dom0 as netvm fixes

Use /etc/sysconfig/iptables Replace dnsmasq with DNAT
2010-05-31 15:23:51 +02:00 · 2010-05-31 15:23:51 +02:00 · 4e6e4115e2
commit 4e6e4115e2
parent 2f51c6f673
3 changed files with 43 additions and 6 deletions
--- a/dom0/init.d/iptables
+++ b/dom0/init.d/iptables
@ -0,0 +1,23 @@
+# Generated by iptables-save v1.4.5 on Mon May 31 14:15:17 2010
+*nat
+:PREROUTING ACCEPT [0:0]
+:POSTROUTING ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+-A POSTROUTING -s 10.0.0.0/16 -d 224.0.0.0/8 -j ACCEPT 
+-A POSTROUTING -s 10.0.0.0/16 ! -d 10.0.0.0/16 -j MASQUERADE 
+COMMIT
+# Completed on Mon May 31 14:15:17 2010
+# Generated by iptables-save v1.4.5 on Mon May 31 14:15:17 2010
+*filter
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT 
+-A INPUT -p icmp -j ACCEPT 
+-A INPUT -i lo -j ACCEPT 
+-A INPUT -j REJECT --reject-with icmp-host-prohibited 
+-A FORWARD -d 10.0.0.0/16 -o br0 -m state --state RELATED,ESTABLISHED -j ACCEPT 
+-A FORWARD -s 10.0.0.0/16 -i br0 -j ACCEPT 
+-A FORWARD -j REJECT --reject-with icmp-host-prohibited 
+COMMIT
+# Completed on Mon May 31 14:15:17 2010
--- a/dom0/init.d/qubes_netvm
+++ b/dom0/init.d/qubes_netvm
@ -33,13 +33,11 @@ start()
        /etc/init.d/NetworkManager start
        brctl addbr br0 || exit 1
        ifconfig br0 10.0.0.1 netmask 255.255.0.0 up || exit 1
+        ifconfig br0:1 10.0.255.254 netmask 255.255.0.0 up || exit 1
+        echo "NS1=10.0.0.1" > /var/run/qubes_ns
+        echo "NS2=10.0.255.254" >> /var/run/qubes_ns
+	qubes_setup_dnat_to_ns
        echo "1" > /proc/sys/net/ipv4/ip_forward || exit 1
-        /usr/sbin/dnsmasq  --listen-address 10.0.0.1 --bind-interfaces || exit 1
-        iptables -t nat -A POSTROUTING -s 10.0.0.0/16 '!' -d 10.0.0.0/16 -j MASQUERADE || exit 1
-        iptables -I INPUT 1 -i br0 -s 10.0.0.0/16 -j ACCEPT || exit 1
-        iptables -I FORWARD 1 -i br0 -s 10.0.0.0/16 -j ACCEPT || exit 1
-        iptables -I FORWARD 1 -o br0 -d 10.0.0.0/16 -m state --state ESTABLISHED,RELATED -j  ACCEPT || exit 1
-
    else

        echo -n $"Starting default NetVM:"
--- a/rpm_spec/core-dom0.spec
+++ b/rpm_spec/core-dom0.spec
@ -86,7 +86,19 @@ cp icons/*.png $RPM_BUILD_ROOT/usr/share/qubes/icons
 mkdir -p $RPM_BUILD_ROOT/etc/yum.repos.d
 cp ../common/qubes.repo $RPM_BUILD_ROOT/etc/yum.repos.d

+mkdir -p $RPM_BUILD_ROOT/usr/bin
+cp ../common/qubes_setup_dnat_to_ns $RPM_BUILD_ROOT/usr/bin
+mkdir -p $RPM_BUILD_ROOT/etc/dhclient.d
+ln -s /usr/bin/qubes_setup_dnat_to_ns $RPM_BUILD_ROOT/etc/dhclient.d/qubes_setup_dnat_to_ns.sh 
+mkdir -p $RPM_BUILD_ROOT/etc/NetworkManager/dispatcher.d/
+cp ../common/qubes_nmhook $RPM_BUILD_ROOT/etc/NetworkManager/dispatcher.d/
+mkdir -p $RPM_BUILD_ROOT/etc/sysconfig
+cp init.d/iptables $RPM_BUILD_ROOT/etc/sysconfig
 %post
+
+chkconfig iptables on
+sed 's/^net.ipv4.ip_forward.*/net.ipv4.ip_forward = 1/'  -i /etc/sysctl.conf
+
 if [ "$1" !=  1 ] ; then
 # do this whole %post thing only when updating for the first time...
 exit 0
@ -164,3 +176,7 @@ fi
 %attr(770,root,qubes) %dir /var/lib/qubes/backup
 %dir /usr/share/qubes/icons/*.png
 /etc/yum.repos.d/qubes.repo
+/usr/bin/qubes_setup_dnat_to_ns
+/etc/dhclient.d/qubes_setup_dnat_to_ns.sh
+/etc/NetworkManager/dispatcher.d/qubes_nmhook
+/etc/sysconfig/iptables