Commit fresh-releases/upstream - slirp4netns

+36

-14

.github/workflows/main.yaml less more

1	1	on: [push, pull_request]
2	2	jobs:
3	3	test-main:
4		runs-on: ubuntu-latest
	4	runs-on: ubuntu-20.04
5	5	strategy:
6	6	matrix:
7		libslirp_commit: [master, v4.3.0, v4.2.0, v4.1.0]
	7	libslirp_commit: [master, v4.7.0, v4.6.1, v4.1.0]
8	8	steps:
9		- uses: actions/checkout@v1
	9	- uses: actions/checkout@v2
10	10	- run: docker build -t slirp4netns-tests --build-arg LIBSLIRP_COMMIT -f Dockerfile.tests .
11	11	env:
12	12	LIBSLIRP_COMMIT: ${{ matrix.libslirp_commit }}
13	13	- run: docker run --rm --privileged slirp4netns-tests
14	14	test-build:
15		runs-on: ubuntu-latest
	15	runs-on: ubuntu-20.04
16	16	steps:
17		- uses: actions/checkout@v1
	17	- uses: actions/checkout@v2
18	18	- run: DOCKER_BUILDKIT=1 docker build -f Dockerfile.buildtests .
19		artifact:
20		runs-on: ubuntu-latest
	19	test-centos7:
	20	# vagrant is not installed on macOS 11 instances
	21	runs-on: macos-10.15
	22	env:
	23	LIBSECCOMP_COMMIT: v2.3.3
	24	LIBSLIRP_COMMIT: v4.1.0
	25	BENCHMARK_IPERF3_DURATION: 3
21	26	steps:
22		- uses: actions/checkout@v1
23		- run: DOCKER_BUILDKIT=1 docker build -o /tmp/artifact --target artifact -f Dockerfile.buildtests .
24		- run: (cd /tmp/artifact; sha256sum *)
25		- uses: actions/upload-artifact@v1
26		with:
27		name: slirp4netns-x86_64
28		path: /tmp/artifact/slirp4netns
	27	- uses: actions/checkout@v2
	28	- name: Setup CentOS 7 VM
	29	run: \|
	30	vagrant up --provision --no-tty
	31	cat > ./run-vagrant-tests <<'EOF'
	32	exec vagrant ssh --no-tty -c "
	33	export LIBSECCOMP_COMMIT=\"${LIBSECCOMP_COMMIT}\"
	34	export LIBSLIRP_COMMIT=\"${LIBSLIRP_COMMIT}\"
	35	export BENCHMARK_IPERF3_DURATION=\"${BENCHMARK_IPERF3_DURATION}\"
	36	/src/build-and-test
	37	"
	38	EOF
	39	- name: Build and test with Debian 10's version of libseccomp
	40	run: sh ./run-vagrant-tests
	41	- name: Build and test with Ubuntu 20.04's versions of libseccomp/libslirp
	42	run: sh ./run-vagrant-tests
	43	env:
	44	LIBSECCOMP_COMMIT: v2.4.3
	45	LIBSLIRP_COMMIT: v4.1.0
	46	- name: Build and test with recent versions of libseccomp/libslirp
	47	run: sh ./run-vagrant-tests
	48	env:
	49	LIBSECCOMP_COMMIT: v2.5.4
	50	LIBSLIRP_COMMIT: v4.7.0

+53

-20

.github/workflows/release.yaml less more

0	0	name: Release
1	1	on:
2	2	push:
3		tags:
4		- 'v*'
	3	pull_request:
5	4
6	5	jobs:
7	6	release:
8		runs-on: ubuntu-latest
	7	runs-on: ubuntu-20.04
9	8	steps:
10		- uses: actions/checkout@v1
11		- run: DOCKER_BUILDKIT=1 docker build -o /tmp/artifact --target artifact -f Dockerfile.buildtests .
12		- run: (cd /tmp/artifact; sha256sum *)
13		- uses: actions/create-release@v1
14		id: create_release
	9	- uses: actions/checkout@v3
	10	- uses: docker/setup-buildx-action@v1
	11	- name: "Build binaries from Dockerfile.artifact"
	12	run: docker buildx build -o /tmp --platform=amd64,arm64,arm,s390x,ppc64le,riscv64 -f Dockerfile.artifact .
	13	- name: "Create /tmp/artifact"
	14	run: \|
	15	mkdir -p /tmp/artifact
	16	mv /tmp/linux_amd64/slirp4netns /tmp/artifact/slirp4netns-x86_64
	17	mv /tmp/linux_arm64/slirp4netns /tmp/artifact/slirp4netns-aarch64
	18	mv /tmp/linux_arm_v7/slirp4netns /tmp/artifact/slirp4netns-armv7l
	19	mv /tmp/linux_s390x/slirp4netns /tmp/artifact/slirp4netns-s390x
	20	mv /tmp/linux_ppc64le/slirp4netns /tmp/artifact/slirp4netns-ppc64le
	21	mv /tmp/linux_riscv64/slirp4netns /tmp/artifact/slirp4netns-riscv64
	22	- name: "SHA256SUMS"
	23	run: (cd /tmp/artifact; sha256sum *) \| tee /tmp/SHA256SUMS
	24	- name: "The sha256sum of the SHA256SUMS file"
	25	run: sha256sum /tmp/SHA256SUMS
	26	- name: "Prepare the release note"
	27	run: \|
	28	tag="${GITHUB_REF##*/}"
	29	shasha=$(sha256sum /tmp/SHA256SUMS \| awk '{print $1}')
	30	libslirp_version=$(/tmp/artifact/slirp4netns-x86_64 -v \| grep -oP '^libslirp: \K\S*')
	31	libseccomp_version=$(/tmp/artifact/slirp4netns-x86_64 -v \| grep -oP '^libseccomp: \K\S*')
	32	ubuntu_version=$(grep -oP '^ARG UBUNTU_VERSION=\K\S*' Dockerfile.artifact)
	33	cat << EOF \| tee /tmp/release-note.txt
	34	${tag}
	35
	36	#### Changes
	37	(To be documented)
	38
	39	#### Install
	40	\`\`\`
	41	curl -o slirp4netns --fail -L https://github.com/${{ github.repository }}/releases/download/${tag}/slirp4netns-\$(uname -m)
	42	chmod +x slirp4netns
	43	\`\`\`
	44
	45	#### About the binaries
	46	The binaries are statically linked with libslirp ${libslirp_version} and libseccomp ${libseccomp_version} using Ubuntu ${ubuntu_version}.
	47
	48	The binaries were built automatically on GitHub Actions.
	49	The build log is available for 90 days: https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}
	50
	51	The sha256sum of the SHA256SUMS file itself is \`${shasha}\` .
	52	EOF
	53	- name: "Create release"
	54	if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags/v')
15	55	env:
16	56	GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
17		with:
18		tag_name: ${{ github.ref }}
19		release_name: ${{ github.ref }}
20		draft: true
21		- uses: actions/upload-release-asset@v1.0.1
22		env:
23		GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
24		with:
25		upload_url: ${{ steps.create_release.outputs.upload_url }}
26		asset_path: /tmp/artifact/slirp4netns
27		asset_name: slirp4netns-x86_64
28		asset_content_type: application/octet-stream
	57	run: \|
	58	tag="${GITHUB_REF##*/}"
	59	asset_flags=()
	60	for f in /tmp/artifact/* /tmp/SHA256SUMS; do asset_flags+=("-a" "$f"); done
	61	hub release create "${asset_flags[@]}" -F /tmp/release-note.txt --draft "${tag}"

+2

-1

.gitignore less more

8	8	config.h
9	9	config.status
10	10	INSTALL
	11	/.vagrant
11	12
12	13	################################################################################
13	14	# https://github.com/github/gitignore/blob/c24cdc2175d7514d504d7f060a5d69675c8a9b50/Autotools.gitignore

56	57	m4/ltoptions.m4
57	58	m4/ltsugar.m4
58	59	m4/ltversion.m4
59		m4/lt~obsolete.m4⏎
	60	m4/lt~obsolete.m4

+33

-0

Dockerfile.artifact less more

	0	ARG LIBSLIRP_COMMIT=v4.7.0
	1	ARG UBUNTU_VERSION=22.04
	2	ARG XX_VERSION=1.1.0
	3
	4	FROM --platform=$BUILDPLATFORM tonistiigi/xx:${XX_VERSION} AS xx
	5
	6	FROM --platform=$BUILDPLATFORM ubuntu:${UBUNTU_VERSION} AS build-libslirp
	7	ENV DEBIAN_FRONTEND=noninteractive
	8	RUN apt-get update && apt-get install -y apt-utils automake autotools-dev make git ninja-build meson
	9	RUN git clone https://git.qemu.org/libslirp.git /libslirp
	10	WORKDIR /libslirp
	11	ARG LIBSLIRP_COMMIT
	12	RUN git pull && git checkout ${LIBSLIRP_COMMIT}
	13	COPY --from=xx / /
	14	ARG TARGETPLATFORM
	15	RUN xx-apt-get install -y gcc libglib2.0-dev libcap-dev libseccomp-dev
	16	COPY Dockerfile.artifact.d/meson-cross /meson-cross
	17	RUN meson_setup_flags="--default-library=both" ; \
	18	if xx-info is-cross; then meson_setup_flags="${meson_setup_flags} --cross-file=/meson-cross/$(xx-info) -Dprefix=/usr/local/$(xx-info)"; fi ; \
	19	meson setup ${meson_setup_flags} build && ninja -C build install
	20
	21	FROM build-libslirp AS build
	22	COPY . /src
	23	WORKDIR /src
	24	RUN ./autogen.sh && \
	25	./configure LDFLAGS="-static" --host=$(xx-info) && \
	26	make && \
	27	$(xx-info)-strip slirp4netns && \
	28	xx-verify --static slirp4netns && \
	29	cp -a slirp4netns /
	30
	31	FROM scratch
	32	COPY --from=build /slirp4netns /slirp4netns

+12

-0

Dockerfile.artifact.d/meson-cross/aarch64-linux-gnu less more

	0	[binaries]
	1	c = 'aarch64-linux-gnu-gcc'
	2	cpp = 'aarch64-linux-gnu-g++'
	3	ar = 'aarch64-linux-gnu-gcc-ar'
	4	strip = 'aarch64-linux-gnu-strip'
	5	pkgconfig = 'aarch64-linux-gnu-pkg-config'
	6
	7	[host_machine]
	8	system = 'linux'
	9	cpu_family = 'aarch64'
	10	cpu = 'aarch64'
	11	endian = 'little'

+12

-0

Dockerfile.artifact.d/meson-cross/arm-linux-gnueabihf less more

	0	[binaries]
	1	c = 'arm-linux-gnueabihf-gcc'
	2	cpp = 'arm-linux-gnueabihf-g++'
	3	ar = 'arm-linux-gnueabihf-gcc-ar'
	4	strip = 'arm-linux-gnueabihf-strip'
	5	pkgconfig = 'arm-linux-gnueabihf-pkg-config'
	6
	7	[host_machine]
	8	system = 'linux'
	9	cpu_family = 'arm'
	10	cpu = 'armhf'
	11	endian = 'little'

+12

-0

Dockerfile.artifact.d/meson-cross/powerpc64le-linux-gnu less more

	0	[binaries]
	1	c = 'powerpc64le-linux-gnu-gcc'
	2	cpp = 'powerpc64le-linux-gnu-g++'
	3	ar = 'powerpc64le-linux-gnu-gcc-ar'
	4	strip = 'powerpc64le-linux-gnu-strip'
	5	pkgconfig = 'powerpc64le-linux-gnu-pkg-config'
	6
	7	[host_machine]
	8	system = 'linux'
	9	cpu_family = 'ppc64'
	10	cpu = 'powerpc64le'
	11	endian = 'little'

+12

-0

Dockerfile.artifact.d/meson-cross/riscv64-linux-gnu less more

	0	[binaries]
	1	c = 'riscv64-linux-gnu-gcc'
	2	cpp = 'riscv64-linux-gnu-g++'
	3	ar = 'riscv64-linux-gnu-gcc-ar'
	4	strip = 'riscv64-linux-gnu-strip'
	5	pkgconfig = 'riscv64-linux-gnu-pkg-config'
	6
	7	[host_machine]
	8	system = 'linux'
	9	cpu_family = 'riscv64'
	10	cpu = 'riscv64'
	11	endian = 'little'

+12

-0

Dockerfile.artifact.d/meson-cross/s390x-linux-gnu less more

	0	[binaries]
	1	c = 's390x-linux-gnu-gcc'
	2	cpp = 's390x-linux-gnu-g++'
	3	ar = 's390x-linux-gnu-gcc-ar'
	4	strip = 's390x-linux-gnu-strip'
	5	pkgconfig = 's390x-linux-gnu-pkg-config'
	6
	7	[host_machine]
	8	system = 'linux'
	9	cpu_family = 's390x'
	10	cpu = 's390x'
	11	endian = 'big'

+12

-0

Dockerfile.artifact.d/meson-cross/x86_64-linux-gnu less more

	0	[binaries]
	1	c = 'x86_64-linux-gnu-gcc'
	2	cpp = 'x86_64-linux-gnu-g++'
	3	ar = 'x86_64-linux-gnu-gcc-ar'
	4	strip = 'x86_64-linux-gnu-strip'
	5	pkgconfig = 'x86_64-linux-gnu-pkg-config'
	6
	7	[host_machine]
	8	system = 'linux'
	9	cpu_family = 'x86_64'
	10	cpu = 'x86_64'
	11	endian = 'little'

+8

-32

Dockerfile.buildtests less more

0		ARG LIBSLIRP_COMMIT=v4.3.0
	0	ARG LIBSLIRP_COMMIT=v4.7.0
1	1
2	2	# Alpine
3	3	FROM alpine:3 AS buildtest-alpine3-static
4		RUN apk add --no-cache git build-base autoconf automake libtool linux-headers glib-dev glib-static libcap-static libcap-dev libseccomp-dev git meson
5		RUN git clone https://gitlab.freedesktop.org/slirp/libslirp.git /libslirp
	4	RUN apk add --no-cache git build-base autoconf automake libtool linux-headers glib-dev glib-static libcap-static libcap-dev libseccomp-dev libseccomp-static git meson
	5	RUN git clone git://git.qemu.org/libslirp.git /libslirp
6	6	WORKDIR /libslirp
7	7	ARG LIBSLIRP_COMMIT
8	8	RUN git pull && git checkout ${LIBSLIRP_COMMIT} && meson setup --default-library=both build && ninja -C build install

12	12
13	13	# Ubuntu
14	14	FROM ubuntu:18.04 AS buildtest-ubuntu1804-common
	15	ENV DEBIAN_FRONTEND=noninteractive
15	16	RUN apt update && apt install -y automake autotools-dev make gcc libglib2.0-dev libcap-dev libseccomp-dev git ninja-build python3-pip
16	17	RUN pip3 install meson
17		RUN git clone https://gitlab.freedesktop.org/slirp/libslirp.git /libslirp
	18	RUN git clone git://git.qemu.org/libslirp.git /libslirp
18	19	WORKDIR /libslirp
19	20	ARG LIBSLIRP_COMMIT
20	21	RUN git pull && git checkout ${LIBSLIRP_COMMIT} && meson setup build && ninja -C build install

25	26	FROM buildtest-ubuntu1804-common AS buildtest-ubuntu1804-dynamic
26	27	RUN ./configure && make && cp -f slirp4netns /
27	28
28		# CentOS
29		FROM centos:7 AS buildtest-centos7-common
30		RUN yum install -y epel-release
31		RUN yum install -y autoconf automake gcc glib2-devel git make libcap-devel libseccomp-devel ninja-build python3-pip
32		RUN pip3 install meson
33		RUN git clone https://gitlab.freedesktop.org/slirp/libslirp.git /libslirp
34		WORKDIR /libslirp
35		ARG LIBSLIRP_COMMIT
36		RUN git pull && git checkout ${LIBSLIRP_COMMIT} && meson setup --default-library=both --prefix=/usr build && ninja-build -C build install
37		COPY . /src
38		WORKDIR /src
39		RUN ./autogen.sh
40
41		FROM buildtest-centos7-common AS buildtest-centos7-dynamic
42		RUN ./configure && make && cp -f slirp4netns /
43
44		FROM buildtest-centos7-common AS buildtest-centos7-static
45		RUN yum install -y glibc-static glib2-static
46		RUN yum-config-manager --add-repo=https://buildlogs.centos.org/centos/7/virt/x86_64/container && \
47		yum install --nogpgcheck -y libseccomp-static
48		RUN ./configure LDFLAGS="-static" && make && cp -f slirp4netns /
	29	# CentOS 7 is no longer tested in this file.
	30	# See Vagrantfile for CentOS 7 tests.
49	31
50	32	# openSUSE (dynamic only)
51	33	FROM opensuse/leap:15 AS buildtest-opensuse15-common
52	34	RUN zypper install -y --no-recommends autoconf automake gcc glib2-devel git make libcap-devel libseccomp-devel ninja python3-pip
53	35	RUN pip3 install meson
54		RUN git clone https://gitlab.freedesktop.org/slirp/libslirp.git /libslirp
	36	RUN git clone git://git.qemu.org/libslirp.git /libslirp
55	37	WORKDIR /libslirp
56	38	ARG LIBSLIRP_COMMIT
57	39	RUN git pull && git checkout ${LIBSLIRP_COMMIT} && meson setup --default-library=both build && ninja -C build install

62	44	FROM buildtest-opensuse15-common AS buildtest-opensuse15-dynamic
63	45	RUN ./configure && make && cp -f slirp4netns /
64	46
65		# artifact for GitHub actions
66		FROM scratch AS artifact
67		COPY --from=buildtest-centos7-static /slirp4netns /slirp4netns
68
69	47	FROM scratch AS buildtest-final-stage
70	48	COPY --from=buildtest-alpine3-static /slirp4netns /buildtest-alpine3-static
71	49	COPY --from=buildtest-ubuntu1804-dynamic /slirp4netns /buildtest-ubuntu1804-dynamic
72		COPY --from=buildtest-centos7-dynamic /slirp4netns /buildtest-centos7-dynamic
73		COPY --from=buildtest-centos7-static /slirp4netns /buildtest-centos7-static
74	50	COPY --from=buildtest-opensuse15-dynamic /slirp4netns /buildtest-opensuse15-dynamic

+5

-4

Dockerfile.tests less more

0		ARG LIBSLIRP_COMMIT=v4.3.0
	0	ARG LIBSLIRP_COMMIT=v4.7.0
1	1
2		FROM ubuntu:18.04 AS build
	2	FROM ubuntu:22.04 AS build
	3	ENV DEBIAN_FRONTEND=noninteractive
3	4	RUN apt update && apt install -y automake autotools-dev make gcc libglib2.0-dev libcap-dev libseccomp-dev git ninja-build python3-pip
4	5	RUN pip3 install meson
5		RUN git clone https://gitlab.freedesktop.org/slirp/libslirp.git /libslirp
	6	RUN git clone git://git.qemu.org/libslirp.git /libslirp
6	7	WORKDIR /libslirp
7	8	ARG LIBSLIRP_COMMIT
8	9	RUN git pull && git checkout ${LIBSLIRP_COMMIT} && meson setup build && ninja -C build install

14	15
15	16	FROM build AS test
16	17	USER 0
17		RUN apt update && apt install -y git libtool iproute2 clang clang-format clang-tidy iputils-ping iperf3 nmap jq
	18	RUN apt update && apt install -y git libtool iproute2 clang clang-format clang-tidy iputils-ping iperf3 ncat jq udhcpc
18	19	USER 1000:1000
19	20	CMD ["make", "ci"]

+13

-10

MAINTAINERS less more

7	7	# An approver may approve PRs and ship releases without waiting for LGTMs from other approvers.
8	8	# However, the approver should try to get LGTMs from other approvers for significant changes.
9	9	#
10		# Release guide (since v0.4.3):
11		# 1. Bump up the version string to `vX.Y.Z` (or `vX.Y.Z-beta.W`) in `configure.ac`.
12		# 2. `git commit -a -s -m vX.Y.Z`
13		# 3. Bump up the version string to `vX.Y.Z+dev` (or `vX.Y.Z-beta.W`+dev) in `configure.ac`.
14		# 4. `git commit -a -s -m vX.Y.Z+dev`
15		# 5. Open a PR and merge it.
16		# 6. Create a tag `v.X.Y.Z` for the `vX.Y.Z` commit, and push the tag to the upstream: `git push upstream vX.Y.Z`
17		# 7. GitHub Actions automatically ships a draft release with a statically compiled binary: https://github.com/rootless-containers/slirp4netns/releases
18		# If it fails, check the GitHub Actions log: https://github.com/rootless-containers/slirp4netns/actions?query=workflow%3ARelease
19		# 8. Add release notes to the draft release and ship the release.
	10	# Release guide (since v1.1.1):
	11	# 1. Bump up the version string in `configure.ac` to `vX.Y.Z` (or `vX.Y.Z-beta.W`)
	12	# 2. `git commit -a -s -m vX.Y.Z`
	13	# 3. Bump up the version string to `vX.Y.Z+dev` (or `vX.Y.Z-beta.W+dev`)
	14	# 4. `git commit -a -s -m vX.Y.Z+dev`
	15	# 5. Open a PR and merge it.
	16	# 6. Create a tag `v.X.Y.Z` for the `vX.Y.Z` commit, with a GPG sign: `git tag -s vX.Y.Z <commit>`
	17	# 7. Push the tag to the upstream: `git push upstream vX.Y.Z`
	18	# 8. GitHub Actions automatically ships a draft release with statically compiled binaries `slirp4netns-$(uname -m)` and `SHA256SUMS`: https://github.com/rootless-containers/slirp4netns/releases
	19	# If it fails, check the GitHub Actions log: https://github.com/rootless-containers/slirp4netns/actions?query=workflow%3ARelease
	20	# 9. Sign `SHA256SUMS`: `gpg --detach-sign -a SHA256SUMS`
	21	# This command will create `SHA256SUMS.asc`. Make sure to use the same GPG key used for `git tag -s vX.Y.Z <commit>`.
	22	# 10. Attach `SHA256SUMS.asc` and add release note texts to the draft release, and ship the release.
20	23	[Org.Approvers]
21	24	people = [
22	25	"akihirosuda",

+22

-7

Makefile.am less more

4	4	noinst_LIBRARIES = libparson.a
5	5
6	6	AM_TESTS_ENVIRONMENT = PATH="$(abs_top_builddir):$(PATH)"
7		TESTS = tests/test-slirp4netns.sh tests/test-slirp4netns-configure.sh tests/test-slirp4netns-exit-fd.sh tests/test-slirp4netns-ready-fd.sh tests/test-slirp4netns-api-socket.sh tests/test-slirp4netns-disable-host-loopback.sh tests/test-slirp4netns-cidr.sh
	7	TESTS = tests/test-slirp4netns-api-socket.sh \
	8	tests/test-slirp4netns-cidr.sh \
	9	tests/test-slirp4netns-configure.sh \
	10	tests/test-slirp4netns-dhcp.sh \
	11	tests/test-slirp4netns-disable-dns.sh \
	12	tests/test-slirp4netns-disable-host-loopback.sh \
	13	tests/test-slirp4netns-exit-fd.sh \
	14	tests/test-slirp4netns-macaddress.sh \
	15	tests/test-slirp4netns-nspath.sh \
	16	tests/test-slirp4netns-outbound-addr.sh \
	17	tests/test-slirp4netns-ready-fd.sh \
	18	tests/test-slirp4netns-sandbox.sh \
	19	tests/test-slirp4netns-sandbox-no-unmount.sh \
	20	tests/test-slirp4netns-seccomp.sh
8	21
9	22	EXTRA_DIST = \
10	23	slirp4netns.1.md \

14	27	slirp4netns.h \
15	28	api.h \
16	29	sandbox.h \
	30	seccomparch.h \
17	31	seccompfilter.h \
18		tests/slirp4netns-no-unmount.sh \
	32	seccompfilter_rules.h \
19	33	vendor/parson/LICENSE \
20	34	vendor/parson/README.md \
21	35	vendor/parson/parson.h
22	36
23	37	# define specific commit if git available or it was replaced during git-archive creation
24		COMMIT := $(shell V=6a7b16babc95b6a3056b33fb45b74a6f62262dd4 ; \
	38	COMMIT := $(shell V=656041d45cfca7a4176f6b7eed9e4fe6c11e8383 ; \
25	39	expr match "$$V" ormat: >/dev/null \
26	40	&& (cd "$$abs_srcdir" && [ -d .git ] && git describe --always --abbrev=0 --dirty --exclude=\* \|\| echo unknown) \
27	41	\|\| echo "$$V" )

38	52	generate-man:
39	53	go-md2man -in slirp4netns.1.md -out slirp4netns.1
40	54
41		CLANGTIDY = clang-tidy -warnings-as-errors='*'
	55	# clang-analyzer-security.insecureAPI.DeprecatedOrUnsafeBufferHandling is disabled because too nitpicky: https://github.com/rootless-containers/slirp4netns/issues/216
	56	CLANGTIDY = clang-tidy -warnings-as-errors='*' --checks='-clang-analyzer-security.insecureAPI.DeprecatedOrUnsafeBufferHandling'
42	57
43	58	CLANGFORMAT = clang-format
44	59

52	67	$(CLANGFORMAT) -i $(slirp4netns_SOURCES)
53	68
54	69	benchmark:
55		benchmarks/benchmark-iperf3.sh
56		benchmarks/benchmark-iperf3-reverse.sh
	70	"$(abs_srcdir)/benchmarks/benchmark-iperf3.sh"
	71	"$(abs_srcdir)/benchmarks/benchmark-iperf3-reverse.sh"
57	72
58	73	ci:
59	74	$(MAKE) indent
60		git diff --exit-code
	75	git -C "$(abs_srcdir)" diff --exit-code
61	76	# TODO: make sure ./vendor is synced with ./vendor.sh
62	77	$(MAKE) lint
63	78	$(MAKE) -j $(shell nproc) distcheck \|\| ( find . -name test-suite.log \| xargs cat; exit 1 )

+148

-132

README.md less more

0	0	# slirp4netns: User-mode networking for unprivileged network namespaces
1	1
2	2	slirp4netns provides user-mode networking ("slirp") for unprivileged network namespaces.
	3
	4	<!-- START doctoc generated TOC please keep comment here to allow auto update -->
	5	<!-- DON'T EDIT THIS SECTION, INSTEAD RE-RUN doctoc TO UPDATE -->
	6
	7
	8	- [Motivation](#motivation)
	9	- [Projects using slirp4netns](#projects-using-slirp4netns)
	10	- [Maintenance policy](#maintenance-policy)
	11	- [Quick start](#quick-start)
	12	- [Install](#install)
	13	- [Usage](#usage)
	14	- [Manual](#manual)
	15	- [Benchmarks](#benchmarks)
	16	- [iperf3 (netns -> host)](#iperf3-netns---host)
	17	- [Install from source](#install-from-source)
	18	- [Acknowledgement](#acknowledgement)
	19	- [License](#license)
	20
	21	<!-- END doctoc generated TOC please keep comment here to allow auto update -->
3	22
4	23	## Motivation
5	24
6	25	Starting with Linux 3.8, unprivileged users can create [`network_namespaces(7)`](http://man7.org/linux/man-pages/man7/network_namespaces.7.html) along with [`user_namespaces(7)`](http://man7.org/linux/man-pages/man7/user_namespaces.7.html).
7	26	However, unprivileged network namespaces had not been very useful, because creating [`veth(4)`](http://man7.org/linux/man-pages/man4/veth.4.html) pairs across the host and network namespaces still requires the root privileges. (i.e. No internet connection)
8	27
9		slirp4netns allows connecting a network namespace to the Internet in a completely unprivileged way, by connecting a TAP device in a network namespace to the usermode TCP/IP stack ("slirp").
	28	slirp4netns allows connecting a network namespace to the Internet in a completely unprivileged way, by connecting a TAP device in a network namespace to the usermode TCP/IP stack (["slirp"](https://gitlab.freedesktop.org/slirp/libslirp)).
10	29
11	30	## Projects using slirp4netns
12	31

19	38	* [Buildah](https://github.com/containers/buildah)
20	39	* [ctnr](https://github.com/mgoltzsche/ctnr) (via slirp-cni-plugin)
21	40	* [Docker & Moby](https://get.docker.com/rootless) (optionally, via RootlessKit)
	41	* [containerd/nerdctl](https://github.com/containerd/nerdctl) (optionally, via RootlessKit)
22	42
23	43	Tools:
24	44	* [RootlessKit](https://github.com/rootless-containers/rootlesskit)

29	49
30	50	Version \| Status
31	51	-------------------------------\|------------------------------------------------------------------------
32		v1.0.x \| :white_check_mark: Active
33		v0.4.x \| :white_check_mark: Active (EOL: Sep 30, 2020)
34		v0.3.x \| :warning: End of Life (Mar 31, 2020)
35		v0.2.x \| :warning: End of Life (Aug 30, 2019)
36		Early versions prior to v0.2.x \| :warning: End of Life (Jan 5, 2019)
	52	v1.2.x \| :white_check_mark: Active
	53	v1.1.x \| End of Life (May 2, 2022)
	54	v1.0.x \| End of Life (Jun 2, 2020)
	55	v0.4.x \| End of Life (Sep 30, 2020)
	56	v0.3.x \| End of Life (Mar 31, 2020)
	57	v0.2.x \| End of Life (Aug 30, 2019)
	58	Early versions prior to v0.2.x \| End of Life (Jan 5, 2019)
37	59
38	60	See https://github.com/rootless-containers/slirp4netns/releases for the releases.
39	61
	62	### Security advisories
40	63	See https://github.com/rootless-containers/slirp4netns/security/advisories for the past security advisories.
41	64
	65	:warning: We had been collecting [the vulnerabilities of QEMU/libslirp](https://www.cvedetails.com/product/57329/Libslirp-Project-Libslirp.html?vendor_id=20192) in this slirp4netns repo until the end of 2020,
	66	as the slirp4netns releases prior to v1.0.0 were always statically linked with a specific version of QEMU/libslirp.
	67	Starting with 2021, the vulnerabilities of libslirp are no longer collected in this slirp4netns repo, as slirp4netns >= v1.0.0 can be linked with an arbitrary version of libslirp.
	68
	69	<details>
	70	<summary> Run <code>slirp4netns --version</code> to check the version of the linked libslirp. </summary>
	71
	72	<p>
	73
	74	```console
	75	$ slirp4netns --version
	76	slirp4netns version 1.1.8
	77	commit: d361001f495417b880f20329121e3aa431a8f90f
	78	libslirp: 4.4.0
	79	SLIRP_CONFIG_VERSION_MAX: 3
	80	libseccomp: 2.4.3
	81	```
	82
	83	</p>
	84
	85	</details>
	86
42	87	## Quick start
43	88
44		### Install from source
45
46		Build dependencies:
47		* `glib2-devel` (`libglib2.0-dev`)
48		* `libslirp-devel` >= 4.1 (`libslirp-dev`)
49		* `libcap-devel` (`libcap-dev`)
50		* `libseccomp-devel` (`libseccomp-dev`)
51
52		Install steps:
53
54		```console
55		$ ./autogen.sh
56		$ ./configure --prefix=/usr
57		$ make
58		$ sudo make install
59		```
60
61		* To build `slirp4netns` as a static binary, please run `./configure` with `LDFLAGS=-static`.
62		* If you set `--prefix` to `$HOME`, you don't need to run `make install` with `sudo`.
63
64		### Install from binary
65
66		#### RHEL 8 & [Fedora (28 or later)](https://src.fedoraproject.org/rpms/slirp4netns):
67
68		```console
69		$ sudo dnf install slirp4netns
70		```
71
72		#### RHEL/CentOS 7.7
73
74		```console
75		$ sudo yum install slirp4netns
76		```
77
78		#### [RHEL/CentOS 7.6](https://copr.fedorainfracloud.org/coprs/vbatts/shadow-utils-newxidmap/)
79
80		```console
81		$ sudo curl -o /etc/yum.repos.d/vbatts-shadow-utils-newxidmap-epel-7.repo https://copr.fedorainfracloud.org/coprs/vbatts/shadow-utils-newxidmap/repo/epel-7/vbatts-shadow-utils-newxidmap-epel-7.repo
82		$ sudo yum install slirp4netns
83		```
84
85		You might need to enable user namespaces manually:
86		```console
87		$ sudo sh -c 'echo "user.max_user_namespaces=28633" > /etc/sysctl.d/userns.conf'
88		$ sudo sysctl -p /etc/sysctl.d/userns.conf
89		```
90
91		#### [Arch Linux](https://www.archlinux.org/packages/community/x86_64/slirp4netns/):
92
93		```console
94		$ sudo pacman -S slirp4netns
95		```
96
97		You might need to enable user namespaces manually:
98		```console
99		$ sudo sh -c "echo 1 > /proc/sys/kernel/unprivileged_userns_clone"
100		```
101
102		#### [openSUSE Tumbleweed](https://build.opensuse.org/package/show/openSUSE%3AFactory/slirp4netns)
103
104		```console
105		$ sudo zypper install slirp4netns
106		```
107
108		#### [openSUSE Leap 15.0](https://build.opensuse.org/package/show/devel%3Akubic/slirp4netns)
109
110		```console
111		$ sudo zypper addrepo --refresh http://download.opensuse.org/repositories/devel:/kubic/openSUSE_Leap_15.0/devel:kubic.repo
112		$ sudo zypper install slirp4netns
113		```
114
115		#### [SUSE Linux Enterprise 15](https://build.opensuse.org/package/show/devel%3Akubic/slirp4netns)
116
117		```console
118		$ sudo zypper addrepo --refresh http://download.opensuse.org/repositories/devel:/kubic/SLE_15/devel:kubic.repo
119		$ sudo zypper install slirp4netns
120		```
121
122		#### [Debian GNU/Linux (10 or later)](https://packages.debian.org/buster/slirp4netns) & [Ubuntu (19.04 or later)](https://packages.ubuntu.com/disco/slirp4netns)
123
124		```console
125		$ sudo apt install slirp4netns
126		```
127
128		#### [NixOS](https://github.com/NixOS/nixpkgs/tree/master/pkgs/tools/networking/slirp4netns)
129
130		```console
131		$ nix-env -i slirp4netns
132		```
133
134		#### [Gentoo Linux](https://packages.gentoo.org/packages/app-emulation/slirp4netns)
135
136		```console
137		$ sudo emerge app-emulation/slirp4netns
138		```
139
140		#### [Slackware](https://git.slackbuilds.org/slackbuilds/tree/network/slirp4netns)
141
142		```console
143		$ sudo sbopkg -i slirp4netns
144		```
145
146		#### [Void Linux](https://github.com/void-linux/void-packages/tree/master/srcpkgs/slirp4netns)
147
148		```console
149		$ sudo xbps-install slirp4netns
150		```
	89	### Install
	90
	91	Statically linked binaries available for x86\_64, aarch64, armv7l, s390x, ppc64le, and riscv64: https://github.com/rootless-containers/slirp4netns/releases
	92
	93	Also available as a package on almost all Linux distributions:
	94	* [RHEL/CentOS (since 7.7 and 8.0)](https://pkgs.org/search/?q=slirp4netns)
	95	* [Fedora (since 28)](https://src.fedoraproject.org/rpms/slirp4netns)
	96	* [Arch Linux](https://www.archlinux.org/packages/community/x86_64/slirp4netns/)
	97	* [openSUSE (since Leap 15.0)](https://build.opensuse.org/package/show/openSUSE%3AFactory/slirp4netns)
	98	* [SUSE Linux Enterprise (since 15)](https://build.opensuse.org/package/show/devel%3Akubic/slirp4netns)
	99	* [Debian GNU/Linux (since 10.0)](https://packages.debian.org/buster/slirp4netns)
	100	* [Ubuntu (since 19.04)](https://packages.ubuntu.com/search?keywords=slirp4netns)
	101	* [NixOS](https://github.com/NixOS/nixpkgs/tree/master/pkgs/tools/networking/slirp4netns)
	102	* [Gentoo Linux](https://packages.gentoo.org/packages/app-emulation/slirp4netns)
	103	* [Slackware](https://git.slackbuilds.org/slackbuilds/tree/network/slirp4netns)
	104	* [Void Linux](https://github.com/void-linux/void-packages/tree/master/srcpkgs/slirp4netns)
	105	* [Alpine Linux (since 3.14)](https://pkgs.alpinelinux.org/packages?name=slirp4netns)
	106
	107	e.g.
	108
	109	```console
	110	$ sudo apt-get install slirp4netns
	111	```
	112
	113	To install slirp4netns from the source, see [Install from source](#install-from-source).
151	114
152	115	### Usage
153	116
154		Terminal 1: Create user/network/mount namespaces
155		```console
156		$ unshare --user --map-root-user --net --mount
157		unshared$ echo $$ > /tmp/pid
158		```
159
160		Terminal 2: Start slirp4netns
161		```console
162		$ slirp4netns --configure --mtu=65520 --disable-host-loopback $(cat /tmp/pid) tap0
	117	Terminal 1: Create user/network/mount namespaces
	118
	119	```console
	120	(host)$ unshare --user --map-root-user --net --mount
	121	(namespace)$ echo $$ > /tmp/pid
	122	```
	123
	124	In this documentation, we use `(host)$` as the prompt of the host shell, `(namespace)$` as the prompt of the shell running in the namespaces.
	125
	126	If `unshare` fails, try the following commands (known to be needed on Debian, Arch, and old CentOS 7.X):
	127
	128	```console
	129	(host)$ sudo sh -c 'echo "user.max_user_namespaces=28633" >> /etc/sysctl.d/userns.conf'
	130	(host)$ [ -f /proc/sys/kernel/unprivileged_userns_clone ] && sudo sh -c 'echo "kernel.unprivileged_userns_clone=1" >> /etc/sysctl.d/userns.conf'
	131	(host)$ sudo sysctl --system
	132	```
	133
	134	Terminal 2: Start slirp4netns
	135
	136	```console
	137	(host)$ slirp4netns --configure --mtu=65520 --disable-host-loopback $(cat /tmp/pid) tap0
163	138	starting slirp, MTU=65520
164	139	...
165	140	```
166	141
167		Terminal 1: Make sure the `tap0` is configured and connected to the Internet
168		```console
169		unshared$ ip a
	142	Terminal 1: Make sure the `tap0` is configured and connected to the Internet
	143
	144	```console
	145	(namespace)$ ip a
170	146	1: lo: <LOOPBACK> mtu 65536 qdisc noop state DOWN group default qlen 1000
171	147	link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
172	148	3: tap0: <BROADCAST,UP,LOWER_UP> mtu 65520 qdisc fq_codel state UNKNOWN group default qlen 1000

175	151	valid_lft forever preferred_lft forever
176	152	inet6 fe80::c028:cff:fe0e:2906/64 scope link
177	153	valid_lft forever preferred_lft forever
178		unshared$ echo "nameserver 10.0.2.3" > /tmp/resolv.conf
179		unshared$ mount --bind /tmp/resolv.conf /etc/resolv.conf
180		unshared$ curl https://example.com
181		```
182
183		See [`slirp4netns.1.md`](slirp4netns.1.md) for further information.
	154	(namespace)$ echo "nameserver 10.0.2.3" > /tmp/resolv.conf
	155	(namespace)$ mount --bind /tmp/resolv.conf /etc/resolv.conf
	156	(namespace)$ curl https://example.com
	157	```
	158
	159	## Manual
	160
	161	Manual: [`slirp4netns.1.md`](slirp4netns.1.md)
	162
	163	* [Description](./slirp4netns.1.md#description)
	164	* [Options](./slirp4netns.1.md#options)
	165	* [Example](./slirp4netns.1.md#example)
	166	* [Routing ping packets](./slirp4netns.1.md#routing-ping-packets)
	167	* [API socket](./slirp4netns.1.md#api-socket)
	168	* [Defined namespace paths](./slirp4netns.1.md#defined-namespace-paths)
	169	* [Outbound addresses](./slirp4netns.1.md#outbound-addresses)
	170	* [Inter-namespace communication](./slirp4netns.1.md#inter-namespace-communication)
	171	* [Inter-host communication](./slirp4netns.1.md#inter-host-communication)
	172	* [Bugs](./slirp4netns.1.md#bugs)
184	173
185	174	## Benchmarks
186	175

196	185
197	186	slirp4netns is faster than [vde_plug](https://github.com/rd235/vdeplug_slirp) and [VPNKit](https://github.com/moby/vpnkit) because slirp4netns is optimized to avoid copying packets across the namespaces.
198	187
199		The latest revision of slirp4netns is regularly benchmarked (`make benchmark`) on Travis: https://travis-ci.org/rootless-containers/slirp4netns
	188	The latest revision of slirp4netns is regularly benchmarked (`make benchmark`) on [CI](https://github.com/rootless-containers/slirp4netns/actions?query=workflow%3AMain).
	189
	190	## Install from source
	191
	192	Build dependencies (`apt-get`):
	193
	194	```console
	195	$ sudo apt-get install libglib2.0-dev libslirp-dev libcap-dev libseccomp-dev
	196	```
	197
	198	Build dependencies (`dnf`):
	199
	200	```console
	201	$ sudo dnf install glib2-devel libslirp-devel libcap-devel libseccomp-devel
	202	```
	203
	204	Installation steps:
	205
	206	```console
	207	$ ./autogen.sh
	208	$ ./configure --prefix=/usr
	209	$ make
	210	$ sudo make install
	211	```
	212
	213	* [libslirp](https://gitlab.freedesktop.org/slirp/libslirp) needs to be v4.1.0 or later.
	214	* To build `slirp4netns` as a static binary, run `./configure` with `LDFLAGS=-static`.
	215	* If you set `--prefix` to `$HOME`, you don't need to run `make install` with `sudo`.
200	216
201	217	## Acknowledgement
202	218	See [`vendor/README.md`](./vendor/README.md).

+86

-0

Vagrantfile less more

	0	Vagrant.configure("2") do \|config\|
	1	require 'etc'
	2	config.vm.provider "virtualbox" do \|vbox\|
	3	vbox.cpus = [1, Etc.nprocessors].max
	4	# Change VirtualBox itself's slirp CIDR so that it doesn't conflict with slirp4netns
	5	vbox.customize ["modifyvm", :id, "--natnet1", "10.0.200.0/24"]
	6	end
	7	config.vm.box = "centos/7"
	8	config.vm.synced_folder ".", "/vagrant", disabled: true
	9	config.vm.synced_folder ".", "/src/slirp4netns", type: "rsync"
	10	config.vm.provision "shell",
	11	inline: <<~'SHELL'
	12	set -xeu
	13	sysctl user.max_user_namespaces=65536
	14
	15	yum install -y \
	16	epel-release \
	17	https://repo.ius.io/ius-release-el7.rpm
	18
	19	yum install -y \
	20	autoconf automake make gcc gperf libtool \
	21	git-core meson ninja-build \
	22	glib2-devel libcap-devel \
	23	git-core libtool iproute iputils iperf3 nmap jq
	24
	25	# TODO: install udhcpc (required by test-slirp4netns-dhcp.sh)
	26
	27	cd /src
	28	chown vagrant .
	29
	30	su vagrant -c '
	31	set -xeu
	32
	33	git clone --depth=1 --no-checkout https://github.com/seccomp/libseccomp
	34	git -C ./libseccomp fetch --tags --depth=1
	35
	36	git clone --depth=1 --no-checkout git://git.qemu.org/libslirp.git
	37	git -C ./libslirp fetch --tags --depth=1
	38
	39	touch ./build-and-test
	40	chmod a+x ./build-and-test
	41	'
	42
	43	cat > ./build-and-test <<'EOS'
	44	#! /bin/sh
	45	set -xeu
	46	src_dir='/src'
	47
	48	prefix="${PREFIX:-${HOME}/prefix}"
	49	build_root="${BUILD_ROOT:-${prefix}/build}"
	50	rm -rf "${prefix}" "${build_root}"
	51	mkdir -p "${build_root}"
	52
	53	export CFLAGS="-I${prefix}"
	54	export LDFLAGS="-L${prefix} -Wl,-rpath,${prefix}/lib"
	55	export PKG_CONFIG_PATH="${prefix}/lib/pkgconfig${PKG_CONFIG_PATH:+:${PKG_CONFIG_PATH}}"
	56
	57	git -C "${src_dir}/libseccomp" fetch --depth=1 origin "${LIBSECCOMP_COMMIT:-v2.4.3}"
	58	git -C "${src_dir}/libseccomp" checkout FETCH_HEAD
	59	( cd "${src_dir}/libseccomp" && ./autogen.sh )
	60	mkdir "${build_root}/libseccomp"
	61	pushd "${build_root}/libseccomp"
	62	"${src_dir}/libseccomp/configure" --prefix="${prefix}"
	63	make -j "$( nproc )" CFLAGS+="-I$( pwd )/include"
	64	make install
	65	popd
	66
	67	git -C "${src_dir}/libslirp" fetch --depth=1 origin "${LIBSLIRP_COMMIT:-v4.1.0}"
	68	git -C "${src_dir}/libslirp" checkout FETCH_HEAD
	69	mkdir "${build_root}/libslirp"
	70	pushd "${build_root}/libslirp"
	71	meson setup --prefix="${prefix}" --libdir=lib . "${src_dir}/libslirp"
	72	ninja -C . install
	73	popd
	74
	75	( cd "${src_dir}/slirp4netns" && ./autogen.sh )
	76	mkdir "${build_root}/slirp4netns"
	77	pushd "${build_root}/slirp4netns"
	78	"${src_dir}/slirp4netns/configure" --prefix="${prefix}"
	79	make -j "$( nproc )"
	80
	81	make ci 'CLANGTIDY=echo skipping:' 'CLANGFORMAT=echo skipping:'
	82	popd
	83	EOS
	84	SHELL
	85	end

+3

-4

api.c less more

93	93	static int api_handle_req_add_hostfwd(Slirp slirp, int fd, struct api_ctx ctx,
94	94	JSON_Object *jo)
95	95	{
96		int wrc = 0, slirprc = 0;
	96	int wrc = 0;
97	97	char idbuf[64];
98	98	const char *proto_s = json_object_dotget_string(jo, "arguments.proto");
99	99	const char *host_addr_s =

155	155	free(fwd);
156	156	goto finish;
157	157	}
158		if ((slirprc = slirp_add_hostfwd(slirp, fwd->is_udp, fwd->host_addr,
159		fwd->host_port, fwd->guest_addr,
160		fwd->guest_port)) < 0) {
	158	if (slirp_add_hostfwd(slirp, fwd->is_udp, fwd->host_addr, fwd->host_port,
	159	fwd->guest_addr, fwd->guest_port) < 0) {
161	160	const char *err = "{\"error\":{\"desc\":\"bad request: add_hostfwd: "
162	161	"slirp_add_hostfwd failed\"}}";
163	162	wrc = write(fd, err, strlen(err));

+1

-1

benchmarks/benchmark-iperf3-reverse.sh less more

29	29	}
30	30	trap cleanup EXIT
31	31
32		iperf3 -c 127.0.0.1 -p 15201 -t 60
	32	iperf3 -c 127.0.0.1 -p 15201 -t "${BENCHMARK_IPERF3_DURATION:-60}"

+1

-1

benchmarks/benchmark-iperf3.sh less more

22	22	}
23	23	trap cleanup EXIT
24	24
25		nsenter --preserve-credentials -U -n --target=$child iperf3 -c 10.0.2.2 -t 60
	25	nsenter --preserve-credentials -U -n --target=$child iperf3 -c 10.0.2.2 -t "${BENCHMARK_IPERF3_DURATION:-60}"

+4

-3

configure.ac less more

0	0	AC_PREREQ([2.69])
1		AC_INIT([slirp4netns], [1.0.1], [https://github.com/rootless-containers/slirp4netns/issues])
	1	AC_INIT([slirp4netns], [1.2.0], [https://github.com/rootless-containers/slirp4netns/issues])
2	2	AC_CONFIG_SRCDIR([main.c])
3	3	AC_CONFIG_HEADERS([config.h])
4	4
5	5	AC_PROG_CC
6	6	AC_PROG_RANLIB
7	7
8		AM_INIT_AUTOMAKE([1.9 foreign subdir-objects])
	8	AM_INIT_AUTOMAKE([1.11.2 foreign subdir-objects])
	9	AM_PROG_AR
9	10
10	11	AC_CHECK_HEADERS([arpa/inet.h fcntl.h netdb.h netinet/in.h stddef.h stdint.h stdlib.h string.h sys/ioctl.h sys/mount.h sys/socket.h sys/timeb.h unistd.h getopt.h])
11	12

28	29	AC_FUNC_FORK
29	30	AC_FUNC_MALLOC
30	31	AC_FUNC_REALLOC
31		AC_CHECK_FUNCS([atexit clock_gettime dup2 getopt_long inet_ntoa memmove memset mkdir regcomp rmdir socket strcasecmp strchr strdup strerror strstr strtol strtoul])
	32	AC_CHECK_FUNCS([atexit clock_gettime dup2 getopt_long memmove memset mkdir regcomp rmdir socket strcasecmp strchr strdup strerror strstr strtol strtoul])
32	33
33	34	PKG_CHECK_MODULES(GLIB, glib-2.0)
34	35	PKG_CHECK_MODULES(SLIRP, slirp >= 4.1.0)

+0

-148

~~hack/release.sh~~ less more

0		#!/bin/bash
1		# release.sh: configurable signed-artefact release script
2		# Copyright (C) 2016-2019 SUSE LLC.
3		#
4		# This Source Code Form is subject to the terms of the Mozilla Public
5		# License, v2.0. If a copy of the MPL was not distributed with this
6		# file, You can obtain one at http://mozilla.org/MPL/2.0/.
7
8		set -Eeuo pipefail
9
10		## --->
11		# Project-specific options and functions. In theory you shouldn't need to
12		# touch anything else in this script in order to use this elsewhere.
13		project="slirp4netns"
14		root="$(readlink -f "$(dirname "${BASH_SOURCE}")/..")"
15
16		# Make pushd and popd silent.
17		function pushd() { command pushd "$@" &>/dev/null ; }
18		function popd() { command popd "$@" &>/dev/null ; }
19
20		# These functions allow you to configure how the defaults are computed.
21		function get_arch() { uname -m ; }
22		function get_version() { echo '@VERSION@' \| "$root/config.status" --file - ; }
23
24		# Any pre-configuration steps should be done here -- for instance ./configure.
25		function setup_project() {
26		pushd "$root"
27		[ -x ./configure ] \|\| ./autogen.sh
28		./configure LDFLAGS="-static" --prefix=/ --bindir=/bin
29		popd
30		}
31
32		# This function takes an output path as an argument, where the built
33		# (preferably static) binary should be placed.
34		function build_project() {
35		tmprootfs="$(mktemp -d --tmpdir "$project-build.XXXXXX")"
36
37		make -C "$root" clean all install DESTDIR="$tmprootfs"
38
39		mv "$tmprootfs/bin/slirp4netns" "$1"
40		rm -rf "$tmprootfs"
41		}
42		# End of the easy-to-configure portion.
43		## <---
44
45		# Print usage information.
46		function usage() {
47		echo "usage: release.sh [-h] [-v <version>] [-c <commit>] [-o <output-dir>]" >&2
48		echo " [-H <hashcmd>] [-S <gpg-key>]" >&2
49		}
50
51		# Log something to stderr.
52		function log() {
53		echo "[*]" "$@" >&2
54		}
55
56		# Log something to stderr and then exit with 0.
57		function quit() {
58		log "$@"
59		exit 0
60		}
61
62		# Conduct a sanity-check to make sure that GPG provided with the given
63		# arguments can sign something. Inability to sign things is not a fatal error.
64		function gpg_cansign() {
65		gpg "$@" --clear-sign </dev/null >/dev/null
66		}
67
68		# When creating releases we need to build (ideally static) binaries, an archive
69		# of the current commit, and generate detached signatures for both.
70		keyid=""
71		version=""
72		arch=""
73		commit="HEAD"
74		hashcmd="sha256sum"
75		while getopts ":h:v:c:o:S:H:" opt; do
76		case "$opt" in
77		S)
78		keyid="$OPTARG"
79		;;
80		c)
81		commit="$OPTARG"
82		;;
83		o)
84		outputdir="$OPTARG"
85		;;
86		v)
87		version="$OPTARG"
88		;;
89		H)
90		hashcmd="$OPTARG"
91		;;
92		h)
93		usage ; exit 0
94		;;
95		\:)
96		echo "Missing argument: -$OPTARG" >&2
97		usage ; exit 1
98		;;
99		\?)
100		echo "Invalid option: -$OPTARG" >&2
101		usage ; exit 1
102		;;
103		esac
104		done
105
106		# Run project setup first...
107		( set -x ; setup_project )
108
109		# Generate the defaults for version and so on after argument parsing and
110		# setup_project, to avoid calling get_version() needlessly.
111		version="${version:-$(get_version)}"
112		arch="${arch:-$(get_arch)}"
113		outputdir="${outputdir:-release/$version}"
114
115		log "[[ $project ]]"
116		log "version: $version"
117		log "commit: $commit"
118		log "output_dir: $outputdir"
119		log "key: ${keyid:-(default)}"
120		log "hash_cmd: $hashcmd"
121
122		# Make explicit what we're doing.
123		set -x
124
125		# Make the release directory.
126		rm -rf "$outputdir" && mkdir -p "$outputdir"
127
128		# Build project.
129		build_project "$outputdir/$project.$arch"
130
131		# Generate new archive.
132		git archive --format=tar --prefix="$project-$version/" "$commit" \| xz > "$outputdir/$project.tar.xz"
133
134		# Generate sha256 checksums for both.
135		( cd "$outputdir" ; "$hashcmd" "$project".{"$arch",tar.xz} > "$project.$hashcmd" ; )
136
137		# Set up the gpgflags.
138		gpgflags=()
139		[[ -z "$keyid" ]] \|\| gpgflags+=("--default-key=$keyid")
140		gpg_cansign "${gpgflags[@]}" \|\| quit "Could not find suitable GPG key, skipping signing step."
141
142		# Sign everything.
143		gpg "${gpgflags[@]}" --detach-sign --armor "$outputdir/$project.$arch"
144		gpg "${gpgflags[@]}" --detach-sign --armor "$outputdir/$project.tar.xz"
145		gpg "${gpgflags[@]}" --clear-sign --armor \
146		--output "$outputdir/$project.$hashcmd"{.tmp,} && \
147		mv "$outputdir/$project.$hashcmd"{.tmp,}

+426

-18

main.c less more

10	10	#include <sys/ioctl.h>
11	11	#include <sys/socket.h>
12	12	#include <sys/types.h>
	13	#include <sys/un.h>
13	14	#include <sys/wait.h>
14	15	#include <linux/if_tun.h>
15	16	#include <arpa/inet.h>

20	21	#include <regex.h>
21	22	#include <libslirp.h>
22	23	#include "slirp4netns.h"
	24	#include <ifaddrs.h>
	25	#include <seccomp.h>
23	26
24	27	#define DEFAULT_MTU (1500)
25	28	#define DEFAULT_CIDR ("10.0.2.0/24")

28	31	#define DEFAULT_VNAMESERVER_OFFSET (3) // 10.0.2.3
29	32	#define DEFAULT_RECOMMENDED_VGUEST_OFFSET (100) // 10.0.2.100
30	33	#define DEFAULT_NETNS_TYPE ("pid")
	34	#define DEFAULT_TARGET_TYPE ("netns")
31	35	#define NETWORK_PREFIX_MIN (1)
32	36	// >=26 is not supported because the recommended guest IP is set to network addr
33	37	// + 100 .

78	82	{
79	83	int fd;
80	84	struct ifreq ifr;
	85	if (tapname == NULL) {
	86	fprintf(stderr, "tapname is NULL\n");
	87	return -1;
	88	}
81	89	if ((fd = open("/dev/net/tun", O_RDWR)) < 0) {
82	90	perror("open(\"/dev/net/tun\")");
83	91	return fd;

157	165	return -1;
158	166	}
159	167
	168	if (cfg->vmacaddress_len > 0) {
	169	ifr.ifr_ifru.ifru_hwaddr = cfg->vmacaddress;
	170	if (ioctl(sockfd, SIOCSIFHWADDR, &ifr) < 0) {
	171	perror("cannot set MAC address");
	172	return -1;
	173	}
	174	}
	175
160	176	sai->sin_family = AF_INET;
161	177	sai->sin_port = 0;
162	178	sai->sin_addr = cfg->recommended_vguest;

194	210	return 0;
195	211	}
196	212
	213	/* Child (--target-type=netns) */
197	214	static int child(int sock, pid_t target_pid, bool do_config_network,
198	215	const char tapname, char netns_path, char *userns_path,
199	216	struct slirp4netns_config *cfg)

216	233	fprintf(stderr, "sent tapfd=%d for %s\n", tapfd, tapname);
217	234	close(sock);
218	235	return 0;
	236	}
	237
	238	/*
	239	* Child (--target-type=bess)
	240	*
	241	* FIXME: We do not really need to fork the child for BESS mode
	242	*/
	243	static int child_bess(int sock, const char *bess_socket)
	244	{
	245	int bess_listenfd = -1, bess_acceptfd = -1;
	246	struct sockaddr_un bess_listenaddr, bess_acceptaddr;
	247	socklen_t bess_acceptaddrlen = sizeof(struct sockaddr_un);
	248	memset(&bess_acceptaddr, 0, sizeof(bess_acceptaddr));
	249	memset(&bess_listenaddr, 0, sizeof(bess_listenaddr));
	250
	251	/* Listen on the BESS socket */
	252	if ((bess_listenfd = socket(AF_UNIX, SOCK_SEQPACKET, 0)) == -1) {
	253	perror("child_bess: socket");
	254	goto error;
	255	}
	256	bess_listenaddr.sun_family = AF_UNIX;
	257	if (bess_socket == NULL) {
	258	fprintf(stderr, "the specified BESS socket path is NULL\n");
	259	goto error;
	260	}
	261	if (strlen(bess_socket) >= sizeof(bess_listenaddr.sun_path)) {
	262	fprintf(stderr, "the specified BESS socket path is too long (>= %lu)\n",
	263	sizeof(bess_listenaddr.sun_path));
	264	goto error;
	265	}
	266	strncpy(bess_listenaddr.sun_path, bess_socket,
	267	sizeof(bess_listenaddr.sun_path) - 1);
	268	unlink(bess_socket); /* avoid EADDRINUSE */
	269	if (bind(bess_listenfd, (struct sockaddr *)&bess_listenaddr,
	270	sizeof(bess_listenaddr)) < 0) {
	271	perror("child_bess: bind");
	272	goto error;
	273	}
	274	if (listen(bess_listenfd, 0) < 0) {
	275	perror("child_bess: listen");
	276	goto error;
	277	}
	278
	279	/* Accept a connection, and send its connection to the parent */
	280	fprintf(stderr, "Waiting for connection to %s\n", bess_socket);
	281	if ((bess_acceptfd =
	282	accept(bess_listenfd, (struct sockaddr *)&bess_acceptaddr,
	283	&bess_acceptaddrlen)) < 0) {
	284	perror("child_bess: accept");
	285	goto error;
	286	}
	287	if (sendfd(sock, bess_acceptfd) < 0) {
	288	goto error;
	289	}
	290	fprintf(stderr, "sent \"tapfd\"=%d (not really TAP) for %s\n",
	291	bess_acceptfd, bess_socket);
	292	close(sock);
	293	close(bess_listenfd);
	294	return 0;
	295	error:
	296	close(bess_acceptfd);
	297	close(bess_listenfd);
	298	close(sock);
	299	return -1;
219	300	}
220	301
221	302	static int recvfd(int sock)

254	335	static int parent(int sock, int ready_fd, int exit_fd, const char *api_socket,
255	336	struct slirp4netns_config *cfg, pid_t target_pid)
256	337	{
	338	char str[INET6_ADDRSTRLEN];
257	339	int rc, tapfd;
	340	struct in_addr vdhcp_end = {
	341	#define NB_BOOTP_CLIENTS 16
	342	/* NB_BOOTP_CLIENTS is hard-coded to 16 in libslirp:
	343	https://gitlab.freedesktop.org/slirp/libslirp/-/issues/49 */
	344	.s_addr = htonl(ntohl(cfg->vdhcp_start.s_addr) + NB_BOOTP_CLIENTS - 1),
	345	#undef NB_BOOTP_CLIENTS
	346	};
258	347	if ((tapfd = recvfd(sock)) < 0) {
259	348	return tapfd;
260	349	}

262	351	close(sock);
263	352	printf("Starting slirp\n");
264	353	printf("* MTU: %d\n", cfg->mtu);
265		printf("* Network: %s\n", inet_ntoa(cfg->vnetwork));
266		printf("* Netmask: %s\n", inet_ntoa(cfg->vnetmask));
267		printf("* Gateway: %s\n", inet_ntoa(cfg->vhost));
268		printf("* DNS: %s\n", inet_ntoa(cfg->vnameserver));
269		printf("* Recommended IP: %s\n", inet_ntoa(cfg->recommended_vguest));
	354	printf("* Network: %s\n",
	355	inet_ntop(AF_INET, &cfg->vnetwork, str, sizeof(str)));
	356	printf("* Netmask: %s\n",
	357	inet_ntop(AF_INET, &cfg->vnetmask, str, sizeof(str)));
	358	printf("* Gateway: %s\n",
	359	inet_ntop(AF_INET, &cfg->vhost, str, sizeof(str)));
	360	printf("* DNS: %s\n",
	361	inet_ntop(AF_INET, &cfg->vnameserver, str, sizeof(str)));
	362	printf("* DHCP begin: %s\n",
	363	inet_ntop(AF_INET, &cfg->vdhcp_start, str, sizeof(str)));
	364	printf("* DHCP end: %s\n",
	365	inet_ntop(AF_INET, &vdhcp_end, str, sizeof(str)));
	366	printf("* Recommended IP: %s\n",
	367	inet_ntop(AF_INET, &cfg->recommended_vguest, str, sizeof(str)));
270	368	if (api_socket != NULL) {
271	369	printf("* API Socket: %s\n", api_socket);
	370	}
	371	#if SLIRP_CONFIG_VERSION_MAX >= 2
	372	if (cfg->enable_outbound_addr) {
	373	printf(
	374	"* Outbound IPv4: %s\n",
	375	inet_ntop(AF_INET, &cfg->outbound_addr.sin_addr, str, sizeof(str)));
	376	}
	377	if (cfg->enable_outbound_addr6) {
	378	if (inet_ntop(AF_INET6, &cfg->outbound_addr6.sin6_addr, str,
	379	sizeof(str)) != NULL) {
	380	printf("* Outbound IPv6: %s\n", str);
	381	}
	382	}
	383	#endif
	384	if (cfg->vmacaddress_len > 0) {
	385	unsigned char mac = (unsigned char )cfg->vmacaddress.sa_data;
	386	printf("* MAC address: %02x:%02x:%02x:%02x:%02x:%02x\n", mac[0],
	387	mac[1], mac[2], mac[3], mac[4], mac[5]);
272	388	}
273	389	if (!cfg->disable_host_loopback) {
274	390	printf(
275	391	"WARNING: 127.0.0.1:* on the host is accessible as %s (set "
276	392	"--disable-host-loopback to prohibit connecting to 127.0.0.1:*)\n",
277		inet_ntoa(cfg->vhost));
	393	inet_ntop(AF_INET, &cfg->vhost, str, sizeof(str)));
278	394	}
279	395	if (cfg->enable_sandbox && geteuid() != 0) {
280	396	if ((rc = nsenter(target_pid, NULL, NULL, true)) < 0) {

303	419
304	420	static void usage(const char *argv0)
305	421	{
306		printf("Usage: %s [OPTION]... PID\|PATH TAPNAME\n", argv0);
	422	printf("Usage: %s [OPTION]... PID\|PATH [TAPNAME]\n", argv0);
307	423	printf("User-mode networking for unprivileged network namespaces.\n\n");
308	424	printf("-c, --configure bring up the interface\n");
309	425	printf("-e, --exit-fd=FD specify the FD for terminating "

331	447	"caps except CAP_NET_BIND_SERVICE if running as the root)\n");
332	448	printf("--enable-seccomp enable seccomp to limit syscalls "
333	449	"(experimental)\n");
	450	/* v1.1.0 */
	451	#if SLIRP_CONFIG_VERSION_MAX >= 2
	452	printf("--outbound-addr=IPv4 sets outbound ipv4 address to bound to "
	453	"(experimental)\n");
	454	printf("--outbound-addr6=IPv6 sets outbound ipv6 address to bound to "
	455	"(experimental)\n");
	456	#endif
	457	#if SLIRP_CONFIG_VERSION_MAX >= 3
	458	printf("--disable-dns disables 10.0.2.3 (or configured internal "
	459	"ip) to host dns redirect (experimental)\n");
	460	#endif
	461	/* v1.1.9 */
	462	printf("--macaddress=MAC specify the MAC address of the TAP (only "
	463	"valid with -c)\n");
	464	/* v1.2.0 */
	465	printf("--target-type=TYPE specify the target type ([netns\|bess], "
	466	"default=%s)\n",
	467	DEFAULT_TARGET_TYPE);
334	468	/* others */
335	469	printf("-h, --help show this help and exit\n");
336	470	printf("-v, --version show version and exit\n");

339	473	// version output is runc-compatible and machine-parsable
340	474	static void version()
341	475	{
	476	const struct scmp_version *scmpv = seccomp_version();
342	477	printf("slirp4netns version %s\n", VERSION ? VERSION : PACKAGE_VERSION);
343	478	#ifdef COMMIT
344	479	printf("commit: %s\n", COMMIT);
345	480	#endif
346	481	printf("libslirp: %s\n", slirp_version_string());
	482	printf("SLIRP_CONFIG_VERSION_MAX: %d\n", SLIRP_CONFIG_VERSION_MAX);
	483	if (scmpv != NULL) {
	484	printf("libseccomp: %d.%d.%d\n", scmpv->major, scmpv->minor,
	485	scmpv->micro);
	486	/* Do not free scmpv */
	487	}
347	488	}
348	489
349	490	struct options {
350		pid_t target_pid; // argv[1]
351	491	char *tapname; // argv[2]
352		bool do_config_network; // -c
353		int exit_fd; // -e
354		int ready_fd; // -r
355		unsigned int mtu; // -m
356		bool disable_host_loopback; // --disable-host-loopback
357	492	char *cidr; // --cidr
358		bool enable_ipv6; // -6
359	493	char *api_socket; // -a
360	494	char *netns_type; // argv[1]
361	495	char *netns_path; // --netns-path
362	496	char *userns_path; // --userns-path
	497	char *outbound_addr; // --outbound-addr
	498	char *outbound_addr6; // --outbound-addr6
	499	pid_t target_pid; // argv[1]
	500	int exit_fd; // -e
	501	int ready_fd; // -r
	502	unsigned int mtu; // -m
	503	bool do_config_network; // -c
	504	bool disable_host_loopback; // --disable-host-loopback
	505	bool enable_ipv6; // -6
363	506	bool enable_sandbox; // --enable-sandbox
364	507	bool enable_seccomp; // --enable-seccomp
	508	bool disable_dns; // --disable-dns
	509	char *macaddress; // --macaddress
	510	char *target_type; // --target-type
	511	char *bess_socket; // argv[1] (When --target-type="bess")
365	512	};
366	513
367	514	static void options_init(struct options *options)

396	543	if (options->userns_path != NULL) {
397	544	free(options->userns_path);
398	545	options->userns_path = NULL;
	546	}
	547	if (options->outbound_addr != NULL) {
	548	free(options->outbound_addr);
	549	options->outbound_addr = NULL;
	550	}
	551	if (options->outbound_addr6 != NULL) {
	552	free(options->outbound_addr6);
	553	options->outbound_addr6 = NULL;
	554	}
	555	if (options->macaddress != NULL) {
	556	free(options->macaddress);
	557	options->macaddress = NULL;
	558	}
	559	if (options->target_type != NULL) {
	560	free(options->target_type);
	561	options->target_type = NULL;
	562	}
	563	if (options->bess_socket != NULL) {
	564	free(options->bess_socket);
	565	options->bess_socket = NULL;
399	566	}
400	567	}
401	568

410	577	char *optarg_netns_type = NULL;
411	578	char *optarg_userns_path = NULL;
412	579	char *optarg_api_socket = NULL;
	580	char *optarg_outbound_addr = NULL;
	581	char *optarg_outbound_addr6 = NULL;
	582	char *optarg_macaddress = NULL;
	583	char *optarg_target_type = NULL;
413	584	#define CIDR -42
414	585	#define DISABLE_HOST_LOOPBACK -43
415	586	#define NETNS_TYPE -44
416	587	#define USERNS_PATH -45
417	588	#define ENABLE_SANDBOX -46
418	589	#define ENABLE_SECCOMP -47
	590	#define OUTBOUND_ADDR -48
	591	#define OUTBOUND_ADDR6 -49
	592	#define DISABLE_DNS -50
	593	#define MACADDRESS -51
	594	#define TARGET_TYPE -52
419	595	#define _DEPRECATED_NO_HOST_LOOPBACK \
420	596	-10043 // deprecated in favor of disable-host-loopback
421	597	#define _DEPRECATED_CREATE_SANDBOX \

437	613	{ "enable-seccomp", no_argument, NULL, ENABLE_SECCOMP },
438	614	{ "help", no_argument, NULL, 'h' },
439	615	{ "version", no_argument, NULL, 'v' },
	616	{ "outbound-addr", required_argument, NULL, OUTBOUND_ADDR },
	617	{ "outbound-addr6", required_argument, NULL, OUTBOUND_ADDR6 },
	618	{ "disable-dns", no_argument, NULL, DISABLE_DNS },
	619	{ "macaddress", required_argument, NULL, MACADDRESS },
	620	{ "target-type", required_argument, NULL, TARGET_TYPE },
440	621	{ 0, 0, 0, 0 },
441	622	};
442	623	options_init(options);

525	706	version();
526	707	exit(EXIT_SUCCESS);
527	708	break;
	709	case OUTBOUND_ADDR:
	710	printf("WARNING: Support for --outbound-addr is experimental\n");
	711	optarg_outbound_addr = optarg;
	712	break;
	713	case OUTBOUND_ADDR6:
	714	printf("WARNING: Support for --outbound-addr6 is experimental\n");
	715	optarg_outbound_addr6 = optarg;
	716	break;
	717	case DISABLE_DNS:
	718	options->disable_dns = true;
	719	break;
	720	case MACADDRESS:
	721	optarg_macaddress = optarg;
	722	break;
	723	case TARGET_TYPE:
	724	optarg_target_type = optarg;
	725	break;
528	726	default:
529	727	goto error;
530	728	break;

541	739	}
542	740	if (optarg_api_socket != NULL) {
543	741	options->api_socket = strdup(optarg_api_socket);
	742	}
	743	if (optarg_outbound_addr != NULL) {
	744	options->outbound_addr = strdup(optarg_outbound_addr);
	745	}
	746	if (optarg_outbound_addr6 != NULL) {
	747	options->outbound_addr6 = strdup(optarg_outbound_addr6);
	748	}
	749	if (optarg_macaddress != NULL) {
	750	if (!options->do_config_network) {
	751	fprintf(stderr, "--macaddr cannot be specified when --configure or "
	752	"-c is not specified\n");
	753	goto error;
	754	} else {
	755	options->macaddress = strdup(optarg_macaddress);
	756	}
	757	}
	758	if (optarg_target_type != NULL) {
	759	options->target_type = strdup(optarg_target_type);
544	760	}
545	761	#undef CIDR
546	762	#undef DISABLE_HOST_LOOPBACK

549	765	#undef _DEPRECATED_NO_HOST_LOOPBACK
550	766	#undef ENABLE_SANDBOX
551	767	#undef ENABLE_SECCOMP
	768	#undef OUTBOUND_ADDR
	769	#undef OUTBOUND_ADDR6
	770	#undef DISABLE_DNS
	771	#undef MACADDRESS
	772	#undef TARGET_TYPE
	773
	774	/* BESS mode */
	775	if (options->target_type != NULL &&
	776	strcmp(options->target_type, "bess") == 0) {
	777	if (argc - optind < 1) {
	778	goto error;
	779	}
	780	if (argc - optind > 1) {
	781	fprintf(stderr, "too many arguments\n");
	782	goto error;
	783	}
	784	options->bess_socket = strdup(argv[optind]);
	785	if (options->do_config_network) {
	786	fprintf(stderr, "--configure conflicts with --target-type=bess\n");
	787	goto error;
	788	}
	789	if (options->netns_type != NULL) {
	790	fprintf(stderr, "--netns-type conflicts with --target-type=bess\n");
	791	goto error;
	792	}
	793	if (options->userns_path != NULL) {
	794	fprintf(stderr,
	795	"--userns-path conflicts with --target-type=bess\n");
	796	goto error;
	797	}
	798	printf("WARNING: BESS mode is experimental\n");
	799	return;
	800	}
	801
	802	/* NetNS mode*/
	803	if (options->target_type != NULL &&
	804	strcmp(options->target_type, "netns") != 0) {
	805	fprintf(stderr, "--target-type must be either \"netns\" or \"bess\"\n");
	806	goto error;
	807	}
552	808	if (argc - optind < 2) {
553	809	goto error;
	810	}
	811	if (argc - optind > 2) {
	812	// not an error, for preventing potential compatibility issue
	813	printf("WARNING: too many arguments\n");
554	814	}
555	815	if (!options->netns_type \|\|
556	816	strcmp(options->netns_type, DEFAULT_NETNS_TYPE) == 0) {

669	929	return rc;
670	930	}
671	931
	932	static int get_interface_addr(const char interface, int af, void addr)
	933	{
	934	struct ifaddrs ifaddr, ifa;
	935	if (interface == NULL)
	936	return -1;
	937
	938	if (getifaddrs(&ifaddr) == -1) {
	939	fprintf(stderr, "getifaddrs failed to obtain interface addresses");
	940	return -1;
	941	}
	942
	943	for (ifa = ifaddr; ifa != NULL; ifa = ifa->ifa_next) {
	944	if (ifa->ifa_addr == NULL \|\| ifa->ifa_name == NULL)
	945	continue;
	946	if (ifa->ifa_addr->sa_family == af) {
	947	if (strcmp(ifa->ifa_name, interface) == 0) {
	948	if (af == AF_INET) {
	949	(struct in_addr )addr =
	950	((struct sockaddr_in *)ifa->ifa_addr)->sin_addr;
	951	} else {
	952	(struct in6_addr )addr =
	953	((struct sockaddr_in6 *)ifa->ifa_addr)->sin6_addr;
	954	}
	955	return 0;
	956	}
	957	}
	958	}
	959	return -1;
	960	}
	961
	962	/*
	963	* Convert a MAC string (macaddr) to bytes (data).
	964	* macaddr must be a null-terminated string in the format of
	965	* xx:xx:xx:xx:xx:xx. The data buffer needs to be at least 6 bytes.
	966	* Typically the data is put into sockaddr sa_data, which is 14 bytes.
	967	*/
	968	static int slirp4netns_macaddr_hexstring_to_data(char macaddr, char data)
	969	{
	970	int temp;
	971	char *macaddr_ptr;
	972	char *data_ptr;
	973	for (macaddr_ptr = macaddr, data_ptr = data;
	974	macaddr_ptr != NULL && data_ptr < data + 6;
	975	macaddr_ptr = strchr(macaddr_ptr, ':'), data_ptr++) {
	976	if (macaddr_ptr != macaddr) {
	977	macaddr_ptr++; // advance over the :
	978	}
	979	if (sscanf(macaddr_ptr, "%x", &temp) != 1 \|\| temp < 0 \|\| temp > 255) {
	980	fprintf(stderr, "\"%s\" is an invalid MAC address.\n", macaddr);
	981	return -1;
	982	}
	983	*data_ptr = temp;
	984	}
	985	if (macaddr_ptr != NULL) {
	986	fprintf(stderr, "\"%s\" is an invalid MAC address. Is it too long?\n",
	987	macaddr);
	988	return -1;
	989	}
	990	return (int)(data_ptr - data);
	991	}
	992
672	993	static int slirp4netns_config_from_options(struct slirp4netns_config *cfg,
673	994	struct options *opt)
674	995	{

679	1000	if (rc < 0) {
680	1001	goto finish;
681	1002	}
682		cfg->enable_ipv6 = cfg->enable_ipv6;
	1003	cfg->enable_ipv6 = opt->enable_ipv6;
683	1004	cfg->disable_host_loopback = opt->disable_host_loopback;
684	1005	cfg->enable_sandbox = opt->enable_sandbox;
685	1006	cfg->enable_seccomp = opt->enable_seccomp;
	1007
	1008	#if SLIRP_CONFIG_VERSION_MAX >= 2
	1009	cfg->enable_outbound_addr = false;
	1010	cfg->enable_outbound_addr6 = false;
	1011	#endif
	1012
	1013	if (opt->outbound_addr != NULL) {
	1014	#if SLIRP_CONFIG_VERSION_MAX >= 2
	1015	cfg->outbound_addr.sin_family = AF_INET;
	1016	cfg->outbound_addr.sin_port = 0; // Any local port will do
	1017	if (inet_pton(AF_INET, opt->outbound_addr,
	1018	&cfg->outbound_addr.sin_addr) == 1) {
	1019	cfg->enable_outbound_addr = true;
	1020	} else {
	1021	if (get_interface_addr(opt->outbound_addr, AF_INET,
	1022	&cfg->outbound_addr.sin_addr) != 0) {
	1023	fprintf(stderr, "outbound-addr has to be valid ipv4 address or "
	1024	"interface name.");
	1025	rc = -1;
	1026	goto finish;
	1027	}
	1028	cfg->enable_outbound_addr = true;
	1029	}
	1030	#else
	1031	fprintf(stderr, "slirp4netns has to be compiled against libslrip 4.2.0 "
	1032	"or newer for --outbound-addr support.");
	1033	rc = -1;
	1034	goto finish;
	1035	#endif
	1036	}
	1037	if (opt->outbound_addr6 != NULL) {
	1038	#if SLIRP_CONFIG_VERSION_MAX >= 2
	1039	cfg->outbound_addr6.sin6_family = AF_INET6;
	1040	cfg->outbound_addr6.sin6_port = 0; // Any local port will do
	1041	if (inet_pton(AF_INET6, opt->outbound_addr6,
	1042	&cfg->outbound_addr6.sin6_addr) == 1) {
	1043	cfg->enable_outbound_addr6 = true;
	1044	} else {
	1045	if (get_interface_addr(opt->outbound_addr, AF_INET6,
	1046	&cfg->outbound_addr6.sin6_addr) != 0) {
	1047	fprintf(stderr, "outbound-addr has to be valid ipv4 address or "
	1048	"iterface name.");
	1049	rc = -1;
	1050	goto finish;
	1051	}
	1052	cfg->enable_outbound_addr6 = true;
	1053	}
	1054	#else
	1055	fprintf(stderr, "slirp4netns has to be compiled against libslirp 4.2.0 "
	1056	"or newer for --outbound-addr6 support.");
	1057	rc = -1;
	1058	goto finish;
	1059	#endif
	1060	}
	1061
	1062	#if SLIRP_CONFIG_VERSION_MAX >= 3
	1063	cfg->disable_dns = opt->disable_dns;
	1064	#else
	1065	if (opt->disable_dns) {
	1066	fprintf(stderr, "slirp4netns has to be compiled against libslirp 4.3.0 "
	1067	"or newer for --disable-dns support.");
	1068	rc = -1;
	1069	goto finish;
	1070	}
	1071	#endif
	1072
	1073	cfg->vmacaddress_len = 0;
	1074	memset(&cfg->vmacaddress, 0, sizeof(cfg->vmacaddress));
	1075	if (opt->macaddress != NULL) {
	1076	cfg->vmacaddress.sa_family = AF_LOCAL;
	1077	int macaddr_len;
	1078	if ((macaddr_len = slirp4netns_macaddr_hexstring_to_data(
	1079	opt->macaddress, cfg->vmacaddress.sa_data)) < 0) {
	1080	fprintf(stderr, "macaddress has to be a valid MAC address (hex "
	1081	"string, 6 bytes, each byte separated by a ':').");
	1082	rc = -1;
	1083	goto finish;
	1084	}
	1085	cfg->vmacaddress_len = macaddr_len;
	1086	}
686	1087	finish:
687	1088	return rc;
688	1089	}

711	1112	goto finish;
712	1113	}
713	1114	if (child_pid == 0) {
714		if (child(sv[1], options.target_pid, options.do_config_network,
715		options.tapname, options.netns_path, options.userns_path,
716		&slirp4netns_config) < 0) {
	1115	int ret;
	1116	if (options.target_type != NULL &&
	1117	strcmp(options.target_type, "bess") == 0) {
	1118	ret = child_bess(sv[1], options.bess_socket);
	1119	} else {
	1120	ret = child(sv[1], options.target_pid, options.do_config_network,
	1121	options.tapname, options.netns_path,
	1122	options.userns_path, &slirp4netns_config);
	1123	}
	1124	if (ret < 0) {
717	1125	exit_status = EXIT_FAILURE;
718	1126	goto finish;
719	1127	}

+66

-0

seccomparch.h less more

	0	/* SPDX-License-Identifier: LGPL-2.1+ */
	1	#ifndef SLIRP4NETNS_SECCOMPARCH_H
	2	#define SLIRP4NETNS_SECCOMPARCH_H
	3
	4	#include <stdint.h>
	5	#include <seccomp.h>
	6
	7	/*
	8	* seccomp_extra_archs derived from systemd seccomp_local_archs
	9	* but does NOT contain native archs:
	10	* https://github.com/systemd/systemd/blob/v245/src/shared/seccomp-util.c#L25-L95
	11	* .
	12	*/
	13	const uint32_t seccomp_extra_archs[] = {
	14	#if defined(__x86_64__) && \
	15	defined(__ILP32__) /* X32 ( https://en.wikipedia.org/wiki/X32_ABI ) */
	16	SCMP_ARCH_X86, SCMP_ARCH_X86_64,
	17	#elif defined(__x86_64__) && !defined(__ILP32__) /* X86_64 */
	18	SCMP_ARCH_X86, SCMP_ARCH_X32,
	19	#elif defined(__i386__) /* X86 */
	20	/* NONE */
	21	#elif defined(__aarch64__) /* AARCH64 */
	22	SCMP_ARCH_ARM,
	23	#elif defined(__arm__) /* ARM */
	24	/* NONE */
	25	#elif defined(__mips__) && __BYTE_ORDER == __BIG_ENDIAN && \
	26	_MIPS_SIM == _MIPS_SIM_ABI32 /* MIPS */
	27	SCMP_ARCH_MIPSEL,
	28	#elif defined(__mips__) && __BYTE_ORDER == __LITTLE_ENDIAN && \
	29	_MIPS_SIM == _MIPS_SIM_ABI32 /* MIPSEL */
	30	SCMP_ARCH_MIPS,
	31	#elif defined(__mips__) && __BYTE_ORDER == __BIG_ENDIAN && \
	32	_MIPS_SIM == _MIPS_SIM_ABI64 /* MIPS64 */
	33	SCMP_ARCH_MIPSEL, SCMP_ARCH_MIPS, SCMP_ARCH_MIPSEL64N32,
	34	SCMP_ARCH_MIPS64N32, SCMP_ARCH_MIPSEL64,
	35	#elif defined(__mips__) && __BYTE_ORDER == __LITTLE_ENDIAN && \
	36	_MIPS_SIM == _MIPS_SIM_ABI64 /* MIPSEL64 */
	37	SCMP_ARCH_MIPS, SCMP_ARCH_MIPSEL, SCMP_ARCH_MIPS64N32,
	38	SCMP_ARCH_MIPSEL64N32, SCMP_ARCH_MIPS64,
	39	#elif defined(__mips__) && __BYTE_ORDER == __BIG_ENDIAN && \
	40	_MIPS_SIM == _MIPS_SIM_NABI32 /* MIPS64N32 */
	41	SCMP_ARCH_MIPSEL, SCMP_ARCH_MIPS, SCMP_ARCH_MIPSEL64,
	42	SCMP_ARCH_MIPS64, SCMP_ARCH_MIPSEL64N32,
	43	#elif defined(__mips__) && __BYTE_ORDER == __LITTLE_ENDIAN && \
	44	_MIPS_SIM == _MIPS_SIM_NABI32 /* MIPSEL64N32 */
	45	SCMP_ARCH_MIPS, SCMP_ARCH_MIPSEL, SCMP_ARCH_MIPS64,
	46	SCMP_ARCH_MIPSEL64, SCMP_ARCH_MIPS64N32,
	47	#elif defined(__powerpc64__) && __BYTE_ORDER == __BIG_ENDIAN /* PPC64 */
	48	SCMP_ARCH_PPC, SCMP_ARCH_PPC64LE,
	49	#elif defined(__powerpc64__) && __BYTE_ORDER == __LITTLE_ENDIAN /* PPC64LE */
	50	SCMP_ARCH_PPC, SCMP_ARCH_PPC64,
	51	#elif defined(__powerpc__) /* PPC */
	52	/* NONE */
	53	#elif defined(__s390x__) /* S390X */
	54	SCMP_ARCH_S390,
	55	#elif defined(__s390__) /* S390 */
	56	/* NONE */
	57	#endif
	58	(uint32_t)-1
	59	};
	60
	61	/* seccomp_extra_archs_items can be 0 */
	62	const int seccomp_extra_archs_items =
	63	sizeof(seccomp_extra_archs) / sizeof(seccomp_extra_archs[0]) - 1;
	64
	65	#endif

+79

-37

seccompfilter.c less more

0	0	/* SPDX-License-Identifier: GPL-2.0-or-later */
1	1	#define _GNU_SOURCE
2	2	#include <stdio.h>
	3	#include <errno.h>
	4	#include <string.h>
	5	#include <linux/seccomp.h>
	6	#include <glib.h>
3	7	#include <seccomp.h>
	8	#include "seccomparch.h"
	9
	10	#if defined(SCMP_ACT_KILL_PROCESS) && defined(SECCOMP_GET_ACTION_AVAIL) && \
	11	defined(SECCOMP_RET_KILL_PROCESS)
	12	#include <unistd.h>
	13	#include <sys/syscall.h>
	14
	15	static uint32_t get_block_action()
	16	{
	17	const uint32_t action = SECCOMP_RET_KILL_PROCESS;
	18	/* Syscall fails if either actions_avail or kill_process is not available */
	19	if (syscall(__NR_seccomp, SECCOMP_GET_ACTION_AVAIL, 0, &action) == 0)
	20	return SCMP_ACT_KILL_PROCESS;
	21	return SCMP_ACT_KILL;
	22	}
	23	#else
	24	static uint32_t get_block_action()
	25	{
	26	return SCMP_ACT_KILL;
	27	}
	28	#endif
	29
	30	static void add_block_rule(scmp_filter_ctx ctx, const char *name,
	31	uint32_t block_action, GString *blocked,
	32	GString skipped_undefined, GString skipped_failed)
	33	{
	34	int rc = -1, num = seccomp_syscall_resolve_name(name);
	35	if (num == __NR_SCMP_ERROR) {
	36	g_string_append_printf(skipped_undefined, " %s", name);
	37	return;
	38	}
	39	if ((rc = seccomp_rule_add(ctx, block_action, num, 0)) != 0) {
	40	g_string_append_printf(skipped_failed, " %s(%s)", name, strerror(-rc));
	41	return;
	42	}
	43	g_string_append_printf(blocked, " %s", name);
	44	}
4	45
5	46	int enable_seccomp()
6	47	{
7		int rc = -1;
	48	int rc = -1, i;
	49	uint32_t block_action = get_block_action();
	50	GString *blocked = g_string_new(NULL);
	51	GString *skipped_undefined = g_string_new(NULL);
	52	GString *skipped_failed = g_string_new(NULL);
8	53	/* Allow everything by default and block dangerous syscalls explicitly,
9	54	* as it is hard to find the correct set of required syscalls */
10	55	scmp_filter_ctx ctx = seccomp_init(SCMP_ACT_ALLOW);
11	56	if (ctx == NULL)
12	57	goto ret;
13		printf("seccomp: The following syscalls will be blocked by seccomp:");
14		#ifdef SCMP_ACT_KILL_PROCESS
15		#define BLOCK_ACTION SCMP_ACT_KILL_PROCESS
16		#else
17		#define BLOCK_ACTION SCMP_ACT_KILL
18		#endif
19		#define BLOCK(x) \
20		{ \
21		rc = seccomp_rule_add(ctx, BLOCK_ACTION, SCMP_SYS(x), 0); \
22		if (rc < 0) \
23		goto ret; \
24		printf(" %s", #x); \
	58	for (i = 0; i < seccomp_extra_archs_items; i++) {
	59	uint32_t arch = seccomp_extra_archs[i];
	60	rc = seccomp_arch_add(ctx, arch);
	61	if (rc < 0 && rc != -EEXIST && rc != -EDOM) {
	62	fprintf(stderr,
	63	"seccomp: WARNING: can't add extra arch (i=%d): %s\n", i,
	64	strerror(-rc));
	65	}
25	66	}
26		BLOCK(execve);
27		#ifdef __NR_execveat
28		BLOCK(execveat);
29		#else
30		fprintf(stderr,
31		"seccomp: can't block execevat because __NR_execveat was not "
32		"defined in the build environment\n");
33		#endif
34		/* ideally we should also block open() and openat() but required for
35		* resolv.conf */
36		BLOCK(open_by_handle_at);
37		BLOCK(ptrace);
38		BLOCK(prctl);
39		BLOCK(process_vm_readv);
40		BLOCK(process_vm_writev);
41		BLOCK(mount);
42		BLOCK(name_to_handle_at);
43		BLOCK(setns);
44		BLOCK(umount);
45		BLOCK(umount2);
46		BLOCK(unshare);
	67	#define BLOCK(x) \
	68	add_block_rule(ctx, #x, block_action, blocked, skipped_undefined, \
	69	skipped_failed)
	70	#include "seccompfilter_rules.h"
47	71	#undef BLOCK
48		#undef BLOCK_ACTION
49		printf(".\n");
50		rc = seccomp_load(ctx);
	72	if ((rc = seccomp_load(ctx)) != 0) {
	73	fprintf(stderr, "seccomp: seccomp_load(): %s\n", strerror(-rc));
	74	goto ret;
	75	}
	76	printf("seccomp: The following syscalls are blocked:%s\n", blocked->str);
	77	if (skipped_undefined->len > 0) {
	78	fprintf(stderr,
	79	"seccomp: WARNING: the following syscalls are not defined "
	80	"in libseccomp and cannot be "
	81	"blocked:%s\n",
	82	skipped_undefined->str);
	83	}
	84	if (skipped_failed->len > 0) {
	85	fprintf(stderr,
	86	"seccomp: WARNING: the following syscalls cannot be "
	87	"blocked due to unexpected errors:%s\n",
	88	skipped_failed->str);
	89	}
51	90	ret:
52	91	seccomp_release(ctx);
	92	g_string_free(blocked, TRUE);
	93	g_string_free(skipped_undefined, TRUE);
	94	g_string_free(skipped_failed, TRUE);
53	95	return rc;
54	96	}

+62

-0

seccompfilter_rules.h less more

	0	/* SPDX-License-Identifier: GPL-2.0-or-later */
	1
	2	/* We do not need ifndef _XXX_H guard: https://github.com/rootless-containers/slirp4netns/pull/238#discussion_r530214521 */
	3
	4	#ifndef BLOCK
	5	#error "Included in an unexpected way?"
	6	#endif
	7
	8	/*
	9	NOTE:
	10	- Run `sudo systemd-analyze syscall-filter` to show list of syscall groups.
	11	- Ideally we should also block open() and openat(), but these calls are required for opening resolv.conf
	12	*/
	13
	14	/* group: @default */
	15	BLOCK(execve);
	16
	17	/* group: @debug */
	18	BLOCK(lookup_dcookie);
	19	BLOCK(pidfd_getfd);
	20	BLOCK(ptrace);
	21
	22	/* group: @ipc */
	23	BLOCK(process_vm_readv);
	24	BLOCK(process_vm_writev);
	25
	26	/* group: @module*/
	27	BLOCK(delete_module);
	28	BLOCK(finit_module);
	29	BLOCK(init_module);
	30
	31	/* group: @mount */
	32	BLOCK(chroot);
	33	BLOCK(fsconfig);
	34	BLOCK(fsmount);
	35	BLOCK(fsopen);
	36	BLOCK(fspick);
	37	BLOCK(mount);
	38	BLOCK(move_mount);
	39	BLOCK(open_tree);
	40	BLOCK(pivot_root);
	41	BLOCK(umount);
	42	BLOCK(umount2);
	43
	44	/* group: @privileged */
	45	BLOCK(open_by_handle_at);
	46
	47	/* group: @process */
	48	BLOCK(execveat);
	49	BLOCK(pidfd_open);
	50	BLOCK(pidfd_send_signal);
	51	BLOCK(prctl);
	52	BLOCK(setns);
	53	BLOCK(unshare);
	54
	55	/* group: @reboot */
	56	BLOCK(kexec_file_load);
	57	BLOCK(kexec_load);
	58	BLOCK(reboot);
	59
	60	/* group: @system-service */
	61	BLOCK(name_to_handle_at);

+372

-181

slirp4netns.1 less more

0	0	.nh
1		.TH SLIRP4NETNS 1 "March 2020" "Rootless Containers" "User Commands"
	1	.TH SLIRP4NETNS 1 "January 2022" "Rootless Containers" "User Commands"
2	2
3	3	.SH NAME
4	4	.PP

7	7
8	8	.SH SYNOPSIS
9	9	.PP
10		slirp4netns [OPTION]... PID\|PATH TAPNAME
	10	slirp4netns [OPTION]... PID\|PATH [TAPNAME]
11	11
12	12
13	13	.SH DESCRIPTION

15	15	slirp4netns provides user\-mode networking ("slirp") for network namespaces.
16	16
17	17	.PP
18		Unlike \fBveth\fP(4), slirp4netns does not require the root privileges on the host.
	18	Unlike \fB\fCveth(4)\fR, slirp4netns does not require the root privileges on the host.
19	19
20	20	.PP
21	21	Default configuration:

30	30	.IP \(bu 2
31	31	DNS: 10.0.2.3 (network address + 3)
32	32	.IP \(bu 2
	33	DHCP begin: 10.0.2.15 (network address + 15)
	34	.IP \(bu 2
	35	DHCP end: 10.0.2.30 (network address + 30)
	36	.IP \(bu 2
33	37	IPv6 CIDR: fd00::/64
34	38	.IP \(bu 2
35	39	IPv6 Gateway/Host: fd00::2

41	45
42	46	.SH OPTIONS
43	47	.PP
44		\fB\-c\fP, \fB\-\-configure\fP
	48	\fB\fC\-c\fR, \fB\fC\-\-configure\fR
45	49	bring up the TAP interface. IP will be set to 10.0.2.100 (network address + 100) by default. IPv6 will be set to a random address.
46		Starting with v0.4.0, the loopback interface (\fBlo\fP) is brought up as well.
47
48		.PP
49		\fB\-e\fP, \fB\-\-exit\-fd=FD\fP
	50	Starting with v0.4.0, the loopback interface (\fB\fClo\fR) is brought up as well.
	51
	52	.PP
	53	\fB\fC\-e\fR, \fB\fC\-\-exit\-fd=FD\fR
50	54	specify the FD for terminating slirp4netns.
51		When the FD is specified, slirp4netns exits when a \fBpoll(2)\fP event happens on the FD.
52
53		.PP
54		\fB\-r\fP, \fB\-\-ready\-fd=FD\fP
	55	When the FD is specified, slirp4netns exits when a \fB\fCpoll(2)\fR event happens on the FD.
	56
	57	.PP
	58	\fB\fC\-r\fR, \fB\fC\-\-ready\-fd=FD\fR
55	59	specify the FD to write to when the initialization steps are finished.
56		When the FD is specified, slirp4netns writes \fB"1"\fP to the FD and close the FD.
57		Prior to v0.4.0, the FD was written after the network configuration (\fB\-c\fP)
58		but before the API socket configuration (\fB\-a\fP).
59
60		.PP
61		\fB\-m\fP, \fB\-\-mtu=MTU\fP (since v0.2.0)
	60	When the FD is specified, slirp4netns writes \fB\fC"1"\fR to the FD and close the FD.
	61	Prior to v0.4.0, the FD was written after the network configuration (\fB\fC\-c\fR)
	62	but before the API socket configuration (\fB\fC\-a\fR).
	63
	64	.PP
	65	\fB\fC\-m\fR, \fB\fC\-\-mtu=MTU\fR (since v0.2.0)
62	66	specify MTU (max=65521).
63	67
64	68	.PP
65		\fB\-6\fP, \fB\-\-enable\-ipv6\fP (since v0.2.0, EXPERIMENTAL)
	69	\fB\fC\-6\fR, \fB\fC\-\-enable\-ipv6\fR (since v0.2.0, EXPERIMENTAL)
66	70	enable IPv6
67	71
68	72	.PP
69		\fB\-a\fP, \fB\-\-api\-socket\fP (since v0.3.0)
	73	\fB\fC\-a\fR, \fB\fC\-\-api\-socket\fR (since v0.3.0)
70	74	API socket path
71	75
72	76	.PP
73		\fB\-\-cidr\fP (since v0.3.0)
	77	\fB\fC\-\-cidr\fR (since v0.3.0)
74	78	specify CIDR, e.g. 10.0.2.0/24
75	79
76	80	.PP
77		\fB\-\-disable\-host\-loopback\fP (since v0.3.0)
	81	\fB\fC\-\-disable\-host\-loopback\fR (since v0.3.0)
78	82	prohibit connecting to 127.0.0.1:* on the host namespace
79	83
80	84	.PP
81		\fB\-\-netns\-type=TYPE\fP (since v0.4.0)
	85	\fB\fC\-\-netns\-type=TYPE\fR (since v0.4.0)
82	86	specify network namespace type ([path\|pid], default=pid)
83	87
84	88	.PP
85		\fB\-\-userns\-path=PATH\fP (since v0.4.0)
	89	\fB\fC\-\-userns\-path=PATH\fR (since v0.4.0)
86	90	specify user namespace path
87	91
88	92	.PP
89		\fB\-\-enable\-sandbox\fP (since v0.4.0)
	93	\fB\fC\-\-enable\-sandbox\fR (since v0.4.0)
90	94	enter the user namespace and create a new mount namespace where only /etc and
91	95	/run are mounted from the host.
92	96
93	97	.PP
94		Requires \fB/etc/resolv.conf\fP not to be a symlink to a file outside /etc and /run.
	98	Requires \fB\fC/etc/resolv.conf\fR not to be a symlink to a file outside /etc and /run.
95	99
96	100	.PP
97	101	When running as the root, the process does not enter the user namespace but all
98	102	the capabilities except \fB\fCCAP\_NET\_BIND\_SERVICE\fR are dropped.
99	103
100	104	.PP
101		\fB\-\-enable\-seccomp\fP (since v0.4.0, EXPERIMENTAL)
102		enable \fBseccomp(2)\fP to limit syscalls.
103		Typically used in conjunction with \fB\-\-enable\-sandbox\fP\&.
104
105		.PP
106		\fB\-h\fP, \fB\-\-help\fP (since v0.2.0)
	105	\fB\fC\-\-enable\-seccomp\fR (since v0.4.0, EXPERIMENTAL)
	106	enable \fB\fCseccomp(2)\fR to limit syscalls.
	107	Typically used in conjunction with \fB\fC\-\-enable\-sandbox\fR\&.
	108
	109	.PP
	110	\fB\fC\-\-outbound\-addr=IPv4\fR (since v1.1.0, EXPERIMENTAL)
	111	specify outbound ipv4 address slirp should bind to
	112
	113	.PP
	114	\fB\fC\-\-outbound\-addr=INTERFACE\fR (since v1.1.0, EXPERIMENTAL)
	115	specify outbound interface slirp should bind to (ipv4 traffic only)
	116
	117	.PP
	118	\fB\fC\-\-outbound\-addr=IPv6\fR (since v1.1.0, EXPERIMENTAL)
	119	specify outbound ipv6 address slirp should bind to
	120
	121	.PP
	122	\fB\fC\-\-outbound\-addr6=INTERFACE\fR (since v1.1.0, EXPERIMENTAL)
	123	specify outbound interface slirp should bind to (ipv6 traffic only)
	124
	125	.PP
	126	\fB\fC\-\-disable\-dns\fR (since v1.1.0)
	127	disable built\-in DNS (10.0.2.3 by default)
	128
	129	.PP
	130	\fB\fC\-\-macaddress\fR (since v1.1.9)
	131	specify MAC address of the TAP interface (only valid with \-c)
	132
	133	.PP
	134	\fB\fC\-\-target\-type=TYPE\fR (since v1.2.0)
	135	specify the target type ([netns\|bess], default=netns).
	136
	137	.PP
	138	The \fB\fCbess\fR mode (since v1.2.0, EXPERIMENTAL) is expected to be used with User Mode Linux.
	139	The \fB\fCbess\fR mode conflicts with \fB\fC\-\-configure\fR, \fB\fC\-\-netns\-type\fR, and \fB\fC\-\-userns\-path\fR\&.
	140
	141	.PP
	142	\fB\fC\-h\fR, \fB\fC\-\-help\fR (since v0.2.0)
107	143	show help and exit
108	144
109	145	.PP
110		\fB\-v\fP, \fB\-\-version\fP (since v0.2.0)
	146	\fB\fC\-v\fR, \fB\fC\-\-version\fR (since v0.2.0)
111	147	show version and exit
112	148
113	149
114	150	.SH EXAMPLE
115	151	.PP
116		Terminal 1: Create user/network/mount namespaces
117
118		.PP
119		.RS
120
121		.nf
122		$ unshare \-\-user \-\-map\-root\-user \-\-net \-\-mount
123		unshared$ echo $$ > /tmp/pid
124
125		.fi
126		.RE
127
128		.PP
129		Terminal 2: Start slirp4netns
130
131		.PP
132		.RS
133
134		.nf
135		$ slirp4netns \-\-configure \-\-mtu=65520 $(cat /tmp/pid) tap0
	152	\fBTerminal 1\fP: Create user/network/mount namespaces
	153
	154	.PP
	155	.RS
	156
	157	.nf
	158	(host)$ unshare \-\-user \-\-map\-root\-user \-\-net \-\-mount
	159	(namespace)$ echo $$ > /tmp/pid
	160
	161	.fi
	162	.RE
	163
	164	.PP
	165	In this documentation, we use \fB\fC(host)$\fR as the prompt of the host shell, \fB\fC(namespace)$\fR as the prompt of the shell running in the namespaces.
	166
	167	.PP
	168	If \fB\fCunshare\fR fails, try the following commands (known to be needed on Debian, Arch, and old CentOS 7.X):
	169
	170	.PP
	171	.RS
	172
	173	.nf
	174	(host)$ sudo sh \-c 'echo "user.max\_user\_namespaces=28633" >> /etc/sysctl.d/userns.conf'
	175	(host)$ if [ \-f /proc/sys/kernel/unprivileged\_userns\_clone ]; then sudo sh \-c 'echo "kernel.unprivileged\_userns\_clone=1" >> /etc/sysctl.d/userns.conf'; fi
	176	(host)$ sudo sysctl \-\-system
	177
	178	.fi
	179	.RE
	180
	181	.PP
	182	\fBTerminal 2\fP: Start slirp4netns
	183
	184	.PP
	185	.RS
	186
	187	.nf
	188	(host)$ slirp4netns \-\-configure \-\-mtu=65520 $(cat /tmp/pid) tap0
136	189	starting slirp, MTU=65520
137	190	...
138	191

140	193	.RE
141	194
142	195	.PP
143		Terminal 1: Make sure \fBtap0\fP is configured and connected to the Internet
144
145		.PP
146		.RS
147
148		.nf
149		unshared$ ip a
	196	\fBTerminal 1\fP: Make sure \fB\fCtap0\fR is configured and connected to the Internet
	197
	198	.PP
	199	.RS
	200
	201	.nf
	202	(namespace)$ ip a
150	203	1: lo: <LOOPBACK> mtu 65536 qdisc noop state DOWN group default qlen 1000
151	204	link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
152	205	3: tap0: <BROADCAST,UP,LOWER\_UP> mtu 65520 qdisc fq\_codel state UNKNOWN group default qlen 1000

155	208	valid\_lft forever preferred\_lft forever
156	209	inet6 fe80::c028:cff:fe0e:2906/64 scope link
157	210	valid\_lft forever preferred\_lft forever
158		unshared$ echo "nameserver 10.0.2.3" > /tmp/resolv.conf
159		unshared$ mount \-\-bind /tmp/resolv.conf /etc/resolv.conf
160		unshared$ curl https://example.com
161
162		.fi
163		.RE
164
165		.PP
166		Bind\-mounting \fB/etc/resolv.conf\fP is only needed when \fB/etc/resolv.conf\fP on
167		the host refers to loopback addresses (\fB127.0.0.X\fP, typically because of
168		\fBdnsmasq\fP(8) or \fBsystemd\-resolved.service\fP(8)) that cannot be accessed from
169		the namespace.
170
171		.PP
172		If your \fB/etc/resolv.conf\fP on the host is managed by \fBnetworkmanager\fP(8)
173		or \fBsystemd\-resolved.service\fP(8), you might need to mount a new filesystem on
174		\fB/etc\fP instead, so as to prevent the new \fB/etc/resolv.conf\fP from being
175		unmounted unexpectedly when \fB/etc/resolv.conf\fP on the host is regenerated.
176
177		.PP
178		.RS
179
180		.nf
181		unshared$ mkdir /tmp/a /tmp/b
182		unshared$ mount \-\-rbind /etc /tmp/a
183		unshared$ mount \-\-rbind /tmp/b /etc
184		unshared$ mkdir /etc/.ro
185		unshared$ mount \-\-move /tmp/a /etc/.ro
186		unshared$ cd /etc
187		unshared$ for f in .ro/*; do ln \-s $f $(basename $f); done
188		unshared$ rm resolv.conf
189		unshared$ echo "nameserver 10.0.2.3" > /tmp/resolv.conf
190		unshared$ curl https://example.com
	211	(namespace)$ echo "nameserver 10.0.2.3" > /tmp/resolv.conf
	212	(namespace)$ mount \-\-bind /tmp/resolv.conf /etc/resolv.conf
	213	(namespace)$ curl https://example.com
	214
	215	.fi
	216	.RE
	217
	218	.PP
	219	Bind\-mounting \fB\fC/etc/resolv.conf\fR is only needed when \fB\fC/etc/resolv.conf\fR on
	220	the host refers to loopback addresses (\fB\fC127.0.0.X\fR, typically \fB\fCdnsmasq(8)\fR
	221	or \fB\fCsystemd\-resolved.service(8)\fR) that cannot be accessed from the namespace.
	222
	223	.PP
	224	If your \fB\fC/etc/resolv.conf\fR on the host is managed by \fB\fCnetworkmanager(8)\fR
	225	or \fB\fCsystemd\-resolved.service(8)\fR, you might need to mount a new filesystem on
	226	\fB\fC/etc\fR instead, so as to prevent the new \fB\fC/etc/resolv.conf\fR from being
	227	unmounted unexpectedly when \fB\fC/etc/resolv.conf\fR on the host is regenerated.
	228
	229	.PP
	230	.RS
	231
	232	.nf
	233	(namespace)$ mkdir /tmp/a /tmp/b
	234	(namespace)$ mount \-\-rbind /etc /tmp/a
	235	(namespace)$ mount \-\-rbind /tmp/b /etc
	236	(namespace)$ mkdir /etc/.ro
	237	(namespace)$ mount \-\-move /tmp/a /etc/.ro
	238	(namespace)$ cd /etc
	239	(namespace)$ for f in .ro/*; do ln \-s $f $(basename $f); done
	240	(namespace)$ rm resolv.conf
	241	(namespace)$ echo "nameserver 10.0.2.3" > resolv.conf
	242	(namespace)$ curl https://example.com
	243
	244	.fi
	245	.RE
	246
	247	.PP
	248	These steps can be simplified with \fB\fCrootlesskit \-\-copy\-up=/etc\fR if \fB\fCrootlesskit\fR is installed:
	249
	250	.PP
	251	.RS
	252
	253	.nf
	254	(host)$ rootlesskit \-\-net=slirp4netns \-\-copy\-up=/etc bash
	255	(namespace)$ cat /etc/resolv.conf
	256	nameserver 10.0.2.3
191	257
192	258	.fi
193	259	.RE

195	261
196	262	.SH ROUTING PING PACKETS
197	263	.PP
198		To route ping packets, you need to set up \fBnet.ipv4.ping\_group\_range\fP properly
199		as the root.
	264	To route ping packets, you may need to set up \fB\fCnet.ipv4.ping\_group\_range\fR properly as the root.
200	265
201	266	.PP
202	267	e.g.

205	270	.RS
206	271
207	272	.nf
208		$ sudo sh \-c "echo 0 2147483647 > /proc/sys/net/ipv4/ping\_group\_range"
	273	(host)$ sudo sh \-c 'echo "net.ipv4.ping\_group\_range=0 2147483647" > /etc/sysctl.d/ping\_group\_range.conf'
	274	(host)$ sudo sysctl \-\-system
209	275
210	276	.fi
211	277	.RE

213	279
214	280	.SH FILTERING CONNECTIONS
215	281	.PP
216		By default, ports listening on \fBINADDR\_LOOPBACK\fP (\fB127.0.0.1\fP) on the host are accessible from the child namespace via the gateway (default: \fB10.0.2.2\fP).
217		\fB\-\-disable\-host\-loopback\fP can be used to prohibit connecting to \fBINADDR\_LOOPBACK\fP on the host.
218
219		.PP
220		However, a host loopback address might be still accessible via the built\-in DNS (default: \fB10.0.2.3\fP) if \fB\fC/etc/resolv.conf\fR on the host refers to a loopback address.
	282	By default, ports listening on \fB\fCINADDR\_LOOPBACK\fR (\fB\fC127.0.0.1\fR) on the host are accessible from the child namespace via the gateway (default: \fB\fC10.0.2.2\fR).
	283	\fB\fC\-\-disable\-host\-loopback\fR can be used to prohibit connecting to \fB\fCINADDR\_LOOPBACK\fR on the host.
	284
	285	.PP
	286	However, a host loopback address might be still accessible via the built\-in DNS (default: \fB\fC10.0.2.3\fR) if \fB\fC/etc/resolv.conf\fR on the host refers to a loopback address.
221	287	You may want to set up iptables for limiting access to the built\-in DNS in such a case.
222	288
223	289	.PP
224	290	.RS
225	291
226	292	.nf
227		unshared$ iptables \-A OUTPUT \-d 10.0.2.3 \-p udp \-\-dport 53 \-j ACCEPT
228		unshared$ iptables \-A OUTPUT \-d 10.0.2.3 \-j DROP
	293	(host)$ nsenter \-t $(cat /tmp/pid) \-U \-\-preserve\-credentials \-n
	294	(namespace)$ iptables \-A OUTPUT \-d 10.0.2.3 \-p udp \-\-dport 53 \-j ACCEPT
	295	(namespace)$ iptables \-A OUTPUT \-d 10.0.2.3 \-j DROP
229	296
230	297	.fi
231	298	.RE

239	306	.RS
240	307
241	308	.nf
242		$ slirp4netns \-\-api\-socket /tmp/slirp4netns.sock ...
243
244		.fi
245		.RE
246
247		.PP
248		\fBadd\_hostfwd\fP: Expose a port (IPv4 only)
249
250		.PP
251		.RS
252
253		.nf
254		$ json='{"execute": "add\_hostfwd", "arguments": {"proto": "tcp", "host\_addr": "0.0.0.0", "host\_port": 8080, "guest\_addr": "10.0.2.100", "guest\_port": 80}}'
255		$ echo \-n $json \| nc \-U /tmp/slirp4netns.sock
256		{ "return": {"id": 42}}
257
258		.fi
259		.RE
260
261		.PP
262		If \fBhost\_addr\fP is not specified, then it defaults to "0.0.0.0".
263
264		.PP
265		If \fBguest\_addr\fP is not specified, then it will be set to the default address that corresponds to \-\-configure.
266
267		.PP
268		\fBlist\_hostfwd\fP: List exposed ports
269
270		.PP
271		.RS
272
273		.nf
274		$ json='{"execute": "list\_hostfwd"}'
275		$ echo \-n $json \| nc \-U /tmp/slirp4netns.sock
276		{ "return": {"entries": [{"id": 42, "proto": "tcp", "host\_addr": "0.0.0.0", "host\_port": 8080, "guest\_addr": "10.0.2.100", "guest\_port": 80}]}}
277
278		.fi
279		.RE
280
281		.PP
282		\fBremove\_hostfwd\fP: Remove an exposed port
283
284		.PP
285		.RS
286
287		.nf
288		$ json='{"execute": "remove\_hostfwd", "arguments": {"id": 42}}'
289		$ echo \-n $json \| nc \-U /tmp/slirp4netns.sock
290		{ "return": {}}
	309	(host)$ slirp4netns \-\-api\-socket /tmp/slirp4netns.sock ...
	310
	311	.fi
	312	.RE
	313
	314	.PP
	315	\fB\fCadd\_hostfwd\fR: Expose a port (IPv4 only)
	316
	317	.PP
	318	.RS
	319
	320	.nf
	321	(namespace)$ json='{"execute": "add\_hostfwd", "arguments": {"proto": "tcp", "host\_addr": "0.0.0.0", "host\_port": 8080, "guest\_addr": "10.0.2.100", "guest\_port": 80}}'
	322	(namespace)$ echo \-n $json \| nc \-U /tmp/slirp4netns.sock
	323	{"return": {"id": 42}}
	324
	325	.fi
	326	.RE
	327
	328	.PP
	329	If \fB\fChost\_addr\fR is not specified, then it defaults to "0.0.0.0".
	330
	331	.PP
	332	If \fB\fCguest\_addr\fR is not specified, then it will be set to the default address that corresponds to \fB\fC\-\-configure\fR\&.
	333
	334	.PP
	335	\fB\fClist\_hostfwd\fR: List exposed ports
	336
	337	.PP
	338	.RS
	339
	340	.nf
	341	(namespace)$ json='{"execute": "list\_hostfwd"}'
	342	(namespace)$ echo \-n $json \| nc \-U /tmp/slirp4netns.sock
	343	{"return": {"entries": [{"id": 42, "proto": "tcp", "host\_addr": "0.0.0.0", "host\_port": 8080, "guest\_addr": "10.0.2.100", "guest\_port": 80}]}}
	344
	345	.fi
	346	.RE
	347
	348	.PP
	349	\fB\fCremove\_hostfwd\fR: Remove an exposed port
	350
	351	.PP
	352	.RS
	353
	354	.nf
	355	(namespace)$ json='{"execute": "remove\_hostfwd", "arguments": {"id": 42}}'
	356	(namespace)$ echo \-n $json \| nc \-U /tmp/slirp4netns.sock
	357	{"return": {}}
291	358
292	359	.fi
293	360	.RE

297	364
298	365	.RS
299	366	.IP \(bu 2
300		Client needs to \fBshutdown(2)\fP the socket with \fBSHUT\_WR\fP after sending every request.
	367	Client needs to \fB\fCshutdown(2)\fR the socket with \fB\fCSHUT\_WR\fR after sending every request.
301	368	i.e. No support for keep\-alive and timeout.
302	369	.IP \(bu 2
303	370	slirp4netns "stops the world" during processing API requests.
304	371	.IP \(bu 2
305	372	A request must be less than 4096 bytes.
306	373	.IP \(bu 2
307		JSON responses may contain \fBerror\fP instead of \fBreturn\fP\&.
	374	JSON responses may contain \fB\fCerror\fR instead of \fB\fCreturn\fR\&.
308	375
309	376	.RE
310	377

317	384	.RS
318	385
319	386	.nf
320		$ slirp4netns \-\-netns\-type=path ... /path/to/netns tap0
321
322		.fi
323		.RE
324
325		.PP
326		Currently, the \fBnetns\-type=TYPE\fP argument supports \fBpath\fP or \fBpid\fP args with the default being \fBpid\fP\&.
327
328		.PP
329		Additionally, a \fB\-\-userns\-path=PATH\fP argument can be included to override any user namespace path defaults
330
331		.PP
332		.RS
333
334		.nf
335		$ slirp4netns \-\-netns\-type=path \-\-userns\-path=/path/to/userns /path/to/netns tap0
336
337		.fi
338		.RE
	387	(host)$ slirp4netns \-\-netns\-type=path ... /path/to/netns tap0
	388
	389	.fi
	390	.RE
	391
	392	.PP
	393	Currently, the \fB\fCnetns\-type=TYPE\fR argument supports \fB\fCpath\fR or \fB\fCpid\fR args with the default being \fB\fCpid\fR\&.
	394
	395	.PP
	396	Additionally, a \fB\fC\-\-userns\-path=PATH\fR argument can be included to override any user namespace path defaults
	397
	398	.PP
	399	.RS
	400
	401	.nf
	402	(host)$ slirp4netns \-\-netns\-type=path \-\-userns\-path=/path/to/userns /path/to/netns tap0
	403
	404	.fi
	405	.RE
	406
	407
	408	.SH OUTBOUND ADDRESSES
	409	.PP
	410	A user can defined preferred outbound ipv4 and ipv6 address in multi IP scenarios.
	411
	412	.PP
	413	.RS
	414
	415	.nf
	416	(host)$ slirp4netns \-\-outbound\-addr=10.2.2.10 \-\-outbound\-addr6=fe80::10 ...
	417
	418	.fi
	419	.RE
	420
	421	.PP
	422	Optionally you can use interface names instead of ip addresses.
	423
	424	.PP
	425	.RS
	426
	427	.nf
	428	(host)$ slirp4netns \-\-outbound\-addr=eth0 \-\-outbound\-addr6=eth0 ...
	429
	430	.fi
	431	.RE
	432
	433
	434	.SH INTER\-NAMESPACE COMMUNICATION
	435	.PP
	436	The easiest way to allow inter\-namespace communication is to nest network namespaces inside the slirp4netns's network namespace.
	437
	438	.PP
	439	.RS
	440
	441	.nf
	442	(host)$ nsenter \-t $(cat /tmp/pid) \-U \-\-preserve\-credentials \-n \-m
	443	(namespace)$ mount \-t tmpfs none /run
	444	(namespace)$ ip netns add foo
	445	(namespace)$ ip netns add bar
	446	(namespace)$ ip link add veth\-foo type veth peer name veth\-bar
	447	(namespace)$ ip link set veth\-foo netns foo
	448	(namespace)$ ip link set veth\-bar netns bar
	449	(namespace)$ ip netns exec foo ip link set veth\-foo name eth0
	450	(namespace)$ ip netns exec bar ip link set veth\-bar name eth0
	451	(namespace)$ ip netns exec foo ip link set lo up
	452	(namespace)$ ip netns exec bar ip link set lo up
	453	(namespace)$ ip netns exec foo ip link set eth0 up
	454	(namespace)$ ip netns exec bar ip link set eth0 up
	455	(namespace)$ ip netns exec foo ip addr add 192.168.42.100/24 dev eth0
	456	(namespace)$ ip netns exec bar ip addr add 192.168.42.101/24 dev eth0
	457	(namespace)$ ip netns exec bar ping 192.168.42.100
	458
	459	.fi
	460	.RE
	461
	462	.PP
	463	However, this method does not work when you want to allow communication across multiple slirp4netns instances.
	464	To allow communication across multiple slirp4netns instances, you need to combine another network stack such as
	465	\fB\fCvde\_plug(1)\fR with slirp4netns.
	466
	467	.PP
	468	.RS
	469
	470	.nf
	471	(host)$ vde\_plug \-\-daemon switch:///tmp/switch null://
	472	(host)$ nsenter \-t $(cat /tmp/pid\-instance0) \-U \-\-preserve\-credentials \-n
	473	(namespace\-instance0)$ vde\_plug \-\-daemon vde:///tmp/switch tap://vde
	474	(namespace\-instance0)$ ip link set vde up
	475	(namespace\-instance0)$ ip addr add 192.168.42.100/24 dev vde
	476	(namespace\-instance0)$ exit
	477	(host)$ nsenter \-t $(cat /tmp/pid\-instance1) \-U \-\-preserve\-credentials \-n
	478	(namespace\-instance1)$ vde\_plug \-\-daemon vde:///tmp/switch tap://vde
	479	(namespace\-instance1)$ ip link set vde up
	480	(namespace\-instance1)$ ip addr add 192.168.42.101/24 dev vde
	481	(namespace\-instance1)$ ping 192.168.42.100
	482
	483	.fi
	484	.RE
	485
	486
	487	.SH INTER\-HOST COMMUNICATION
	488	.PP
	489	VXLAN is known to work.
	490	See Usernetes project for the example of multi\-node rootless Kubernetes cluster with VXLAN: \fB\fChttps://github.com/rootless\-containers/usernetes\fR
	491
	492
	493	.SH BESS MODE (FOR USER MODE LINUX)
	494	.PP
	495	slirp4netns (since v1.2.0) can be also used as a BESS\-compatible server to provide network connectivity to User Mode Linux.
	496
	497	.PP
	498	\fBTerminal 1\fP: Start slirp4netns
	499
	500	.PP
	501	.RS
	502
	503	.nf
	504	(host)$ slirp4netns \-\-target\-type=bess /tmp/bess.sock
	505
	506	.fi
	507	.RE
	508
	509	.PP
	510	\fBTerminal 2\fP: Start User Mode Linux
	511
	512	.PP
	513	.RS
	514
	515	.nf
	516	(host)$ linux.uml vec0:transport=bess,dst=/tmp/bess.sock,depth=128,gro=1 root=/dev/root rootfstype=hostfs init=/bin/bash mem=2G
	517	(UML)$ ip addr add 10.0.2.100/24 dev vec0
	518	(UML)$ ip link set vec0 up
	519	(UML)$ ip route add default via 10.0.2.2
	520
	521	.fi
	522	.RE
	523
	524	.PP
	525	Currently, only a single instance of User Mode Linux can be connected to the slirp4netns BESS server.
	526
	527	.PP
	528	See also User Mode Linux documentation: \fB\fChttps://www.kernel.org/doc/html/latest/virt/uml/user\_mode\_linux\_howto\_v2.html#bess\-socket\-transport\fR
339	529
340	530
341	531	.SH BUGS
342	532	.PP
343		Kernel 4.20 bumped up the default value of \fB/proc/sys/net/ipv4/tcp\_rmem\fP from 87380 to 131072.
344		This is known to slow down slirp4netns port forwarding: \fBhttps://github.com/rootless\-containers/slirp4netns/issues/128\fP\&.
345
346		.PP
347		As a workaround, you can adjust the value of \fB/proc/sys/net/ipv4/tcp\_rmem\fP inside the namespace.
	533	Kernel 4.20 bumped up the default value of \fB\fC/proc/sys/net/ipv4/tcp\_rmem\fR from 87380 to 131072.
	534	This is known to slow down slirp4netns port forwarding: \fB\fChttps://github.com/rootless\-containers/slirp4netns/issues/128\fR\&.
	535
	536	.PP
	537	As a workaround, you can adjust the value of \fB\fC/proc/sys/net/ipv4/tcp\_rmem\fR inside the namespace.
348	538	No real root privilege is needed to modify the file since kernel 4.15.
349	539
350	540	.PP
351	541	.RS
352	542
353	543	.nf
354		unshared$ c=$(cat /proc/sys/net/ipv4/tcp\_rmem); echo $c \| sed \-e s/131072/87380/g > /proc/sys/net/ipv4/tcp\_rmem
	544	(host)$ nsenter \-t $(cat /tmp/pid) \-U \-\-preserve\-credentials \-n \-m
	545	(namespace)$ c=$(cat /proc/sys/net/ipv4/tcp\_rmem); echo $c \| sed \-e s/131072/87380/g > /proc/sys/net/ipv4/tcp\_rmem
355	546
356	547	.fi
357	548	.RE

359	550
360	551	.SH SEE ALSO
361	552	.PP
362		\fBnetwork\_namespaces\fP(7), \fBuser\_namespaces\fP(7), \fBveth\fP(4)
	553	\fB\fCnetwork\_namespaces(7)\fR, \fB\fCuser\_namespaces(7)\fR, \fB\fCveth(4)\fR
363	554
364	555
365	556	.SH AVAILABILITY
366	557	.PP
367		The slirp4netns command is available from \fBhttps://github.com/rootless\-containers/slirp4netns\fP under GNU GENERAL PUBLIC LICENSE Version 2 (or later).
	558	The slirp4netns command is available from \fB\fChttps://github.com/rootless\-containers/slirp4netns\fR under GNU GENERAL PUBLIC LICENSE Version 2 (or later).

+251

-122

slirp4netns.1.md less more

0		SLIRP4NETNS 1 "March 2020" "Rootless Containers" "User Commands"
	0	SLIRP4NETNS 1 "January 2022" "Rootless Containers" "User Commands"
1	1	==================================================
2	2
3	3	# NAME

6	6
7	7	# SYNOPSIS
8	8
9		slirp4netns [OPTION]... PID\|PATH TAPNAME
	9	slirp4netns [OPTION]... PID\|PATH [TAPNAME]
10	10
11	11	# DESCRIPTION
12	12
13	13	slirp4netns provides user-mode networking ("slirp") for network namespaces.
14	14
15		Unlike veth(4), slirp4netns does not require the root privileges on the host.
	15	Unlike `veth(4)`, slirp4netns does not require the root privileges on the host.
16	16
17	17	Default configuration:
18	18

20	20	* CIDR: 10.0.2.0/24
21	21	* Gateway/Host: 10.0.2.2 (network address + 2)
22	22	* DNS: 10.0.2.3 (network address + 3)
	23	* DHCP begin: 10.0.2.15 (network address + 15)
	24	* DHCP end: 10.0.2.30 (network address + 30)
23	25	* IPv6 CIDR: fd00::/64
24	26	* IPv6 Gateway/Host: fd00::2
25	27	* IPv6 DNS: fd00::3
26	28
27	29	# OPTIONS
28	30
29		-c, --configure
	31	`-c`, `--configure`
30	32	bring up the TAP interface. IP will be set to 10.0.2.100 (network address + 100) by default. IPv6 will be set to a random address.
31		Starting with v0.4.0, the loopback interface (lo) is brought up as well.
32
33		-e, --exit-fd=FD
	33	Starting with v0.4.0, the loopback interface (`lo`) is brought up as well.
	34
	35	`-e`, `--exit-fd=FD`
34	36	specify the FD for terminating slirp4netns.
35		When the FD is specified, slirp4netns exits when a poll(2) event happens on the FD.
36
37		-r, --ready-fd=FD
	37	When the FD is specified, slirp4netns exits when a `poll(2)` event happens on the FD.
	38
	39	`-r`, `--ready-fd=FD`
38	40	specify the FD to write to when the initialization steps are finished.
39		When the FD is specified, slirp4netns writes "1" to the FD and close the FD.
40		Prior to v0.4.0, the FD was written after the network configuration (-c)
41		but before the API socket configuration (-a).
42
43		-m, --mtu=MTU (since v0.2.0)
	41	When the FD is specified, slirp4netns writes `"1"` to the FD and close the FD.
	42	Prior to v0.4.0, the FD was written after the network configuration (`-c`)
	43	but before the API socket configuration (`-a`).
	44
	45	`-m`, `--mtu=MTU` (since v0.2.0)
44	46	specify MTU (max=65521).
45	47
46		-6, --enable-ipv6 (since v0.2.0, EXPERIMENTAL)
	48	`-6`, `--enable-ipv6` (since v0.2.0, EXPERIMENTAL)
47	49	enable IPv6
48	50
49		-a, --api-socket (since v0.3.0)
	51	`-a`, `--api-socket` (since v0.3.0)
50	52	API socket path
51	53
52		--cidr (since v0.3.0)
	54	`--cidr` (since v0.3.0)
53	55	specify CIDR, e.g. 10.0.2.0/24
54	56
55		--disable-host-loopback (since v0.3.0)
	57	`--disable-host-loopback` (since v0.3.0)
56	58	prohibit connecting to 127.0.0.1:\* on the host namespace
57	59
58		--netns-type=TYPE (since v0.4.0)
	60	`--netns-type=TYPE` (since v0.4.0)
59	61	specify network namespace type ([path\|pid], default=pid)
60	62
61		--userns-path=PATH (since v0.4.0)
	63	`--userns-path=PATH` (since v0.4.0)
62	64	specify user namespace path
63	65
64		--enable-sandbox (since v0.4.0)
	66	`--enable-sandbox` (since v0.4.0)
65	67	enter the user namespace and create a new mount namespace where only /etc and
66	68	/run are mounted from the host.
67	69
68		Requires /etc/resolv.conf not to be a symlink to a file outside /etc and /run.
	70	Requires `/etc/resolv.conf` not to be a symlink to a file outside /etc and /run.
69	71
70	72	When running as the root, the process does not enter the user namespace but all
71	73	the capabilities except `CAP_NET_BIND_SERVICE` are dropped.
72	74
73		--enable-seccomp (since v0.4.0, EXPERIMENTAL)
74		enable seccomp(2) to limit syscalls.
75		Typically used in conjunction with --enable-sandbox.
76
77		-h, --help (since v0.2.0)
	75	`--enable-seccomp` (since v0.4.0, EXPERIMENTAL)
	76	enable `seccomp(2)` to limit syscalls.
	77	Typically used in conjunction with `--enable-sandbox`.
	78
	79	`--outbound-addr=IPv4` (since v1.1.0, EXPERIMENTAL)
	80	specify outbound ipv4 address slirp should bind to
	81
	82	`--outbound-addr=INTERFACE` (since v1.1.0, EXPERIMENTAL)
	83	specify outbound interface slirp should bind to (ipv4 traffic only)
	84
	85	`--outbound-addr=IPv6` (since v1.1.0, EXPERIMENTAL)
	86	specify outbound ipv6 address slirp should bind to
	87
	88	`--outbound-addr6=INTERFACE` (since v1.1.0, EXPERIMENTAL)
	89	specify outbound interface slirp should bind to (ipv6 traffic only)
	90
	91	`--disable-dns` (since v1.1.0)
	92	disable built-in DNS (10.0.2.3 by default)
	93
	94	`--macaddress` (since v1.1.9)
	95	specify MAC address of the TAP interface (only valid with -c)
	96
	97	`--target-type=TYPE` (since v1.2.0)
	98	specify the target type ([netns\|bess], default=netns).
	99
	100	The `bess` mode (since v1.2.0, EXPERIMENTAL) is expected to be used with User Mode Linux.
	101	The `bess` mode conflicts with `--configure`, `--netns-type`, and `--userns-path`.
	102
	103	`-h`, `--help` (since v0.2.0)
78	104	show help and exit
79	105
80		-v, --version (since v0.2.0)
	106	`-v`, `--version` (since v0.2.0)
81	107	show version and exit
82	108
	109
83	110	# EXAMPLE
84	111
85		Terminal 1: Create user/network/mount namespaces
86		```console
87		$ unshare --user --map-root-user --net --mount
88		unshared$ echo $$ > /tmp/pid
89		```
90
91		Terminal 2: Start slirp4netns
92		```console
93		$ slirp4netns --configure --mtu=65520 $(cat /tmp/pid) tap0
	112	Terminal 1: Create user/network/mount namespaces
	113
	114	```console
	115	(host)$ unshare --user --map-root-user --net --mount
	116	(namespace)$ echo $$ > /tmp/pid
	117	```
	118
	119	In this documentation, we use `(host)$` as the prompt of the host shell, `(namespace)$` as the prompt of the shell running in the namespaces.
	120
	121	If `unshare` fails, try the following commands (known to be needed on Debian, Arch, and old CentOS 7.X):
	122
	123	```console
	124	(host)$ sudo sh -c 'echo "user.max_user_namespaces=28633" >> /etc/sysctl.d/userns.conf'
	125	(host)$ if [ -f /proc/sys/kernel/unprivileged_userns_clone ]; then sudo sh -c 'echo "kernel.unprivileged_userns_clone=1" >> /etc/sysctl.d/userns.conf'; fi
	126	(host)$ sudo sysctl --system
	127	```
	128
	129	Terminal 2: Start slirp4netns
	130
	131	```console
	132	(host)$ slirp4netns --configure --mtu=65520 $(cat /tmp/pid) tap0
94	133	starting slirp, MTU=65520
95	134	...
96	135	```
97	136
98		Terminal 1: Make sure tap0 is configured and connected to the Internet
99		```console
100		unshared$ ip a
	137	Terminal 1: Make sure `tap0` is configured and connected to the Internet
	138
	139	```console
	140	(namespace)$ ip a
101	141	1: lo: <LOOPBACK> mtu 65536 qdisc noop state DOWN group default qlen 1000
102	142	link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
103	143	3: tap0: <BROADCAST,UP,LOWER_UP> mtu 65520 qdisc fq_codel state UNKNOWN group default qlen 1000

106	146	valid_lft forever preferred_lft forever
107	147	inet6 fe80::c028:cff:fe0e:2906/64 scope link
108	148	valid_lft forever preferred_lft forever
109		unshared$ echo "nameserver 10.0.2.3" > /tmp/resolv.conf
110		unshared$ mount --bind /tmp/resolv.conf /etc/resolv.conf
111		unshared$ curl https://example.com
112		```
113
114		Bind-mounting /etc/resolv.conf is only needed when /etc/resolv.conf on
115		the host refers to loopback addresses (127.0.0.X, typically because of
116		dnsmasq(8) or systemd-resolved.service(8)) that cannot be accessed from
117		the namespace.
118
119		If your /etc/resolv.conf on the host is managed by networkmanager(8)
120		or systemd-resolved.service(8), you might need to mount a new filesystem on
121		/etc instead, so as to prevent the new /etc/resolv.conf from being
122		unmounted unexpectedly when /etc/resolv.conf on the host is regenerated.
123
124		```console
125		unshared$ mkdir /tmp/a /tmp/b
126		unshared$ mount --rbind /etc /tmp/a
127		unshared$ mount --rbind /tmp/b /etc
128		unshared$ mkdir /etc/.ro
129		unshared$ mount --move /tmp/a /etc/.ro
130		unshared$ cd /etc
131		unshared$ for f in .ro/*; do ln -s $f $(basename $f); done
132		unshared$ rm resolv.conf
133		unshared$ echo "nameserver 10.0.2.3" > /tmp/resolv.conf
134		unshared$ curl https://example.com
	149	(namespace)$ echo "nameserver 10.0.2.3" > /tmp/resolv.conf
	150	(namespace)$ mount --bind /tmp/resolv.conf /etc/resolv.conf
	151	(namespace)$ curl https://example.com
	152	```
	153
	154	Bind-mounting `/etc/resolv.conf` is only needed when `/etc/resolv.conf` on
	155	the host refers to loopback addresses (`127.0.0.X`, typically `dnsmasq(8)`
	156	or `systemd-resolved.service(8)`) that cannot be accessed from the namespace.
	157
	158	If your `/etc/resolv.conf` on the host is managed by `networkmanager(8)`
	159	or `systemd-resolved.service(8)`, you might need to mount a new filesystem on
	160	`/etc` instead, so as to prevent the new `/etc/resolv.conf` from being
	161	unmounted unexpectedly when `/etc/resolv.conf` on the host is regenerated.
	162
	163	```console
	164	(namespace)$ mkdir /tmp/a /tmp/b
	165	(namespace)$ mount --rbind /etc /tmp/a
	166	(namespace)$ mount --rbind /tmp/b /etc
	167	(namespace)$ mkdir /etc/.ro
	168	(namespace)$ mount --move /tmp/a /etc/.ro
	169	(namespace)$ cd /etc
	170	(namespace)$ for f in .ro/*; do ln -s $f $(basename $f); done
	171	(namespace)$ rm resolv.conf
	172	(namespace)$ echo "nameserver 10.0.2.3" > resolv.conf
	173	(namespace)$ curl https://example.com
	174	```
	175
	176	These steps can be simplified with `rootlesskit --copy-up=/etc` if `rootlesskit` is installed:
	177	```console
	178	(host)$ rootlesskit --net=slirp4netns --copy-up=/etc bash
	179	(namespace)$ cat /etc/resolv.conf
	180	nameserver 10.0.2.3
135	181	```
136	182
137	183	# ROUTING PING PACKETS
138	184
139		To route ping packets, you need to set up net.ipv4.ping_group_range properly
140		as the root.
	185	To route ping packets, you may need to set up `net.ipv4.ping_group_range` properly as the root.
141	186
142	187	e.g.
143	188	```console
144		$ sudo sh -c "echo 0 2147483647 > /proc/sys/net/ipv4/ping_group_range"
	189	(host)$ sudo sh -c 'echo "net.ipv4.ping_group_range=0 2147483647" > /etc/sysctl.d/ping_group_range.conf'
	190	(host)$ sudo sysctl --system
145	191	```
146	192
147	193	# FILTERING CONNECTIONS
148	194
149		By default, ports listening on INADDR_LOOPBACK (127.0.0.1) on the host are accessible from the child namespace via the gateway (default: 10.0.2.2).
150		--disable-host-loopback can be used to prohibit connecting to INADDR_LOOPBACK on the host.
151
152		However, a host loopback address might be still accessible via the built-in DNS (default: 10.0.2.3) if `/etc/resolv.conf` on the host refers to a loopback address.
	195	By default, ports listening on `INADDR_LOOPBACK` (`127.0.0.1`) on the host are accessible from the child namespace via the gateway (default: `10.0.2.2`).
	196	`--disable-host-loopback` can be used to prohibit connecting to `INADDR_LOOPBACK` on the host.
	197
	198	However, a host loopback address might be still accessible via the built-in DNS (default: `10.0.2.3`) if `/etc/resolv.conf` on the host refers to a loopback address.
153	199	You may want to set up iptables for limiting access to the built-in DNS in such a case.
154	200
155	201	```console
156		unshared$ iptables -A OUTPUT -d 10.0.2.3 -p udp --dport 53 -j ACCEPT
157		unshared$ iptables -A OUTPUT -d 10.0.2.3 -j DROP
	202	(host)$ nsenter -t $(cat /tmp/pid) -U --preserve-credentials -n
	203	(namespace)$ iptables -A OUTPUT -d 10.0.2.3 -p udp --dport 53 -j ACCEPT
	204	(namespace)$ iptables -A OUTPUT -d 10.0.2.3 -j DROP
158	205	```
159	206
160	207	# API SOCKET

162	209	slirp4netns can provide QMP-like API server over an UNIX socket file:
163	210
164	211	```console
165		$ slirp4netns --api-socket /tmp/slirp4netns.sock ...
166		```
167
168		add_hostfwd: Expose a port (IPv4 only)
169
170		```console
171		$ json='{"execute": "add_hostfwd", "arguments": {"proto": "tcp", "host_addr": "0.0.0.0", "host_port": 8080, "guest_addr": "10.0.2.100", "guest_port": 80}}'
172		$ echo -n $json \| nc -U /tmp/slirp4netns.sock
173		{ "return": {"id": 42}}
174		```
175
176		If host_addr is not specified, then it defaults to "0.0.0.0".
177
178		If guest_addr is not specified, then it will be set to the default address that corresponds to --configure.
179
180		list_hostfwd: List exposed ports
181
182		```console
183		$ json='{"execute": "list_hostfwd"}'
184		$ echo -n $json \| nc -U /tmp/slirp4netns.sock
185		{ "return": {"entries": [{"id": 42, "proto": "tcp", "host_addr": "0.0.0.0", "host_port": 8080, "guest_addr": "10.0.2.100", "guest_port": 80}]}}
186		```
187
188		remove_hostfwd: Remove an exposed port
189
190		```console
191		$ json='{"execute": "remove_hostfwd", "arguments": {"id": 42}}'
192		$ echo -n $json \| nc -U /tmp/slirp4netns.sock
193		{ "return": {}}
	212	(host)$ slirp4netns --api-socket /tmp/slirp4netns.sock ...
	213	```
	214
	215	`add_hostfwd`: Expose a port (IPv4 only)
	216
	217	```console
	218	(namespace)$ json='{"execute": "add_hostfwd", "arguments": {"proto": "tcp", "host_addr": "0.0.0.0", "host_port": 8080, "guest_addr": "10.0.2.100", "guest_port": 80}}'
	219	(namespace)$ echo -n $json \| nc -U /tmp/slirp4netns.sock
	220	{"return": {"id": 42}}
	221	```
	222
	223	If `host_addr` is not specified, then it defaults to "0.0.0.0".
	224
	225	If `guest_addr` is not specified, then it will be set to the default address that corresponds to `--configure`.
	226
	227	`list_hostfwd`: List exposed ports
	228
	229	```console
	230	(namespace)$ json='{"execute": "list_hostfwd"}'
	231	(namespace)$ echo -n $json \| nc -U /tmp/slirp4netns.sock
	232	{"return": {"entries": [{"id": 42, "proto": "tcp", "host_addr": "0.0.0.0", "host_port": 8080, "guest_addr": "10.0.2.100", "guest_port": 80}]}}
	233	```
	234
	235	`remove_hostfwd`: Remove an exposed port
	236
	237	```console
	238	(namespace)$ json='{"execute": "remove_hostfwd", "arguments": {"id": 42}}'
	239	(namespace)$ echo -n $json \| nc -U /tmp/slirp4netns.sock
	240	{"return": {}}
194	241	```
195	242
196	243	Remarks:
197	244
198		* Client needs to shutdown(2) the socket with SHUT_WR after sending every request.
	245	* Client needs to `shutdown(2)` the socket with `SHUT_WR` after sending every request.
199	246	i.e. No support for keep-alive and timeout.
200	247	* slirp4netns "stops the world" during processing API requests.
201	248	* A request must be less than 4096 bytes.
202		* JSON responses may contain error instead of return.
	249	* JSON responses may contain `error` instead of `return`.
203	250
204	251	# DEFINED NAMESPACE PATHS
205	252	A user can define a network namespace path as opposed to the default process ID:
206	253
207	254	```console
208		$ slirp4netns --netns-type=path ... /path/to/netns tap0
209		```
210		Currently, the netns-type=TYPE argument supports path or pid args with the default being pid.
211
212		Additionally, a --userns-path=PATH argument can be included to override any user namespace path defaults
213		```console
214		$ slirp4netns --netns-type=path --userns-path=/path/to/userns /path/to/netns tap0
215		```
	255	(host)$ slirp4netns --netns-type=path ... /path/to/netns tap0
	256	```
	257	Currently, the `netns-type=TYPE` argument supports `path` or `pid` args with the default being `pid`.
	258
	259	Additionally, a `--userns-path=PATH` argument can be included to override any user namespace path defaults
	260	```console
	261	(host)$ slirp4netns --netns-type=path --userns-path=/path/to/userns /path/to/netns tap0
	262	```
	263
	264	# OUTBOUND ADDRESSES
	265	A user can defined preferred outbound ipv4 and ipv6 address in multi IP scenarios.
	266
	267	```console
	268	(host)$ slirp4netns --outbound-addr=10.2.2.10 --outbound-addr6=fe80::10 ...
	269	```
	270
	271	Optionally you can use interface names instead of ip addresses.
	272
	273	```console
	274	(host)$ slirp4netns --outbound-addr=eth0 --outbound-addr6=eth0 ...
	275	```
	276
	277	# INTER-NAMESPACE COMMUNICATION
	278
	279	The easiest way to allow inter-namespace communication is to nest network namespaces inside the slirp4netns's network namespace.
	280
	281	```console
	282	(host)$ nsenter -t $(cat /tmp/pid) -U --preserve-credentials -n -m
	283	(namespace)$ mount -t tmpfs none /run
	284	(namespace)$ ip netns add foo
	285	(namespace)$ ip netns add bar
	286	(namespace)$ ip link add veth-foo type veth peer name veth-bar
	287	(namespace)$ ip link set veth-foo netns foo
	288	(namespace)$ ip link set veth-bar netns bar
	289	(namespace)$ ip netns exec foo ip link set veth-foo name eth0
	290	(namespace)$ ip netns exec bar ip link set veth-bar name eth0
	291	(namespace)$ ip netns exec foo ip link set lo up
	292	(namespace)$ ip netns exec bar ip link set lo up
	293	(namespace)$ ip netns exec foo ip link set eth0 up
	294	(namespace)$ ip netns exec bar ip link set eth0 up
	295	(namespace)$ ip netns exec foo ip addr add 192.168.42.100/24 dev eth0
	296	(namespace)$ ip netns exec bar ip addr add 192.168.42.101/24 dev eth0
	297	(namespace)$ ip netns exec bar ping 192.168.42.100
	298	```
	299
	300	However, this method does not work when you want to allow communication across multiple slirp4netns instances.
	301	To allow communication across multiple slirp4netns instances, you need to combine another network stack such as
	302	`vde_plug(1)` with slirp4netns.
	303
	304	```console
	305	(host)$ vde_plug --daemon switch:///tmp/switch null://
	306	(host)$ nsenter -t $(cat /tmp/pid-instance0) -U --preserve-credentials -n
	307	(namespace-instance0)$ vde_plug --daemon vde:///tmp/switch tap://vde
	308	(namespace-instance0)$ ip link set vde up
	309	(namespace-instance0)$ ip addr add 192.168.42.100/24 dev vde
	310	(namespace-instance0)$ exit
	311	(host)$ nsenter -t $(cat /tmp/pid-instance1) -U --preserve-credentials -n
	312	(namespace-instance1)$ vde_plug --daemon vde:///tmp/switch tap://vde
	313	(namespace-instance1)$ ip link set vde up
	314	(namespace-instance1)$ ip addr add 192.168.42.101/24 dev vde
	315	(namespace-instance1)$ ping 192.168.42.100
	316	```
	317
	318	# INTER-HOST COMMUNICATION
	319
	320	VXLAN is known to work.
	321	See Usernetes project for the example of multi-node rootless Kubernetes cluster with VXLAN: `https://github.com/rootless-containers/usernetes`
	322
	323	# BESS MODE (FOR USER MODE LINUX)
	324	slirp4netns (since v1.2.0) can be also used as a BESS-compatible server to provide network connectivity to User Mode Linux.
	325
	326	Terminal 1: Start slirp4netns
	327
	328	```console
	329	(host)$ slirp4netns --target-type=bess /tmp/bess.sock
	330	```
	331
	332	Terminal 2: Start User Mode Linux
	333
	334	```console
	335	(host)$ linux.uml vec0:transport=bess,dst=/tmp/bess.sock,depth=128,gro=1 root=/dev/root rootfstype=hostfs init=/bin/bash mem=2G
	336	(UML)$ ip addr add 10.0.2.100/24 dev vec0
	337	(UML)$ ip link set vec0 up
	338	(UML)$ ip route add default via 10.0.2.2
	339	```
	340
	341	Currently, only a single instance of User Mode Linux can be connected to the slirp4netns BESS server.
	342
	343	See also User Mode Linux documentation: `https://www.kernel.org/doc/html/latest/virt/uml/user_mode_linux_howto_v2.html#bess-socket-transport`
216	344
217	345	# BUGS
218	346
219		Kernel 4.20 bumped up the default value of /proc/sys/net/ipv4/tcp_rmem from 87380 to 131072.
220		This is known to slow down slirp4netns port forwarding: https://github.com/rootless-containers/slirp4netns/issues/128.
221
222		As a workaround, you can adjust the value of /proc/sys/net/ipv4/tcp_rmem inside the namespace.
	347	Kernel 4.20 bumped up the default value of `/proc/sys/net/ipv4/tcp_rmem` from 87380 to 131072.
	348	This is known to slow down slirp4netns port forwarding: `https://github.com/rootless-containers/slirp4netns/issues/128`.
	349
	350	As a workaround, you can adjust the value of `/proc/sys/net/ipv4/tcp_rmem` inside the namespace.
223	351	No real root privilege is needed to modify the file since kernel 4.15.
224	352
225	353	```console
226		unshared$ c=$(cat /proc/sys/net/ipv4/tcp_rmem); echo $c \| sed -e s/131072/87380/g > /proc/sys/net/ipv4/tcp_rmem
	354	(host)$ nsenter -t $(cat /tmp/pid) -U --preserve-credentials -n -m
	355	(namespace)$ c=$(cat /proc/sys/net/ipv4/tcp_rmem); echo $c \| sed -e s/131072/87380/g > /proc/sys/net/ipv4/tcp_rmem
227	356	```
228	357
229	358	# SEE ALSO
230	359
231		network_namespaces(7), user_namespaces(7), veth(4)
	360	`network_namespaces(7)`, `user_namespaces(7)`, `veth(4)`
232	361
233	362	# AVAILABILITY
234	363
235		The slirp4netns command is available from https://github.com/rootless-containers/slirp4netns under GNU GENERAL PUBLIC LICENSE Version 2 (or later).
	364	The slirp4netns command is available from `https://github.com/rootless-containers/slirp4netns` under GNU GENERAL PUBLIC LICENSE Version 2 (or later).

+18

-0

slirp4netns.c less more

274	274	cfg.if_mtu = s4nn->mtu;
275	275	cfg.if_mru = s4nn->mtu;
276	276	cfg.disable_host_loopback = s4nn->disable_host_loopback;
	277	#if SLIRP_CONFIG_VERSION_MAX >= 2
	278	cfg.outbound_addr = NULL;
	279	cfg.outbound_addr6 = NULL;
	280	if (s4nn->enable_outbound_addr) {
	281	cfg.version = 2;
	282	cfg.outbound_addr = &s4nn->outbound_addr;
	283	}
	284	if (s4nn->enable_outbound_addr6) {
	285	cfg.version = 2;
	286	cfg.outbound_addr6 = &s4nn->outbound_addr6;
	287	}
	288	#endif
	289	#if SLIRP_CONFIG_VERSION_MAX >= 3
	290	if (s4nn->disable_dns) {
	291	cfg.version = 3;
	292	cfg.disable_dns = true;
	293	}
	294	#endif
277	295	slirp = slirp_new(&cfg, &libslirp_cb, opaque);
278	296	if (slirp == NULL) {
279	297	fprintf(stderr, "slirp_new failed\n");

+26

-13

slirp4netns.h less more

0	0	/* SPDX-License-Identifier: GPL-2.0-or-later */
1	1	#ifndef SLIRP4NETNS_H
2		# define SLIRP4NETNS_H
	2	#define SLIRP4NETNS_H
3	3	#include <arpa/inet.h>
4	4
5	5	struct slirp4netns_config {
6		unsigned int mtu;
7		struct in_addr vnetwork; // 10.0.2.0
8		struct in_addr vnetmask; // 255.255.255.0
9		struct in_addr vhost; // 10.0.2.2
10		struct in_addr vdhcp_start; // 10.0.2.15
11		struct in_addr vnameserver; // 10.0.2.3
12		struct in_addr recommended_vguest; // 10.0.2.100 (slirp itself is unaware of vguest)
13		bool enable_ipv6;
14		bool disable_host_loopback;
15		bool enable_sandbox;
16		bool enable_seccomp;
	6	unsigned int mtu;
	7	struct in_addr vnetwork; // 10.0.2.0
	8	struct in_addr vnetmask; // 255.255.255.0
	9	struct in_addr vhost; // 10.0.2.2
	10	struct in_addr vdhcp_start; // 10.0.2.15
	11	struct in_addr vnameserver; // 10.0.2.3
	12	struct in_addr
	13	recommended_vguest; // 10.0.2.100 (slirp itself is unaware of vguest)
	14	bool enable_ipv6;
	15	bool disable_host_loopback;
	16	bool enable_sandbox;
	17	bool enable_seccomp;
	18	#if SLIRP_CONFIG_VERSION_MAX >= 2
	19	bool enable_outbound_addr;
	20	struct sockaddr_in outbound_addr;
	21	bool enable_outbound_addr6;
	22	struct sockaddr_in6 outbound_addr6;
	23	#endif
	24	#if SLIRP_CONFIG_VERSION_MAX >= 3
	25	bool disable_dns;
	26	#endif
	27	struct sockaddr vmacaddress; // MAC address of interface
	28	int vmacaddress_len; // MAC address byte length
17	29	};
18		int do_slirp(int tapfd, int readyfd, int exitfd, const char api_socket, struct slirp4netns_config cfg);
	30	int do_slirp(int tapfd, int readyfd, int exitfd, const char *api_socket,
	31	struct slirp4netns_config *cfg);
19	32
20	33	#endif

+100

-52

tests/common.sh less more

0	0	#!/bin/bash
1	1
	2	# See https://www.gnu.org/software/automake/manual/html_node/Scripts_002dbased-Testsuites.html#Testsuite-progress-on-console
	3	TEST_EXIT_CODE_SKIP=77
	4
	5	function nsenter_flags {
	6	pid=$1
	7	flags="--target=${pid}"
	8	userns="$(readlink /proc/${pid}/ns/user)"
	9	mntns="$(readlink /proc/${pid}/ns/mnt)"
	10	netns="$(readlink /proc/${pid}/ns/net)"
	11
	12	self_userns="$(readlink /proc/self/ns/user)"
	13	self_mntns="$(readlink /proc/self/ns/mnt)"
	14	self_netns="$(readlink /proc/self/ns/net)"
	15
	16	if [ "${userns}" != "${self_userns}" ]; then
	17	flags="$flags --preserve-credentials -U"
	18	fi
	19	if [ "${mntns}" != "${self_mntns}" ]; then
	20	flags="$flags -m"
	21	fi
	22	if [ "${netns}" != "${self_netns}" ]; then
	23	flags="$flags -n"
	24	fi
	25	echo "${flags}"
	26	}
	27
2	28	function wait_for_network_namespace {
3		# Wait that the namespace is ready.
4		COUNTER=0
5		while [ $COUNTER -lt 40 ]; do
6		if nsenter --preserve-credentials -U -n --target=$1 true; then
7		break
8		else
9		sleep 0.5
10		fi
11		let COUNTER=COUNTER+1
12		done
	29	# Wait that the namespace is ready.
	30	COUNTER=0
	31	while [ $COUNTER -lt 40 ]; do
	32	flags=$(nsenter_flags $1)
	33	if $(echo $flags \| grep -qvw -- -n); then
	34	flags="$flags -n"
	35	fi
	36	if nsenter ${flags} true >/dev/null 2>&1; then
	37	return 0
	38	else
	39	sleep 0.5
	40	fi
	41	let COUNTER=COUNTER+1
	42	done
	43	exit 1
13	44	}
14	45
15	46	function wait_for_network_device {
16		# Wait that the device appears.
17		COUNTER=0
18		while [ $COUNTER -lt 40 ]; do
19		if nsenter --preserve-credentials -U -n --target=$1 ip addr show $2; then
20		break
21		else
22		sleep 0.5
23		fi
24		let COUNTER=COUNTER+1
25		done
	47	# Wait that the device appears.
	48	COUNTER=0
	49	while [ $COUNTER -lt 40 ]; do
	50	if nsenter $(nsenter_flags $1) ip addr show $2; then
	51	return 0
	52	else
	53	sleep 0.5
	54	fi
	55	let COUNTER=COUNTER+1
	56	done
	57	exit 1
26	58	}
27	59
28	60	function wait_process_exits {
29		COUNTER=0
30		while [ $COUNTER -lt 40 ]; do
31		if kill -0 $1; then
32		sleep 0.5
33		else
34		break
35		fi
36		let COUNTER=COUNTER+1
37		done
	61	COUNTER=0
	62	while [ $COUNTER -lt 40 ]; do
	63	if kill -0 $1; then
	64	sleep 0.5
	65	else
	66	return 0
	67	fi
	68	let COUNTER=COUNTER+1
	69	done
	70	exit 1
38	71	}
39	72
40	73	function wait_for_ping_connectivity {
41		COUNTER=0
42		while [ $COUNTER -lt 40 ]; do
43		if nsenter --preserve-credentials -U -n --target=$1 ping -c 1 -w 1 $2; then
44		break
45		else
46		sleep 0.5
47		fi
48		let COUNTER=COUNTER+1
49		done
	74	COUNTER=0
	75	while [ $COUNTER -lt 40 ]; do
	76	if nsenter $(nsenter_flags $1) ping -c 1 -w 1 $2; then
	77	return 0
	78	else
	79	sleep 0.5
	80	fi
	81	let COUNTER=COUNTER+1
	82	done
	83	exit 1
	84	}
	85
	86	function wait_for_connectivity {
	87	COUNTER=0
	88	while [ $COUNTER -lt 40 ]; do
	89	if echo "wait_for_connectivity" \| nsenter $(nsenter_flags $1) ncat -v $2 $3; then
	90	return 0
	91	else
	92	sleep 0.5
	93	fi
	94	let COUNTER=COUNTER+1
	95	done
	96	exit 1
50	97	}
51	98
52	99	function wait_for_file_content {
53		# Wait for a file to get the specified content.
54		COUNTER=0
55		while [ $COUNTER -lt 20 ]; do
56		if grep $1 $2; then
57		break
58		else
59		sleep 0.5
60		fi
61		let COUNTER=COUNTER+1
62		done
	100	# Wait for a file to get the specified content.
	101	COUNTER=0
	102	while [ $COUNTER -lt 20 ]; do
	103	if grep $1 $2; then
	104	return 0
	105	else
	106	sleep 0.5
	107	fi
	108	let COUNTER=COUNTER+1
	109	done
	110	exit 1
63	111	}
64	112
65	113	function expose_tcp() {
66		apisock=$1 hostport=$2 guestport=$3
67		json="{\"execute\": \"add_hostfwd\", \"arguments\": {\"proto\": \"tcp\", \"host_addr\": \"0.0.0.0\", \"host_port\": $hostport, \"guest_addr\": \"10.0.2.100\", \"guest_port\": $guestport}}"
68		echo -n $json \| ncat -U $apisock
69		echo -n "{\"execute\": \"list_hostfwd\"}" \| ncat -U $apisock
	114	apisock=$1 hostport=$2 guestport=$3
	115	json="{\"execute\": \"add_hostfwd\", \"arguments\": {\"proto\": \"tcp\", \"host_addr\": \"0.0.0.0\", \"host_port\": $hostport, \"guest_addr\": \"10.0.2.100\", \"guest_port\": $guestport}}"
	116	echo -n $json \| ncat -U $apisock
	117	echo -n "{\"execute\": \"list_hostfwd\"}" \| ncat -U $apisock
70	118	}

+0

-29

~~tests/slirp4netns-no-unmount.sh~~ less more

0		#!/bin/bash
1		set -xeuo pipefail
2
3		. $(dirname $0)/common.sh
4
5		# it is a part of test-slirp4netns.sh
6		# must run in a new mount namespace
7
8		mount -t tmpfs tmpfs /run
9		mkdir /run/foo
10		mount -t tmpfs tmpfs /run/foo
11		mount --make-rshared /run
12
13		unshare -n sleep infinity &
14		child=$!
15
16		wait_for_network_namespace $child
17
18		./slirp4netns --enable-sandbox --netns-type=path /proc/$child/ns/net tun11 &
19		slirp_pid=$!
20
21		function cleanup {
22		kill -9 $child $slirp_pid
23		}
24		trap cleanup EXIT
25
26		wait_for_network_device $child tun11
27
28		findmnt /run/foo

+7

-7

tests/test-slirp4netns-api-socket.sh less more

11	11	apisocket=${tmpdir}/slirp4netns.sock
12	12	apisocketlongpath=${tmpdir}/slirp4netns-TOO-LONG-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.sock
13	13
14		if slirp4netns -c $child --api-socket $apisocketlongpath tun11; then
15		echo "expected failure with apisocket path too long" >&2
16		kill -9 $child
17		rm -rf $tmpdir
18		exit 1
	14	if slirp4netns -c $child --api-socket $apisocketlongpath tap11; then
	15	echo "expected failure with apisocket path too long" >&2
	16	kill -9 $child
	17	rm -rf $tmpdir
	18	exit 1
19	19	fi
20	20
21		slirp4netns -c $child --api-socket $apisocket tun11 &
	21	slirp4netns -c $child --api-socket $apisocket tap11 &
22	22	slirp_pid=$!
23	23
24		wait_for_network_device $child tun11
	24	wait_for_network_device $child tap11
25	25
26	26	function cleanup() {
27	27	kill -9 $child $slirp_pid

+10

-10

tests/test-slirp4netns-cidr.sh less more

8	8	wait_for_network_namespace $child
9	9
10	10	set +e
11		result=$(slirp4netns -c --cidr 24 $child tun11 2>&1)
	11	result=$(slirp4netns -c --cidr 24 $child tap11 2>&1)
12	12	set -e
13	13	echo $result \| grep "invalid CIDR"
14	14
15	15	set +e
16		result=$(slirp4netns -c --cidr foo $child tun11 2>&1)
	16	result=$(slirp4netns -c --cidr foo $child tap11 2>&1)
17	17	set -e
18	18	echo $result \| grep "invalid CIDR"
19	19
20	20	set +e
21		result=$(slirp4netns -c --cidr 10.0.2.0 $child tun11 2>&1)
	21	result=$(slirp4netns -c --cidr 10.0.2.0 $child tap11 2>&1)
22	22	set -e
23	23	echo $result \| grep "invalid CIDR"
24	24
25	25	set +e
26		result=$(slirp4netns -c --cidr 10.0.2.100/24 $child tun11 2>&1)
	26	result=$(slirp4netns -c --cidr 10.0.2.100/24 $child tap11 2>&1)
27	27	set -e
28	28	echo $result \| grep "CIDR needs to be a network address like 10.0.2.0/24, not like 10.0.2.100/24"
29	29
30	30	set +e
31		result=$(slirp4netns -c --cidr 10.0.2.100/26 $child tun11 2>&1)
	31	result=$(slirp4netns -c --cidr 10.0.2.100/26 $child tap11 2>&1)
32	32	set -e
33	33	echo $result \| grep "prefix length needs to be 1-25"
34	34
35		slirp4netns -c $child --cidr 10.0.135.128/25 tun11 &
	35	slirp4netns -c $child --cidr 10.0.135.128/25 tap11 &
36	36	slirp_pid=$!
37	37
38		wait_for_network_device $child tun11
	38	wait_for_network_device $child tap11
39	39
40	40	function cleanup {
41		kill -9 $child $slirp_pid
	41	kill -9 $child $slirp_pid
42	42	}
43	43	trap cleanup EXIT
44	44
45		ip=$(nsenter --preserve-credentials -U -n --target=$child ip -json a show dev tun11 \| jq -r .[1].addr_info[0].local)
46		[[ $ip = 10.0.135.228 ]]
	45	result="$(nsenter $(nsenter_flags $child) ip a show dev tap11)"
	46	echo "$result" \| grep -o '^\sinet ./' \| grep -F 10.0.135.228

+5

-5

tests/test-slirp4netns-configure.sh less more

7	7
8	8	wait_for_network_namespace $child
9	9
10		slirp4netns -c $child tun11 &
	10	slirp4netns -c $child tap11 &
11	11	slirp_pid=$!
12	12
13		wait_for_network_device $child tun11
	13	wait_for_network_device $child tap11
14	14
15	15	function cleanup {
16		kill -9 $child $slirp_pid
	16	kill -9 $child $slirp_pid
17	17	}
18	18	trap cleanup EXIT
19	19
20		nsenter --preserve-credentials -U -n --target=$child ip -a netconf \| grep tun11
	20	nsenter $(nsenter_flags $child) ip -a netconf \| grep tap11
21	21
22		nsenter --preserve-credentials -U -n --target=$child ip addr show tun11 \| grep inet
	22	nsenter $(nsenter_flags $child) ip addr show tap11 \| grep inet

+35

-0

tests/test-slirp4netns-dhcp.sh less more

	0	#!/bin/bash
	1
	2	# This test should pass with libslirp < 4.6.0 and libslirp >= 4.6.1,
	3	# but should fail with libslirp == 4.6.0 .
	4	# https://gitlab.freedesktop.org/slirp/libslirp/-/issues/48
	5
	6	set -xeuo pipefail
	7
	8	. $(dirname $0)/common.sh
	9
	10	if ! command -v udhcpc 2>&1; then
	11	echo "udhcpc is missing, skipping the test"
	12	exit "$TEST_EXIT_CODE_SKIP"
	13	fi
	14
	15	unshare -r -n sleep infinity &
	16	child=$!
	17
	18	wait_for_network_namespace $child
	19
	20	slirp4netns $child tap0 &
	21	slirp_pid=$!
	22
	23	udhcpc_log=$(mktemp /tmp/slirp4netns-test-udhcpc.XXXXXXXXXX)
	24
	25	function cleanup {
	26	kill -9 $child $slirp_pid
	27	rm -f $udhcpc_log
	28	}
	29	trap cleanup EXIT
	30
	31	nsenter $(nsenter_flags $child) ip link set lo up
	32	nsenter $(nsenter_flags $child) ip link set tap0 up
	33	nsenter $(nsenter_flags $child) timeout 10s udhcpc -q -i tap0 -s /bin/true 2>&1 \| tee $udhcpc_log
	34	grep 10.0.2.15 $udhcpc_log

+35

-0

tests/test-slirp4netns-disable-dns.sh less more

	0	#!/bin/bash
	1	set -xeuo pipefail
	2
	3	. $(dirname $0)/common.sh
	4
	5	SLIRP_CONFIG_VERSION_MAX=$(slirp4netns -v \| grep "SLIRP_CONFIG_VERSION_MAX: " \| sed 's#SLIRP_CONFIG_VERSION_MAX: ##')
	6
	7	if [ "${SLIRP_CONFIG_VERSION_MAX:-0}" -lt 3 ]; then
	8	printf "'--disable-dns' requires SLIRP_CONFIG_VERSION_MAX 3 or newer. Test skipped..."
	9	exit "$TEST_EXIT_CODE_SKIP"
	10	fi
	11
	12	port=53
	13	unshare -r -n sleep infinity &
	14	child=$!
	15
	16	wait_for_network_namespace $child
	17
	18	mtu=${MTU:=1500}
	19	slirp4netns -c --mtu $mtu --disable-dns $child tap11 &
	20	slirp_pid=$!
	21
	22	wait_for_network_device $child tap11
	23	# ping to 10.0.2.2
	24	wait_for_ping_connectivity $child 10.0.2.2
	25
	26	function cleanup() {
	27	kill -9 $child $slirp_pid
	28	}
	29	trap cleanup EXIT
	30
	31	set +e
	32	err=$(echo "should fail" \| nsenter $(nsenter_flags $child) ncat -v 10.0.2.3 $port 2>&1)
	33	set -e
	34	echo $err \| grep 'Connection timed out\\|TIMEOUT'

+4

-5

tests/test-slirp4netns-disable-host-loopback.sh less more

12	12	wait_for_network_namespace $child
13	13
14	14	mtu=${MTU:=1500}
15		slirp4netns -c --mtu $mtu --disable-host-loopback $child tun11 &
	15	slirp4netns -c --mtu $mtu --disable-host-loopback $child tap11 &
16	16	slirp_pid=$!
17	17
18		wait_for_network_device $child tun11
	18	wait_for_network_device $child tap11
19	19	# ping to 10.0.2.2 is possible even with --disable-host-loopback
20	20	wait_for_ping_connectivity $child 10.0.2.2
21	21
22	22	function cleanup {
23		kill -9 $nc_pid $child $slirp_pid
	23	kill -9 $nc_pid $child $slirp_pid
24	24	}
25	25	trap cleanup EXIT
26	26
27	27	set +e
28		err=$(echo "should fail" \| nsenter --preserve-credentials -U -n --target=$child ncat -v 10.0.2.2 $port 2>&1)
	28	err=$(echo "should fail" \| nsenter $(nsenter_flags $child) ncat -v 10.0.2.2 $port 2>&1)
29	29	set -e
30	30	echo $err \| grep "Network is unreachable"
31

+5

-5

tests/test-slirp4netns-exit-fd.sh less more

9	9
10	10	touch keep_alive
11	11
12		slirp4netns -e 10 $child tun11 10<(while test -e keep_alive; do sleep 0.1; done) &
	12	slirp4netns -e 10 $child tap11 10<(while test -e keep_alive; do sleep 0.1; done) &
13	13
14	14	slirp_pid=$!
15	15
16	16	function cleanup {
17		set +xeuo pipefail
18		kill -9 $child $slirp_pid
19		rm -f keep_alive
	17	set +xeuo pipefail
	18	kill -9 $child $slirp_pid
	19	rm -f keep_alive
20	20	}
21	21	trap cleanup EXIT
22	22

28	28	wait_process_exits $slirp_pid
29	29
30	30	if kill -0 $slirp_pid; then
31		exit 1
	31	exit 1
32	32	fi
33	33
34	34	exit 0

+29

-0

tests/test-slirp4netns-macaddress.sh less more

	0	#!/bin/bash
	1	set -xeuo pipefail
	2
	3	. $(dirname $0)/common.sh
	4	MACADDRESS="0e:d4:18:d9:38:fb"
	5
	6	unshare -r -n sleep infinity &
	7	child=$!
	8
	9	wait_for_network_namespace $child
	10
	11	function cleanup {
	12	kill -9 $child $slirp_pid
	13	}
	14	trap cleanup EXIT
	15
	16	slirp4netns -c --macaddress $MACADDRESS $child tap11 &
	17	slirp_pid=$!
	18
	19	wait_for_network_device $child tap11
	20
	21	result=$(nsenter $(nsenter_flags $child) ip addr show tap11 \| grep -o "ether $MACADDRESS")
	22
	23	if [ -z "$result" ]; then
	24	printf "expecting %s MAC address on the interface but didn't get it" "$MACADDRESS"
	25	exit 1
	26	fi
	27
	28	cleanup

+39

-0

tests/test-slirp4netns-nspath.sh less more

	0	#!/bin/bash
	1	set -xeuo pipefail
	2
	3	. $(dirname $0)/common.sh
	4
	5	# Test --userns-path= --netns-type=path
	6	unshare -r -n sleep infinity &
	7	child=$!
	8
	9	wait_for_network_namespace $child
	10
	11	slirp4netns --userns-path=/proc/$child/ns/user --netns-type=path /proc/$child/ns/net tap11 &
	12	slirp_pid=$!
	13
	14	function cleanup {
	15	kill -9 $child $slirp_pid
	16	}
	17	trap cleanup EXIT
	18
	19	wait_for_network_device $child tap11
	20
	21	nsenter $(nsenter_flags $child) ip -a netconf \| grep tap11
	22	nsenter $(nsenter_flags $child) ip addr show tap11 \| grep -v inet
	23
	24	kill -9 $child $slirp_pid
	25
	26	# Test --netns-type=path
	27	unshare -r -n sleep infinity &
	28	child=$!
	29
	30	wait_for_network_namespace $child
	31
	32	nsenter --preserve-credentials -U --target=$child slirp4netns --netns-type=path /proc/$child/ns/net tap11 &
	33	slirp_pid=$!
	34
	35	wait_for_network_device $child tap11
	36
	37	nsenter $(nsenter_flags $child) ip -a netconf \| grep tap11
	38	nsenter $(nsenter_flags $child) ip addr show tap11 \| grep -v inet

+53

-0

tests/test-slirp4netns-outbound-addr.sh less more

	0	#!/bin/bash
	1	set -xeuo pipefail
	2
	3	. $(dirname $0)/common.sh
	4
	5	SLIRP_CONFIG_VERSION_MAX=$(slirp4netns -v \| grep "SLIRP_CONFIG_VERSION_MAX: " \| sed 's#SLIRP_CONFIG_VERSION_MAX: ##')
	6
	7	if [ "${SLIRP_CONFIG_VERSION_MAX:-0}" -lt 2 ]; then
	8	printf "'--disable-dns' requires SLIRP_CONFIG_VERSION_MAX 2 or newer. Test skipped..."
	9	exit "$TEST_EXIT_CODE_SKIP"
	10	fi
	11
	12	IPv4_1="127.0.0.1"
	13	IPv4_2=$(ip a \| sed -En 's/127.0.0.1//;s/.inet (addr:)?(([0-9]\.){3}[0-9])./\2/p' \| head -n 1)
	14
	15	# For future ipv6 tests
	16	#IPv6_1="::1"
	17	#IPv6_2=$(ip a \| sed -En 's/::1\/128//;s/.inet6 (addr:)?([^ ])\/.*$/\2/p' \| head -n 1)
	18
	19	function cleanup() {
	20	rm -rf ncat.log
	21	kill -9 $child $slirp_pid \|\| exit 0
	22	}
	23	trap cleanup EXIT
	24
	25	port=12122
	26	mtu=${MTU:=1500}
	27
	28	IPs=("$IPv4_1" "$IPv4_2")
	29	for ip in "${IPs[@]}"; do
	30	ncat -l $port -v >ncat.log 2>&1 &
	31	ncat1=$!
	32
	33	unshare -r -n sleep infinity &
	34	child=$!
	35
	36	wait_for_network_namespace $child
	37
	38	slirp4netns -c --mtu $mtu --outbound-addr="$ip" $child tap11 &
	39	slirp_pid=$!
	40
	41	wait_for_network_device $child tap11
	42
	43	wait_for_connectivity $child 10.0.2.2 $port
	44
	45	wait_process_exits $ncat1
	46	if ! grep "$ip" ncat.log; then
	47	printf "%s not found in ncat.log" "$ip"
	48	exit 1
	49	fi
	50	cleanup
	51	let port=port+1
	52	done

+5

-5

tests/test-slirp4netns-ready-fd.sh less more

9	9
10	10	touch keep_alive
11	11
12		slirp4netns -c -r 10 $child tun11 10>configured &
	12	slirp4netns -c -r 10 $child tap11 10>configured &
13	13	slirp_pid=$!
14	14
15	15	function cleanup {
16		set +xeuo pipefail
17		kill -9 $child $slirp_pid
18		rm -f configured keep_alive
	16	set +xeuo pipefail
	17	kill -9 $child $slirp_pid
	18	rm -f configured keep_alive
19	19	}
20	20	trap cleanup EXIT
21	21
22		wait_for_network_device $child tun11
	22	wait_for_network_device $child tap11
23	23
24	24	wait_for_file_content 1 configured
25	25

+32

-0

tests/test-slirp4netns-sandbox-no-unmount.sh less more

	0	#!/bin/bash
	1	set -xeuo pipefail
	2
	3	if [[ ! -v "CHILD" ]]; then
	4	# reexec in a new mount namespace
	5	export CHILD=1
	6	exec unshare -rm "$0" "$@"
	7	fi
	8
	9	. $(dirname $0)/common.sh
	10
	11	mount -t tmpfs tmpfs /run
	12	mkdir /run/foo
	13	mount -t tmpfs tmpfs /run/foo
	14	mount --make-rshared /run
	15
	16	unshare -n sleep infinity &
	17	child=$!
	18
	19	wait_for_network_namespace $child
	20
	21	slirp4netns --enable-sandbox --netns-type=path /proc/$child/ns/net tap11 &
	22	slirp_pid=$!
	23
	24	function cleanup {
	25	kill -9 $child $slirp_pid
	26	}
	27	trap cleanup EXIT
	28
	29	wait_for_network_device $child tap11
	30
	31	findmnt /run/foo

+35

-0

tests/test-slirp4netns-sandbox.sh less more

	0	#!/bin/bash
	1	set -xeuo pipefail
	2
	3	. $(dirname $0)/common.sh
	4
	5	unshare -r -n sleep infinity &
	6	child=$!
	7
	8	wait_for_network_namespace $child
	9
	10	slirp4netns --ready-fd=3 --enable-sandbox $child tap11 3>ready.file &
	11	slirp_pid=$!
	12
	13	# Wait that the sandbox is created
	14	wait_for_file_content 1 ready.file
	15	rm ready.file
	16
	17	# Check there are no capabilities left in slirp4netns
	18	getpcaps $slirp_pid 2>&1 \| tail -n1 >slirp.caps
	19	grep cap_net_bind_service slirp.caps
	20	grep -v cap_sys_admin slirp.caps
	21	rm slirp.caps
	22	test -e /proc/$slirp_pid/root/etc
	23	test -e /proc/$slirp_pid/root/run
	24	test \! -e /proc/$slirp_pid/root/home
	25	test \! -e /proc/$slirp_pid/root/root
	26	test \! -e /proc/$slirp_pid/root/var
	27
	28	function cleanup {
	29	kill -9 $child $slirp_pid
	30	}
	31	trap cleanup EXIT
	32
	33	nsenter $(nsenter_flags $child) ip -a netconf \| grep tap11
	34	nsenter $(nsenter_flags $child) ip addr show tap11 \| grep -v inet

+23

-0

tests/test-slirp4netns-seccomp.sh less more

	0	#!/bin/bash
	1	set -xeuo pipefail
	2
	3	. $(dirname $0)/common.sh
	4
	5	unshare -r -n sleep infinity &
	6	child=$!
	7
	8	wait_for_network_namespace $child
	9
	10	slirp4netns -c --enable-seccomp --userns-path=/proc/$child/ns/user $child tap11 &
	11	slirp_pid=$!
	12
	13	wait_for_network_device $child tap11
	14
	15	function cleanup {
	16	kill -9 $child $slirp_pid
	17	}
	18	trap cleanup EXIT
	19
	20	nsenter $(nsenter_flags $child) ip -a netconf \| grep tap11
	21
	22	nsenter $(nsenter_flags $child) ip addr show tap11 \| grep inet

+0

-71

~~tests/test-slirp4netns.sh~~ less more

0		#!/bin/bash
1		set -xeuo pipefail
2
3		. $(dirname $0)/common.sh
4
5
6		# Test --netns-type=pid
7		unshare -r -n sleep infinity &
8		child=$!
9
10		wait_for_network_namespace $child
11
12		slirp4netns --ready-fd=3 --enable-sandbox $child tun11 3>ready.file &
13		slirp_pid=$!
14
15		# Wait that the sandbox is created
16		wait_for_file_content 1 ready.file
17		rm ready.file
18
19		# Check there are no capabilities left in slirp4netns
20		getpcaps $slirp_pid 2>&1 \| tail -n1 > slirp.caps
21		grep cap_net_bind_service slirp.caps
22		grep -v cap_sys_admin slirp.caps
23		rm slirp.caps
24		test -e /proc/$slirp_pid/root/etc
25		test -e /proc/$slirp_pid/root/run
26		test \! -e /proc/$slirp_pid/root/home
27		test \! -e /proc/$slirp_pid/root/root
28		test \! -e /proc/$slirp_pid/root/var
29
30		function cleanup {
31		kill -9 $child $slirp_pid
32		}
33		trap cleanup EXIT
34
35		nsenter --preserve-credentials -U -n --target=$child ip -a netconf \| grep tun11
36		nsenter --preserve-credentials -U -n --target=$child ip addr show tun11 \| grep -v inet
37
38		kill -9 $child $slirp_pid
39
40		# Test --userns-path= --netns-type=path
41		unshare -r -n sleep infinity &
42		child=$!
43
44		wait_for_network_namespace $child
45
46		slirp4netns --userns-path=/proc/$child/ns/user --netns-type=path /proc/$child/ns/net tun11 &
47		slirp_pid=$!
48
49		wait_for_network_device $child tun11
50
51		nsenter --preserve-credentials -U -n --target=$child ip -a netconf \| grep tun11
52		nsenter --preserve-credentials -U -n --target=$child ip addr show tun11 \| grep -v inet
53
54		kill -9 $child $slirp_pid
55
56		# Test --netns-type=path
57		unshare -r -n sleep infinity &
58		child=$!
59
60		wait_for_network_namespace $child
61
62		nsenter --preserve-credentials -U --target=$child slirp4netns --netns-type=path /proc/$child/ns/net tun11 &
63		slirp_pid=$!
64
65		wait_for_network_device $child tun11
66
67		nsenter --preserve-credentials -U -n --target=$child ip -a netconf \| grep tun11
68		nsenter --preserve-credentials -U -n --target=$child ip addr show tun11 \| grep -v inet
69
70		unshare -rm $(readlink -f $(dirname $0)/slirp4netns-no-unmount.sh)

+1

-1

vendor/README.md less more

0	0	# DO NOT EDIT MANUALLY
1	1
2	2	Vendored components:
3		* parson: https://github.com/kgabis/parson.git (`70dc239f8f54c80bf58477b25435fd3dd3102804`)
	3	* parson: https://github.com/kgabis/parson.git (`2d7b3ddf1280bf7f5ad82d26e09252240e7c4557`)
4	4
5	5	Please do not edit the contents under this directory manually.
6	6

+1

-1

vendor/parson/LICENSE less more

0	0	MIT License
1	1
2		Copyright (c) 2012 - 2019 Krzysztof Gabis
	2	Copyright (c) 2012 - 2021 Krzysztof Gabis
3	3
4	4	Permission is hereby granted, free of charge, to any person obtaining a copy
5	5	of this software and associated documentation files (the "Software"), to deal

+2

-1

vendor/parson/README.md less more

0	0	## About
1		Parson is a lighweight [json](http://json.org) library written in C.
	1	Parson is a lightweight [json](http://json.org) library written in C.
2	2
3	3	## Features
4	4	* Full JSON support

141	141	Remember to follow parson's code style and write appropriate tests.
142	142
143	143	## My other projects
	144	* [ape](https://github.com/kgabis/ape) - simple programming language implemented in C library
144	145	* [kgflags](https://github.com/kgabis/kgflags) - easy to use command-line flag parsing library
145	146	* [agnes](https://github.com/kgabis/agnes) - header-only NES emulation library
146	147

+142

-43

vendor/parson/parson.c less more

0	0	/*
1	1	SPDX-License-Identifier: MIT
2	2
3		Parson 1.0.2 ( http://kgabis.github.com/parson/ )
4		Copyright (c) 2012 - 2019 Krzysztof Gabis
	3	Parson 1.1.3 ( http://kgabis.github.com/parson/ )
	4	Copyright (c) 2012 - 2021 Krzysztof Gabis
5	5
6	6	Permission is hereby granted, free of charge, to any person obtaining a copy
7	7	of this software and associated documentation files (the "Software"), to deal

67	67
68	68	#define IS_CONT(b) (((unsigned char)(b) & 0xC0) == 0x80) /* is utf-8 continuation byte */
69	69
	70	typedef struct json_string {
	71	char *chars;
	72	size_t length;
	73	} JSON_String;
	74
70	75	/* Type definitions */
71	76	typedef union json_value_value {
72		char *string;
	77	JSON_String string;
73	78	double number;
74	79	JSON_Object *object;
75	80	JSON_Array *array;

127	132	static void json_array_free(JSON_Array *array);
128	133
129	134	/* JSON Value */
130		static JSON_Value * json_value_init_string_no_copy(char *string);
	135	static JSON_Value * json_value_init_string_no_copy(char *string, size_t length);
	136	static const JSON_String * json_value_get_string_desc(const JSON_Value *value);
131	137
132	138	/* Parser */
133	139	static JSON_Status skip_quotes(const char **string);
134	140	static int parse_utf16(const char unprocessed, char processed);
135		static char * process_string(const char *input, size_t len);
136		static char * get_quoted_string(const char **string);
	141	static char * process_string(const char input, size_t input_len, size_t output_len);
	142	static char * get_quoted_string(const char *string, size_t output_string_len);
137	143	static JSON_Value * parse_object_value(const char **string, size_t nesting);
138	144	static JSON_Value * parse_array_value(const char **string, size_t nesting);
139	145	static JSON_Value * parse_string_value(const char **string);

144	150
145	151	/* Serialization */
146	152	static int json_serialize_to_buffer_r(const JSON_Value value, char buf, int level, int is_pretty, char *num_buf);
147		static int json_serialize_string(const char string, char buf);
	153	static int json_serialize_string(const char string, size_t len, char buf);
148	154	static int append_indent(char *buf, int level);
149	155	static int append_string(char buf, const char string);
150	156
151	157	/* Various */
152	158	static char * parson_strndup(const char *string, size_t n) {
	159	/* We expect the caller has validated that 'n' fits within the input buffer. */
153	160	char output_string = (char)parson_malloc(n + 1);
154	161	if (!output_string) {
155	162	return NULL;

535	542	}
536	543
537	544	/* JSON Value */
538		static JSON_Value * json_value_init_string_no_copy(char *string) {
	545	static JSON_Value * json_value_init_string_no_copy(char *string, size_t length) {
539	546	JSON_Value new_value = (JSON_Value)parson_malloc(sizeof(JSON_Value));
540	547	if (!new_value) {
541	548	return NULL;
542	549	}
543	550	new_value->parent = NULL;
544	551	new_value->type = JSONString;
545		new_value->value.string = string;
	552	new_value->value.string.chars = string;
	553	new_value->value.string.length = length;
546	554	return new_value;
547	555	}
548	556

616	624
617	625	/* Copies and processes passed string up to supplied length.
618	626	Example: "\u006Corem ipsum" -> lorem ipsum */
619		static char* process_string(const char *input, size_t len) {
	627	static char* process_string(const char input, size_t input_len, size_t output_len) {
620	628	const char *input_ptr = input;
621		size_t initial_size = (len + 1) * sizeof(char);
	629	size_t initial_size = (input_len + 1) * sizeof(char);
622	630	size_t final_size = 0;
623	631	char output = NULL, output_ptr = NULL, *resized_output = NULL;
624	632	output = (char*)parson_malloc(initial_size);

626	634	goto error;
627	635	}
628	636	output_ptr = output;
629		while ((*input_ptr != '\0') && (size_t)(input_ptr - input) < len) {
	637	while ((*input_ptr != '\0') && (size_t)(input_ptr - input) < input_len) {
630	638	if (*input_ptr == '\\') {
631	639	input_ptr++;
632	640	switch (*input_ptr) {

663	671	goto error;
664	672	}
665	673	memcpy(resized_output, output, final_size);
	674	*output_len = final_size - 1;
666	675	parson_free(output);
667	676	return resized_output;
668	677	error:

672	681
673	682	/* Return processed contents of a string between quotes and
674	683	skips passed argument to a matching quote. */
675		static char * get_quoted_string(const char **string) {
	684	static char * get_quoted_string(const char *string, size_t output_string_len) {
676	685	const char string_start = string;
677		size_t string_len = 0;
	686	size_t input_string_len = 0;
678	687	JSON_Status status = skip_quotes(string);
679	688	if (status != JSONSuccess) {
680	689	return NULL;
681	690	}
682		string_len = string - string_start - 2; / length without quotes */
683		return process_string(string_start + 1, string_len);
	691	input_string_len = string - string_start - 2; / length without quotes */
	692	return process_string(string_start + 1, input_string_len, output_string_len);
684	693	}
685	694
686	695	static JSON_Value * parse_value(const char **string, size_t nesting) {

728	737	return output_value;
729	738	}
730	739	while (**string != '\0') {
731		new_key = get_quoted_string(string);
732		if (new_key == NULL) {
	740	size_t key_len = 0;
	741	new_key = get_quoted_string(string, &key_len);
	742	/* We do not support key names with embedded \0 chars */
	743	if (new_key == NULL \|\| key_len != strlen(new_key)) {
	744	if (new_key) {
	745	parson_free(new_key);
	746	}
733	747	json_value_free(output_value);
734	748	return NULL;
735	749	}

818	832
819	833	static JSON_Value * parse_string_value(const char **string) {
820	834	JSON_Value *value = NULL;
821		char *new_string = get_quoted_string(string);
	835	size_t new_string_len = 0;
	836	char *new_string = get_quoted_string(string, &new_string_len);
822	837	if (new_string == NULL) {
823	838	return NULL;
824	839	}
825		value = json_value_init_string_no_copy(new_string);
	840	value = json_value_init_string_no_copy(new_string, new_string_len);
826	841	if (value == NULL) {
827	842	parson_free(new_string);
828	843	return NULL;

848	863	double number = 0;
849	864	errno = 0;
850	865	number = strtod(*string, &end);
851		if (errno \|\| !is_decimal(string, end - string)) {
	866	if (errno == ERANGE && (number == -HUGE_VAL \|\| number == HUGE_VAL)) {
	867	return NULL;
	868	}
	869	if ((errno && errno != ERANGE) \|\| !is_decimal(string, end - string)) {
852	870	return NULL;
853	871	}
854	872	*string = end;

884	902	size_t i = 0, count = 0;
885	903	double num = 0.0;
886	904	int written = -1, written_total = 0;
	905	size_t len = 0;
887	906
888	907	switch (json_value_get_type(value)) {
889	908	case JSONArray:

933	952	if (is_pretty) {
934	953	APPEND_INDENT(level+1);
935	954	}
936		written = json_serialize_string(key, buf);
	955	/* We do not support key names with embedded \0 chars */
	956	written = json_serialize_string(key, strlen(key), buf);
937	957	if (written < 0) {
938	958	return -1;
939	959	}

945	965	if (is_pretty) {
946	966	APPEND_STRING(" ");
947	967	}
948		temp_value = json_object_get_value(object, key);
	968	temp_value = json_object_get_value_at(object, i);
949	969	written = json_serialize_to_buffer_r(temp_value, buf, level+1, is_pretty, num_buf);
950	970	if (written < 0) {
951	971	return -1;

971	991	if (string == NULL) {
972	992	return -1;
973	993	}
974		written = json_serialize_string(string, buf);
	994	len = json_value_get_string_len(value);
	995	written = json_serialize_string(string, len, buf);
975	996	if (written < 0) {
976	997	return -1;
977	998	}

1011	1032	}
1012	1033	}
1013	1034
1014		static int json_serialize_string(const char string, char buf) {
1015		size_t i = 0, len = strlen(string);
	1035	static int json_serialize_string(const char string, size_t len, char buf) {
	1036	size_t i = 0;
1016	1037	char c = '\0';
1017	1038	int written = -1, written_total = 0;
1018	1039	APPEND_STRING("\"");

1158	1179	return json_value_get_string(json_object_get_value(object, name));
1159	1180	}
1160	1181
	1182	size_t json_object_get_string_len(const JSON_Object object, const char name) {
	1183	return json_value_get_string_len(json_object_get_value(object, name));
	1184	}
	1185
1161	1186	double json_object_get_number(const JSON_Object object, const char name) {
1162	1187	return json_value_get_number(json_object_get_value(object, name));
1163	1188	}

1187	1212	return json_value_get_string(json_object_dotget_value(object, name));
1188	1213	}
1189	1214
	1215	size_t json_object_dotget_string_len(const JSON_Object object, const char name) {
	1216	return json_value_get_string_len(json_object_dotget_value(object, name));
	1217	}
	1218
1190	1219	double json_object_dotget_number(const JSON_Object object, const char name) {
1191	1220	return json_value_get_number(json_object_dotget_value(object, name));
1192	1221	}

1255	1284	return json_value_get_string(json_array_get_value(array, index));
1256	1285	}
1257	1286
	1287	size_t json_array_get_string_len(const JSON_Array *array, size_t index) {
	1288	return json_value_get_string_len(json_array_get_value(array, index));
	1289	}
	1290
1258	1291	double json_array_get_number(const JSON_Array *array, size_t index) {
1259	1292	return json_value_get_number(json_array_get_value(array, index));
1260	1293	}

1292	1325	return json_value_get_type(value) == JSONArray ? value->value.array : NULL;
1293	1326	}
1294	1327
	1328	static const JSON_String * json_value_get_string_desc(const JSON_Value *value) {
	1329	return json_value_get_type(value) == JSONString ? &value->value.string : NULL;
	1330	}
	1331
1295	1332	const char * json_value_get_string(const JSON_Value *value) {
1296		return json_value_get_type(value) == JSONString ? value->value.string : NULL;
	1333	const JSON_String *str = json_value_get_string_desc(value);
	1334	return str ? str->chars : NULL;
	1335	}
	1336
	1337	size_t json_value_get_string_len(const JSON_Value *value) {
	1338	const JSON_String *str = json_value_get_string_desc(value);
	1339	return str ? str->length : 0;
1297	1340	}
1298	1341
1299	1342	double json_value_get_number(const JSON_Value *value) {

1314	1357	json_object_free(value->value.object);
1315	1358	break;
1316	1359	case JSONString:
1317		parson_free(value->value.string);
	1360	parson_free(value->value.string.chars);
1318	1361	break;
1319	1362	case JSONArray:
1320	1363	json_array_free(value->value.array);

1356	1399	}
1357	1400
1358	1401	JSON_Value * json_value_init_string(const char *string) {
	1402	if (string == NULL) {
	1403	return NULL;
	1404	}
	1405	return json_value_init_string_with_len(string, strlen(string));
	1406	}
	1407
	1408	JSON_Value * json_value_init_string_with_len(const char *string, size_t length) {
1359	1409	char *copy = NULL;
1360	1410	JSON_Value *value;
1361		size_t string_len = 0;
1362	1411	if (string == NULL) {
1363	1412	return NULL;
1364	1413	}
1365		string_len = strlen(string);
1366		if (!is_valid_utf8(string, string_len)) {
1367		return NULL;
1368		}
1369		copy = parson_strndup(string, string_len);
	1414	if (!is_valid_utf8(string, length)) {
	1415	return NULL;
	1416	}
	1417	copy = parson_strndup(string, length);
1370	1418	if (copy == NULL) {
1371	1419	return NULL;
1372	1420	}
1373		value = json_value_init_string_no_copy(copy);
	1421	value = json_value_init_string_no_copy(copy, length);
1374	1422	if (value == NULL) {
1375	1423	parson_free(copy);
1376	1424	}

1416	1464	JSON_Value * json_value_deep_copy(const JSON_Value *value) {
1417	1465	size_t i = 0;
1418	1466	JSON_Value return_value = NULL, temp_value_copy = NULL, *temp_value = NULL;
1419		const char temp_string = NULL, temp_key = NULL;
	1467	const JSON_String *temp_string = NULL;
	1468	const char *temp_key = NULL;
1420	1469	char *temp_string_copy = NULL;
1421	1470	JSON_Array temp_array = NULL, temp_array_copy = NULL;
1422	1471	JSON_Object temp_object = NULL, temp_object_copy = NULL;

1470	1519	case JSONNumber:
1471	1520	return json_value_init_number(json_value_get_number(value));
1472	1521	case JSONString:
1473		temp_string = json_value_get_string(value);
	1522	temp_string = json_value_get_string_desc(value);
1474	1523	if (temp_string == NULL) {
1475	1524	return NULL;
1476	1525	}
1477		temp_string_copy = parson_strdup(temp_string);
	1526	temp_string_copy = parson_strndup(temp_string->chars, temp_string->length);
1478	1527	if (temp_string_copy == NULL) {
1479	1528	return NULL;
1480	1529	}
1481		return_value = json_value_init_string_no_copy(temp_string_copy);
	1530	return_value = json_value_init_string_no_copy(temp_string_copy, temp_string->length);
1482	1531	if (return_value == NULL) {
1483	1532	parson_free(temp_string_copy);
1484	1533	}

1650	1699	return JSONSuccess;
1651	1700	}
1652	1701
	1702	JSON_Status json_array_replace_string_with_len(JSON_Array array, size_t i, const char string, size_t len) {
	1703	JSON_Value *value = json_value_init_string_with_len(string, len);
	1704	if (value == NULL) {
	1705	return JSONFailure;
	1706	}
	1707	if (json_array_replace_value(array, i, value) == JSONFailure) {
	1708	json_value_free(value);
	1709	return JSONFailure;
	1710	}
	1711	return JSONSuccess;
	1712	}
	1713
1653	1714	JSON_Status json_array_replace_number(JSON_Array *array, size_t i, double number) {
1654	1715	JSON_Value *value = json_value_init_number(number);
1655	1716	if (value == NULL) {

1707	1768
1708	1769	JSON_Status json_array_append_string(JSON_Array array, const char string) {
1709	1770	JSON_Value *value = json_value_init_string(string);
	1771	if (value == NULL) {
	1772	return JSONFailure;
	1773	}
	1774	if (json_array_append_value(array, value) == JSONFailure) {
	1775	json_value_free(value);
	1776	return JSONFailure;
	1777	}
	1778	return JSONSuccess;
	1779	}
	1780
	1781	JSON_Status json_array_append_string_with_len(JSON_Array array, const char string, size_t len) {
	1782	JSON_Value *value = json_value_init_string_with_len(string, len);
1710	1783	if (value == NULL) {
1711	1784	return JSONFailure;
1712	1785	}

1783	1856	return status;
1784	1857	}
1785	1858
	1859	JSON_Status json_object_set_string_with_len(JSON_Object object, const char name, const char *string, size_t len) {
	1860	JSON_Value *value = json_value_init_string_with_len(string, len);
	1861	JSON_Status status = json_object_set_value(object, name, value);
	1862	if (status == JSONFailure) {
	1863	json_value_free(value);
	1864	}
	1865	return status;
	1866	}
	1867
1786	1868	JSON_Status json_object_set_number(JSON_Object object, const char name, double number) {
1787	1869	JSON_Value *value = json_value_init_number(number);
1788	1870	JSON_Status status = json_object_set_value(object, name, value);

1854	1936
1855	1937	JSON_Status json_object_dotset_string(JSON_Object object, const char name, const char *string) {
1856	1938	JSON_Value *value = json_value_init_string(string);
	1939	if (value == NULL) {
	1940	return JSONFailure;
	1941	}
	1942	if (json_object_dotset_value(object, name, value) == JSONFailure) {
	1943	json_value_free(value);
	1944	return JSONFailure;
	1945	}
	1946	return JSONSuccess;
	1947	}
	1948
	1949	JSON_Status json_object_dotset_string_with_len(JSON_Object object, const char name, const char *string, size_t len) {
	1950	JSON_Value *value = json_value_init_string_with_len(string, len);
1857	1951	if (value == NULL) {
1858	1952	return JSONFailure;
1859	1953	}

1984	2078	int json_value_equals(const JSON_Value a, const JSON_Value b) {
1985	2079	JSON_Object a_object = NULL, b_object = NULL;
1986	2080	JSON_Array a_array = NULL, b_array = NULL;
1987		const char a_string = NULL, b_string = NULL;
	2081	const JSON_String a_string = NULL, b_string = NULL;
1988	2082	const char *key = NULL;
1989	2083	size_t a_count = 0, b_count = 0, i = 0;
1990	2084	JSON_Value_Type a_type, b_type;

2026	2120	}
2027	2121	return 1;
2028	2122	case JSONString:
2029		a_string = json_value_get_string(a);
2030		b_string = json_value_get_string(b);
	2123	a_string = json_value_get_string_desc(a);
	2124	b_string = json_value_get_string_desc(b);
2031	2125	if (a_string == NULL \|\| b_string == NULL) {
2032	2126	return 0; /* shouldn't happen */
2033	2127	}
2034		return strcmp(a_string, b_string) == 0;
	2128	return a_string->length == b_string->length &&
	2129	memcmp(a_string->chars, b_string->chars, a_string->length) == 0;
2035	2130	case JSONBoolean:
2036	2131	return json_value_get_boolean(a) == json_value_get_boolean(b);
2037	2132	case JSONNumber:

2061	2156	return json_value_get_string(value);
2062	2157	}
2063	2158
	2159	size_t json_string_len(const JSON_Value *value) {
	2160	return json_value_get_string_len(value);
	2161	}
	2162
2064	2163	double json_number (const JSON_Value *value) {
2065	2164	return json_value_get_number(value);
2066	2165	}

+12

-2

vendor/parson/parson.h less more

0	0	/*
1	1	SPDX-License-Identifier: MIT
2	2
3		Parson 1.0.2 ( http://kgabis.github.com/parson/ )
4		Copyright (c) 2012 - 2019 Krzysztof Gabis
	3	Parson 1.1.3 ( http://kgabis.github.com/parson/ )
	4	Copyright (c) 2012 - 2021 Krzysztof Gabis
5	5
6	6	Permission is hereby granted, free of charge, to any person obtaining a copy
7	7	of this software and associated documentation files (the "Software"), to deal

113	113	*/
114	114	JSON_Value * json_object_get_value (const JSON_Object object, const char name);
115	115	const char * json_object_get_string (const JSON_Object object, const char name);
	116	size_t json_object_get_string_len(const JSON_Object object, const char name); /* doesn't account for last null character */
116	117	JSON_Object * json_object_get_object (const JSON_Object object, const char name);
117	118	JSON_Array * json_object_get_array (const JSON_Object object, const char name);
118	119	double json_object_get_number (const JSON_Object object, const char name); /* returns 0 on fail */

124	125	this way. */
125	126	JSON_Value * json_object_dotget_value (const JSON_Object object, const char name);
126	127	const char * json_object_dotget_string (const JSON_Object object, const char name);
	128	size_t json_object_dotget_string_len(const JSON_Object object, const char name); /* doesn't account for last null character */
127	129	JSON_Object * json_object_dotget_object (const JSON_Object object, const char name);
128	130	JSON_Array * json_object_dotget_array (const JSON_Object object, const char name);
129	131	double json_object_dotget_number (const JSON_Object object, const char name); /* returns 0 on fail */

147	149	* json_object_set_value does not copy passed value so it shouldn't be freed afterwards. */
148	150	JSON_Status json_object_set_value(JSON_Object object, const char name, JSON_Value *value);
149	151	JSON_Status json_object_set_string(JSON_Object object, const char name, const char *string);
	152	JSON_Status json_object_set_string_with_len(JSON_Object object, const char name, const char string, size_t len); / length shouldn't include last null character */
150	153	JSON_Status json_object_set_number(JSON_Object object, const char name, double number);
151	154	JSON_Status json_object_set_boolean(JSON_Object object, const char name, int boolean);
152	155	JSON_Status json_object_set_null(JSON_Object object, const char name);

155	158	* json_object_dotset_value does not copy passed value so it shouldn't be freed afterwards. */
156	159	JSON_Status json_object_dotset_value(JSON_Object object, const char name, JSON_Value *value);
157	160	JSON_Status json_object_dotset_string(JSON_Object object, const char name, const char *string);
	161	JSON_Status json_object_dotset_string_with_len(JSON_Object object, const char name, const char string, size_t len); / length shouldn't include last null character */
158	162	JSON_Status json_object_dotset_number(JSON_Object object, const char name, double number);
159	163	JSON_Status json_object_dotset_boolean(JSON_Object object, const char name, int boolean);
160	164	JSON_Status json_object_dotset_null(JSON_Object object, const char name);

173	177	*/
174	178	JSON_Value * json_array_get_value (const JSON_Array *array, size_t index);
175	179	const char * json_array_get_string (const JSON_Array *array, size_t index);
	180	size_t json_array_get_string_len(const JSON_Array array, size_t index); / doesn't account for last null character */
176	181	JSON_Object * json_array_get_object (const JSON_Array *array, size_t index);
177	182	JSON_Array * json_array_get_array (const JSON_Array *array, size_t index);
178	183	double json_array_get_number (const JSON_Array array, size_t index); / returns 0 on fail */

189	194	* json_array_replace_value does not copy passed value so it shouldn't be freed afterwards. */
190	195	JSON_Status json_array_replace_value(JSON_Array array, size_t i, JSON_Value value);
191	196	JSON_Status json_array_replace_string(JSON_Array array, size_t i, const char string);
	197	JSON_Status json_array_replace_string_with_len(JSON_Array array, size_t i, const char string, size_t len); /* length shouldn't include last null character */
192	198	JSON_Status json_array_replace_number(JSON_Array *array, size_t i, double number);
193	199	JSON_Status json_array_replace_boolean(JSON_Array *array, size_t i, int boolean);
194	200	JSON_Status json_array_replace_null(JSON_Array *array, size_t i);

200	206	* json_array_append_value does not copy passed value so it shouldn't be freed afterwards. */
201	207	JSON_Status json_array_append_value(JSON_Array array, JSON_Value value);
202	208	JSON_Status json_array_append_string(JSON_Array array, const char string);
	209	JSON_Status json_array_append_string_with_len(JSON_Array array, const char string, size_t len); /* length shouldn't include last null character */
203	210	JSON_Status json_array_append_number(JSON_Array *array, double number);
204	211	JSON_Status json_array_append_boolean(JSON_Array *array, int boolean);
205	212	JSON_Status json_array_append_null(JSON_Array *array);

210	217	JSON_Value * json_value_init_object (void);
211	218	JSON_Value * json_value_init_array (void);
212	219	JSON_Value * json_value_init_string (const char string); / copies passed string */
	220	JSON_Value * json_value_init_string_with_len(const char string, size_t length); / copies passed string, length shouldn't include last null character */
213	221	JSON_Value * json_value_init_number (double number);
214	222	JSON_Value * json_value_init_boolean(int boolean);
215	223	JSON_Value * json_value_init_null (void);

220	228	JSON_Object * json_value_get_object (const JSON_Value *value);
221	229	JSON_Array * json_value_get_array (const JSON_Value *value);
222	230	const char * json_value_get_string (const JSON_Value *value);
	231	size_t json_value_get_string_len(const JSON_Value value); / doesn't account for last null character */
223	232	double json_value_get_number (const JSON_Value *value);
224	233	int json_value_get_boolean(const JSON_Value *value);
225	234	JSON_Value * json_value_get_parent (const JSON_Value *value);

229	238	JSON_Object * json_object (const JSON_Value *value);
230	239	JSON_Array * json_array (const JSON_Value *value);
231	240	const char * json_string (const JSON_Value *value);
	241	size_t json_string_len(const JSON_Value value); / doesn't account for last null character */
232	242	double json_number (const JSON_Value *value);
233	243	int json_boolean(const JSON_Value *value);
234	244

+2

-2

vendor.sh less more

0	0	#!/bin/bash
1	1	set -eux -o pipefail
2	2
3		# Feb 21, 2020
4		PARSON_COMMIT=70dc239f8f54c80bf58477b25435fd3dd3102804
	3	# v1.1.3 (May 26, 2021)
	4	PARSON_COMMIT=2d7b3ddf1280bf7f5ad82d26e09252240e7c4557
5	5	PARSON_REPO=https://github.com/kgabis/parson.git
6	6
7	7	# prepare