It works, now!

And it works better here than irl (not implemented yet), lol :-D

README.md

@@ -31,3 +31,4 @@ TODO
 - [ ] Dynamic address assignment
 - [ ] network booting and diskless machines
 - [ ] Horrible networks that use *all* of the RFC 1918 IPv4 addresses in the inside infra (gateways, DNS servers) and therefore clash with *any/most* private network on the host
+- [ ] Firewalls

init-shim.sh

@@ -1,2 +1,2 @@
 #!/bin/sh
-unshare -rnm ./init.sh
+unshare -rnmpf --mount-proc ./init.sh

init.sh

@@ -6,6 +6,8 @@ set -eu
 
 mount -t tmpfs -o size=100M horror ./state
 
+tmux new-session -t nethorror -d
+
 # TODO: Set some sysctls in order not to interact with the networks
 
 for net in networks/*; do
@@ -16,4 +18,4 @@ for mach in machines/*; do
 	$mach/run-shim.sh
 done
 
-tmux
+tmux -N attach

lib.shs

@@ -1,6 +1,9 @@
 #!/bin/false
 
-mach=$(basename $(dirname "$0"))
+mach="${0#*machines/}"
+mach="${mach%%/*}"
+net="${0#*networks/}"
+net="${net%%/*}"
 
 netns=netns
 nethorror_root="`pwd`" # and hope?
@@ -49,7 +52,7 @@ bridge_name() {
 }
 
 make_bridge() {
-	br="$(bridge_name "$mach")"
+	br="$(bridge_name "$net")"
 	ip link add name "$br" type bridge
 	ip link set dev "$br" up
 }

machines/loc1xe/setup.sh

@@ -13,4 +13,25 @@ ip addr add 192.168.0.3/24 dev wifi
 ip link set dev wifi up
 ip route add default via 192.168.0.1 dev wifi
 
-wireguard wg1 ./machines/$mach/wg1.conf 2a01:4f8:c0c:36b8:ff01:8000:10:f03/128
+wireguard wg1 ./machines/$mach/wg1.conf 2a01:4f8:c0c:36b8:ff01:8000:10:f03/108
+
+# Netns for running public VMs
+vm_netns="./state/$mach/vm_netns"
+touch "$vm_netns"
+unshare --net="$vm_netns" /bin/true
+ip link add name wg-vms type wireguard
+wg setconf wg-vms ./machines/$mach/wg-vms.conf
+ip link set wg-vms netns "$vm_netns"
+nsenter --net="$vm_netns" ip link set wg-vms up
+nsenter --net="$vm_netns" ip route add 2a01:4f8:c0c:36b8:ff01:8000:0:0001/128 dev wg-vms onlink
+nsenter --net="$vm_netns" ip route add default via 2a01:4f8:c0c:36b8:ff01:8000:0:0001 dev wg-vms
+nsenter --net="$vm_netns" sysctl net.ipv6.conf.all.forwarding=1
+
+tmux -N new-window -d -n vm1 socat stdio unix-listen:state/$mach/vm1.sock
+nsenter --net="$vm_netns" ./machines/$mach/vm1/start.sh
+# We *do* have an IPv6 address just because the VM simulates ethernet, which is broadcast and runs NDP and so we need to respond.
+# However, we should avoid *any* interaction with the packets, that is, probably just drop everything in input and output chains, TODO
+# FIXME: I think the correct range is fe80::/64, not fe80:whatever::/64… But this works…
+nsenter --net="$vm_netns" ip addr add fe80:ff01:8000::2/64 dev tap-vm1 scope link
+nsenter --net="$vm_netns" ip link set dev tap-vm1 up
+nsenter --net="$vm_netns" ip route add 2a01:4f8:c0c:36b8:ff01:8000:0:0003/128 dev tap-vm1 onlink

machines/loc1xe/vm1/create.sh

@@ -0,0 +1,22 @@
+#!/bin/sh
+
+# LEdoian's absurdly simple initrd generator (ad-hoc arc)
+
+here="$(dirname "$0")"
+
+set -eu
+outdir="$1"
+
+mkdir "$outdir/initrd"
+cp "$here/init" "$outdir/initrd/"
+
+busybox="$(which busybox)"
+cp "$busybox" "$outdir/initrd/busybox"
+
+# TODO: get kernel version from /boot/vmlinuz-linux (which we use)
+kver="$(uname -r)"
+zstdcat /usr/lib/modules/$kver/kernel/drivers/net/ethernet/intel/e1000/e1000.ko.zst > "$outdir/initrd/e1000.ko"
+
+pushd "$outdir/initrd"
+find . | cpio -o -H newc > ../initrd.img
+popd

machines/loc1xe/vm1/init

@@ -0,0 +1,13 @@
+#!/busybox ash
+
+/busybox echo START
+#/busybox mdev -s
+# we know the modules, lol :-)
+/busybox insmod /e1000.ko
+/busybox ip link set lo up
+/busybox ip addr add 2a01:4f8:c0c:36b8:ff01:8000:0:3/128 dev eth0
+/busybox ip addr add fe80:ff01:8000::3 dev eth0 scope link
+/busybox ip link set eth0 up
+/busybox ip route add default via fe80:ff01:8000::2 dev eth0
+
+/busybox ash

machines/loc1xe/vm1/run.sh

@@ -0,0 +1,10 @@
+#!/bin/sh
+
+set -eu
+
+arch=x86_64
+kernel=/boot/vmlinuz-linux
+initrd_dir="$1"
+sockpath="$2"
+shift 2
+qemu-system-"$arch" -m 1G -nic tap,id=net0,ifname=tap-vm1,script=no,downscript=no -kernel "$kernel" -initrd "$initrd_dir/initrd.img" -chardev socket,id=sock0,path="$sockpath",mux=on,server=off -serial chardev:sock0 -mon chardev=sock0,mode=readline -daemonize -display none -append console=ttyS0,115200n1 "$@"

machines/loc1xe/vm1/start.sh

@@ -0,0 +1,9 @@
+#!/bin/sh
+
+. ./lib.shs
+
+set -eu
+
+mkdir state/$mach/initdir
+machines/$mach/vm1/create.sh state/$mach/initdir
+machines/$mach/vm1/run.sh state/$mach/initdir state/$mach/vm1.sock

machines/uo/setup.sh

@@ -15,4 +15,8 @@ ip link set dev up_ve up
 ip route add default via 100.100.0.1 dev up_ve
 ip route add default via fe80:ff01::1 dev up_ve
 
-wireguard wg1 ./machines/$mach/wg1.conf 2a01:4f8:c0c:36b8:ff01:8000:10:f06/128
+wireguard wg1 ./machines/$mach/wg1.conf 2a01:4f8:c0c:36b8:ff01:8000:10:f06/108
+wireguard wg-vms ./machines/$mach/wg-vms.conf 2a01:4f8:c0c:36b8:ff01:8000:0:0001/112
+
+# FIXME: Firewall this!
+sysctl net.ipv6.conf.all.forwarding=1

machines/uo/wg-vms.conf

@@ -6,4 +6,4 @@ ListenPort = 62421
 # Xe
 [Peer]
 PublicKey = TISpt9e6DkduZVO4vxtq2xc5obdQk+oVAmASGwO+QC4=
-AllowedIPs = 2a01:4f8:c0c:36b8:ff01:8000:0:0003/128 2a01:4f8:c0c:36b8:ff01:8000:0:0004/128
+AllowedIPs = 2a01:4f8:c0c:36b8:ff01:8000:0:0003/128, 2a01:4f8:c0c:36b8:ff01:8000:0:0004/128