clean-net

#!/bin/sh -efu
# vim:et:sw=4
#
# Copyright (c) 2019-2025 Nikita (sh1r4s3) Ermakov <sh1r4s3@mail.si-head.nl>
# SPDX-License-Identifier: MIT
#

# Help message
help()
{
    cat <<EOF
${0##*/} -- remove network namespace and cleanup iptables -t nat rule added by build-net.sh

Usage: ${0##*/} [options]

Options:
  -h | --help              print this help message
  -n | --name              namespace name
  -r | --reattach          reattach to namespace to another interface
  -f | --disable-forward   disable IPv4 forwarding
EOF
    exit 0
}

before_exit()
{
    ip netns del "$NS"
}

[ $# -ge 1 ] || help

# Parse command line arguments
TMPARGS="$(getopt -n "$0" -o n:,f,r:,h -l name:,disable-forward,reattach:,help -- "$@")" || help
eval set -- "$TMPARGS"

NS=
while :
do
    case "$1" in
        --)
            shift; break ;;
        -n|--name)
            shift; NS="$1" ;;
        -f|--disable-forward)
            shift; DISABLE_FORWARD=1; break ;;
        -r|--reattach)
            shift; REATTACH="$1" ;;
        *)
            help ;;
    esac
    shift
done

# Check PIDs
if [ -z "${REATTACH-}" ]; then
    pids="$(ip netns pids "$NS")"
    if [ "$(ip netns pids "$NS")" != "" ]
    then
        echo -ne "WARNING: $NS has follwing PIDs:\n$pids\n"
        echo -ne "Do you want to kill automatically or manually?\n(a/m) > "
        read KILL
        if [ "$KILL" = "a" ]
        then
            for i in $pids
            do
                kill "$i" || continue
                while [ -e "/proc/$i" ]
                do
                    sleep 1
                    echo "Waiting for $i..."
                done
            done

            if [ "$(ip netns pids "$NS")" != "" ]
            then
                echo "Can't kill all PIDs. Exit."
                exit 1
            fi
        else
            exit 0
        fi
    fi
fi

# Get ip route and veth pair
IPT="$(ip -netns "$NS" route | awk '/^172\.24.*eth0/{print $1}')"
VPND="$(ip -human -oneline -details link | awk "/link-netns $NS/{match(\$0, /^[0-9]+:[ ]*([^ ]*)@if/, m); print m[1]}")"
INT="$(iptables -S | awk "/.*-o ${VPND}.*/{if(match(\$0, /.*-i ([^ ]+) .*/, m)){print m[1]}}")"

# Find rulenum in case of reattach mode or delete rules
if [ -n "${REATTACH-}" ]; then
    RULENUM="$(iptables -S FORWARD | grep '^-[^P].*' | awk "/-A FORWARD -i $INT -o $VPND -j ACCEPT/{print NR}")"
    iptables -R FORWARD "$RULENUM" -i "$REATTACH" -o "$VPND" -j ACCEPT
    RULENUM="$(iptables -S FORWARD | grep '^-[^P].*' | awk "/-A FORWARD -i $VPND -o $INT -j ACCEPT/{print NR}")"
    iptables -R FORWARD "$RULENUM" -i "$VPND" -o "$REATTACH" -j ACCEPT
    RULENUM="$(iptables -t nat -S POSTROUTING | grep '^-[^P].*' | awk "/-A POSTROUTING -s ${IPT/\//\\/} -o $INT -j MASQUERADE/{print NR}")"
    iptables -t nat -R POSTROUTING "$RULENUM" -s "$IPT" -o "$REATTACH" -j MASQUERADE
else
    trap before_exit EXIT HUP PIPE INT QUIT TERM

    # Delete iptables rule and network namespace
    iptables -D FORWARD -i "$VPND" -o "$INT" -j ACCEPT
    iptables -D FORWARD -o "$VPND" -i "$INT" -j ACCEPT
    iptables -t nat -D POSTROUTING -s "$IPT" -o "$INT" -j MASQUERADE
    ip route del "$IPT"
    ip link del "$VPND"

    # Delete resolv.conf setup
    [ ! -d "/etc/netns/$NS" ] || rm -rf "/etc/netns/$NS"
    # Disable IPv4 forward
    [ -z "${DISABLE_FORWARD-}" ] || echo "0" > /proc/sys/net/ipv4/ip_forward
fi