Get rid of dnsmasq in netvm.

The qubes_setup_dnat_to_ns script sets up DNAT rules for DNS traffic; it is
triggered by dhclient or NetworkManager, and manually (in case there is
a static resolv.conf).

Put IP-dependent rules in qubes-core, after local ip is known. It could be
further improved by introducing custom chains, to enable iptables save.

Restrict FORWARD.
Rafal Wojtczuk 2010-05-19 16:19:01 +02:00 committed by Joanna Rutkowska
parent 34d369e50e
commit 8da2dd6957
7 changed files with 78 additions and 13 deletions


@ -52,10 +52,12 @@ start()
ip=$(/usr/bin/xenstore-read qubes_ip)
netmask=$(/usr/bin/xenstore-read qubes_netmask)
gateway=$(/usr/bin/xenstore-read qubes_gateway)
secondary_dns=$(/usr/bin/xenstore-read qubes_secondary_dns)
if [ x$ip != x ]; then
/sbin/ifconfig eth0 $ip netmask $netmask up
/sbin/route add default gw $gateway
echo "nameserver $gateway" > /etc/resolv.conf
echo "nameserver $secondary_dns" >> /etc/resolv.conf
fi
fi
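Review bot: The new `echo "nameserver $secondary_dns" >> /etc/resolv.conf` writes a bare `nameserver ` line whenever the qubes_secondary_dns xenstore key is absent or empty (for example against a netvm that does not export it yet), because unlike `$ip` the value is never tested before use. Guard it: `[ -n "$secondary_dns" ] && echo "nameserver $secondary_dns" >> /etc/resolv.conf`. The enclosing `start()` function begins outside the hunk.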


@ -213,6 +213,13 @@ class QubesVm(object):
else:
return None
@property
def secondary_dns(self):
if self.netvm_vm is not None:
return self.netvm_vm.secondary_dns
else:
return None
def is_updateable(self):
return self.updateable
@ -405,6 +412,11 @@ class QubesVm(object):
"/local/domain/{0}/qubes_netvm_gateway".format(xid),
self.gateway])
retcode = subprocess.check_call ([
"/usr/bin/xenstore-write",
"/local/domain/{0}/qubes_netvm_secondary_dns".format(xid),
self.secondary_dns])
retcode = subprocess.check_call ([
"/usr/bin/xenstore-write",
"/local/domain/{0}/qubes_netvm_netmask".format(xid),
@ -430,6 +442,11 @@ class QubesVm(object):
"/usr/bin/xenstore-write",
"/local/domain/{0}/qubes_gateway".format(xid),
self.gateway])
retcode = subprocess.check_call ([
"/usr/bin/xenstore-write",
"/local/domain/{0}/qubes_secondary_dns".format(xid),
self.secondary_dns])
else:
pass
@ -813,6 +830,7 @@ class QubesNetVm(QubesServiceVm):
self.netprefix = "10.{0}.".format(netid)
self.__netmask = vm_default_netmask
self.__gateway = self.netprefix + "0.1"
self.__secondary_dns = self.netprefix + "255.254"
if "label" not in kwargs or kwargs["label"] is None:
kwargs["label"] = default_servicevm_label
@ -822,6 +840,10 @@ class QubesNetVm(QubesServiceVm):
def gateway(self):
return self.__gateway
@property
def secondary_dns(self):
return self.__secondary_dns
@property
def netmask(self):
return self.__netmask
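Review bot: The constant `"255.254"` in `self.__secondary_dns = self.netprefix + "255.254"` is unexplained; it appears to be the address the netvm init script binds as the `br0:1` alias so that DNS sent to it can be DNAT'ed onward, but nothing in the class says so. Add a comment such as `# second nameserver address handed to VMs; the netvm answers it via DNAT (qubes_setup_dnat_to_ns)` and a one-line docstring on both new `secondary_dns` properties, e.g. `"""Secondary DNS address for this VM, or None when it has no netvm."""`. The xenstore writes pass `self.secondary_dns` directly to `check_call`, which requires a string, so the property must never yield None on those paths; that holds for QubesNetVm because it overrides the property, but is worth confirming for the branch writing `qubes_secondary_dns`.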


@ -1,17 +1,20 @@
# Generated by iptables-save v1.4.5 on Thu Apr 1 10:55:18 2010
# Generated by iptables-save v1.4.5 on Thu May 20 06:02:32 2010
*nat
:PREROUTING ACCEPT [3:696]
:POSTROUTING ACCEPT [1:67]
:OUTPUT ACCEPT [1:67]
-A POSTROUTING -s 10.1.0.0/16 -j MASQUERADE
:PREROUTING ACCEPT [2:362]
:POSTROUTING ACCEPT [4:228]
:OUTPUT ACCEPT [0:0]
COMMIT
# Completed on Thu Apr 1 10:55:18 2010
# Generated by iptables-save v1.4.5 on Thu Apr 1 10:55:18 2010
# Completed on Thu May 20 06:02:32 2010
# Generated by iptables-save v1.4.5 on Thu May 20 06:02:32 2010
*filter
:INPUT ACCEPT [0:0]
:INPUT ACCEPT [3:84]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i br0 -p udp -m udp --dport 68 -j DROP
-A INPUT -i br+ -p udp -m udp --dport 68 -j DROP
-A INPUT -i vif+ -p udp -m udp --dport 68 -j DROP
-A FORWARD -i vif+ -j ACCEPT
-A FORWARD -i br+ -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j DROP
COMMIT
# Completed on Thu Apr 1 10:55:18 2010
# Completed on Thu May 20 06:02:32 2010
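Review bot: The `:FORWARD ACCEPT [0:0]` policy is kept while the restriction rests entirely on the trailing `-A FORWARD -j DROP`, so a flushed or partially loaded rule set leaves the chain open; changing the policy line to `:FORWARD DROP [0:0]` makes the closed state the default and the explicit DROP rule a belt-and-braces line. `-A FORWARD -i br+ -j ACCEPT` and `-A FORWARD -i vif+ -j ACCEPT` accept anything arriving from a VM-side interface regardless of the output interface, which presumably is intended for VM-to-uplink traffic but also permits forwarding between different bridges; confirm that is desired. The regenerated packet counters and timestamps are iptables-save noise that will churn on every edit; zeroing them (`[0:0]`) keeps the file reviewable.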


@ -23,12 +23,20 @@ start()
gateway=$(/usr/bin/xenstore-read qubes_netvm_gateway)
netmask=$(/usr/bin/xenstore-read qubes_netvm_netmask)
network=$(/usr/bin/xenstore-read qubes_netvm_network)
secondary_dns=$(/usr/bin/xenstore-read qubes_netvm_secondary_dns)
ifconfig br0 $gateway netmask $netmask up
ifconfig br0:1 $secondary_dns netmask $netmask
echo "NS1=$gateway" > /var/run/qubes_ns
echo "NS2=$secondary_dns" >> /var/run/qubes_ns
qubes_setup_dnat_to_ns
echo "1" > /proc/sys/net/ipv4/ip_forward
dnsmasq --listen-address $gateway --bind-interfaces
#now no need for dnsmasq
# dnsmasq --listen-address $gateway --bind-interfaces
#now done by iptables rc script
# iptables -t nat -A POSTROUTING -s $network/$netmask -j MASQUERADE
#no, we cannot put ip-dependent stuff in sysconfig/iptables
iptables -t nat -A POSTROUTING -s $network/$netmask -d 224.0.0.0/8 -j ACCEPT
iptables -t nat -A POSTROUTING -s $network/$netmask \! -d $network/$netmask -j MASQUERADE
success
echo ""
return 0
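Review bot: `-d 224.0.0.0/8` on the new POSTROUTING ACCEPT rule covers only 224.x.x.x, whereas the whole IPv4 multicast range is 224.0.0.0/4; if the intent is to exempt all multicast from masquerading (administratively scoped 239.x.x.x groups included), the mask should be `/4` — confirm which was meant. The commented-out `dnsmasq` and `MASQUERADE` lines together with their `#now ...` remarks are dead code; the commit message already records the rationale, so drop them. The enclosing `start()` function begins outside the hunk.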

2
netvm/qubes_nmhook Executable file

@ -0,0 +1,2 @@
#!/bin/sh
/usr/bin/qubes_setup_dnat_to_ns
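Review bot: The NetworkManager dispatcher invokes this hook for every event, with the interface in `$1` and the action in `$2`, so the DNAT rules are flushed and rebuilt on `down` as well as on `up`. Restricting it to the events that change resolv.conf, `case "$2" in up|dhcp4-change) /usr/bin/qubes_setup_dnat_to_ns ;; esac`, avoids clearing the nat PREROUTING chain while the uplink is being torn down. A one-line comment naming the trigger would also help, e.g. `# NetworkManager dispatcher hook: refresh the DNS DNAT rules when the uplink changes`.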

20
netvm/qubes_setup_dnat_to_ns Executable file

@ -0,0 +1,20 @@
#!/bin/sh
addrule()
{
if [ $FIRSTONE = yes ] ; then
NS=$NS1
FIRSTONE=no
else
NS=$NS2
fi
iptables -A PREROUTING -t nat -d $NS -p udp --dport 53 -j DNAT \
--to "$1"
}
export PATH=$PATH:/sbin:/bin
source /var/run/qubes_ns
if [ "X"$NS1 = "X" ] ; then exit ; fi
iptables -t nat -F PREROUTING
FIRSTONE=yes
grep ^nameserver /etc/resolv.conf | head -2 | while read x y z ; do
addrule "$y"
done
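Review bot: Only UDP is redirected by `iptables -A PREROUTING -t nat -d $NS -p udp --dport 53 -j DNAT`; resolvers retry over TCP for truncated (large) responses, and those connections to $NS1/$NS2 would land on the netvm itself and be refused. Emit the rule for both protocols, e.g. `for proto in udp tcp ; do iptables -t nat -A PREROUTING -d $NS -p $proto --dport 53 -j DNAT --to "$1" ; done`. When resolv.conf lists a single nameserver, NS2 gets no DNAT and VM queries to it time out; reusing the first nameserver for NS2 in that case would keep the second address usable. `source` is a bash extension under `#!/bin/sh`; use `. /var/run/qubes_ns`, and quote `"$FIRSTONE"` in the test so an unset value cannot break the `[` expression.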


@ -55,7 +55,12 @@ cp fstab $RPM_BUILD_ROOT/etc/fstab
mkdir -p $RPM_BUILD_ROOT/etc/init.d
cp qubes_core $RPM_BUILD_ROOT/etc/init.d/
mkdir -p $RPM_BUILD_ROOT/var/lib/qubes
mkdir -p $RPM_BUILD_ROOT/usr/bin
cp qubes_setup_dnat_to_ns $RPM_BUILD_ROOT/usr/bin
mkdir -p $RPM_BUILD_ROOT/etc/dhclient.d
ln -s /usr/bin/qubes_setup_dnat_to_ns $RPM_BUILD_ROOT/etc/dhclient.d/qubes_setup_dnat_to_ns.sh
mkdir -p $RPM_BUILD_ROOT/etc/NetworkManager/dispatcher.d/
cp qubes_nmhook $RPM_BUILD_ROOT/etc/NetworkManager/dispatcher.d/
%post
if [ "$1" != 1 ] ; then
@ -140,3 +145,6 @@ rm -rf $RPM_BUILD_ROOT
/etc/sysconfig/iptables
/etc/init.d/qubes_core
%dir /var/lib/qubes
/usr/bin/qubes_setup_dnat_to_ns
/etc/dhclient.d/qubes_setup_dnat_to_ns.sh
/etc/NetworkManager/dispatcher.d/qubes_nmhook
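Review bot: The symlink `/etc/dhclient.d/qubes_setup_dnat_to_ns.sh` installs a stand-alone script where Fedora's dhclient-script expects a hook file that it sources and whose `<name>_config` / `<name>_restore` functions it then calls; if that is the convention on the target release, the script's top-level `exit` (taken when NS1 is empty) would terminate dhclient-script itself rather than just the hook — verify against the installed dhclient-script. A small wrapper that defines `qubes_setup_dnat_to_ns_config() { /usr/bin/qubes_setup_dnat_to_ns; }` and is installed instead of the symlink would fit either invocation model.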