
feat: add new bridge network

antrusd opened this issue 1 year ago • 0 comments

This PR will add net bridge driver support. The driver is almost similar to lxc-user-nic, but without attaching connectivity between the host namespace and the target namespace. The connectivity needs to be configured manually with the help of a veth interface (requires root privilege) from the host namespace, which can be "watched" using a bash script + systemd service.

e.g.

```bash
#!/usr/bin/env bash
# Host-side watcher (runs as root): waits for rootlesskit to publish its child
# pid, then creates a veth pair, attaches the host end to the bridge and moves
# the other end into the child's network namespace.

export ROOTKIT_STATE_DIRECTORY=/path/to/rootkit/state/directory
export BRIDGE=docker0
export VETHP=docker0p1
export VETHC=docker0c1

# add masquerade support
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables-save | grep -q "${BRIDGE}" || iptables -t nat -A POSTROUTING -s 172.17.0.0/16 ! -o "${BRIDGE}" -j MASQUERADE

while :; do
  until test -r "${ROOTKIT_STATE_DIRECTORY}/child_pid"; do
    sleep 1
  done

  child_pid=$(cat "${ROOTKIT_STATE_DIRECTORY}/child_pid")
  # the file may be read before rootlesskit has finished writing it
  if [ -z "${child_pid}" ]; then
    sleep 1
    continue
  fi

  # expose the child's netns under /var/run/netns so `ip` can address it by name
  mkdir -p /var/run/netns
  ln -sf "/proc/${child_pid}/ns/net" "/var/run/netns/${BRIDGE}"

  # a pair left over from a previous child would make `ip link add` fail
  ip link del "${VETHP}" >/dev/null 2>&1 || true
  ip link add "${VETHC}" type veth peer name "${VETHP}"
  ip link set "${VETHP}" up
  ip link set "${VETHP}" master "${BRIDGE}"
  ip link set "${VETHC}" netns "${BRIDGE}"

  # the pair disappears with the namespace when the child exits; then start over
  while test -r "${ROOTKIT_STATE_DIRECTORY}/child_pid" && ip link show "${VETHP}" >/dev/null 2>&1; do
    sleep 1
  done
done
```

antrusd · Mar 24 '24 16:03
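The watcher above runs as root but takes `child_pid` from the rootlesskit state directory, which the unprivileged side writes, so the value deserves checking before `/proc/<pid>/ns/net` is symlinked and a veth is moved into it. As an added example (not part of the PR or of rootlesskit), these checks confirm the pid names a live process owned by the expected rootless uid and living in a network namespace other than the caller's; the function names and the uid argument are assumptions.

```bash
#!/usr/bin/env bash
# Added example (not from the PR): checks a root-run watcher should apply to
# the child_pid it reads from the rootlesskit state directory before using it.
# Assumes Linux /proc; EXPECTED_UID is the uid of the rootless user
# (hypothetical, adjust to your deployment).

# pid_is_valid PID: true if PID is a positive integer naming a live process.
pid_is_valid() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "$1" -gt 0 ] && [ -d "/proc/$1" ]
}

# pid_owned_by PID UID: true if the real uid of PID equals UID, taken from
# /proc/PID/status (portable across stat(1) flavours).
pid_owned_by() {
  owner_uid=$(awk '/^Uid:/ { print $2 }' "/proc/$1/status" 2>/dev/null) || return 1
  [ -n "$owner_uid" ] && [ "$owner_uid" = "$2" ]
}

# pid_in_foreign_netns PID: true if PID's network namespace differs from the
# caller's (the host namespace when run from the host), so the veth end is
# never "moved" into the host namespace by mistake.
pid_in_foreign_netns() {
  child_ns=$(readlink "/proc/$1/ns/net" 2>/dev/null) || return 1
  self_ns=$(readlink /proc/self/ns/net) || return 1
  [ -n "$child_ns" ] && [ "$child_ns" != "$self_ns" ]
}

# read_child_pid STATE_DIR EXPECTED_UID: print the pid only if every check
# passes; callers then symlink /proc/<pid>/ns/net and attach the veth.
read_child_pid() {
  pid=$(cat "$1/child_pid" 2>/dev/null) || return 1
  pid_is_valid "$pid" && pid_owned_by "$pid" "$2" && pid_in_foreign_netns "$pid" || return 1
  printf '%s\n' "$pid"
}
```

In the watcher, `child_pid=$(read_child_pid "${ROOTKIT_STATE_DIRECTORY}" "${EXPECTED_UID}") || { sleep 1; continue; }` replaces the bare `cat`, so a stale, empty or foreign pid is skipped instead of wired up.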