hostname.if '!' commands and rdomains

Matthieu Herrb-3
Hi,

When I'm configuring an interface with a specific rdomain, I'd assume
that '!' commands (especially /sbin/route commands) are executed in
the rdomain for this interface.

I know that parsing this file is complex and somehow fragile but still
I tried to write a patch.

What do you think ?

Of course I'm ok with any enhancements / fixes to my shell foo.

--- netstart.orig Wed Jul 29 11:19:53 2020
+++ netstart Wed Jul 29 11:52:39 2020
@@ -67,8 +67,16 @@
  _cmds[${#_cmds[*]}]="ifconfig $_if ${_c[@]} up;dhclient $_if"
  V4_DHCPCONF=true
  ;;
+ rdomain) ((${#_c[*]} == 2)) || return
+ _cmds[${#_cmds[*]}]="ifconfig $_if rdomain ${_c[_name]}"
+ _rdomain=${_c[_name]}
+ ;;
  '!'*) _cmd=$(print -- "${_c[@]}" | sed 's/\$if/'$_if'/g')
- _cmds[${#_cmds[*]}]="${_cmd#!}"
+ if [[ $_rdomain -ne 0 ]]; then
+       _cmds[${#_cmds[*]}]="/sbin/route -T$_rdomain exec ${_cmd#!}"
+ else
+       _cmds[${#_cmds[*]}]="${_cmd#!}"
+ fi
  ;;
  *) _cmds[${#_cmds[*]}]="ifconfig $_if ${_c[@]}"
  ;;
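Review bot: in the `'!'*)` branch, `/sbin/route -T$_rdomain exec ${_cmd#!}` puts only the first simple command of the line under `route exec`. The context line `"ifconfig $_if ${_c[@]} up;dhclient $_if"` shows that these strings can carry more than one command, so a `!` line containing `;`, `&&` or a pipe would run everything after the first command in the caller's routing table rather than in `$_rdomain`. If the wrapping is kept, pass the whole remainder to a shell started by `route exec` instead of prefixing the string.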

--
Matthieu Herrb


Re: hostname.if '!' commands and rdomains

Klemens Nanni-2
On Wed, Jul 29, 2020 at 11:54:17AM +0200, Matthieu Herrb wrote:
> When I'm configuring an interface with a specific rdomain, I'd assume
> that '!' commands (especially /sbin/route commands) are executed in
> the rdomain for this interface.
I see where you're coming from, but the diff seems flawed.

I don't have a better approach for this at hand, but as it stands, I'm
happy with having to do `route -T1 exec' manually if need be.

> I know that parsing this file is complex and somehow fragile but still
> I tried to write a patch.
In any way, /usr/src/distrib/miniroot/install.sub:parse_hn_line() will
require the same treatment to keep netstart(8) and installer in sync.

Also, if something like this went in, I'd like to see hostname.if(5)
explicitly document `!' behaviour wrt. to the routing domain.

> --- netstart.orig Wed Jul 29 11:19:53 2020
> +++ netstart Wed Jul 29 11:52:39 2020
> @@ -67,8 +67,16 @@
>   _cmds[${#_cmds[*]}]="ifconfig $_if ${_c[@]} up;dhclient $_if"
>   V4_DHCPCONF=true
>   ;;
> + rdomain) ((${#_c[*]} == 2)) || return
> + _cmds[${#_cmds[*]}]="ifconfig $_if rdomain ${_c[_name]}"
> + _rdomain=${_c[_name]}
> + ;;
This assumes `rdomain' is set on its own hostname.if(5) line, so config
like "up rdomain 1" won't set `_rdomain' here...

>   '!'*) _cmd=$(print -- "${_c[@]}" | sed 's/\$if/'$_if'/g')
> - _cmds[${#_cmds[*]}]="${_cmd#!}"
> + if [[ $_rdomain -ne 0 ]]; then
> +       _cmds[${#_cmds[*]}]="/sbin/route -T$_rdomain exec ${_cmd#!}"
> + else
> +       _cmds[${#_cmds[*]}]="${_cmd#!}"
> + fi
>   ;;
and that causes the interface to be in rdomain 1 while executing
in rdomain 0.


Re: hostname.if '!' commands and rdomains

Kapetanakis Giannis
In reply to this post by Matthieu Herrb-3
On 29/07/2020 12:54, Matthieu Herrb wrote:

> Hi,
>
> When I'm configuring an interface with a specific rdomain, I'd assume
> that '!' commands (especially /sbin/route commands) are executed in
> the rdomain for this interface.
>
> I know that parsing this file is complex and somehow fragile but still
> I tried to write a patch.
>
> What do you think ?
>
> Of course I'm ok with any enhancements / fixes to my shell foo.
>
> --- netstart.orig Wed Jul 29 11:19:53 2020
> +++ netstart Wed Jul 29 11:52:39 2020
> @@ -67,8 +67,16 @@
>   _cmds[${#_cmds[*]}]="ifconfig $_if ${_c[@]} up;dhclient $_if"
>   V4_DHCPCONF=true
>   ;;
> + rdomain) ((${#_c[*]} == 2)) || return
> + _cmds[${#_cmds[*]}]="ifconfig $_if rdomain ${_c[_name]}"
> + _rdomain=${_c[_name]}
> + ;;
>   '!'*) _cmd=$(print -- "${_c[@]}" | sed 's/\$if/'$_if'/g')
> - _cmds[${#_cmds[*]}]="${_cmd#!}"
> + if [[ $_rdomain -ne 0 ]]; then
> +       _cmds[${#_cmds[*]}]="/sbin/route -T$_rdomain exec ${_cmd#!}"
> + else
> +       _cmds[${#_cmds[*]}]="${_cmd#!}"
> + fi
>   ;;
>   *) _cmds[${#_cmds[*]}]="ifconfig $_if ${_c[@]}"
>   ;;
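Review bot: `_rdomain` is assigned in the new `rdomain)` branch and tested in `'!'*)`, but nothing in the hunk declares it or resets it to 0, so unless code outside the hunk does so, a value left from a previously parsed file would also wrap that file's `!` commands; set it to 0 where parsing of each hostname.if starts. The value also reaches `-T$_rdomain` straight from the file, so check that it is a decimal number first, and note that `((${#_c[*]} == 2)) || return` drops a malformed `rdomain` line without any message.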
>
Wouldn't this break those who already have
!route -T2 

in their hostname.if files?

G


Re: hostname.if '!' commands and rdomains

Klemens Nanni-2
On Wed, Jul 29, 2020 at 05:33:14PM +0300, Kapetanakis Giannis wrote:
> Wouldn't this break those who already have
> !route -T2 
>
> in their hostname.if files?
No,

        $ route -T1 exec id -R
        1
        $ route -T0 exec route -T1 exec id -R
        1


Re: hostname.if '!' commands and rdomains

Theo de Raadt-2
In reply to this post by Matthieu Herrb-3
You were already able to execute a !command inside the rdomain, either
by specifying the rdomain (on commands which can do that) or by using
route -T manually.

But now, you can't easily execute commands *outside the rdomain*, and
there are some things folk might want to do.

Also, there is an order of evaluation.  Commands before the rdomain
keywords are outside, but commands afterwards are in the rdomain.  That
troubles me a little, especially because it's another piece which will
be difficult to document.

Matthieu Herrb <[hidden email]> wrote:

> Hi,
>
> When I'm configuring an interface with a specific rdomain, I'd assume
> that '!' commands (especially /sbin/route commands) are executed in
> the rdomain for this interface.
>
> I know that parsing this file is complex and somehow fragile but still
> I tried to write a patch.
>
> What do you think ?
>
> Of course I'm ok with any enhancements / fixes to my shell foo.
>
> --- netstart.orig Wed Jul 29 11:19:53 2020
> +++ netstart Wed Jul 29 11:52:39 2020
> @@ -67,8 +67,16 @@
>   _cmds[${#_cmds[*]}]="ifconfig $_if ${_c[@]} up;dhclient $_if"
>   V4_DHCPCONF=true
>   ;;
> + rdomain) ((${#_c[*]} == 2)) || return
> + _cmds[${#_cmds[*]}]="ifconfig $_if rdomain ${_c[_name]}"
> + _rdomain=${_c[_name]}
> + ;;
>   '!'*) _cmd=$(print -- "${_c[@]}" | sed 's/\$if/'$_if'/g')
> - _cmds[${#_cmds[*]}]="${_cmd#!}"
> + if [[ $_rdomain -ne 0 ]]; then
> +       _cmds[${#_cmds[*]}]="/sbin/route -T$_rdomain exec ${_cmd#!}"
> + else
> +       _cmds[${#_cmds[*]}]="${_cmd#!}"
> + fi
>   ;;
>   *) _cmds[${#_cmds[*]}]="ifconfig $_if ${_c[@]}"
>   ;;
>
> --
> Matthieu Herrb
>


Re: hostname.if '!' commands and rdomains

Claudio Jeker
In reply to this post by Klemens Nanni-2
On Wed, Jul 29, 2020 at 04:43:18PM +0200, Klemens Nanni wrote:

> On Wed, Jul 29, 2020 at 05:33:14PM +0300, Kapetanakis Giannis wrote:
> > Wouldn't this break those who already have
> > !route -T2 
> >
> > in their hostname.if files?
> No,
>
> $ route -T1 exec id -R
> 1
> $ route -T0 exec route -T1 exec id -R
> 1

But:
        $ route -T2 exec id -R
        2
        $ route -T2 exec route -T0 exec id -R
        route: setrtable: Operation not permitted

Only root can change the rdomain if it is currently != 0.

--
:wq Claudio


Re: hostname.if '!' commands and rdomains

Kapetanakis Giannis
In reply to this post by Klemens Nanni-2
On 29/07/2020 17:43, Klemens Nanni wrote:

> On Wed, Jul 29, 2020 at 05:33:14PM +0300, Kapetanakis Giannis wrote:
>> Wouldn't this break those who already have
>> !route -T2 
>>
>> in their hostname.if files?
> No,
>
> $ route -T1 exec id -R
> 1
> $ route -T0 exec route -T1 exec id -R
> 1
>
you're right,

Also verified with
route -T0 route -T1 add

G


Re: hostname.if '!' commands and rdomains

Theo de Raadt-2
In reply to this post by Claudio Jeker
Claudio Jeker <[hidden email]> wrote:

> On Wed, Jul 29, 2020 at 04:43:18PM +0200, Klemens Nanni wrote:
> > On Wed, Jul 29, 2020 at 05:33:14PM +0300, Kapetanakis Giannis wrote:
> > > Wouldn't this break those who already have
> > > !route -T2 
> > >
> > > in their hostname.if files?
> > No,
> >
> > $ route -T1 exec id -R
> > 1
> > $ route -T0 exec route -T1 exec id -R
> > 1
>
> But:
> $ route -T2 exec id -R
> 2
> $ route -T2 exec route -T0 exec id -R
> route: setrtable: Operation not permitted
>
> Only root can change the rdomain if it is currently != 0.

That worry was stated in my email, but not so accurately, thank you.
So now you can't make a rdomain-0 !command in the global scope.

And if we start playing with "early !commands run in 0", that gets
even more messy.


Re: hostname.if '!' commands and rdomains

Klemens Nanni-2
On Wed, Jul 29, 2020 at 09:05:14AM -0600, Theo de Raadt wrote:

> Claudio Jeker <[hidden email]> wrote:
> > But:
> > $ route -T2 exec id -R
> > 2
> > $ route -T2 exec route -T0 exec id -R
> > route: setrtable: Operation not permitted
> >
> > Only root can change the rdomain if it is currently != 0.
>
> That worry was stated in my email, but not so accurately, thank you.
> So now you can't make a rdomain-0 !command in the global scope.
Indeed, my example was incomplete, but as netstart(8) runs as root this
is not a problem - unless of course `!' commands do stuff as
unprivileged users in foreign routing domains.

With that in mind, I'm getting more convinced that forcing the routing
domain in hostname.if(5) is not feasible.
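
The two parsing concerns raised in this thread (the "up rdomain 1" case and the order of evaluation), as an added example that is not part of any post and is not netstart(8) code: a POSIX sh model of the patch's matching rule that reports, for each `!` line, the routing domain the patch would exec it in next to the one the interface has been placed in. The function name `plan_hostname_if`, the sample lines, and the simplification that every non-`!` line is handed to ifconfig word for word are assumptions made here.

```shell
#!/bin/sh
# Added example: a model of the patch's matching rule, not netstart(8) itself.
# Reads hostname.if(5)-style lines on stdin and prints, for each '!' line:
#   <rdomain the patch would exec in> <rdomain the interface is in> <command>

plan_hostname_if() {
	_exec_rd=0	# what the patch tracks in $_rdomain
	_if_rd=0	# what ifconfig has applied to the interface so far
	while IFS= read -r _line; do
		case $_line in
		''|'#'*) continue ;;
		'!'*)
			printf '%s %s %s\n' "$_exec_rd" "$_if_rd" "${_line#!}"
			continue ;;
		esac
		# Split the line into words without globbing.
		set -f; set -- $_line; set +f
		if [ "$1" = rdomain ]; then
			# Patch rule: exactly two words, otherwise the line is dropped.
			[ $# -eq 2 ] || continue
			_exec_rd=$2
		fi
		# Simplification (assumption): the words go to ifconfig as they are,
		# and ifconfig honours "rdomain N" wherever it appears on the line.
		while [ $# -gt 1 ]; do
			[ "$1" = rdomain ] && _if_rd=$2
			shift
		done
	done
}

# Constructed sample: one '!' line before the rdomain is set, and the rdomain
# sharing a line with "up" (the case from the first reply).
plan_hostname_if <<'EOF'
!echo before
up rdomain 1
!route add default 192.0.2.1
EOF
```

Any row whose first two columns differ is a `!` command that would run in a different routing domain than the interface it configures.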