sane-vpn: port to bunpen
@@ -201,10 +201,10 @@ let
|
|||||||
pname = "sane-vpn";
|
pname = "sane-vpn";
|
||||||
srcRoot = ./src;
|
srcRoot = ./src;
|
||||||
pkgs = [
|
pkgs = [
|
||||||
|
"bunpen"
|
||||||
"iproute2"
|
"iproute2"
|
||||||
"networkmanager-split.nmcli"
|
"networkmanager-split.nmcli"
|
||||||
"sane-scripts.ip-check"
|
"sane-scripts.ip-check"
|
||||||
"sanebox"
|
|
||||||
"systemd"
|
"systemd"
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
|
@@ -1,5 +1,5 @@
|
|||||||
#!/usr/bin/env nix-shell
|
#!/usr/bin/env nix-shell
|
||||||
#!nix-shell -i python3 -p iproute2 -p networkmanager-split.nmcli -p python3 -p sane-scripts.ip-check -p sanebox -p systemd
|
#!nix-shell -i python3 -p bunpen -p iproute2 -p networkmanager-split.nmcli -p python3 -p sane-scripts.ip-check -p systemd
|
||||||
# vim: set filetype=python :
|
# vim: set filetype=python :
|
||||||
"""
|
"""
|
||||||
sane-vpn: tool to route all system internet traffic through some VPN, or just one application's
|
sane-vpn: tool to route all system internet traffic through some VPN, or just one application's
|
||||||
@@ -226,24 +226,23 @@ def get_vpn(vpn_name: str) -> VpnConfig:
|
|||||||
|
|
||||||
def vpn_do(config: VpnConfig, cmd: list[str]) -> None:
|
def vpn_do(config: VpnConfig, cmd: list[str]) -> None:
|
||||||
net_flags = []
|
net_flags = []
|
||||||
net_flags += [ "--sanebox-net-dev", config.dev ]
|
net_flags += [ "--bunpen-net-dev", config.dev ]
|
||||||
for d in config.dns:
|
for d in config.dns:
|
||||||
net_flags += [ "--sanebox-dns", d ]
|
net_flags += [ "--bunpen-dns", d ]
|
||||||
if config.addr_v4:
|
if config.addr_v4:
|
||||||
net_flags += [ "--sanebox-net-gateway", config.addr_v4 ]
|
net_flags += [ "--bunpen-net-gateway", config.addr_v4 ]
|
||||||
|
|
||||||
wrapped_cmd = [
|
wrapped_cmd = [
|
||||||
"sanebox",
|
"bunpen",
|
||||||
# method: pastaonly, should be enough, but it leaves us as root in the user namespace.
|
"--bunpen-keep-ipc",
|
||||||
# some apps don't like that -- bwrap is the fix to have uid mapping
|
"--bunpen-keep-pid",
|
||||||
"--sanebox-method", "bwrap",
|
"--bunpen-try-keep-users",
|
||||||
"--sanebox-keep-namespace", "all",
|
"--bunpen-path", "/",
|
||||||
"--sanebox-path", "/",
|
|
||||||
] + net_flags + cmd
|
] + net_flags + cmd
|
||||||
|
|
||||||
logger.debug(f"exec {wrapped_cmd}")
|
logger.debug(f"exec {wrapped_cmd}")
|
||||||
# exec instead of subprocess so that (hopefully) the process inherits stdin/stdout.
|
# exec instead of subprocess so that (hopefully) the process inherits stdin/stdout.
|
||||||
os.execvp("sanebox", wrapped_cmd)
|
os.execvp("bunpen", wrapped_cmd)
|
||||||
|
|
||||||
def vpn_toggle(config: VpnConfig, dir_: ToggleDir) -> None:
|
def vpn_toggle(config: VpnConfig, dir_: ToggleDir) -> None:
|
||||||
print("old IP address ...")
|
print("old IP address ...")
|
||||||
|
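Review bot: The new `wrapped_cmd` flags in `vpn_do` carry no comment, while the commit drops the two lines that explained why the old invocation needed uid mapping (being left as root in the user namespace, which some apps don't like). `--bunpen-try-keep-users` reads as best-effort, so if bunpen cannot keep the user mapping the command may again run as namespace root with no signal to the caller; this is inferred from the flag name and should be confirmed against bunpen's behaviour. Together with `--bunpen-keep-ipc`, `--bunpen-keep-pid` and `--bunpen-path /`, the wrapper appears to isolate only the network, which a reader could mistake for a confinement sandbox. I would add above the list `# only the network is redirected (via config.dev); ipc, pid and the whole filesystem stay shared with the host.` and `# try-keep-users is best-effort: some apps misbehave as root in the userns -- TODO confirm fallback.` Separately, when `config.dns` is empty no `--bunpen-dns` is passed, so it is worth checking which resolver the wrapped command then uses, so that lookups do not bypass the VPN.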