network: integrate vif-route-qubes-nat into vif-route-qubes

Since 'script' xenstore entry no longer allows passing arguments
(actually this always was a side effect, not intended behaviour), we
need to pass additional parameters some other way. Natural choice for
Qubes-specific script is to use QubesDB.
And since those parameters are passed some other way, it is no longer
necessary to keep it as separate script.

Fixes QubesOS/qubes-issues#1143

Makefile

@@ -192,7 +192,6 @@ install-common:
 	install -d $(DESTDIR)/etc/NetworkManager/dispatcher.d/
 	install network/{qubes-nmhook,30-qubes-external-ip} $(DESTDIR)/etc/NetworkManager/dispatcher.d/
 	install -D network/vif-route-qubes $(DESTDIR)/etc/xen/scripts/vif-route-qubes
-	install -D network/vif-route-qubes-nat $(DESTDIR)/etc/xen/scripts/vif-route-qubes-nat
 	install -D network/vif-qubes-nat.sh $(DESTDIR)/etc/xen/scripts/vif-qubes-nat.sh
 	install -m 0644 -D network/tinyproxy-updates.conf $(DESTDIR)/etc/tinyproxy/tinyproxy-updates.conf
 	install -m 0644 -D network/updates-blacklist $(DESTDIR)/etc/tinyproxy/updates-blacklist

network/vif-route-qubes

@@ -26,6 +26,30 @@ dir=$(dirname "$0")
 #main_ip=$(dom0_ip)
 lockfile=/var/run/xen-hotplug/vif-lock
 
+if [ "${ip}" ]; then
+    # IPs as seen by this VM
+    netvm_ip="$ip"
+    netvm_gw_ip=`qubesdb-read /qubes-netvm-gateway`
+    netvm_dns2_ip=`qubesdb-read /qubes-netvm-secondary-dns`
+
+    back_ip="$netvm_gw_ip"
+
+    # IPs as seen by the VM - if other than $netvm_ip
+    appvm_gw_ip="`qubesdb-read /mapped-ip/$ip/visible-gateway 2>/dev/null || :`"
+    appvm_ip="`qubesdb-read /mapped-ip/$ip/visible-ip 2>/dev/null || :`"
+fi
+
+# Apply NAT if IP visible from the VM is different than the "real" one
+# See vif-qubes-nat.sh for details
+if [ -n "$appvm_ip" -a -n "$appvm_gw_ip" -a "$appvm_ip" != "$netvm_ip" ]; then
+    if test "$command" == online; then
+        echo 1 >/proc/sys/net/ipv4/conf/${vif}/proxy_arp
+    fi
+
+    . "$dir/vif-qubes-nat.sh"
+fi
+
+
 case "$command" in
 	online)
 		ifconfig ${vif} up
@@ -55,7 +79,6 @@ if [ "${ip}" ] ; then
 	done
 	echo -e "*raw\n$iptables_cmd -i ${vif} ! -s ${ip} -j DROP\nCOMMIT" | \
 		${cmdprefix} flock $lockfile iptables-restore --noflush
-	back_ip=`qubesdb-read /qubes-netvm-gateway`
 	${cmdprefix} ip addr ${ipcmd} ${back_ip}/32 dev ${vif}
 fi
 

network/vif-route-qubes-nat

@@ -1,93 +0,0 @@
-#!/bin/bash
-#============================================================================
-# /etc/xen/vif-route-qubes-nat
-#
-# Script for configuring a vif in routed mode.
-# The hotplugging system will call this script if it is specified either in
-# the device configuration given to Xend, or the default Xend configuration
-# in /etc/xen/xend-config.sxp.  If the script is specified in neither of those
-# places, then vif-bridge is the default.
-#
-# Usage:
-# vif-route (add|remove|online|offline)
-#
-# Environment vars:
-# vif         vif interface name (required).
-# XENBUS_PATH path to this device's details in the XenStore (required).
-#
-# Read from the store:
-# ip      list of IP networks for the vif, space-separated (default given in
-#         this script).
-#============================================================================
-
-# IPs as seen by the VM
-appvm_gw_ip="$1"
-appvm_ip="$2"
-shift 2
-
-dir=$(dirname "$0")
-. "$dir/vif-common.sh"
-
-if [ "${ip}" ]; then
-    # IPs as seen by this VM
-    netvm_ip="$ip"
-    netvm_gw_ip=`qubesdb-read /qubes-netvm-gateway`
-    netvm_dns2_ip=`qubesdb-read /qubes-netvm-secondary-dns`
-
-    ip="$netvm_ip"
-    back_ip="$netvm_gw_ip"
-fi
-
-#echo "$appvm_ip $appvm_gw_ip $netvm_ip $netvm_gw_ip" >> /var/log/qubes-nat.log
-
-#main_ip=$(dom0_ip)
-lockfile=/var/run/xen-hotplug/vif-lock
-
-if [ "${ip}" ]; then
-    if test "$command" == online; then
-        echo 1 >/proc/sys/net/ipv4/conf/${vif}/proxy_arp
-    fi
-
-    . "$dir/vif-qubes-nat.sh"
-fi
-
-case "$command" in
-    online)
-        ifconfig ${vif} up
-        echo 1 >/proc/sys/net/ipv4/conf/${vif}/proxy_arp
-        ipcmd='add'
-        iptables_cmd='-I PREROUTING 1'
-        cmdprefix=''
-        ;;
-    offline)
-        do_without_error ifdown ${vif}
-        ipcmd='del'
-        iptables_cmd='-D PREROUTING'
-        cmdprefix='do_without_error'
-        ;;
-esac
-
-domid=${vif/vif/}
-domid=${domid/.*/}
-# metric must be possitive, but prefer later interface
-#  32752 is max XID aka domid
-metric=$[ 32752 - $domid ]
-
-if [ "${ip}" ] ; then
-    # If we've been given a list of IP addresses, then add routes from dom0 to
-    # the guest using those addresses.
-    for addr in ${ip} ; do
-        ${cmdprefix} ip route ${ipcmd} ${addr} dev ${vif} metric $metric
-    done
-    echo -e "*raw\n$iptables_cmd -i ${vif} ! -s ${ip} -j DROP\nCOMMIT" | \
-        ${cmdprefix} flock $lockfile iptables-restore --noflush
-    ${cmdprefix} ip addr ${ipcmd} ${back_ip}/32 dev ${vif}
-fi
-
-log debug "Successful vif-route-qubes-nat $command for $vif."
-if [ "$command" = "online" ]
-then
-    # disable tx checksumming offload, apparently it doesn't work with our ancient qemu in stubdom
-    do_without_error ethtool -K $vif tx off
-    success
-fi

rpm_spec/core-vm.spec

@@ -372,7 +372,6 @@ rm -f %{name}-%{version}
 %config(noreplace) /etc/qubes-suspend-module-blacklist
 /etc/xdg/autostart/00-qubes-show-hide-nm-applet.desktop
 /etc/xen/scripts/vif-route-qubes
-/etc/xen/scripts/vif-route-qubes-nat
 /etc/xen/scripts/vif-qubes-nat.sh
 %config(noreplace) /etc/yum.conf.d/qubes-proxy.conf
 %config(noreplace) /etc/yum.repos.d/qubes-r3.repo