
Commit fc1ce01

committed
cleanup
1 parent 8f716fc commit fc1ce01


3 files changed

+34
-321
lines changed


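--- a/namespace/linux.go
+++ b/namespace/linux.go
@@ -11,7 +11,7 @@ import (
 )
 
 // Linux implements jail.Commander using Linux network namespaces
-type LinuxNetNamespace struct {
+type Linux struct {
 logger *slog.Logger
 namespace string
 vethHost string // Host-side veth interface name for iptables rules
@@ -22,8 +22,8 @@ type LinuxNetNamespace struct {
 userInfo UserInfo
 }
 
-func NewLinux(config Config) (*LinuxNetNamespace, error) {
-return &LinuxNetNamespace{
+func NewLinux(config Config) (*Linux, error) {
+return &Linux{
 logger: config.Logger,
 namespace: newNamespaceName(),
 httpProxyPort: config.HttpProxyPort,
@@ -34,7 +34,7 @@ func NewLinux(config Config) (*LinuxNetNamespace, error) {
 }
 
 // Start creates network namespace and configures iptables rules
-func (l *LinuxNetNamespace) Start() error {
+func (l *Linux) Start() error {
 l.logger.Debug("Setup called")
 
 // Setup DNS configuration BEFORE creating namespace
@@ -76,7 +76,7 @@ func (l *LinuxNetNamespace) Start() error {
 }
 
 // Command returns an exec.Cmd configured to run within the network namespace
-func (l *LinuxNetNamespace) Command(command []string) *exec.Cmd {
+func (l *Linux) Command(command []string) *exec.Cmd {
 l.logger.Debug("Command called", "command", command)
 
 // Create command with ip netns exec
@@ -96,7 +96,7 @@ func (l *LinuxNetNamespace) Command(command []string) *exec.Cmd {
 }
 
 // Close removes the network namespace and iptables rules
-func (l *LinuxNetNamespace) Close() error {
+func (l *Linux) Close() error {
 // Remove iptables rules
 err := l.removeIptables()
 if err != nil {
@@ -123,7 +123,7 @@ func (l *LinuxNetNamespace) Close() error {
 }
 
 // createNamespace creates a new network namespace
-func (l *LinuxNetNamespace) createNamespace() error {
+func (l *Linux) createNamespace() error {
 cmd := exec.Command("ip", "netns", "add", l.namespace)
 err := cmd.Run()
 if err != nil {
@@ -133,12 +133,12 @@ func (l *LinuxNetNamespace) createNamespace() error {
 }
 
 // setupNetworking configures networking within the namespace
-func (l *LinuxNetNamespace) setupNetworking() error {
+func (l *Linux) setupNetworking() error {
 // Create veth pair with short names (Linux interface names limited to 15 chars)
 // Generate unique ID to avoid conflicts
 uniqueID := fmt.Sprintf("%d", time.Now().UnixNano()%10000000) // 7 digits max
-vethHost := fmt.Sprintf("veth_h_%s", uniqueID) // veth_h_1234567 = 14 chars
-vethNetJail := fmt.Sprintf("veth_n_%s", uniqueID) // veth_n_1234567 = 14 chars
+vethHost := fmt.Sprintf("veth_h_%s", uniqueID) // veth_h_1234567 = 14 chars
+vethNetJail := fmt.Sprintf("veth_n_%s", uniqueID) // veth_n_1234567 = 14 chars
 
 // Store veth interface name for iptables rules
 l.vethHost = vethHost
@@ -169,7 +169,7 @@ func (l *LinuxNetNamespace) setupNetworking() error {
 // setupDNS configures DNS resolution for the namespace
 // This ensures reliable DNS resolution by using public DNS servers
 // instead of relying on the host's potentially complex DNS configuration
-func (l *LinuxNetNamespace) setupDNS() error {
+func (l *Linux) setupDNS() error {
 // Always create namespace-specific resolv.conf with reliable public DNS servers
 // This avoids issues with systemd-resolved, Docker DNS, and other complex setups
 netnsEtc := fmt.Sprintf("/etc/netns/%s", l.namespace)
@@ -197,7 +197,7 @@ options timeout:2 attempts:2
 }
 
 // setupIptables configures iptables rules for comprehensive TCP traffic interception
-func (l *LinuxNetNamespace) setupIptables() error {
+func (l *Linux) setupIptables() error {
 // Enable IP forwarding
 cmd := exec.Command("sysctl", "-w", "net.ipv4.ip_forward=1")
 cmd.Run() // Ignore error
@@ -222,7 +222,7 @@ func (l *LinuxNetNamespace) setupIptables() error {
 }
 
 // removeIptables removes iptables rules
-func (l *LinuxNetNamespace) removeIptables() error {
+func (l *Linux) removeIptables() error {
 // Remove comprehensive TCP redirect rule
 cmd := exec.Command("iptables", "-t", "nat", "-D", "PREROUTING", "-i", l.vethHost, "-p", "tcp", "-j", "REDIRECT", "--to-ports", fmt.Sprintf("%d", l.httpProxyPort))
 cmd.Run() // Ignore errors during cleanup
@@ -235,11 +235,11 @@ func (l *LinuxNetNamespace) removeIptables() error {
 }
 
 // removeNamespace removes the network namespace
-func (l *LinuxNetNamespace) removeNamespace() error {
+func (l *Linux) removeNamespace() error {
 cmd := exec.Command("ip", "netns", "del", l.namespace)
 err := cmd.Run()
 if err != nil {
 return fmt.Errorf("failed to remove namespace: %v", err)
 }
 return nil
-}
+}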

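--- a/namespace/macos.go
+++ b/namespace/macos.go
@@ -19,16 +19,16 @@ const (
 
 // MacOSNetJail implements network jail using macOS PF (Packet Filter) and group-based isolation
 type MacOSNetJail struct {
-restrictedGid int
-pfRulesPath string
-mainRulesPath string
-logger *slog.Logger
-commandEnv []string
-procAttr *syscall.SysProcAttr
-httpProxyPort int
-tlsConfigDir string
-caCertPath string
-userInfo UserInfo
+restrictedGid int
+pfRulesPath string
+mainRulesPath string
+logger *slog.Logger
+commandEnv []string
+procAttr *syscall.SysProcAttr
+httpProxyPort int
+tlsConfigDir string
+caCertPath string
+userInfo UserInfo
 }
 
 // NewMacOS creates a new macOS network jail instance
@@ -261,15 +261,10 @@ func (m *MacOSNetJail) setupPFRules() error {
 
 // Load rules into anchor
 cmd := exec.Command("pfctl", "-a", pfAnchorName, "-f", m.pfRulesPath)
-output, err := cmd.CombinedOutput()
+err = cmd.Run()
 if err != nil {
-m.logger.Error("Failed to load PF rules", "error", err, "output", string(output), "rules_file", m.pfRulesPath)
-// Also log the actual rules content for debugging
-rulesContent, readErr := os.ReadFile(m.pfRulesPath)
-if readErr == nil {
-m.logger.Debug("PF rules content", "rules", string(rulesContent))
-}
-return fmt.Errorf("failed to load PF rules: %v, output: %s", err, string(output))
+m.logger.Error("Failed to load PF rules", "error", err, "rules_file", m.pfRulesPath)
+return fmt.Errorf("failed to load PF rules: %v", err)
 }
 
 // Enable PF if not already enabled
@@ -307,7 +302,7 @@ anchor "%s"
 
 // Verify that rules were loaded correctly
 cmd = exec.Command("pfctl", "-a", pfAnchorName, "-s", "rules")
-output, err = cmd.Output()
+output, err := cmd.Output()
 if err == nil && len(output) > 0 {
 // Rules loaded successfully
 return nil
@@ -333,4 +328,4 @@ func (m *MacOSNetJail) cleanupTempFiles() {
 if m.mainRulesPath != "" {
 os.Remove(m.mainRulesPath)
 }
-}
+}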
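Review bot: The switch from `cmd.CombinedOutput()` to `err = cmd.Run()` in the setupPFRules hunk drops pfctl's stderr, so a syntax error in the generated rules file now surfaces only as `exit status 1` in both the log line and the returned error. A failed load here means the packet-filter rules that enforce the jail are not in place, so operators need the pfctl diagnostic to see why; capturing stderr into a buffer keeps the cleanup (no rules-content dump) while preserving that one useful piece, and switching `%v` to `%w` would let callers inspect the underlying `*exec.ExitError`. The sketch below assumes `bytes` is imported, which the hunk does not show. setupPFRules starts and ends outside the hunk.

```go
// … unchanged: earlier part of setupPFRules …
cmd := exec.Command("pfctl", "-a", pfAnchorName, "-f", m.pfRulesPath)
var stderr bytes.Buffer
cmd.Stderr = &stderr
err = cmd.Run()
if err != nil {
	m.logger.Error("Failed to load PF rules", "error", err, "stderr", stderr.String(), "rules_file", m.pfRulesPath)
	return fmt.Errorf("failed to load PF rules: %w: %s", err, stderr.String())
}
// … unchanged: enable PF and verify loaded rules …
```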
