diff --git a/brend.sh b/brend.sh index 4c5c3be..74ee2e1 100755 --- a/brend.sh +++ b/brend.sh @@ -26,23 +26,31 @@ # Pre-requisites: bridge-utils must be installed. -# Usage: ./brset.sh [ ...] +# Usage: ./brend.sh # - is the bridge interface to use, e.g. br0 # - is the hardware ethernet interface to use, e.g. eth0 - -# The tap interface can subsequently be deleted (so long as no one else is -# using it) with - -# openvpn --rmtun --dev tap - -# Define Bridge Interface +# - is the tap interface to use, e.g. tap0 + +# Check we have the right number of arguments +if [ "x$#" != "x3" ] +then + echo "Usage: ./brend.sh " + exit 1 +fi + +# Check we are root +euid=`id -un` +if [ "x${euid}" != "xroot" ] +then + echo "Must run as root" + exit 1 +fi + +# Break out the arguments br=$1 -shift - -# Host ethernet interface to use -eth=$1 -shift +eth=$2 +tap=$3 # Determine the IP address, netmask and broadcast of the bridge. eth_ip=`ifconfig $br | \ @@ -58,18 +66,53 @@ eth_broadcast=`ifconfig $br | \ head -1 | \ sed -e 's/^.*Bcast:\([^ \t]*\).*$/\1/'` -# Define list of TAP interfaces to be bridged, -tap=$* - -echo "Deleting bridge $br" -echo " Host Ethernet device: $eth" -echo " Host IP address: $eth_ip" -echo " Host netmask: $eth_netmask" -echo " Host broadcast: $eth_broadcast" - -# Delete the bridge -ifconfig $br down -brctl delbr $br - -# Restore the Ethernet interface -ifconfig $eth $eth_ip netmask $eth_netmask broadcast $eth_broadcast +# Close the firewall to the tap and bridge +iptables -D INPUT -i ${tap} -j ACCEPT +iptables -D INPUT -i ${br} -j ACCEPT +iptables -D FORWARD -i ${br} -j ACCEPT + +# Take down the bridge and delete it +ifconfig ${br} down + +if [ $? != 0 ] +then + echo "Failed to take down ${br}" + exit 1 +fi + +brctl delbr ${br} + +if [ $? != 0 ] +then + echo "Failed to take delete ${br}" + exit 1 +fi + +# Delete the TAP interface. Note we mustn't have anything using it. It's +# rather harsh, but we use fuser to ensure this (it will take out all users of +# any TAP/TUN interface). +fuser -k /dev/net/tun +openvpn --rmtun --dev ${tap} + +if [ $? != 0 ] +then + echo "Failed to remove ${tap}" + exit 1 +fi + +# Restore the Ethernet interface. We could use ifconfig with the IP address, +# netmask and broadcast mask from earlier, but this does not seem to work in a +# DHCP world +# ifconfig ${eth} ${eth_ip} netmask ${eth_netmask} broadcast ${eth_broadcast} +# Instead we use a single shot dhcp configuration. In future the extant eth0 +# dhclient will refresh the lease. +dhclient -1 -d ${eth0} + +if [ $? != 0 ] +then + echo "Failed to get lease for ${eth}" + exit 1 +fi + +# Kill the outstanding br0 DHCL client +kill `ps ax | grep "dhclient.*${br}" | grep -v "grep" | cut -c 1-5` diff --git a/brstart.sh b/brstart.sh index 5030969..7bb2dca 100755 --- a/brstart.sh +++ b/brstart.sh @@ -26,26 +26,37 @@ # Pre-requisites: bridge-utils must be installed. -# Usage: ./brset.sh [ ...] +# Usage: ./brstart.sh # - is the bridge interface to use, e.g. br0 # - is the hardware ethernet interface to use, e.g. eth0 # - is/are the persistent TAP interface(s) -# The tap interfaces must have been previously set up persistently by the -# superuser using for example: - -# openvpn --mktun --dev tap --user --group - -# Define Bridge Interface -br=$1 -shift - -# Host ethernet interface to use -eth=$1 -shift - -# Determine the IP address, netmask and broadcast of the host. +# Check we have the right number of arguments +if [ "x$#" != "x5" ] +then + echo "Usage: ./brstart.sh " + exit 1 +fi + +# Check we are root +euid=`id -un` +if [ "x${euid}" != "xroot" ] +then + echo "Must run as root" + exit 1 +fi + +# Break out the arguments +username=$1 +groupname=$2 +br=$3 +eth=$4 +tap=$5 + +# Determine the IP address, netmask and broadcast of the current Ethernet +# interface. This is used if the bridge is set up manually, rather than using +# DHCP. eth_ip=`ifconfig $eth | \ grep "inet addr" | \ head -1 | \ @@ -59,34 +70,56 @@ eth_broadcast=`ifconfig $eth | \ head -1 | \ sed -e 's/^.*Bcast:\([^ \t]*\).*$/\1/'` -# Define list of TAP interfaces to be bridged, -tap=$* +# Create the TAP interface +openvpn --mktun --dev ${tap} --user ${username} --group ${groupname} -echo "Creating bridge $br" -echo " Host Ethernet device: $eth" -echo " Host IP address: $eth_ip" -echo " Host netmask: $eth_netmask" -echo " Host broadcast: $eth_broadcast" -echo " Target TAP device(s): $tap" +if [ $? != 0 ] +then + echo "Failed to create ${tap}" + exit 1 +fi # Create the bridge -brctl addbr $br - -# Add the host Ethernet and TAP interfaces -brctl addif $br $eth - -for t in $tap; do - brctl addif $br $t -done - -# Remove the IP addresses of the underlying interfaces -ifconfig $eth 0.0.0.0 promisc up - -for t in $tap; do - ifconfig $t 0.0.0.0 promisc up +brctl addbr ${br} + +if [ $? != 0 ] +then + echo "Failed to create ${br}" + exit 1 +fi + +# Add the host Ethernet and TAP interfaces, removing the IP addresses of the +# underlying interfaces. +for i in ${eth} ${tap} +do + # Add the interface + brctl addif ${br} ${i} + + if [ $? != 0 ] + then + echo "Failed to create ${i}" + exit 1 + fi + + # Remove the IP address + ifconfig ${i} 0.0.0.0 promisc up + + if [ $? != 0 ] + then + echo "Failed to remove IP interface of ${i}" + exit 1 + fi done -# Reconfigure the bridge to have the Ethernet address that had been used just -# by $eth. -# ifconfig $br $eth_ip netmask $eth_netmask broadcast $eth_broadcast -dhclient $br +# Reconfigure the bridge to have the appropriate Ethernet address. This uses +# dhclient to get the information from DHCP, but we could instead use +# ifconfig and the data about the original IP address, netmask and broadcast +# mask as follows: +# ifconfig ${br} ${eth_ip} netmask ${eth_netmask} broadcast ${eth_broadcast} +dhclient ${br} + +# Open up firewall to the tap and bridge. We have a generic reject at the end +# of the chain, so we insert these at the start. +iptables -I INPUT 1 -i ${tap} -j ACCEPT +iptables -I INPUT 1 -i ${br} -j ACCEPT +iptables -I FORWARD 1 -i ${br} -j ACCEPT