From 4e6e4115e24fcb41e7ab461795520bccf62375a1 Mon Sep 17 00:00:00 2001
From: Rafal Wojtczuk
Date: Mon, 31 May 2010 15:23:51 +0200
Subject: [PATCH] dom0 as netvm fixes
Use /etc/sysconfig/iptables
Replace dnsmasq with DNAT
---
 dom0/init.d/iptables | 23 +++++++++++++++++++++++
 dom0/init.d/qubes_netvm | 10 ++++------
 rpm_spec/core-dom0.spec | 16 ++++++++++++++++
 3 files changed, 43 insertions(+), 6 deletions(-)
 create mode 100644 dom0/init.d/iptables
diff --git a/dom0/init.d/iptables b/dom0/init.d/iptables
new file mode 100644
index 00000000..043ff46c
--- /dev/null
+++ b/dom0/init.d/iptables
@@ -0,0 +1,23 @@
+# Generated by iptables-save v1.4.5 on Mon May 31 14:15:17 2010
+*nat
+:PREROUTING ACCEPT [0:0]
+:POSTROUTING ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+-A POSTROUTING -s 10.0.0.0/16 -d 224.0.0.0/8 -j ACCEPT
+-A POSTROUTING -s 10.0.0.0/16 ! -d 10.0.0.0/16 -j MASQUERADE
+COMMIT
+# Completed on Mon May 31 14:15:17 2010
+# Generated by iptables-save v1.4.5 on Mon May 31 14:15:17 2010
+*filter
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A INPUT -p icmp -j ACCEPT
+-A INPUT -i lo -j ACCEPT
+-A INPUT -j REJECT --reject-with icmp-host-prohibited
+-A FORWARD -d 10.0.0.0/16 -o br0 -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A FORWARD -s 10.0.0.0/16 -i br0 -j ACCEPT
+-A FORWARD -j REJECT --reject-with icmp-host-prohibited
+COMMIT
+# Completed on Mon May 31 14:15:17 2010
diff --git a/dom0/init.d/qubes_netvm b/dom0/init.d/qubes_netvm
index 84ab0e10..4fe1ab4a 100755
--- a/dom0/init.d/qubes_netvm
+++ b/dom0/init.d/qubes_netvm
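Review bot: `-A FORWARD -s 10.0.0.0/16 -i br0 -j ACCEPT` accepts forwarded traffic from the VM bridge with no restriction on output interface or destination, so wherever bridged frames are passed through iptables (bridge-nf-call-iptables, which I believe defaulted on with br_netfilter loaded on kernels of this era) VM-to-VM traffic on br0 is allowed unconditionally; if VMs behind this netvm are meant to be isolated from each other, a `-A FORWARD -i br0 -o br0 -j REJECT --reject-with icmp-host-prohibited` placed before it would enforce that. The same rule existed in the script lines this commit removes, so this is not a regression, but this static file is now where it will be maintained. Separately, `-A INPUT -p icmp -j ACCEPT` carries no `-i`, so dom0 answers every ICMP type from the uplink as well as from br0; limiting it to `-i br0`, or to `--icmp-type echo-request`, would narrow dom0's exposure. The `iptables-save` header and `[0:0]` counters suggest a captured snapshot; a first-line comment such as `# hand-maintained: dom0-as-netvm NAT and filter rules, loaded by the iptables service` would tell the next maintainer to edit this file rather than regenerate it.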
@@ -33,13 +33,11 @@ start()
 /etc/init.d/NetworkManager start
 brctl addbr br0 || exit 1
 ifconfig br0 10.0.0.1 netmask 255.255.0.0 up || exit 1
+ ifconfig br0:1 10.0.255.254 netmask 255.255.0.0 up || exit 1
+ echo "NS1=10.0.0.1" > /var/run/qubes_ns
+ echo "NS2=10.0.255.254" >> /var/run/qubes_ns
+ qubes_setup_dnat_to_ns
 echo "1" > /proc/sys/net/ipv4/ip_forward || exit 1
- /usr/sbin/dnsmasq --listen-address 10.0.0.1 --bind-interfaces || exit 1
- iptables -t nat -A POSTROUTING -s 10.0.0.0/16 '!' -d 10.0.0.0/16 -j MASQUERADE || exit 1
- iptables -I INPUT 1 -i br0 -s 10.0.0.0/16 -j ACCEPT || exit 1
- iptables -I FORWARD 1 -i br0 -s 10.0.0.0/16 -j ACCEPT || exit 1
- iptables -I FORWARD 1 -o br0 -d 10.0.0.0/16 -m state --state ESTABLISHED,RELATED -j ACCEPT || exit 1
-
 else
 echo -n $"Starting default NetVM:"
diff --git a/rpm_spec/core-dom0.spec b/rpm_spec/core-dom0.spec
index f50c0a49..cf48c3da 100644
--- a/rpm_spec/core-dom0.spec
+++ b/rpm_spec/core-dom0.spec
@@ -86,7 +86,19 @@ cp icons/*.png $RPM_BUILD_ROOT/usr/share/qubes/icons
 mkdir -p $RPM_BUILD_ROOT/etc/yum.repos.d
 cp ../common/qubes.repo $RPM_BUILD_ROOT/etc/yum.repos.d
+mkdir -p $RPM_BUILD_ROOT/usr/bin
+cp ../common/qubes_setup_dnat_to_ns $RPM_BUILD_ROOT/usr/bin
+mkdir -p $RPM_BUILD_ROOT/etc/dhclient.d
+ln -s /usr/bin/qubes_setup_dnat_to_ns $RPM_BUILD_ROOT/etc/dhclient.d/qubes_setup_dnat_to_ns.sh
+mkdir -p $RPM_BUILD_ROOT/etc/NetworkManager/dispatcher.d/
+cp ../common/qubes_nmhook $RPM_BUILD_ROOT/etc/NetworkManager/dispatcher.d/
+mkdir -p $RPM_BUILD_ROOT/etc/sysconfig
+cp init.d/iptables $RPM_BUILD_ROOT/etc/sysconfig
 %post
+
+chkconfig iptables on
+sed 's/^net.ipv4.ip_forward.*/net.ipv4.ip_forward = 1/' -i /etc/sysctl.conf
+
 if [ "$1" != 1 ] ; then
 # do this whole %post thing only when updating for the first time...
 exit 0
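Review bot: `qubes_setup_dnat_to_ns` is the only command in the added block without `|| exit 1`, so if it fails (for instance because it finds no upstream nameserver or an `iptables -t nat` call errors) start() carries on, forwarding is enabled, and VMs are handed the NS1/NS2 addresses that nothing DNATs — a silent DNS outage rather than a failed service start; make it `qubes_setup_dnat_to_ns || exit 1` to match its siblings. The MASQUERADE rule this hunk deletes now lives in /etc/sysconfig/iptables, so start() implicitly depends on the iptables service having run first; if the init ordering does not guarantee that, VM traffic leaves the uplink unmasqueraded until it does, which deserves a comment such as `# NAT/filter rules come from /etc/sysconfig/iptables; the iptables service must start before this one`. `/var/run/qubes_ns` is created with a bare `>` redirect, so its mode depends on the umask in effect at start time; a `umask 022` beforehand or an explicit `chmod` would make it deterministic for whatever reads it. start() begins before this hunk and its `else` branch continues past it.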
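Review bot: The `sed 's/^net.ipv4.ip_forward.*/net.ipv4.ip_forward = 1/' -i /etc/sysctl.conf` in %post only rewrites a line that already starts with the key, so when the key is absent or commented out it does nothing and forwarding then survives only through the init script's /proc write; a guarded append before the sed, `grep -q '^net.ipv4.ip_forward' /etc/sysctl.conf || echo 'net.ipv4.ip_forward = 1' >> /etc/sysctl.conf`, closes that gap. Both new %post lines sit above the `[ "$1" != 1 ]` guard, so they run on every upgrade as well as on first install; that looks intended but a comment such as `# runs on install and upgrade: keep the iptables service and IPv4 forwarding enabled` would stop someone from "fixing" it by moving them below the guard. The NetworkManager dispatcher hook and the dhclient.d symlink are installed with whatever mode `cp` and `ln -s` produce from the build tree; NetworkManager runs dispatcher scripts only when they are root-owned and not writable by others, so pinning that with `%attr(755,root,root)` in %files would make the requirement part of the package rather than of the checkout.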
@@ -164,3 +176,7 @@ fi
 %attr(770,root,qubes) %dir /var/lib/qubes/backup
 %dir /usr/share/qubes/icons/*.png
 /etc/yum.repos.d/qubes.repo
+/usr/bin/qubes_setup_dnat_to_ns
+/etc/dhclient.d/qubes_setup_dnat_to_ns.sh
+/etc/NetworkManager/dispatcher.d/qubes_nmhook
+/etc/sysconfig/iptables
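Review bot: `/etc/sysconfig/iptables` is listed as a plain file, so every upgrade of this package overwrites it in place and silently discards any firewall rules the administrator (or system-config-firewall/lokkit, which write the same path) added since install, with no .rpmsave left behind; `%config(noreplace) /etc/sysconfig/iptables` keeps the local copy and drops the packaged ruleset beside it as .rpmnew. The opposite trade-off — always forcing the shipped rules so that a loosened local ruleset cannot outlive an upgrade — is defensible for a netvm, but it should then be a deliberate, commented choice rather than the accident of a missing directive. The dispatcher and dhclient.d entries likewise carry no `%attr`, so their ownership and mode come from the build tree.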