use random name for network interface

Author: evgeniy-scherbina

boundary.go

@@ -82,6 +82,10 @@ func (b *Boundary) ConfigureAfterRun(processPID int) {
 	b.jailer.ConfigureAfterRun(processPID)
 }
 
+func (b *Boundary) GetNetworkConfiguration() jail.NetworkConfiguration {
+	return b.jailer.GetNetworkConfiguration()
+}
+
 func (b *Boundary) Close() error {
 	// Stop proxy server
 	if b.proxyServer != nil {

cli/cli.go

@@ -102,8 +102,8 @@ func Run(ctx context.Context, config Config, args []string) error {
 		//fmt.Printf("%v\n", os.Environ())
 		time.Sleep(time.Second * 3) // wait for parent to configure env
 
-		// TODO: uncomment
-		vethNetJail := "veth_n_1111111"
+		vethNetJail := os.Getenv("VETH_NET_JAIL")
+
 		err := jail.SetupChildNetworking(vethNetJail)
 		if err != nil {
 			fmt.Fprintf(os.Stderr, "failed setupChildNetworking: %v\n", err)
@@ -224,6 +224,7 @@ func Run(ctx context.Context, config Config, args []string) error {
 		defer cancel()
 		cmd := boundaryInstance.Command(os.Args)
 		cmd.Env = append(cmd.Env, "CHILD=true")
+		cmd.Env = append(cmd.Env, fmt.Sprintf("VETH_NET_JAIL=%v", boundaryInstance.GetNetworkConfiguration().VethNetJail))
 		cmd.Stderr = os.Stderr
 		cmd.Stdout = os.Stdout
 		cmd.Stdin = os.Stdin

jail/jail.go

@@ -12,6 +12,11 @@ type Jailer interface {
 	Command(command []string) *exec.Cmd
 	ConfigureAfterRun(processPID int)
 	Close() error
+	GetNetworkConfiguration() NetworkConfiguration
+}
+
+type NetworkConfiguration struct {
+	VethNetJail string
 }
 
 type Config struct {

jail/linux.go

@@ -18,6 +18,7 @@ type LinuxJail struct {
 	logger        *slog.Logger
 	namespace     string
 	vethHost      string // Host-side veth interface name for iptables rules
+	vethNetJail   string // Host-side veth interface name for iptables rules
 	commandEnv    []string
 	httpProxyPort int
 	configDir     string
@@ -49,6 +50,48 @@ func (l *LinuxJail) Start() error {
 	e := getEnvs(l.configDir, l.caCertPath)
 	l.commandEnv = mergeEnvs(e, map[string]string{})
 
+	// Create veth pair with short names (Linux interface names limited to 15 chars)
+	// Generate unique ID to avoid conflicts
+	uniqueID := fmt.Sprintf("%d", time.Now().UnixNano()%10000000) // 7 digits max
+	vethHost := fmt.Sprintf("veth_h_%s", uniqueID)                // veth_h_1234567 = 14 chars
+	vethNetJail := fmt.Sprintf("veth_n_%s", uniqueID)             // veth_n_1234567 = 14 chars
+
+	// Store veth interface name for iptables rules
+	l.vethHost = vethHost
+	l.vethNetJail = vethNetJail
+
+	setupCmds := []struct {
+		description string
+		command     *exec.Cmd
+		ambientCaps []uintptr
+	}{
+		{
+			"create veth pair",
+			exec.Command("ip", "link", "add", vethHost, "type", "veth", "peer", "name", vethNetJail),
+			[]uintptr{uintptr(unix.CAP_NET_ADMIN)},
+		},
+		{
+			"configure host veth",
+			exec.Command("ip", "addr", "add", "192.168.100.1/24", "dev", vethHost),
+			[]uintptr{uintptr(unix.CAP_NET_ADMIN)},
+		},
+		{
+			"bring up host veth",
+			exec.Command("ip", "link", "set", vethHost, "up"),
+			[]uintptr{uintptr(unix.CAP_NET_ADMIN)},
+		},
+	}
+
+	for _, command := range setupCmds {
+		command.command.SysProcAttr = &syscall.SysProcAttr{
+			AmbientCaps: command.ambientCaps,
+		}
+
+		if err := command.command.Run(); err != nil {
+			return fmt.Errorf("failed to %s: %v", command.description, err)
+		}
+	}
+
 	return nil
 }
 
@@ -91,6 +134,12 @@ func (l *LinuxJail) ConfigureAfterRun(pidInt int) {
 	}
 }
 
+func (l *LinuxJail) GetNetworkConfiguration() NetworkConfiguration {
+	return NetworkConfiguration{
+		VethNetJail: l.vethNetJail,
+	}
+}
+
 // Close removes the network namespace and iptables rules
 func (l *LinuxJail) Close() error {
 	l.logger.Debug("Close called")
@@ -140,39 +189,14 @@ func (l *LinuxJail) createNamespace() error {
 func (l *LinuxJail) setupParentNetworking(pidInt int) error {
 	PID := fmt.Sprintf("%v", pidInt)
 
-	// Create veth pair with short names (Linux interface names limited to 15 chars)
-	// Generate unique ID to avoid conflicts
-	uniqueID := fmt.Sprintf("%d", time.Now().UnixNano()%10000000) // 7 digits max
-	uniqueID = "1111111"
-	vethHost := fmt.Sprintf("veth_h_%s", uniqueID)    // veth_h_1234567 = 14 chars
-	vethNetJail := fmt.Sprintf("veth_n_%s", uniqueID) // veth_n_1234567 = 14 chars
-
-	// Store veth interface name for iptables rules
-	l.vethHost = vethHost
-
 	setupCmds := []struct {
 		description string
 		command     *exec.Cmd
 		ambientCaps []uintptr
 	}{
-		{
-			"create veth pair",
-			exec.Command("ip", "link", "add", vethHost, "type", "veth", "peer", "name", vethNetJail),
-			[]uintptr{uintptr(unix.CAP_NET_ADMIN)},
-		},
 		{
 			"move veth to namespace",
-			exec.Command("ip", "link", "set", vethNetJail, "netns", PID),
-			[]uintptr{uintptr(unix.CAP_NET_ADMIN)},
-		},
-		{
-			"configure host veth",
-			exec.Command("ip", "addr", "add", "192.168.100.1/24", "dev", vethHost),
-			[]uintptr{uintptr(unix.CAP_NET_ADMIN)},
-		},
-		{
-			"bring up host veth",
-			exec.Command("ip", "link", "set", vethHost, "up"),
+			exec.Command("ip", "link", "set", l.vethNetJail, "netns", PID),
 			[]uintptr{uintptr(unix.CAP_NET_ADMIN)},
 		},
 	}

jail/macos.go

@@ -342,3 +342,7 @@ func (n *MacOSJail) cleanupTempFiles() {
 }
 
 func (u *MacOSJail) ConfigureAfterRun(processPID int) {}
+
+func (l *MacOSJail) GetNetworkConfiguration() NetworkConfiguration {
+	return NetworkConfiguration{}
+}

jail/unprivileged.go

@@ -62,3 +62,7 @@ func (u *Unprivileged) Close() error {
 }
 
 func (u *Unprivileged) ConfigureAfterRun(processPID int) {}
+
+func (l *Unprivileged) GetNetworkConfiguration() NetworkConfiguration {
+	return NetworkConfiguration{}
+}