Skip to content
This repository was archived by the owner on Jun 21, 2018. It is now read-only.

Add network namespaces for users #103

Open
KellerFuchs wants to merge 8 commits into
base: master
Choose a base branch
from
Open

Add network namespaces for users #103

KellerFuchs wants to merge 8 commits into from

Conversation

@KellerFuchs
Copy link
Member

@KellerFuchs KellerFuchs commented Aug 6, 2016
edited
Loading

Do not merge, there are some important parts missing:

  • DHCP (or whichever other way of allocating addresses) and NAT for IPv4 networking;
  • fixing resolv.conf, as Unbound doesn't listen on 127.0.0.1 in the user's netns;
  • computing the user's IPv6 address;
  • actually putting the user in the network namespace.

Moreover, this probably breaks our current identd setup.

@KellerFuchs KellerFuchs mentioned this pull request Oct 28, 2016
Merged
@KellerFuchs
Add user network namespaces (INCOMPLETE)
d721e37 
Todo:
- add DHCP and NAT setup for IPv4
- add pam_network_namespace to actually make the user
  enter the namespace
@KellerFuchs
netns: Correctly exit if the netns already exists
e813d35
@KellerFuchs
netns: Resolve UID and ignore system users
9e3175c
@KellerFuchs
netns: Construct user's IPv6
c084e0b
@KellerFuchs
netns: Make the default bridge br-users
82bae63
@KellerFuchs
netns: Refactor, introduce an in_ns function
8deea96
@KellerFuchs
netns: No need to manually add routes
f25500f 
RD/RA should take care of it
@KellerFuchs
netns: Shellcheck fixups
671205a 
- Avoid non-POSIX keywords (function, source)
- Use proper quoting
- Do not return strings
- Avoid [ X -a Y ], as it isn't well-defined
@KellerFuchs
Copy link
Member Author

KellerFuchs commented Jan 4, 2017

@lrvick Rebased this on the IPv6 branch, so that we can see more easily how it fits with the example config.

@daveloyall
Copy link

daveloyall commented Nov 3, 2017

Drive by observation: if outgoing connections are bound to a user's IP (or range? I don't know much about IPv6), the IRC network operators will no longer care about identd operation. The can manage connections (ie, issue bans) based on the IP.

@daurnimator
Copy link
Member

daurnimator commented Nov 3, 2017

Drive by observation: if outgoing connections are bound to a user's IP (or range? I don't know much about IPv6), the IRC network operators will no longer care about identd operation. The can manage connections (ie, issue bans) based on the IP.

Users still NAT to the ipv4 internet via the server's main ip.

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

No reviews

Assignees

@lrvick lrvick

@daurnimator daurnimator

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@KellerFuchs @daveloyall @daurnimator @lrvick