+tmux send-keys -t ns4 "ip route add 10.2.1.0/24 via 172.17.2.2 dev vde2 proto kernel" Enter
+tmux send-keys -t ns4 "ip route add 10.2.1.0/24 via 172.17.2.3 dev vde2 proto kernel" Enter
+tmux send-keys -t ns1 "ip route add 172.17.2.0/24 via 172.17.1.2 dev vde1 proto kernel" Enter
 ip route add 172.17.0.0/16 via 10.2.1.2
 # Restrict HTTP transport on node 2
 tmux send-keys -t ns2 "nft -f $dir/firewall/restrict-http.conf" Enter
-# Put a higher metric for node 3, to enforce babel to choose node 2
-echo "in neigh fe80::ff:fe00:202 metric 512" > /tmp/ns4/babeld.conf
 for i in 1 2 3 4; do
- tmux send-keys -t ns$i "touch /etc/babeld.conf && mount --bind /tmp/ns$i/babeld.conf /etc/babeld.conf" Enter
- tmux send-keys -t ns$i "babeld -D -I /tmp/ns$i/babeld.pid -G /tmp/ns$i/socket -S /tmp/ns1/state" Enter
+ mkdir -p $dir/certs/node$i $dir/states/node$i
+ if ! [[ -f $dir/certs/node$i/cert.crt ]]; then
+ echo "Generating certificates for node $i..."
+ sqlite3 $dir/states/host/registry.db "INSERT INTO token VALUES(\"token\", \"ynerant@ynerant.fr\", 16, 1)"
+ sleep 1
+ re6st-conf --registry http://10.2.1.1 --dir $dir/certs/node$i --email ynerant@ynerant.fr --token token
+ sleep 15
+ fi
+ tmux split-window -h -t ns$i nsenter -t `cat $dir/run/node$i.pid` --mount --net
+ subnet=1
+ if [[ $i == 4 ]]; then subnet=2; fi
+ tmux send-keys -t ns$i "re6stnet --registry http://10.2.1.1 --ip 172.17.$subnet.$i --ca $dir/certs/node$i/ca.crt --cert $dir/certs/node$i/cert.crt --key $dir/certs/node$i/cert.key --state $dir/states/node$i --log $dir/log/node$i --run $dir/run/re6stnet-node$i.pid --default" Enter
+ tmux select-pane -t ns$i -L
 done
 bash
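Review bot: `mkdir switches` and the `rm -r run/*` added to reset() are relative to the caller's cwd while every other new path hangs off `$dir` (`switch://$dir/switches/ext`, `mkdir -p ... $dir/run`), so running the script from another directory creates the wrong `switches/` and reset() deletes whatever `run/` happens to sit under the cwd; the unquoted `rm -rv $dir/switches` would also turn into `rm -rv /switches` if `dir` were ever empty. Use `mkdir -p "$dir/switches"` and, in reset(), `rm -rf -- "${dir:?}/run/"* "${dir:?}/switches"`. The enrollment token is the constant string `token`, written straight into the registry's sqlite DB and then sent to `http://10.2.1.1` in clear, so anyone who can reach the registry on 10.2.1.1:80 (the 172.17.x namespaces have routes there) can enroll a node; that is acceptable for a PoC but should be marked with a comment such as `# PoC only: fixed enrollment token, registry reached over plaintext HTTP` next to the first `sqlite3` line. `pkill -KILL -e re6stnet` also uses SIGKILL as the first resort against every re6stnet on the host, not just those this script started; send the default SIGTERM first and fall back to `-KILL` only for processes that are still alive.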