diff --git a/src/wg-quick/linux.bash b/src/wg-quick/linux.bash
index 4193ce5..827032c 100755
--- a/src/wg-quick/linux.bash
+++ b/src/wg-quick/linux.bash
@@ -26,6 +26,9 @@ SAVE_CONFIG=0
 CONFIG_FILE=""
 PROGRAM="${0##*/}"
 ARGS=( "$@" )
+NETNS=""
+NETNS_CMD=""
+NETNS_PLAIN=""
 cmd() {
 echo "[#] $*" >&2
@@ -66,6 +69,7 @@ parse_options() {
 PostUp) POST_UP+=( "$value" ); continue ;;
 PostDown) POST_DOWN+=( "$value" ); continue ;;
 SaveConfig) read_bool SAVE_CONFIG "$value"; continue ;;
+ NetNS) NETNS="-n $value"; NETNS_CMD="ip netns exec $value"; NETNS_PLAIN="$value"; continue ;;
 esac
 fi
 WG_CONFIG+="$line"$'\n'
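Review bot: The NetNS value in the parse_options arm is taken from the config file without validation and stored as whitespace-joined strings in `NETNS` and `NETNS_CMD`, which every later hunk expands unquoted (`ip $NETNS ...`, `$NETNS_CMD wg ...`), so a namespace name containing whitespace, glob characters or a leading `-` is word-split into extra arguments instead of being passed as one. The same parser already validates other values (`read_bool` on the line above), so this arm should reject anything outside a conservative name pattern and keep the two prefixes as arrays, e.g. `NetNS) [[ $value =~ ^[a-zA-Z0-9_.=+-]+$ ]] || die "Invalid NetNS name"; NETNS=(-n "$value"); NETNS_CMD=(ip netns exec "$value"); NETNS_PLAIN="$value"; continue ;;` with the call sites changed to `"${NETNS[@]}"` and `"${NETNS_CMD[@]}"`. That applies to all of the add_if/del_if/add_addr/set_mtu_up, add_route, get_fwmark, add_default, set_config, save_config, cmd_up, cmd_down and cmd_save hunks; whether `set -u` is in effect is not visible here, and if it is, empty-array expansion needs bash 4.4 or newer. The body of parse_options starts and ends outside the hunk.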
@@ -87,58 +91,62 @@ auto_su() {
 add_if() {
 local ret
- if ! cmd ip link add "$INTERFACE" type wireguard; then
+ if ! cmd ip link add "$INTERFACE" type wireguard ; then
 ret=$?
 [[ -e /sys/module/wireguard ]] || ! command -v "${WG_QUICK_USERSPACE_IMPLEMENTATION:-wireguard-go}" >/dev/null && exit $ret
 echo "[!] Missing WireGuard kernel module. Falling back to slow userspace implementation." >&2
 cmd "${WG_QUICK_USERSPACE_IMPLEMENTATION:-wireguard-go}" "$INTERFACE"
 fi
+
+ if [[ ! -z $NETNS ]]; then
+ ip link set netns $NETNS_PLAIN dev "$INTERFACE"
+ fi
 }
 del_if() {
 local table
 [[ $HAVE_SET_DNS -eq 0 ]] || unset_dns
 [[ $HAVE_SET_FIREWALL -eq 0 ]] || remove_firewall
- if [[ -z $TABLE || $TABLE == auto ]] && get_fwmark table && [[ $(wg show "$INTERFACE" allowed-ips) =~ /0(\ |$'\n'|$) ]]; then
+ if [[ -z $TABLE || $TABLE == auto ]] && get_fwmark table && [[ $($NETNS_CMD wg show "$INTERFACE" allowed-ips) =~ /0(\ |$'\n'|$) ]]; then
 while [[ $(ip -4 rule show 2>/dev/null) == *"lookup $table"* ]]; do
- cmd ip -4 rule delete table $table
+ cmd ip $NETNS -4 rule delete table $table
 done
 while [[ $(ip -4 rule show 2>/dev/null) == *"from all lookup main suppress_prefixlength 0"* ]]; do
- cmd ip -4 rule delete table main suppress_prefixlength 0
+ cmd ip $NETNS -4 rule delete table main suppress_prefixlength 0
 done
 while [[ $(ip -6 rule show 2>/dev/null) == *"lookup $table"* ]]; do
- cmd ip -6 rule delete table $table
+ cmd ip $NETNS -6 rule delete table $table
 done
 while [[ $(ip -6 rule show 2>/dev/null) == *"from all lookup main suppress_prefixlength 0"* ]]; do
- cmd ip -6 rule delete table main suppress_prefixlength 0
+ cmd ip $NETNS -6 rule delete table main suppress_prefixlength 0
 done
 fi
- cmd ip link delete dev "$INTERFACE"
+ cmd ip $NETNS link delete dev "$INTERFACE"
 }
 add_addr() {
 local proto=-4
 [[ $1 == *:* ]] && proto=-6
- cmd ip $proto address add "$1" dev "$INTERFACE"
+ cmd ip $NETNS $proto address add "$1" dev "$INTERFACE"
 }
 set_mtu_up() {
 local mtu=0 endpoint output
 if [[ -n $MTU ]]; then
- cmd ip link set mtu "$MTU" up dev "$INTERFACE"
+ cmd ip $NETNS link set mtu "$MTU" up dev "$INTERFACE"
 return
 fi
 while read -r _ endpoint; do
 [[ $endpoint =~ ^\[?([a-z0-9:.]+)\]?:[0-9]+$ ]] || continue
 output="$(ip route get "${BASH_REMATCH[1]}" || true)"
 [[ ( $output =~ mtu\ ([0-9]+) || ( $output =~ dev\ ([^ ]+) && $(ip link show dev "${BASH_REMATCH[1]}") =~ mtu\ ([0-9]+) ) ) && ${BASH_REMATCH[1]} -gt $mtu ]] && mtu="${BASH_REMATCH[1]}"
- done < <(wg show "$INTERFACE" endpoints)
+ done < <($NETNS_CMD wg show "$INTERFACE" endpoints)
 if [[ $mtu -eq 0 ]]; then
 read -r output < <(ip route show default || true) || true
 [[ ( $output =~ mtu\ ([0-9]+) || ( $output =~ dev\ ([^ ]+) && $(ip link show dev "${BASH_REMATCH[1]}") =~ mtu\ ([0-9]+) ) ) && ${BASH_REMATCH[1]} -gt $mtu ]] && mtu="${BASH_REMATCH[1]}"
 fi
 [[ $mtu -gt 0 ]] || mtu=1500
- cmd ip link set mtu $(( mtu - 80 )) up dev "$INTERFACE"
+ cmd ip $NETNS link set mtu $(( mtu - 80 )) up dev "$INTERFACE"
 }
 resolvconf_iface_prefix() {
@@ -170,7 +178,7 @@ add_route() {
 [[ $TABLE != off ]] || return 0
 if [[ -n $TABLE && $TABLE != auto ]]; then
- cmd ip $proto route add "$1" dev "$INTERFACE" table "$TABLE"
+ cmd ip $NETNS $proto route add "$1" dev "$INTERFACE" table "$TABLE"
 elif [[ $1 == */0 ]]; then
 add_default "$1"
 else
@@ -180,7 +188,7 @@ add_route() {
 get_fwmark() {
 local fwmark
- fwmark="$(wg show "$INTERFACE" fwmark)" || return 1
+ fwmark="$($NETNS_CMD wg show "$INTERFACE" fwmark)" || return 1
 [[ -n $fwmark && $fwmark != off ]] || return 1
 printf -v "$1" "%d" "$fwmark"
 return 0
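Review bot: In del_if the four `while` conditions still query `ip -4 rule show` / `ip -6 rule show` in the caller's namespace, while the `cmd ip $NETNS ... rule delete` lines they guard now run inside the namespace, so with a NetNS set the loops either never run and the policy rules that add_default installs there are left behind, or, if the host happens to carry a rule for the same table, repeatedly try to delete in the wrong namespace; the conditions should read `$(ip $NETNS -4 rule show 2>/dev/null)` and `$(ip $NETNS -6 rule show 2>/dev/null)` to match. In add_if the new `ip link set netns $NETNS_PLAIN dev "$INTERFACE"` bypasses the `cmd` wrapper that every other privileged call goes through (so it is not echoed like the rest) and expands `$NETNS_PLAIN` unquoted; `cmd ip link set netns "$NETNS_PLAIN" dev "$INTERFACE"` fixes both, `[[ -n $NETNS ]]` is the idiomatic form of `[[ ! -z $NETNS ]]`, and the unrelated `wireguard ; then` whitespace change should be dropped. If the named namespace does not exist, that move fails after the interface has already been created in the caller's namespace, and the del_if run by cmd_up's trap then calls `ip $NETNS link delete`, which fails as well, so the host-side interface is leaked; checking the namespace before `ip link add` (or deleting without `$NETNS` when the move failed) avoids that. The `ip route get`, `ip route show default` and `ip link show` lookups in set_mtu_up are deliberately left on the host side, presumably because the interface is created there before being moved; a one-line comment stating that intent would keep a later reader from adding `$NETNS` to them.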
@@ -216,13 +224,13 @@ add_default() {
 while [[ -n $(ip -4 route show table $table 2>/dev/null) || -n $(ip -6 route show table $table 2>/dev/null) ]]; do
 ((table++))
 done
- cmd wg set "$INTERFACE" fwmark $table
+ cmd $NETNS_CMD wg set "$INTERFACE" fwmark $table
 fi
 local proto=-4 iptables=iptables pf=ip
 [[ $1 == *:* ]] && proto=-6 iptables=ip6tables pf=ip6
- cmd ip $proto rule add not fwmark $table table $table
- cmd ip $proto rule add table main suppress_prefixlength 0
- cmd ip $proto route add "$1" dev "$INTERFACE" table $table
+ cmd ip $NETNS $proto rule add not fwmark $table table $table
+ cmd ip $NETNS $proto rule add table main suppress_prefixlength 0
+ cmd ip $NETNS $proto route add "$1" dev "$INTERFACE" table $table
 local marker="-m comment --comment \"wg-quick(8) rule for $INTERFACE\"" restore=$'*raw\n' nftable="wg-quick-$INTERFACE" nftcmd
 printf -v nftcmd '%sadd table %s %s\n' "$nftcmd" "$pf" "$nftable"
@@ -248,7 +256,7 @@ add_default() {
 }
 set_config() {
- cmd wg setconf "$INTERFACE" <(echo "$WG_CONFIG")
+ cmd $NETNS_CMD wg setconf "$INTERFACE" <(echo "$WG_CONFIG")
 }
 save_config() {
@@ -278,7 +286,7 @@ save_config() {
 done
 old_umask="$(umask)"
 umask 077
- current_config="$(cmd wg showconf "$INTERFACE")"
+ current_config="$(cmd $NETNS_CMD wg showconf "$INTERFACE")"
 trap 'rm -f "$CONFIG_FILE.tmp"; exit' INT TERM EXIT
 echo "${current_config/\[Interface\]$'\n'/$new_config}" > "$CONFIG_FILE.tmp" || die "Could not write configuration file"
 sync "$CONFIG_FILE.tmp"
@@ -325,7 +333,7 @@ cmd_usage() {
 cmd_up() {
 local i
- [[ -z $(ip link show dev "$INTERFACE" 2>/dev/null) ]] || die "\`$INTERFACE' already exists"
+ [[ -z $(ip $NETNS link show dev "$INTERFACE" 2>/dev/null) ]] || die "\`$INTERFACE' already exists"
 trap 'del_if; exit' INT TERM EXIT
 add_if
 execute_hooks "${PRE_UP[@]}"
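Review bot: The free-table probe at the top of the add_default hunk, `ip -4 route show table $table` / `ip -6 route show table $table`, still inspects the caller's namespace, whereas the `cmd ip $NETNS $proto rule add` and `route add` lines a few lines below now populate that table inside the namespace, so the chosen table number is checked against the wrong routing tables and can collide with one already in use there. The condition should be `while [[ -n $(ip $NETNS -4 route show table $table 2>/dev/null) || -n $(ip $NETNS -6 route show table $table 2>/dev/null) ]]; do`. add_default continues outside the hunk on both sides, including the firewall `restore`/`nftcmd` rules built from `marker`; whether those are meant to land on the host or in the namespace is not visible here and is worth a comment next to the `local marker=` line.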
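Review bot: The "already exists" guard in cmd_up now only looks inside the namespace (`ip $NETNS link show`), but add_if still creates the interface in the caller's namespace before moving it, so a same-named host interface is no longer reported with that message and instead surfaces as a failed `ip link add` that drops into the userspace-implementation fallback branch. Keep the host-side check and add the namespace one: `[[ -z $(ip link show dev "$INTERFACE" 2>/dev/null) ]] || die "\`$INTERFACE' already exists"` followed by `[[ -z $NETNS || -z $(ip $NETNS link show dev "$INTERFACE" 2>/dev/null) ]] || die "\`$INTERFACE' already exists in namespace $NETNS_PLAIN"`. cmd_up continues past the end of the hunk.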
@@ -335,7 +343,7 @@ cmd_up() {
 done
 set_mtu_up
 set_dns
- for i in $(while read -r _ i; do for i in $i; do [[ $i =~ ^[0-9a-z:.]+/[0-9]+$ ]] && echo "$i"; done; done < <(wg show "$INTERFACE" allowed-ips) | sort -nr -k 2 -t /); do
+ for i in $(while read -r _ i; do for i in $i; do [[ $i =~ ^[0-9a-z:.]+/[0-9]+$ ]] && echo "$i"; done; done < <($NETNS_CMD wg show "$INTERFACE" allowed-ips) | sort -nr -k 2 -t /); do
 add_route "$i"
 done
 execute_hooks "${POST_UP[@]}"
@@ -343,7 +351,7 @@ cmd_up() {
 }
 cmd_down() {
- [[ " $(wg show interfaces) " == *" $INTERFACE "* ]] || die "\`$INTERFACE' is not a WireGuard interface"
+ [[ " $($NETNS_CMD wg show interfaces) " == *" $INTERFACE "* ]] || die "\`$INTERFACE' is not a WireGuard interface"
 execute_hooks "${PRE_DOWN[@]}"
 [[ $SAVE_CONFIG -eq 0 ]] || save_config
 del_if
@@ -353,7 +361,7 @@ cmd_down() {
 }
 cmd_save() {
- [[ " $($NETNS_CMD wg show interfaces) " == *" $INTERFACE "* ]] || die "\`$INTERFACE' is not a WireGuard interface"
+ [[ " $($NETNS_CMD wg show interfaces) " == *" $INTERFACE "* ]] || die "\`$INTERFACE' is not a WireGuard interface"
 save_config
 }
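Review bot: In cmd_down, when a NetNS is configured but the namespace has since been removed or the name is wrong, `$NETNS_CMD wg show interfaces` fails before `wg` ever runs and the guard reports "is not a WireGuard interface", which points the user at the wrong cause; the identical line is duplicated in the cmd_save hunk (@@ -353). Hoisting it into one helper, e.g. `check_interface() { [[ " $($NETNS_CMD wg show interfaces) " == *" $INTERFACE "* ]] || die "\`$INTERFACE' is not a WireGuard interface"; }` called from both, gives a single place to distinguish a missing namespace from a missing interface. The bodies of cmd_down and cmd_save continue outside their hunks.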