diff --git a/appvm/qubes_core b/appvm/qubes_core index dfedb9fc..5873aaee 100755 --- a/appvm/qubes_core +++ b/appvm/qubes_core @@ -52,10 +52,12 @@ start() ip=$(/usr/bin/xenstore-read qubes_ip) netmask=$(/usr/bin/xenstore-read qubes_netmask) gateway=$(/usr/bin/xenstore-read qubes_gateway) + secondary_dns=$(/usr/bin/xenstore-read qubes_secondary_dns) if [ x$ip != x ]; then /sbin/ifconfig eth0 $ip netmask $netmask up /sbin/route add default gw $gateway echo "nameserver $gateway" > /etc/resolv.conf + echo "nameserver $secondary_dns" >> /etc/resolv.conf fi fi diff --git a/dom0/qvm-core/qubes.py b/dom0/qvm-core/qubes.py index 6e5a686b..23812709 100755 --- a/dom0/qvm-core/qubes.py +++ b/dom0/qvm-core/qubes.py @@ -213,6 +213,13 @@ class QubesVm(object): else: return None + @property + def secondary_dns(self): + if self.netvm_vm is not None: + return self.netvm_vm.secondary_dns + else: + return None + def is_updateable(self): return self.updateable @@ -405,6 +412,11 @@ class QubesVm(object): "/local/domain/{0}/qubes_netvm_gateway".format(xid), self.gateway]) + retcode = subprocess.check_call ([ + "/usr/bin/xenstore-write", + "/local/domain/{0}/qubes_netvm_secondary_dns".format(xid), + self.secondary_dns]) + retcode = subprocess.check_call ([ "/usr/bin/xenstore-write", "/local/domain/{0}/qubes_netvm_netmask".format(xid), @@ -430,6 +442,11 @@ class QubesVm(object): "/usr/bin/xenstore-write", "/local/domain/{0}/qubes_gateway".format(xid), self.gateway]) + + retcode = subprocess.check_call ([ + "/usr/bin/xenstore-write", + "/local/domain/{0}/qubes_secondary_dns".format(xid), + self.secondary_dns]) else: pass @@ -813,6 +830,7 @@ class QubesNetVm(QubesServiceVm): self.netprefix = "10.{0}.".format(netid) self.__netmask = vm_default_netmask self.__gateway = self.netprefix + "0.1" + self.__secondary_dns = self.netprefix + "255.254" if "label" not in kwargs or kwargs["label"] is None: kwargs["label"] = default_servicevm_label 
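Review bot: The new `echo "nameserver $secondary_dns" >> /etc/resolv.conf` runs unconditionally, so when `xenstore-read qubes_secondary_dns` returns nothing (a dom0 that does not publish the key, or a VM whose NetVM side reports no value) the AppVM ends up with a bare `nameserver ` line in resolv.conf. Guard it the same way `$ip` is guarded a few lines above: `if [ x$secondary_dns != x ]; then echo "nameserver $secondary_dns" >> /etc/resolv.conf; fi`. Reading the value before the `if [ x$ip != x ]` test is fine, but it is only used inside that branch, so moving the read there would keep the two together. `start()` begins and ends outside this hunk.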
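Review bot: The new `secondary_dns` property has no docstring, and nothing tells a reader that it deliberately mirrors `gateway` by delegating to the NetVM and yielding `None` for a VM without one. Suggest `"""Secondary DNS address published by this VM's NetVM, or None when the VM has no NetVM."""` as the docstring, and the body can read as one expression, `return self.netvm_vm.secondary_dns if self.netvm_vm is not None else None`, which makes the None case harder to overlook at the call sites that pass this value to xenstore. The `QubesVm` class continues outside the hunk.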
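Review bot: The added `retcode = subprocess.check_call([...])` copies a pattern where `retcode` is assigned and never read — `check_call` raises `CalledProcessError` on a non-zero exit, so the assignment only suggests a check that does not exist; drop the `retcode =` on the new lines. This is now the fourth verbatim copy of the three-line `xenstore-write` argument list in this method, so a small private helper (`self._xs_write(xid, "qubes_netvm_secondary_dns", self.secondary_dns)`) would make the new line a one-liner and give one place to validate the value. Passing the arguments as a list rather than a shell string is the right call and should stay. The enclosing method starts and ends outside this hunk.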
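Review bot: `self.secondary_dns` is handed straight to the `xenstore-write` argument list, and the property added in this commit returns `None` when `self.netvm_vm` is `None`; `subprocess.check_call` then fails with a `TypeError` from the exec layer instead of a clear message. The `if` this write sits in (its condition is outside the hunk, only the `else: pass` is visible) may already guarantee a NetVM — if it does not, guard the write with `if self.secondary_dns is not None:` before the call. The same exposure applies to the `self.gateway` write just above it, so a shared guard around both would be the cleanest fix. The enclosing method starts and ends outside this hunk.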
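Review bot: `self.netprefix + "255.254"` is an unexplained magic address; a reader cannot tell why the secondary resolver sits at the top of the VM range or that it must fall inside `vm_default_netmask` (the removed `10.1.0.0/16` masquerade rule hints at a /16, but the netmask value is not visible here). Suggest a comment on that line such as `# secondary DNS is served from a br0:1 alias in the NetVM; the last usable address of the VM range cannot collide with the .0.1 gateway or any VM` and lifting `"255.254"` to a module-level constant beside `vm_default_netmask` so the two stay in step if the range ever changes. `__init__` continues outside this hunk.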
@@ -822,6 +840,10 @@ class QubesNetVm(QubesServiceVm): def gateway(self): return self.__gateway + @property + def secondary_dns(self): + return self.__secondary_dns + @property def netmask(self): return self.__netmask diff --git a/netvm/iptables b/netvm/iptables index 67d2d808..bbe68df6 100644 --- a/netvm/iptables +++ b/netvm/iptables @@ -1,17 +1,20 @@ -# Generated by iptables-save v1.4.5 on Thu Apr 1 10:55:18 2010 +# Generated by iptables-save v1.4.5 on Thu May 20 06:02:32 2010 *nat -:PREROUTING ACCEPT [3:696] -:POSTROUTING ACCEPT [1:67] -:OUTPUT ACCEPT [1:67] --A POSTROUTING -s 10.1.0.0/16 -j MASQUERADE +:PREROUTING ACCEPT [2:362] +:POSTROUTING ACCEPT [4:228] +:OUTPUT ACCEPT [0:0] COMMIT -# Completed on Thu Apr 1 10:55:18 2010 -# Generated by iptables-save v1.4.5 on Thu Apr 1 10:55:18 2010 +# Completed on Thu May 20 06:02:32 2010 +# Generated by iptables-save v1.4.5 on Thu May 20 06:02:32 2010 *filter -:INPUT ACCEPT [0:0] +:INPUT ACCEPT [3:84] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [0:0] --A INPUT -i br0 -p udp -m udp --dport 68 -j DROP +-A INPUT -i br+ -p udp -m udp --dport 68 -j DROP -A INPUT -i vif+ -p udp -m udp --dport 68 -j DROP +-A FORWARD -i vif+ -j ACCEPT +-A FORWARD -i br+ -j ACCEPT +-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT +-A FORWARD -j DROP COMMIT -# Completed on Thu Apr 1 10:55:18 2010 +# Completed on Thu May 20 06:02:32 2010 diff --git a/netvm/qubes_core b/netvm/qubes_core index 776fa7a9..eade0eaf 100755 --- a/netvm/qubes_core +++ b/netvm/qubes_core 
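Review bot: `-A FORWARD -i vif+ -j ACCEPT` and `-A FORWARD -i br+ -j ACCEPT` match only on the input interface, so once forwarding is on the NetVM will route traffic from one VM's vif to another vif or onto the bridge, not just out to the uplink; whether VMs behind the same NetVM are meant to reach each other (and whether the vifs are bridge ports, in which case the bridge path bypasses FORWARD anyway) is not visible in this diff. If isolation is intended, put `-A FORWARD -i vif+ -o vif+ -j DROP` and `-A FORWARD -i vif+ -o br+ -j DROP` ahead of the accepts, or add `! -o vif+` to them. The closing `-A FORWARD -j DROP` is the right shape, but declaring `:FORWARD DROP` as the chain policy as well keeps the chain fail-closed if that rule is ever lost. The packet counters (`[3:84]`, `[2:362]`, ...) in a checked-in iptables-save file are noise that churns on every regeneration; zeroing them keeps future diffs readable.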
@@ -23,12 +23,20 @@ start() gateway=$(/usr/bin/xenstore-read qubes_netvm_gateway) netmask=$(/usr/bin/xenstore-read qubes_netvm_netmask) network=$(/usr/bin/xenstore-read qubes_netvm_network) + secondary_dns=$(/usr/bin/xenstore-read qubes_netvm_secondary_dns) ifconfig br0 $gateway netmask $netmask up + ifconfig br0:1 $secondary_dns netmask $netmask + echo "NS1=$gateway" > /var/run/qubes_ns + echo "NS2=$secondary_dns" >> /var/run/qubes_ns + qubes_setup_dnat_to_ns echo "1" > /proc/sys/net/ipv4/ip_forward - dnsmasq --listen-address $gateway --bind-interfaces +#now no need for dnsmasq +# dnsmasq --listen-address $gateway --bind-interfaces #now done by iptables rc script # iptables -t nat -A POSTROUTING -s $network/$netmask -j MASQUERADE - +#no, we cannot put ip-dependent stuff in sysconfig/iptables + iptables -t nat -A POSTROUTING -s $network/$netmask -d 224.0.0.0/8 -j ACCEPT + iptables -t nat -A POSTROUTING -s $network/$netmask \! -d $network/$netmask -j MASQUERADE success echo "" return 0 diff --git a/netvm/qubes_nmhook b/netvm/qubes_nmhook new file mode 100755 index 00000000..d06cd57d --- /dev/null +++ b/netvm/qubes_nmhook @@ -0,0 +1,2 @@ +#!/bin/sh +/usr/bin/qubes_setup_dnat_to_ns diff --git a/netvm/qubes_setup_dnat_to_ns b/netvm/qubes_setup_dnat_to_ns new file mode 100755 index 00000000..37f3e44c --- /dev/null +++ b/netvm/qubes_setup_dnat_to_ns @@ -0,0 +1,20 @@ +#!/bin/sh +addrule() +{ + if [ $FIRSTONE = yes ] ; then + NS=$NS1 + FIRSTONE=no + else + NS=$NS2 + fi + iptables -A PREROUTING -t nat -d $NS -p udp --dport 53 -j DNAT \ + --to "$1" +} +export PATH=$PATH:/sbin:/bin +source /var/run/qubes_ns +if [ "X"$NS1 = "X" ] ; then exit ; fi +iptables -t nat -F PREROUTING +FIRSTONE=yes +grep ^nameserver /etc/resolv.conf | head -2 | while read x y z ; do + addrule "$y" +done diff --git a/rpm_spec/core-netvm.spec b/rpm_spec/core-netvm.spec index 39a0cdfb..2e921e17 100644 --- a/rpm_spec/core-netvm.spec +++ b/rpm_spec/core-netvm.spec 
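Review bot: `ifconfig br0:1 $secondary_dns netmask $netmask` and the `NS2=` line run unconditionally, so when `xenstore-read qubes_netvm_secondary_dns` returns nothing ifconfig fails and `/var/run/qubes_ns` carries an empty `NS2=`, which `qubes_setup_dnat_to_ns` later expands into `-d -p udp` and an iptables error; guard both on `[ x$secondary_dns != x ]` as the AppVM script does for `$ip`. The two `POSTROUTING` rules are appended with `-A` on every `start`, so a service restart accumulates duplicates — flush the rules this script owns (or keep them in a dedicated chain) before adding them; `-C` is not an option with the iptables 1.4.5 shown in the saved ruleset. The commented-out `dnsmasq` and `MASQUERADE` lines are dead code now that the comments beside them explain the decision; drop them. `224.0.0.0/8` is only the first slice of the multicast range (`224.0.0.0/4`) — confirm which was intended. `start()` continues outside this hunk.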
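Review bot: The dispatcher hook ignores the interface (`$1`) and action (`$2`) arguments NetworkManager passes to scripts under `dispatcher.d`, so `qubes_setup_dnat_to_ns` flushes and rebuilds the nat PREROUTING chain on every event for every interface, including ones that cannot have touched the resolvers. If that is not intended, gate it on the actions that change `/etc/resolv.conf`, e.g. `case "$2" in up|down|dhcp4-change|vpn-up|vpn-down) exec /usr/bin/qubes_setup_dnat_to_ns ;; esac`; if rebuilding on every event is deliberate, a one-line comment saying so would spare the next reader the question.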
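Review bot: Only UDP/53 is redirected (`-p udp --dport 53`), and with dnsmasq gone from the NetVM nothing listens on `$NS1`/`$NS2`, so an AppVM resolver that retries a truncated answer over TCP connects to the NetVM itself and is refused; add the same rule with `-p tcp` beside the UDP one, `iptables -A PREROUTING -t nat -d $NS -p tcp --dport 53 -j DNAT --to "$1"`. `iptables -t nat -F PREROUTING` wipes every nat PREROUTING rule, not just the two this script owns, so any rule added by other tooling disappears on each DHCP or NetworkManager event — a dedicated chain jumped to from PREROUTING and flushed here confines the reset. `addrule` should also skip an empty nameserver (`[ "X$NS" = "X" ] && return`), since `NS2` may be unset in `/var/run/qubes_ns`. The inputs come from root-written files (`/var/run/qubes_ns`, the NetVM's own `/etc/resolv.conf`), so the unquoted expansion is not an injection path, but note that the upstream resolvers are whatever the NetVM's DHCP lease handed out.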
@@ -55,7 +55,12 @@ cp fstab $RPM_BUILD_ROOT/etc/fstab mkdir -p $RPM_BUILD_ROOT/etc/init.d cp qubes_core $RPM_BUILD_ROOT/etc/init.d/ mkdir -p $RPM_BUILD_ROOT/var/lib/qubes - +mkdir -p $RPM_BUILD_ROOT/usr/bin +cp qubes_setup_dnat_to_ns $RPM_BUILD_ROOT/usr/bin +mkdir -p $RPM_BUILD_ROOT/etc/dhclient.d +ln -s /usr/bin/qubes_setup_dnat_to_ns $RPM_BUILD_ROOT/etc/dhclient.d/qubes_setup_dnat_to_ns.sh +mkdir -p $RPM_BUILD_ROOT/etc/NetworkManager/dispatcher.d/ +cp qubes_nmhook $RPM_BUILD_ROOT/etc/NetworkManager/dispatcher.d/ %post if [ "$1" != 1 ] ; then @@ -140,3 +145,6 @@ rm -rf $RPM_BUILD_ROOT /etc/sysconfig/iptables /etc/init.d/qubes_core %dir /var/lib/qubes +/usr/bin/qubes_setup_dnat_to_ns +/etc/dhclient.d/qubes_setup_dnat_to_ns.sh +/etc/NetworkManager/dispatcher.d/qubes_nmhook
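Review bot: The symlink installs `qubes_setup_dnat_to_ns` into `/etc/dhclient.d/` as a `*.sh` file, but on Fedora-style systems `dhclient-script` sources those files and then calls a `<name>_config` function rather than executing them; sourced as-is, the script's body runs at source time and its bare `exit` (taken when `NS1` is unset) would terminate `dhclient-script` itself mid-configuration. Confirm which convention the target dhclient follows; if it is the sourced one, replace the symlink with a small wrapper that defines `qubes_setup_dnat_to_ns_config() { /usr/bin/qubes_setup_dnat_to_ns; }` and `qubes_setup_dnat_to_ns_restore() { :; }`. Installing the script with an explicit `install -m 0755` rather than `cp` would also make the intended mode independent of the build tree's permissions. The `%files` entries added further down match these paths.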