From 58a4b4c82bc53f9727b8e414325f62f5a22c04f9 Mon Sep 17 00:00:00 2001
From: Tomasz Sterna <tomek@xiaoka.com>
Date: Wed, 9 Mar 2011 19:47:12 +0100
Subject: [PATCH] Implemented qubes_netvm_external_ip feature.

---
 dom0/qvm-core/qubes.py | 47 +++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 46 insertions(+), 1 deletion(-)

diff --git a/dom0/qvm-core/qubes.py b/dom0/qvm-core/qubes.py
index 93934f5e..e7c75b3d 100755
--- a/dom0/qvm-core/qubes.py
+++ b/dom0/qvm-core/qubes.py
@@ -883,6 +883,8 @@ class QubesNetVm(QubesServiceVm):
         self.__gateway = self.netprefix + "0.1"
         self.__secondary_dns = self.netprefix + "255.254"
 
+        self.__external_ip_allowed_xids = set()
+
         if "label" not in kwargs or kwargs["label"] is None:
             kwargs["label"] = default_servicevm_label
         super(QubesNetVm, self).__init__(installed_by_rpm=True, **kwargs)
@@ -913,6 +915,42 @@ class QubesNetVm(QubesServiceVm):
         assert hi >= 0 and hi <= 254 and lo >= 2 and lo <= 254, "Wrong IP address for VM"
         return self.netprefix  + "{0}.{1}".format(hi,lo)
 
+    def create_xenstore_entries(self, xid):
+        if dry_run:
+            return
+
+        super(QubesNetVm, self).create_xenstore_entries(xid)
+        retcode = subprocess.check_call ([
+            "/usr/bin/xenstore-write",
+            "/local/domain/{0}/qubes_netvm_external_ip".format(xid),
+            ""])
+        self.update_external_ip_permissions()
+
+    def update_external_ip_permissions(self):
+        xid = self.get_xid()
+        command = [
+                "/usr/bin/xenstore-chmod",
+                "/local/domain/{0}/qubes_netvm_external_ip".format(xid)
+            ]
+
+        command.append("r{0}".format(xid,xid))
+        command.append("w{0}".format(xid,xid))
+
+        for id in self.__external_ip_allowed_xids:
+            command.append("r{0}".format(id))
+
+        return subprocess.check_call(command)
+
+    def add_external_ip_permission(self, xid):
+        if int(xid) < 0:
+            return
+        self.__external_ip_allowed_xids.add(int(xid))
+        self.update_external_ip_permissions()
+
+    def remove_external_ip_permission(self, xid):
+        self.__external_ip_allowed_xids.discard(int(xid))
+        self.update_external_ip_permissions()
+
     def create_xml_element(self):
         element = xml.etree.ElementTree.Element(
             "QubesNetVm",
@@ -934,11 +972,18 @@ class QubesFirewallVm(QubesNetVm):
     def __init__(self, **kwargs):
         super(QubesFirewallVm, self).__init__(uses_default_netvm=False, **kwargs)
         self.rules_applied = None
+        self.netvm_vm.add_external_ip_permission(self.get_xid())
 
     @property
     def type(self):
         return "FirewallVM"
 
+    def force_shutdown(self):
+        if dry_run:
+            return
+        self.netvm_vm.remove_external_ip_permission(self.get_xid())
+        super(QubesFirewallVm, self).force_shutdown()
+
     def create_xenstore_entries(self, xid):
         if dry_run:
             return
@@ -951,7 +996,7 @@ class QubesFirewallVm(QubesNetVm):
         retcode = subprocess.check_call ([
             "/usr/bin/xenstore-chmod",
             "/local/domain/{0}/qubes_iptables_error".format(xid),
-            "n0", "r{0}".format(xid), "w{0}".format(xid)])
+            "r{0}".format(xid), "w{0}".format(xid)])
         self.write_iptables_xenstore_entry()
 
     def write_iptables_xenstore_entry(self):