nub 0.0.103 → 0.0.119

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: e03ab8b435d9eccad62fe0d1a515377dddf39cdd752e6ae643dd4337bb3a606e
-  data.tar.gz: 4795f2c20f7eeaf1da565f41c783d15b20007307f3cd926bbe28860419511cdc
+  metadata.gz: d7c15f5f66c73221685a124f105c3cca8205d41155603111823e8d580783aea7
+  data.tar.gz: 5d1bbe7937d9befa92a78237d6554993490e3e492b2dd75c5721e4457c2e630e
 SHA512:
-  metadata.gz: 69825e1f9cb11e189c77ab8ca30f9668300759f30f7fa1805153994c5ffb24eb017b7a3f12abd2067cdf1b04110a64b3558c7ff220d1211172060985ea52f7fc
-  data.tar.gz: cbdb16ed3fb4eb6b9f219492d60279d6035c233d1c21802b745079ea3e1d78fe12e0610bcfc0cc9fcfcaf2c18925c2ceff61434df84727f562287e246566da6b
+  metadata.gz: 4e2d6a2b5344de24c51ddb4913dd1225de0da8e6aeead3a527138bf124bfbe96a309f50ce5cd4b5b572a33bcdaf048da9cde1197c7a4dfb76f9a037e80b740d9
+  data.tar.gz: 11bb6954b62eb0326ac9015cd517808edaaabfeed0ec3d220448a80bd91b5ad84a03c8a94deed1c63f29d00a80eae5e3b1fe87fcc43290d902566de35393f0c9

data/README.md

@@ -25,6 +25,7 @@ Collection of ruby utils I've used in several of my projects and wanted re-usabl
     * [Examples](#examples)
     * [Indicators](#indicators)
 * [Config Module](#config-module)
+  * [ERB Resolution](#erb-resolution)
 * [Core Module](#core-module)
 * [FileUtils Extensions](#fileutils-extensions)
 * [Hash Module](#hash-module)
@@ -350,6 +351,18 @@ Config.init("openvpn.yml")
 ```
 
 ## Core Module <a name="core-module"></a>
+The core module provides a few extensions to common ruby types.
+
+### ERB Resolution <a name="erb-resolution"></a>
+The ***String*** class has been extended to include ***.erb*** and ***.erb!*** to easily resolve
+template variables. Additionally the ***Array*** and ***Hash*** classes have been extended to
+recursively resolve template variables with ***.erb*** and ***.erb!*** functions.
+
+Examples:
+```ruby
+puts("This is a template example <%=foo%>.".erb({'foo': 'foobar'}))
+# outputs: This is a template example foobar.
+```
 
 ## FileUtils Extensions <a name="fileutils-module"></a>
 
@@ -367,11 +380,11 @@ encapsulate functionality into reusable components.
 Linux by default shares a single set of network interfaces and routing table entries, such that an
 installed application can bind to all interfaces and has access to all other services currently
 running on the system. Network namespaces implemented in the kernel provide a way to isolate
-networks and services from each other. This is the technology that docker uses to isolate docker
-apps from the host and other docker apps.
+networks, interfaces and services from each other. This is the technology that docker uses to
+isolate networking in docker apps from the host and other docker apps.
 
-Network namespaces provide a way to have different separate virtual interfaces and routing tables
-that operate independent of each other. They can be easily manipulated via the ***ip netns*** command.
+Network namespaces provide a way to have separate virtual interfaces and routing tables that operate
+independent of each other. They can be manipulated via the `ip netns` command.
 
 ```bash
 # Create a new network namespace
@@ -382,8 +395,8 @@ sudo ip netns add foo
 ip netns list
 ```
 
-Once a network namespace has been created you need to configure how it connected to the host. This
-can be done by creating a pair of virtual Ethernet ***veth*** interfaces and assigning them to the
+Once a network namespace has been created you need to configure how/if it connects to the host. This
+can be done by creating a pair of virtual Ethernet (***veth***) interfaces and assigning them to the
 new network namespace as by default they will be assigned to the root namespace. The root namespace
 or global namespace is the default namespace used by the host for regular networking.
 
@@ -429,7 +442,7 @@ sudo ip netns exec foo ping 192.168.100.1
 # 64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.080 ms
 ```
 
-Now we have connectivity between our veth pair across network namespaces. Because
+Now we have connectivity between our veth pair across network namespaces. Because the
 ***192.168.100.0/24*** network, that we configured the veth pair on, is a separate network from the
 host any applications running within the new network namespace will not have connectivity to
 anything else on your host or networks currently including external access to the internet.
@@ -443,18 +456,38 @@ sudo ip netns exec foo ping www.google.com
 # connect: Network is unreachable
 ```
 
-In the following sub sections I'll show you how to automated this compliated setup using the
+In the following sub sections I'll show you how to automated this complicated setup using the
 ***Net*** ruby module.
 
 #### TeamViewer Example <a name="teamviewer-example"></a>
 In this example I'll be showing you how to isolate Teamviewer such that Teamviewer is only able to
-bind to the veth2 IPv4 address that we create for it rather than all network interfaces on the host.
-This will allow you to have Teamviewer running and accessible from your network facing IP but also
-to be able to SSH port forward other Teamviewer instances to your loopback interface or other veth
-addresses.
+bind to the veth IPv4 address that we create for it rather than all network interfaces on the host.
+This will allow you to have a local Teamviewer instance running and accessible from your network
+facing IP but also to be able to SSH port forward other Teamviewer instances to your veth addresses.
 
-```ruby
-WIP
+```bash
+require_relative '../lib/nub/net'
+require_relative '../lib/nub/user'
+!puts("Must be root to execute") and exit if not User.root?
+
+if ARGV.size > 0
+  cmd = ARGV[0]
+  app = ARGV[1]
+  namespace = "foo"
+  host_veth = Net::Veth.new("veth1", "192.168.100.1")
+  guest_veth = Net::Veth.new("veth2", "192.168.100.2")
+  network = Net::Network.new("192.168.100.0", "24")
+  if cmd == "isolate"
+    Net.create_namespace(namespace, host_veth, guest_veth, network, "enp+")
+    Net.namespace_connectivity?(namespace, "google.com")
+    Net.namespace_exec(namespace, "lxterminal")
+  elsif cmd == "destroy"
+    Net.delete_namespace(namespace, host_veth, network, "enp+")
+  end
+else
+  puts("Isolate: #{$0} isolate <app>")
+  puts("Destroy: #{$0} destroy")
+end
 ```
 
 #### PIA VPN Example <a name="pia-vpn-example"></a>
@@ -488,6 +521,11 @@ Net.proxy?
 Net.proxy_export
 ```
 
+```bash
+# Ping type equivalent that works behind a proxy
+curl -m 3 -sL -w "%{http_code}" google.com -o /dev/null
+```
+
 ## Pacman Module <a name="pacman-module"></a>
 
 ## Process Module <a name="process-module"></a>
@@ -498,6 +536,19 @@ Net.proxy_export
 
 ## User Module <a name="user-module"></a>
 
+```ruby
+require 'nub'
+
+# Check if the user is root
+User.root?
+
+# Drop root privileges to regular user that invoked sudo
+User.drop_privileges
+
+# Raise privileges back to sudo user if previously dropped
+User.raise_privileges
+```
+
 ## Ruby Gem Creation <a name="ruby-gem-creation"></a>
 http://guides.rubygems.org/make-your-own-gem/
 

data/lib/nub/:w

@@ -0,0 +1,374 @@
+#!/usr/bin/env ruby
+#MIT License
+#Copyright (c) 2018 phR0ze
+#
+#Permission is hereby granted, free of charge, to any person obtaining a copy
+#of this software and associated documentation files (the "Software"), to deal
+#in the Software without restriction, including without limitation the rights
+#to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+#copies of the Software, and to permit persons to whom the Software is
+#furnished to do so, subject to the following conditions:
+#
+#The above copyright notice and this permission notice shall be included in all
+#copies or substantial portions of the Software.
+#
+#THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+#IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+#FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+#AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+#LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+#OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+#SOFTWARE.
+
+require 'ostruct'
+require 'ipaddr'
+require_relative 'log'
+require_relative 'sys'
+require_relative 'module'
+
+# Collection of network related helpers
+module Net
+  extend self
+  mattr_accessor(:agents)
+  mattr_accessor(:namespace_subnet, :namespce_cidr)
+
+  @@namespace_cidr = "24"
+  @@namespace_subnet  = "192.168.100.0"
+
+  @@agents = OpenStruct.new({
+    windows_ie_6: 'Windows IE 6',
+    windows_ie_7: 'Windows IE 7',
+    windows_mozilla: 'Windows Mozilla',
+    mac_safari: 'Mac Safari',
+    mac_firefox: 'Mac FireFox',
+    mac_mozilla: 'Mac Mozilla',
+    linux_mozilla: 'Linux Mozilla',
+    linux_firefox: 'Linux Firefox',
+    linux_konqueror: 'Linux Konqueror',
+    iphone: 'iPhone'
+  })
+
+  # Get fresh proxy from environment
+  def proxy
+    return OpenStruct.new({
+      ftp: ENV['ftp_proxy'],
+      http: ENV['http_proxy'],
+      https: ENV['https_proxy'],
+      no: ENV['no_proxy'],
+      uri: ENV['http_proxy'] ? ENV['http_proxy'].split(':')[0..-2] * ":" : nil,
+      port: ENV['http_proxy'] ? ENV['http_proxy'].split(':').last : nil
+    })
+  end
+
+  # Check if a proxy is set
+  def proxy?
+    return !self.proxy.http.nil?
+  end
+
+  # Get a shell export string for proxies
+  # @param proxy [String] to use rather than default
+  def proxy_export(*args)
+    proxy = args.any? ? args.first.to_s : nil
+    if proxy
+      ({'ftp_proxy' => proxy,
+       'http_proxy' => proxy,
+       'https_proxy' => proxy
+      }.map{|k,v| "export #{k}=#{v}"} * ';') + ";"
+    elsif self.proxy?
+      (self.proxy.to_h.map{|k,v| (![:uri, :port].include?(k) && v) ? "export #{k}_proxy=#{v}" : nil}.compact * ';') + ";"
+    else
+      return nil
+    end
+  end
+
+  # Check if the system is configured for the kernel to forward ip traffic
+  def ip_forward?
+    return File.read('/proc/sys/net/ipv4/ip_forward').include?('1')
+  end
+
+  # Determine the primary nic on the machine
+  # based off default routing to google.com
+  # @returns [String] nic identified as primary
+  def primary_nic
+    out = `ip route`
+    return out[/default via.*dev (.*) proto/, 1]
+  end
+
+  # Increment the given ip address
+  # @param ip [String] ip address to increment
+  # @param i [int] optionally increment by given number
+  # @returns [String] incremented ip
+  def ipinc(ip, *args)
+    i = args.any? ? args.first.to_i : 1
+    ip_i = IPAddr.new(ip).to_i + i
+    return [24, 16, 8, 0].collect{|x| (ip_i >> x) & 255}.join('.')
+  end
+
+  # Decrement the given ip address
+  # @param ip [String] ip address to decrement
+  # @param i [int] optionally decrement by given number
+  # @returns [String] decremented ip
+  def ipdec(ip, *args)
+    i = args.any? ? args.first.to_i : 1
+    ip_i = IPAddr.new(ip).to_i - i
+    return [24, 16, 8, 0].collect{|x| (ip_i >> x) & 255}.join('.')
+  end
+
+  # ----------------------------------------------------------------------------
+  # Namespace related helpers
+  # ----------------------------------------------------------------------------
+
+  # Virtual Ethernet NIC object
+  # @param name [String] of the veth e.g. veth1
+  # @param ip [String] of the veth e.g. 192.168.100.1
+  Veth = Struct.new(:name, :ip)
+
+  # Network object
+  # @param subnet [String] of the network e.g. 192.168.100.0
+  # @param cidr [String] of the network
+  # @param nic [String] to use for NAT etc...
+  # @param nameservers [Array[String]] to optionally use for new network else uses hosts
+  Network = Struct.new(:subnet, :cidr, :nic, :nameservers)
+
+  # Get all namespaces
+  # @returns [Array] of namespace names
+  def namespaces
+    return Dir[File.join("/var/run/netns", "*")].map{|x| File.basename(x)}
+  end
+
+  # Get the current nameservers in use
+  # @param filename [String] to use instead of /etc/resolv.conf
+  # @returns [Array] of name server ips
+  def nameservers(*args)
+    filename = args.any? ? args.first.to_s : '/etc/resolv.conf'
+
+    result = []
+    if File.file?(filename)
+      File.readlines(filename).each{|line|
+        if line[/nameserver/]
+          result << line[/nameserver\s+(.*)/, 1]
+        end
+      }
+    end
+    return result
+  end
+
+  # Check that the namespace has connectivity to the outside world
+  # using a simple curl on google
+  # @param namespace [String] name to use when creating it
+  # @param target [String] ip or dns name to use for check
+  # @param proxy [String] to use rather than default
+  def namespace_connectivity?(namespace, target, *args)
+    success = false
+    proxy = args.any? ? args.first.to_s : nil
+    Log.info("Checking namespace #{namespace.colorize(:cyan)} for connectivity to #{target}", newline:false)
+
+    if self.namespaces.include?(namespace)
+      ping = "curl -m 3 -sL -w \"%{http_code}\" #{target} -o /dev/null"
+      return Sys.exec_status("ip netns exec #{namespace} bash -c '#{self.proxy_export(proxy)}#{ping}'", die:false, check:"200")
+    else
+      Sys.exec_status(":", die:false, check:"200")
+      Log.warn("Namespace #{namespace} doesn't exist!")
+    end
+  end
+
+  # Get namespace details using defaults for missing arguments
+  # veth names are generated incrementally using the '<ns>_vethN' naming pattern
+  # veth ips are generated based off @@namespace_subnet/@@namespace_cidr incrementally
+  # network subnet and cidr default and namespaces and nic are looked up
+  # @param namespace [String] name to use when creating it
+  # @returns [host_veth, guest_veth, network]
+  def namespace_details(namespace, *args)
+    host_veth, guest_veth = Veth.new, Veth.new
+    network = Network.new(@@namespace_subnet, @@namespace_cidr, true)
+
+    # Rebuild namespace objects from disk where possible
+    if self.namespaces.include?(namespace)
+
+      # Rebuild veths from guest
+      out = `ip netns exec #{namespace} ip a show type veth`
+      if hostif = out[/([\d]+):\s+.*@if[\d]+/, 1] ? "if" + out[/([\d]+):\s+.*@if[\d]+/, 1] : nil
+        guest_veth.name = out[/ (.*)@if[\d]+/, 1]
+        guest_veth.ip = out[/inet\s+([\d]+\.[\d]+\.[\d]+\.[\d]+).*/, 1]
+        host_veth.name = out[/ (.*)@#{hostif}/, 1]
+        host_veth.ip = self.ipdec(guest_veth.ip)
+
+      # Rebuild veths from host
+      else
+#        out = `ip a show type veth`
+#        host_str = out[/inet(.*)#{host_veth.name}/, 1]
+#        host_ip = host_str[/\s*([\d]+\.[\d]+\.[\d]+\.[\d]+\/[\d]+).*/, 1] if host_str
+#        host_veth.ip = host_ip[/(.*)\/[\d]+/, 1] if host_ip
+      end
+
+      # Rebuild network object
+      namespace_conf = File.join("/etc/netns", namespace, "resolv.conf")
+      network.nameservers = self.nameservers(namespace_conf) if File.exists?(namespace_conf)
+      network.cidr = host_ip[/\/([\d]+)/, 1] if host_ip
+      network.subnet = IPAddr.new(host_veth.ip).mask(network.cidr).to_s
+      out = `iptables -S`
+      if out.include?(host_veth.name)
+        network.nic = out[/-A FORWARD -i #{host_veth.name} -o (.*) -j ACCEPT/, 1]
+      end
+
+    # Handle args as either as positional or named
+    else
+      if args.size == 1 && args.first.is_a?(Hash)
+        network = args.first[:network] if args.first.key?(:network)
+        host_veth = args.first[:host_veth] if args.first.key?(:host_veth)
+        guest_veth = args.first[:guest_veth] if args.first.key?(:guest_veth)
+      elsif args.size > 1
+        host_veth = args.shift
+        guest_veth = args.shift if args.any?
+        network = args.shift if args.any?
+      end
+    end
+
+    # Populate missing information
+    nss = self.namespaces
+    i = (nss.include?(namespace) ? nss.size - 1 : nss.size) * 2 + 1
+    host_veth.name = "#{namespace}_veth#{i}" if !host_veth.name
+    host_veth.ip = self.ipinc(@@namespace_subnet, i) if !host_veth.ip
+    guest_veth.name = "#{namespace}_veth#{i + 1}" if !guest_veth.name
+    guest_veth.ip = "#{self.ipinc(host_veth.ip)}" if !guest_veth.ip
+    network.nic = self.primary_nic if network.nic == true
+    network.nameservers = self.nameservers if not network.nameservers
+
+    return host_veth, guest_veth, network
+  end
+
+  # Create a network namespace with the given name
+  # Params can be given as ordered positional args or named args
+  #
+  # @param namespace [String] name to use when creating it
+  # @param host_veth [Veth] describes the veth to create for the host side
+  # @param guest_veth [Veth] describes the veth to create for the guest side
+  # @param network [Network] describes the network to share. 
+  #   If the nic param is nil NAT is not enabled. If nic is true then the primary nic is dynamically
+  #   looked up else use user given If nameservers are not given the host nameservers will be used
+  #def create_namespace(namespace, host_veth, guest_veth, network)
+  def create_namespace(namespace, *args)
+    host_veth, guest_veth, network = self.namespace_details(namespace, args)
+
+    # Ensure namespace i.e. /var/run/netns/<namespace> exists
+    if !self.namespaces.include?(namespace)
+      Log.info("Creating Network Namespace #{namespace.colorize(:cyan)}", newline:false)
+      Sys.exec_status("ip netns add #{namespace}")
+    end
+
+    # Ensure loopback device is running inside the pnamespace
+    if `ip netns exec #{namespace} ip a`.include?("state DOWN")
+      Log.info("Start loopback interface in namespace", newline:false)
+      Sys.exec_status("ip netns exec #{namespace} ip link set lo up")
+    end
+
+    # Create a virtual ethernet pair to communicate across namespaces
+    # by default they will both be in the root namespace until one is assigned to another
+    # e.g. host:192.168.100.1 and guest:192.168.100.2 communicating in network:192.168.100.0
+    if !`ip a`.include?(host_veth.name)
+      msg = "Create namespace veths #{host_veth.name.colorize(:cyan)} for #{'root'.colorize(:cyan)} "
+      msg += "and #{guest_veth.name.colorize(:cyan)} for #{namespace.colorize(:cyan)}"
+      Log.info(msg, newline:false)
+      Sys.exec_status("ip link add #{host_veth.name} type veth peer name #{guest_veth.name}")
+      Log.info("Assign veth #{guest_veth.name.colorize(:cyan)} to namespace #{namespace.colorize(:cyan)}", newline:false)
+      Sys.exec_status("ip link set #{guest_veth.name} netns #{namespace}")
+    end
+
+    # Assign IPv4 addresses and start up the new veth interfaces
+    # sudo ping #{host_veth.ip} and sudo netns exec #{namespace} ping #{guest_veth.ip} should work now
+    if !`ip a`.include?(host_veth.ip)
+      Log.info("Assign ip #{host_veth.ip.colorize(:cyan)} and start #{host_veth.name.colorize(:cyan)}", newline:false)
+      Sys.exec_status("ifconfig #{host_veth.name} #{File.join(host_veth.ip, network.cidr)} up")
+    end
+    if !`ip netns exec #{namespace} ip a`.include?(guest_veth.ip)
+      Log.info("Assign ip #{guest_veth.ip.colorize(:cyan)} and start #{guest_veth.name.colorize(:cyan)}", newline:false)
+      Sys.exec_status("ip netns exec #{namespace} ifconfig #{guest_veth.name} #{File.join(guest_veth.ip, network.cidr)} up")
+    end
+
+    # Configure host veth as guest's default route leaving namespace
+    if !`ip netns exec #{namespace} ip route`.include?('default')
+      Log.info("Set default route for traffic leaving namespace #{namespace.colorize(:cyan)} to #{host_veth.ip.colorize(:cyan)}", newline:false)
+      Sys.exec_status("ip netns exec #{namespace} ip route add default via #{host_veth.ip} dev #{guest_veth.name}")
+    end
+
+    # NAT guest veth behind host veth to share internet access on host with guest
+    # Note: to see current forward rules use: sudo iptables -S
+    if network.nic
+      if !`iptables -t nat -S`.include?(File.join(network.subnet, network.cidr))
+        Log.info("Enable NAT on host for namespace #{File.join(network.subnet, network.cidr).colorize(:cyan)}", newline:false)
+        Sys.exec_status("iptables -t nat -A POSTROUTING -s #{File.join(network.subnet, network.cidr)} -o #{network.nic} -j MASQUERADE")
+      end
+      if !`iptables -S`.include?("-A FORWARD -i #{network.nic}")
+        Log.info("Allow forwarding to #{namespace.colorize(:cyan)} from #{network.nic.colorize(:cyan)}", newline:false)
+        Sys.exec_status("iptables -A FORWARD -i #{network.nic} -o #{host_veth.name} -j ACCEPT")
+      end
+      if !`iptables -S`.include?("-A FORWARD -i #{host_veth.name}")
+        Log.info("Allow forwarding from #{namespace.colorize(:cyan)} to #{network.nic.colorize(:cyan)}", newline:false)
+        Sys.exec_status("iptables -A FORWARD -i #{host_veth.name} -o #{network.nic} -j ACCEPT")
+      end
+    end
+
+    # Configure nameserver to use in Network namespace
+    namespace_conf = File.join("/etc/netns", namespace)
+    if !File.exists?(namespace_conf) && network.nameservers
+      Log.info("Creating nameserver config #{namespace_conf}", newline:false)
+      Sys.exec_status("mkdir -p #{namespace_conf}")
+      network.nameservers.each{|x|
+        Log.info("Adding nameserver #{x.colorize(:cyan)} to config", newline:false)
+        Sys.exec_status("echo 'nameserver #{x}' >> /etc/netns/#{namespace}/resolv.conf")
+      }
+    end
+  end
+
+  # Delete the given network namespace
+  # @param namespace [String] name to use when creating it
+  def delete_namespace(namespace)
+    host_veth, guest_veth, network = self.namespace_details(namespace)
+
+    # Remove nameserver config for network namespace
+    namespace_conf = File.join("/etc/netns", namespace)
+    if File.exists?(namespace_conf)
+      Log.info("Removing nameserver config #{namespace_conf.colorize(:cyan)}", newline:false)
+      Sys.exec_status("rm -rf #{namespace_conf}")
+    end
+
+    # Remove NAT and iptables forwarding allowances
+    if network.nic
+      if `iptables -t nat -S`.include?(File.join(network.subnet, network.cidr))
+        Log.info("Removing NAT on host for namespace #{File.join(network.subnet, network.cidr).colorize(:cyan)}", newline:false)
+        Sys.exec_status("iptables -t nat -D POSTROUTING -s #{File.join(network.subnet, network.cidr)} -o #{network.nic} -j MASQUERADE")
+      end
+      if `iptables -S`.include?("-A FORWARD -i #{network.nic}")
+        Log.info("Remove forwarding to #{namespace.colorize(:cyan)} from #{host_veth.ip.colorize(:cyan)}", newline:false)
+        Sys.exec_status("iptables -D FORWARD -i #{network.nic} -o #{host_veth.name} -j ACCEPT")
+      end
+      if `iptables -S`.include?("-A FORWARD -i #{host_veth.name}")
+        Log.info("Remove forwarding from #{namespace.colorize(:cyan)} to #{host_veth.ip.colorize(:cyan)}", newline:false)
+        Sys.exec_status("iptables -D FORWARD -i #{host_veth.name} -o #{network.nic} -j ACCEPT")
+      end
+    end
+
+    # Remove veths (virtual ethernet interfaces)
+    if `ip a`.include?(host_veth.name)
+      Log.info("Removing veth interface #{host_veth.name.colorize(:cyan)} for namespace", newline:false)
+      Sys.exec_status("ip link delete #{host_veth.name}")
+    end
+
+    # Remove namespace
+    if self.namespaces.include?(namespace)
+      Log.info("Removing namespace #{namespace.colorize(:cyan)}", newline:false)
+      Sys.exec_status("ip netns delete #{namespace}")
+    end
+  end
+
+  # Execute in the namespace
+  # @param namespace [String] to execut within
+  # @param cmd [String] command to execute
+  # @param proxy [String] to use rather than default
+  def namespace_exec(namespace, cmd, *args)
+    proxy = args.any? ? args.first.to_s : nil
+    return `ip netns exec #{namespace} bash -c '#{self.proxy_export(proxy)}#{cmd}'`
+  end
+end
+
+# vim: ft=ruby:ts=2:sw=2:sts=2

data/lib/nub/net.rb

@@ -21,6 +21,7 @@
 #SOFTWARE.
 
 require 'ostruct'
+require 'ipaddr'
 require_relative 'log'
 require_relative 'sys'
 require_relative 'module'
@@ -29,6 +30,10 @@ require_relative 'module'
 module Net
   extend self
   mattr_accessor(:agents)
+  mattr_accessor(:namespace_subnet, :namespce_cidr)
+
+  @@namespace_cidr = "24"
+  @@namespace_subnet  = "192.168.100.0"
 
   @@agents = OpenStruct.new({
     windows_ie_6: 'Windows IE 6',
@@ -62,7 +67,8 @@ module Net
 
   # Get a shell export string for proxies
   # @param proxy [String] to use rather than default
-  def proxy_export(proxy:nil)
+  def proxy_export(*args)
+    proxy = args.any? ? args.first.to_s : nil
     if proxy
       ({'ftp_proxy' => proxy,
        'http_proxy' => proxy,
@@ -80,32 +86,85 @@ module Net
     return File.read('/proc/sys/net/ipv4/ip_forward').include?('1')
   end
 
+  # Determine the primary nic on the machine
+  # based off default routing to google.com
+  # @returns [String] nic identified as primary
+  def primary_nic
+    out = `ip route`
+    return out[/default via.*dev (.*) proto/, 1]
+  end
+
+  # Increment the given ip address
+  # @param ip [String] ip address to increment
+  # @param i [int] optionally increment by given number
+  # @returns [String] incremented ip
+  def ipinc(ip, *args)
+    i = args.any? ? args.first.to_i : 1
+    ip_i = IPAddr.new(ip).to_i + i
+    return [24, 16, 8, 0].collect{|x| (ip_i >> x) & 255}.join('.')
+  end
+
+  # Decrement the given ip address
+  # @param ip [String] ip address to decrement
+  # @param i [int] optionally decrement by given number
+  # @returns [String] decremented ip
+  def ipdec(ip, *args)
+    i = args.any? ? args.first.to_i : 1
+    ip_i = IPAddr.new(ip).to_i - i
+    return [24, 16, 8, 0].collect{|x| (ip_i >> x) & 255}.join('.')
+  end
+
   # ----------------------------------------------------------------------------
   # Namespace related helpers
   # ----------------------------------------------------------------------------
 
   # Virtual Ethernet NIC object
-  # @param name [String] of the veth
-  # @param ip [String] of the veth
-  # @param nic [String] pattern matching nic e.g. en+
-  Veth = Struct.new(:name, :ip, :nic)
+  # @param name [String] of the veth e.g. veth1
+  # @param ip [String] of the veth e.g. 192.168.100.1
+  Veth = Struct.new(:name, :ip)
 
   # Network object
-  # @param ip [String] of the network
+  # @param subnet [String] of the network e.g. 192.168.100.0
   # @param cidr [String] of the network
-  # @param nameservers [Array[String]] to use for new network
-  Network = Struct.new(:ip, :cidr, :nameservers)
+  # @param nic [String] to use for NAT etc...
+  # @param nameservers [Array[String]] to optionally use for new network else uses hosts
+  Network = Struct.new(:subnet, :cidr, :nic, :nameservers)
+
+  # Get all namespaces
+  # @returns [Array] of namespace names
+  def namespaces
+    return Dir[File.join("/var/run/netns", "*")].map{|x| File.basename(x)}
+  end
+
+  # Get the current nameservers in use
+  # @param filename [String] to use instead of /etc/resolv.conf
+  # @returns [Array] of name server ips
+  def nameservers(*args)
+    filename = args.any? ? args.first.to_s : '/etc/resolv.conf'
+
+    result = []
+    if File.file?(filename)
+      File.readlines(filename).each{|line|
+        if line[/nameserver/]
+          result << line[/nameserver\s+(.*)/, 1]
+        end
+      }
+    end
+    return result
+  end
 
   # Check that the namespace has connectivity to the outside world
   # using a simple curl on google
   # @param namespace [String] name to use when creating it
+  # @param target [String] ip or dns name to use for check
   # @param proxy [String] to use rather than default
-  def namespace_connectivity?(namespace, proxy:nil)
+  def namespace_connectivity?(namespace, target, *args)
     success = false
-    Log.info("Checking namespace #{namespace.colorize(:cyan)} for connectivity to google.com", newline:false)
+    proxy = args.any? ? args.first.to_s : nil
+    Log.info("Checking namespace #{namespace.colorize(:cyan)} for connectivity to #{target}", newline:false)
 
-    if File.exists?(File.join("/var/run/netns", namespace))
-      ping = 'curl -sL -w "%{http_code}" http://www.google.com -o /dev/null'
+    if self.namespaces.include?(namespace)
+      ping = "curl -m 3 -sL -w \"%{http_code}\" #{target} -o /dev/null"
       return Sys.exec_status("ip netns exec #{namespace} bash -c '#{self.proxy_export(proxy)}#{ping}'", die:false, check:"200")
     else
       Sys.exec_status(":", die:false, check:"200")
@@ -113,17 +172,55 @@ module Net
     end
   end
 
+  # Get namespace details using defaults for missing arguments
+  # veth names are generated using the '<ns>_<type>' naming pattern
+  # veth ips are generated based off @@namespace_subnet/@@namespace_cidr incrementally
+  # network subnet and cidr default and namespaces and nic are looked up
+  # @param namespace [String] name to use when creating it
+  # @returns [host_veth, guest_veth, network]
+  def namespace_details(namespace, *args)
+    host_veth, guest_veth = Veth.new, Veth.new
+    network = Network.new(@@namespace_subnet, @@namespace_cidr, true)
+
+    # Handle args as either as positional or named
+    if args.size == 1 && args.first.is_a?(Hash)
+      network = args.first[:network] if args.first.key?(:network)
+      host_veth = args.first[:host_veth] if args.first.key?(:host_veth)
+      guest_veth = args.first[:guest_veth] if args.first.key?(:guest_veth)
+    elsif args.size > 1
+      host_veth = args.shift
+      guest_veth = args.shift if args.any?
+      network = args.shift if args.any?
+    end
+
+    # Populate missing information
+    nss = self.namespaces
+    i = (nss.include?(namespace) ? nss.size - 1 : nss.size) * 2 + 1
+    host_veth.name = "#{namespace}_host" if !host_veth.name
+    host_veth.ip = self.ipinc(@@namespace_subnet, i) if !host_veth.ip
+    guest_veth.name = "#{namespace}_guest" if !guest_veth.name
+    guest_veth.ip = "#{self.ipinc(host_veth.ip)}" if !guest_veth.ip
+    network.nic = self.primary_nic if network.nic == true
+    network.nameservers = self.nameservers if not network.nameservers
+
+    return host_veth, guest_veth, network
+  end
+
   # Create a network namespace with the given name
+  # Params can be given as ordered positional args or named args
+  #
   # @param namespace [String] name to use when creating it
   # @param host_veth [Veth] describes the veth to create for the host side
   # @param guest_veth [Veth] describes the veth to create for the guest side
-  # @param network [Network] describes the network to share
-  def create_namespace(namespace, host_veth, guest_veth, network)
-    namespace_conf = File.join("/etc/netns", namespace)
+  # @param network [Network] describes the network to share.
+  #   If the nic param is nil NAT is not enabled. If nic is true then the primary nic is dynamically
+  #   looked up else use user given If nameservers are not given the host nameservers will be used
+  def create_namespace(namespace, *args)
+    host_veth, guest_veth, network = self.namespace_details(namespace, args)
 
     # Ensure namespace i.e. /var/run/netns/<namespace> exists
-    if !File.exists?(File.join("/var/run/netns", namespace))
-      Log.info("Creating VPN Namespace #{namespace.colorize(:cyan)}", newline:false)
+    if !self.namespaces.include?(namespace)
+      Log.info("Creating Network Namespace #{namespace.colorize(:cyan)}", newline:false)
       Sys.exec_status("ip netns add #{namespace}")
     end
 
@@ -137,8 +234,9 @@ module Net
     # by default they will both be in the root namespace until one is assigned to another
     # e.g. host:192.168.100.1 and guest:192.168.100.2 communicating in network:192.168.100.0
     if !`ip a`.include?(host_veth.name)
-      Log.info("Create vpn veths #{host_veth.name.colorize(:cyan)} for #{'root'.colorize(:cyan)}
-       and #{guest_veth.name.colorize(:cyan)} for #{namespace.colorize(:cyan)}", newline:false)
+      msg = "Create namespace veths #{host_veth.name.colorize(:cyan)} for #{'root'.colorize(:cyan)} "
+      msg += "and #{guest_veth.name.colorize(:cyan)} for #{namespace.colorize(:cyan)}"
+      Log.info(msg, newline:false)
       Sys.exec_status("ip link add #{host_veth.name} type veth peer name #{guest_veth.name}")
       Log.info("Assign veth #{guest_veth.name.colorize(:cyan)} to namespace #{namespace.colorize(:cyan)}", newline:false)
       Sys.exec_status("ip link set #{guest_veth.name} netns #{namespace}")
@@ -147,34 +245,38 @@ module Net
     # Assign IPv4 addresses and start up the new veth interfaces
     # sudo ping #{host_veth.ip} and sudo netns exec #{namespace} ping #{guest_veth.ip} should work now
     if !`ip a`.include?(host_veth.ip)
-      Log.info("Assign ip #{host_veth.ip.colorize(:cyan)} and start #{host_veth.ip.colorize(:cyan)}", newline:false)
-      Sys.exec_status("ifconfig #{host_veth.name} #{File.join(host_veth.ip, nework.cidr)} up")
+      Log.info("Assign ip #{host_veth.ip.colorize(:cyan)} and start #{host_veth.name.colorize(:cyan)}", newline:false)
+      Sys.exec_status("ifconfig #{host_veth.name} #{File.join(host_veth.ip, network.cidr)} up")
     end
     if !`ip netns exec #{namespace} ip a`.include?(guest_veth.ip)
-      Log.info("Assign ip #{guest_veth.ip.colorize(:cyan)} and start #{guest_veth.ip.colorize(:cyan)}", newline:false)
-      Sys.exec_status("ip netns exec #{namespace} ifconfig #{guest_veth.name} #{File.join(guest_veth.ip, nework.cidr)} up")
+      Log.info("Assign ip #{guest_veth.ip.colorize(:cyan)} and start #{guest_veth.name.colorize(:cyan)}", newline:false)
+      Sys.exec_status("ip netns exec #{namespace} ifconfig #{guest_veth.name} #{File.join(guest_veth.ip, network.cidr)} up")
     end
 
-    # Share internet access on host with namespace
-    # Note: to see current forward rules use: iptables -S
+    # Configure host veth as guest's default route leaving namespace
     if !`ip netns exec #{namespace} ip route`.include?('default')
-      Log.info("Set default route for traffic leaving namespace to #{host_veth.ip.colorize(:cyan)}", newline:false)
+      Log.info("Set default route for traffic leaving namespace #{namespace.colorize(:cyan)} to #{host_veth.ip.colorize(:cyan)}", newline:false)
       Sys.exec_status("ip netns exec #{namespace} ip route add default via #{host_veth.ip} dev #{guest_veth.name}")
     end
-    if !`iptables -t nat -S`.include?(File.join(nework.ip, nework.cidr))
-      Log.info("Enable NAT on host for vpn net #{File.join(nework.ip, nework.cidr).colorize(:cyan)}", newline:false)
-      Sys.exec_status("iptables -t nat -A POSTROUTING -s #{File.join(nework.ip, nework.cidr)} -o #{host_veth.nic} -j MASQUERADE")
-    end
-    if !`iptables -S`.include?("-A FORWARD -i #{host_veth.nic}")
-      Log.info("Allow forwarding to #{namespace.colorize(:cyan)}", newline:false)
-      Sys.exec_status("iptables -A FORWARD -i #{host_veth.nic} -o #{host_veth.name} -j ACCEPT")
-    end
-    if !`iptables -S`.include?("-A FORWARD -i #{host_veth.name}")
-      Log.info("Allow forwarding from #{namespace.colorize(:cyan)}", newline:false)
-      Sys.exec_status("iptables -A FORWARD -i #{host_veth.name} -o #{host_veth.nic} -j ACCEPT")
+
+    # NAT guest veth behind host veth to share internet access on host with guest
+    # Note: to see current forward rules use: sudo iptables -S
+    if network.nic
+      if !`iptables -t nat -S`.include?(File.join(network.subnet, network.cidr))
+        Log.info("Enable NAT on host for namespace #{File.join(network.subnet, network.cidr).colorize(:cyan)}", newline:false)
+        Sys.exec_status("iptables -t nat -A POSTROUTING -s #{File.join(network.subnet, network.cidr)} -o #{network.nic} -j MASQUERADE")
+      end
+      if !`iptables -S`.include?("-A FORWARD -i #{network.nic}")
+        Log.info("Allow forwarding to #{namespace.colorize(:cyan)} from #{network.nic.colorize(:cyan)}", newline:false)
+        Sys.exec_status("iptables -A FORWARD -i #{network.nic} -o #{host_veth.name} -j ACCEPT")
+      end
+      if !`iptables -S`.include?("-A FORWARD -i #{host_veth.name}")
+        Log.info("Allow forwarding from #{namespace.colorize(:cyan)} to #{network.nic.colorize(:cyan)}", newline:false)
+        Sys.exec_status("iptables -A FORWARD -i #{host_veth.name} -o #{network.nic} -j ACCEPT")
+      end
     end
 
-    # Configure nameserver to use in VPN namespace
+    # Configure nameserver to use in Network namespace
     namespace_conf = File.join("/etc/netns", namespace)
     if !File.exists?(namespace_conf) && network.nameservers
       Log.info("Creating nameserver config #{namespace_conf}", newline:false)
@@ -187,40 +289,48 @@ module Net
   end
 
   # Delete the given network namespace
-  # @param namespace [String] name to use when creating it
+  # Params can be given as ordered positional args or named args
+  #
+  # @param namespace [String] name to use when deleting it
   # @param host_veth [Veth] describes the veth to create for the host side
-  # @param network [Network] describes the network to share
-  def delete_namespace(namespace, host_veth, network)
+  # @param guest_veth [Veth] describes the veth to create for the guest side
+  # @param network [Network] describes the network to share.
+  #   If the nic param is nil NAT is not enabled. If nic is true then the primary nic is dynamically
+  #   looked up else use user given If nameservers are not given the host nameservers will be used
+  def delete_namespace(namespace, *args)
+    host_veth, guest_veth, network = self.namespace_details(namespace, args)
 
-    # Remove nameserver config for vpn
+    # Remove nameserver config for network namespace
     namespace_conf = File.join("/etc/netns", namespace)
     if File.exists?(namespace_conf)
-      Log.info("Removing nameserver config #{namespace_conf}", newline:false)
+      Log.info("Removing nameserver config #{namespace_conf.colorize(:cyan)}", newline:false)
       Sys.exec_status("rm -rf #{namespace_conf}")
     end
 
     # Remove NAT and iptables forwarding allowances
-    if `iptables -t nat -S`.include?(File.join(network.ip, network.cidr))
-      Log.info("Removing NAT on host for vpn net #{File.join(network.ip, network.cidr).colorize(:cyan)}", newline:false)
-      Sys.exec_status("iptables -t nat -D POSTROUTING -s #{File.join(network.ip, network.cidr)} -o #{host_veth.nic} -j MASQUERADE")
-    end
-    if `iptables -S`.include?("-A FORWARD -i #{host_veth.nic}")
-      Log.info("Allow forwarding to #{namespace.colorize(:cyan)}", newline:false)
-      Sys.exec_status("iptables -D FORWARD -i #{host_veth.nic} -o #{host_veth.name} -j ACCEPT")
-    end
-    if `iptables -S`.include?("-A FORWARD -i #{host_veth.name}")
-      Log.info("Allow forwarding from #{namespace.colorize(:cyan)}", newline:false)
-      Sys.exec_status("iptables -D FORWARD -i #{host_veth.name} -o #{host_veth.nic} -j ACCEPT")
+    if network.nic
+      if `iptables -t nat -S`.include?(File.join(network.subnet, network.cidr))
+        Log.info("Removing NAT on host for namespace #{File.join(network.subnet, network.cidr).colorize(:cyan)}", newline:false)
+        Sys.exec_status("iptables -t nat -D POSTROUTING -s #{File.join(network.subnet, network.cidr)} -o #{network.nic} -j MASQUERADE")
+      end
+      if `iptables -S`.include?("-A FORWARD -i #{network.nic}")
+        Log.info("Remove forwarding to #{namespace.colorize(:cyan)} from #{host_veth.ip.colorize(:cyan)}", newline:false)
+        Sys.exec_status("iptables -D FORWARD -i #{network.nic} -o #{host_veth.name} -j ACCEPT")
+      end
+      if `iptables -S`.include?("-A FORWARD -i #{host_veth.name}")
+        Log.info("Remove forwarding from #{namespace.colorize(:cyan)} to #{host_veth.ip.colorize(:cyan)}", newline:false)
+        Sys.exec_status("iptables -D FORWARD -i #{host_veth.name} -o #{network.nic} -j ACCEPT")
+      end
     end
 
-    # Remove virtual ethernet interfaces
+    # Remove veths (virtual ethernet interfaces)
     if `ip a`.include?(host_veth.name)
-      Log.info("Removing veth interface #{host_veth.name.colorize(:cyan)} for vpn", newline:false)
+      Log.info("Removing veth interface #{host_veth.name.colorize(:cyan)} for namespace", newline:false)
       Sys.exec_status("ip link delete #{host_veth.name}")
     end
 
-    # Remove namespace for vpn
-    if File.exists?(File.join("/var/run/netns", namespace))
+    # Remove namespace
+    if self.namespaces.include?(namespace)
       Log.info("Removing namespace #{namespace.colorize(:cyan)}", newline:false)
       Sys.exec_status("ip netns delete #{namespace}")
     end
@@ -230,7 +340,8 @@ module Net
   # @param namespace [String] to execut within
   # @param cmd [String] command to execute
   # @param proxy [String] to use rather than default
-  def namespace_exec(namespace, cmd, proxy:nil)
+  def namespace_exec(namespace, cmd, *args)
+    proxy = args.any? ? args.first.to_s : nil
     return `ip netns exec #{namespace} bash -c '#{self.proxy_export(proxy)}#{cmd}'`
   end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: nub
 version: !ruby/object:Gem::Version
-  version: 0.0.103
+  version: 0.0.119
 platform: ruby
 authors:
 - Patrick Crummett
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2018-08-11 00:00:00.000000000 Z
+date: 2018-08-21 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: colorize
@@ -44,14 +44,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '0.8'
+        version: 0.8.22
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '0.8'
+        version: 0.8.22
 - !ruby/object:Gem::Dependency
   name: bundler
   requirement: !ruby/object:Gem::Requirement
@@ -89,6 +89,7 @@ files:
 - LICENSE
 - README.md
 - lib/nub.rb
+- lib/nub/:w
 - lib/nub/commander.rb
 - lib/nub/config.rb
 - lib/nub/core.rb