diff --git a/common/vif-route-qubes b/common/vif-route-qubes
new file mode 100755
index 00000000..5359063d
--- /dev/null
+++ b/common/vif-route-qubes
@@ -0,0 +1,58 @@
+#!/bin/bash
+#============================================================================
+# /etc/xen/vif-route-qubes
+#
+# Script for configuring a vif in routed mode.
+# The hotplugging system will call this script if it is specified either in
+# the device configuration given to Xend, or the default Xend configuration
+# in /etc/xen/xend-config.sxp. If the script is specified in neither of those
+# places, then vif-bridge is the default.
+#
+# Usage:
+# vif-route (add|remove|online|offline)
+#
+# Environment vars:
+# vif vif interface name (required).
+# XENBUS_PATH path to this device's details in the XenStore (required).
+#
+# Read from the store:
+# ip list of IP networks for the vif, space-separated (default given in
+# this script).
+#============================================================================
+
+dir=$(dirname "$0")
+. "$dir/vif-common.sh"
+
+#main_ip=$(dom0_ip)
+
+case "$command" in
+ online)
+ ifconfig ${vif} up
+ echo 1 >/proc/sys/net/ipv4/conf/${vif}/proxy_arp
+ ipcmd='add'
+ iptables_cmd='-I FORWARD 1'
+ cmdprefix=''
+ ;;
+ offline)
+ do_without_error ifdown ${vif}
+ ipcmd='del'
+ iptables_cmd='-D FORWARD'
+ cmdprefix='do_without_error'
+ ;;
+esac
+
+if [ "${ip}" ] ; then
+ # If we've been given a list of IP addresses, then add routes from dom0 to
+ # the guest using those addresses.
+ for addr in ${ip} ; do
+ ${cmdprefix} ip route ${ipcmd} ${addr} dev ${vif}
+ done
+ echo ${cmdprefix} iptables $iptables_cmd -i ${vif} \! -s ${ip} -j DROP
+ ${cmdprefix} iptables $iptables_cmd -i ${vif} \! -s ${ip} -j DROP
+fi
+
+log debug "Successful vif-route-qubes $command for $vif."
+if [ "$command" = "online" ]
+then
+ success
+fi
diff --git a/dom0/init.d/qubes_netvm b/dom0/init.d/qubes_netvm
index 5e66b695..fca85fd1 100755
--- a/dom0/init.d/qubes_netvm
+++ b/dom0/init.d/qubes_netvm
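Review bot: The anti-spoofing rule `${cmdprefix} iptables $iptables_cmd -i ${vif} \! -s ${ip} -j DROP` only works when `ip` holds a single network; the header documents `ip` as a space-separated list, and an unquoted multi-word `${ip}` expands into extra iptables arguments, the rule is rejected, and because the online path has no `set -e` and an empty `cmdprefix`, the script still reaches `success` with the vif routed but unfiltered. The `for addr in ${ip}` loop already handles several addresses for the routes, so the filter should as well: a per-vif chain with one RETURN per permitted source and a final DROP preserves the intended semantics (sketch below; the chain name is constructed). The `echo ${cmdprefix} iptables ...` line directly above the real invocation looks like leftover debugging output and should be removed. The `case` has no `*)` arm, so the `add`/`remove` commands named in the usage comment fall through with `ipcmd` and `iptables_cmd` empty; an explicit `*) exit 0 ;;` arm would make that intentional, and the header's "(default given in this script)" does not match the code, which sets no default for `ip`.
```shell
# … unchanged: header, vif-common.sh sourcing, case "$command" … esac …
if [ "${ip}" ] ; then
  # One filter chain per vif so a multi-address list is honoured:
  # every permitted source RETURNs, anything else on this vif is dropped.
  chain="vif-${vif}"   # constructed name; stays within the iptables chain-name length limit for typical vif names
  if [ "$command" = "online" ] ; then
    iptables -N "${chain}"
  fi
  for addr in ${ip} ; do
    ${cmdprefix} ip route ${ipcmd} "${addr}" dev "${vif}"
    if [ "$command" = "online" ] ; then
      iptables -A "${chain}" -s "${addr}" -j RETURN
    fi
  done
  if [ "$command" = "online" ] ; then
    iptables -A "${chain}" -j DROP
    iptables -I FORWARD 1 -i "${vif}" -j "${chain}"
  else
    do_without_error iptables -D FORWARD -i "${vif}" -j "${chain}"
    do_without_error iptables -F "${chain}"
    do_without_error iptables -X "${chain}"
  fi
fi
# … unchanged: log debug / success …
```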
@@ -30,11 +30,6 @@ start()
 elif [ $NETVM = "dom0" ] ; then
 echo -n $"Setting up net backend in Dom0:"
- brctl addbr br0 || exit 1
- brctl stp br0 off
- brctl setfd br0 1
- ifconfig br0 10.0.0.1 netmask 255.255.0.0 up || exit 1
- ifconfig br0:1 10.0.255.254 netmask 255.255.0.0 up || exit 1
 echo "NS1=10.0.0.1" > /var/run/qubes/qubes_ns
 echo "NS2=10.0.255.254" >> /var/run/qubes/qubes_ns
 /usr/lib/qubes/qubes_setup_dnat_to_ns
@@ -62,12 +57,7 @@ stop()
 elif [ $NETVM = "dom0" ] ; then
 echo -n $"Stopping Qubes networking in Dom0:"
- iptables -t nat -F PREROUTING
-
- ifconfig br0 down
- brctl delbr br0
-
- else
+ else
 echo -n $"Stopping default NetVM:"
 qvm-run -q --shutdown --wait $NETVM
diff --git a/netvm/qubes_core b/netvm/qubes_core
index 99b8f5cb..dbfaad7a 100755
--- a/netvm/qubes_core
+++ b/netvm/qubes_core
@@ -19,26 +19,15 @@ start()
 hostname $name
 # Setup gateway for all the VMs this netVM is serviceing...
- brctl addbr br0
- brctl stp br0 off
- brctl setfd br0 1
 modprobe netbk
 gateway=$(/usr/bin/xenstore-read qubes_netvm_gateway)
 netmask=$(/usr/bin/xenstore-read qubes_netvm_netmask)
 network=$(/usr/bin/xenstore-read qubes_netvm_network)
 secondary_dns=$(/usr/bin/xenstore-read qubes_netvm_secondary_dns)
- ifconfig br0 $gateway netmask $netmask up
- ifconfig br0:1 $secondary_dns netmask $netmask
 echo "NS1=$gateway" > /var/run/qubes/qubes_ns
 echo "NS2=$secondary_dns" >> /var/run/qubes/qubes_ns
 /usr/lib/qubes/qubes_setup_dnat_to_ns
 echo "1" > /proc/sys/net/ipv4/ip_forward
-#now no need for dnsmasq
-# dnsmasq --listen-address $gateway --bind-interfaces
-#now done by iptables rc script
-# iptables -t nat -A POSTROUTING -s $network/$netmask -j MASQUERADE
-#no, we cannot put ip-dependent stuff in sysconfig/iptables
-#so make it ip-independent
 success
 echo ""
 return 0
diff --git a/rpm_spec/core-dom0.spec b/rpm_spec/core-dom0.spec
index 123002aa..58ba4e1d 100644
--- a/rpm_spec/core-dom0.spec
+++ b/rpm_spec/core-dom0.spec
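Review bot: The stop() hunk of dom0/init.d/qubes_netvm drops `iptables -t nat -F PREROUTING` together with the bridge teardown, while the start() hunk above still runs `/usr/lib/qubes/qubes_setup_dnat_to_ns`, so whatever nat PREROUTING rules that helper installs presumably outlive a stop unless something outside this diff clears them; if the flush was removed only because br0 went away, keep `iptables -t nat -F PREROUTING` (or a targeted `-D` of the rules the helper adds) in the dom0 branch of stop(). The same asymmetry is worth checking in netvm/qubes_core, whose start() still calls qubes_setup_dnat_to_ns after the bridge setup was removed; any corresponding stop path is outside this hunk. In that qubes_core hunk, `network=$(/usr/bin/xenstore-read qubes_netvm_network)` is now referenced only by the deleted MASQUERADE comment, so either drop the assignment or comment why it is kept.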
@@ -61,6 +61,7 @@ cp pendrive_swapper/qfilexchgd $RPM_BUILD_ROOT/usr/bin
 mkdir -p $RPM_BUILD_ROOT/etc/xen/scripts
 cp restore/block.qubes $RPM_BUILD_ROOT/etc/xen/scripts
+cp ../common/vif-route-qubes $RPM_BUILD_ROOT/etc/xen/scripts
 mkdir -p $RPM_BUILD_ROOT%{python_sitearch}/qubes
 cp qvm-core/qubes.py $RPM_BUILD_ROOT%{python_sitearch}/qubes
@@ -221,4 +222,5 @@ fi
 /usr/lib/qubes/qubes_restore
 /usr/lib/qubes/qubes_prepare_saved_domain.sh
 /etc/xen/scripts/block.qubes
+/etc/xen/scripts/vif-route-qubes
 %attr(4750,root,qubes) /usr/lib/qubes/xenfreepages
diff --git a/rpm_spec/core-netvm.spec b/rpm_spec/core-netvm.spec
index 6ac0246d..88255aee 100644
--- a/rpm_spec/core-netvm.spec
+++ b/rpm_spec/core-netvm.spec
@@ -72,6 +72,8 @@ cp ../common/qubes_serial_login $RPM_BUILD_ROOT/sbin
 mkdir -p $RPM_BUILD_ROOT/etc
 cp ../common/serial.conf $RPM_BUILD_ROOT/var/lib/qubes/
 mkdir -p $RPM_BUILD_ROOT/var/run/qubes
+mkdir -p $RPM_BUILD_ROOT/etc/xen/scripts
+cp ../common/vif-route-qubes $RPM_BUILD_ROOT/etc/xen/scripts
 %triggerin -- initscripts
 cp /var/lib/qubes/serial.conf /etc/init/serial.conf
@@ -174,4 +176,5 @@ rm -rf $RPM_BUILD_ROOT
 /etc/NetworkManager/dispatcher.d/qubes_nmhook
 /etc/yum.repos.d/qubes.repo
 /sbin/qubes_serial_login
+/etc/xen/scripts/vif-route-qubes
 %dir /var/run/qubes