Qubes/core-admin
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

dom0 as netvm fixes

Browse Source 
Use /etc/sysconfig/iptables
Replace dnsmasq with DNAT
This commit is contained in:
Rafal Wojtczuk 2010-05-31 15:23:51 +02:00
parent 2f51c6f673
commit 4e6e4115e2
3 changed files with 43 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

23
dom0/init.d/iptables Normal file
View File

@ -0,0 +1,23 @@
# Generated by iptables-save v1.4.5 on Mon May 31 14:15:17 2010
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s 10.0.0.0/16 -d 224.0.0.0/8 -j ACCEPT
-A POSTROUTING -s 10.0.0.0/16 ! -d 10.0.0.0/16 -j MASQUERADE
COMMIT
# Completed on Mon May 31 14:15:17 2010
# Generated by iptables-save v1.4.5 on Mon May 31 14:15:17 2010
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -d 10.0.0.0/16 -o br0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.0.0.0/16 -i br0 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Mon May 31 14:15:17 2010

10
dom0/init.d/qubes_netvm
View File

@ -33,13 +33,11 @@ start()
/etc/init.d/NetworkManager start /etc/init.d/NetworkManager start
brctl addbr br0 || exit 1 brctl addbr br0 || exit 1
ifconfig br0 10.0.0.1 netmask 255.255.0.0 up || exit 1 ifconfig br0 10.0.0.1 netmask 255.255.0.0 up || exit 1
ifconfig br0:1 10.0.255.254 netmask 255.255.0.0 up || exit 1
echo "NS1=10.0.0.1" > /var/run/qubes_ns
echo "NS2=10.0.255.254" >> /var/run/qubes_ns
qubes_setup_dnat_to_ns
echo "1" > /proc/sys/net/ipv4/ip_forward || exit 1 echo "1" > /proc/sys/net/ipv4/ip_forward || exit 1
/usr/sbin/dnsmasq --listen-address 10.0.0.1 --bind-interfaces || exit 1
iptables -t nat -A POSTROUTING -s 10.0.0.0/16 '!' -d 10.0.0.0/16 -j MASQUERADE || exit 1
iptables -I INPUT 1 -i br0 -s 10.0.0.0/16 -j ACCEPT || exit 1
iptables -I FORWARD 1 -i br0 -s 10.0.0.0/16 -j ACCEPT || exit 1
iptables -I FORWARD 1 -o br0 -d 10.0.0.0/16 -m state --state ESTABLISHED,RELATED -j ACCEPT || exit 1
else else
echo -n $"Starting default NetVM:" echo -n $"Starting default NetVM:"

16
rpm_spec/core-dom0.spec
View File

@ -86,7 +86,19 @@ cp icons/*.png $RPM_BUILD_ROOT/usr/share/qubes/icons
mkdir -p $RPM_BUILD_ROOT/etc/yum.repos.d mkdir -p $RPM_BUILD_ROOT/etc/yum.repos.d
cp ../common/qubes.repo $RPM_BUILD_ROOT/etc/yum.repos.d cp ../common/qubes.repo $RPM_BUILD_ROOT/etc/yum.repos.d
mkdir -p $RPM_BUILD_ROOT/usr/bin
cp ../common/qubes_setup_dnat_to_ns $RPM_BUILD_ROOT/usr/bin
mkdir -p $RPM_BUILD_ROOT/etc/dhclient.d
ln -s /usr/bin/qubes_setup_dnat_to_ns $RPM_BUILD_ROOT/etc/dhclient.d/qubes_setup_dnat_to_ns.sh
mkdir -p $RPM_BUILD_ROOT/etc/NetworkManager/dispatcher.d/
cp ../common/qubes_nmhook $RPM_BUILD_ROOT/etc/NetworkManager/dispatcher.d/
mkdir -p $RPM_BUILD_ROOT/etc/sysconfig
cp init.d/iptables $RPM_BUILD_ROOT/etc/sysconfig
%post %post
chkconfig iptables on
sed 's/^net.ipv4.ip_forward.*/net.ipv4.ip_forward = 1/' -i /etc/sysctl.conf
if [ "$1" != 1 ] ; then if [ "$1" != 1 ] ; then
# do this whole %post thing only when updating for the first time... # do this whole %post thing only when updating for the first time...
exit 0 exit 0
@ -164,3 +176,7 @@ fi
%attr(770,root,qubes) %dir /var/lib/qubes/backup %attr(770,root,qubes) %dir /var/lib/qubes/backup
%dir /usr/share/qubes/icons/*.png %dir /usr/share/qubes/icons/*.png
/etc/yum.repos.d/qubes.repo /etc/yum.repos.d/qubes.repo
/usr/bin/qubes_setup_dnat_to_ns
/etc/dhclient.d/qubes_setup_dnat_to_ns.sh
/etc/NetworkManager/dispatcher.d/qubes_nmhook
/etc/sysconfig/iptables