Connect to outside world from inside a Trellis slice
authorAndy Bavier <acb@cs.princeton.edu>
Fri, 13 Jun 2008 21:26:36 +0000 (21:26 +0000)
committerAndy Bavier <acb@cs.princeton.edu>
Fri, 13 Jun 2008 21:26:36 +0000 (21:26 +0000)
factory/setup-nat [new file with mode: 0755]

diff --git a/factory/setup-nat b/factory/setup-nat
new file mode 100755 (executable)
index 0000000..61344a4
--- /dev/null
@@ -0,0 +1,57 @@
+#!/bin/sh +x
+
+IP=/sbin/ip
+
+SLICE=$1
+SLICEID=`id -u $SLICE`
+read KEY
+
+modprobe etun
+
+### Setup etun
+ETUN0=vnat0k$KEY
+ETUN1=vnat1k$KEY
+echo $ETUN0,$ETUN1 > /sys/module/etun/parameters/newif
+ifconfig $ETUN1 10.0.$KEY.1 up
+
+/sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
+/sbin/iptables -A FORWARD -i eth0 -o $ETUN1 -m state --state RELATED,ESTABLISHED -j ACCEPT
+/sbin/iptables -A FORWARD -i $ETUN1 -o eth0 -j ACCEPT
+
+### Create "grab link" script
+GRAB=/vsys/grab-$ETUN0
+echo $SLICE > $GRAB.acl 
+rm -f $GRAB
+cat > $GRAB <<EOF
+#!/bin/sh
+
+read PID
+
+chcontext --ctx 1 -- echo \$PID > /sys/class/net/$ETUN0/new_ns_pid 
+EOF
+chmod +x $GRAB
+
+### Create "delete link" script
+DELETE=/vsys/delete-$ETUN0
+echo $SLICE > $DELETE.acl 
+rm -f $DELETE
+cat > $DELETE <<EOF
+#!/bin/sh
+
+read NULL
+
+# Remove iptables rules
+/sbin/iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
+/sbin/iptables -D FORWARD -i eth0 -o $ETUN1 -m state --state RELATED,ESTABLISHED -j ACCEPT
+/sbin/iptables -D FORWARD -i $ETUN1 -o eth0 -j ACCEPT
+
+# Get rid of etun devices, only need name of one of them
+echo $ETUN1 > /sys/module/etun/parameters/delif
+
+# Clean up files
+rm -f $GRAB $GRAB.acl
+rm -f $DELETE $DELETE.acl
+
+EOF
+chmod +x $DELETE
+
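Review bot: `KEY` comes straight from stdin at `read KEY` and is used unvalidated to build the interface names, the address `10.0.$KEY.1`, the `/vsys/grab-vnat0k$KEY` and `delete-` filenames, and the sysfs path baked into the generated grab script, so a value containing whitespace, `..` or shell metacharacters changes which files and devices this root-run script touches; given the `.acl` files name `$SLICE`, that input presumably originates from the slice, though the caller is outside the hunk. Restrict it to a valid octet before line 24: `case "$KEY" in ''|*[!0-9]*) echo "bad key" >&2; exit 1 ;; esac` followed by `[ "$KEY" -ge 1 ] && [ "$KEY" -le 254 ] || exit 1`, and use `read -r KEY` so backslashes are not interpreted. Double-quoting the expansions of `$SLICE`, `$KEY`, `$GRAB` and `$DELETE` would close the remaining word-splitting cases. `SLICEID` on line 18 is assigned but never read.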