From 23e11f5f6fe336cffb7934afaed0f592b47ee616 Mon Sep 17 00:00:00 2001
From: Rafal Wojtczuk
Date: Mon, 6 Sep 2010 17:07:42 +0200
Subject: [PATCH] Switch to routed VM network (instead of bridging)

No headache from layer 2 attacks.
---
common/vif-route-qubes | 58 ++++++++++++++++++++++++++++++++++++++++
netvm/qubes_core | 11 --------
rpm_spec/core-netvm.spec | 3 +++
3 files changed, 61 insertions(+), 11 deletions(-)
create mode 100755 common/vif-route-qubes

diff --git a/common/vif-route-qubes b/common/vif-route-qubes
new file mode 100755
index 0000000..5359063
--- /dev/null
+++ b/common/vif-route-qubes
@@ -0,0 +1,58 @@
+#!/bin/bash
+#============================================================================
+# /etc/xen/vif-route-qubes
+#
+# Script for configuring a vif in routed mode.
+# The hotplugging system will call this script if it is specified either in
+# the device configuration given to Xend, or the default Xend configuration
+# in /etc/xen/xend-config.sxp. If the script is specified in neither of those
+# places, then vif-bridge is the default.
+#
+# Usage:
+# vif-route (add|remove|online|offline)
+#
+# Environment vars:
+# vif vif interface name (required).
+# XENBUS_PATH path to this device's details in the XenStore (required).
+#
+# Read from the store:
+# ip list of IP networks for the vif, space-separated (default given in
+# this script).
+#============================================================================
+
+dir=$(dirname "$0")
+. "$dir/vif-common.sh"
+
+#main_ip=$(dom0_ip)
+
+case "$command" in
+ online)
+ ifconfig ${vif} up
+ echo 1 >/proc/sys/net/ipv4/conf/${vif}/proxy_arp
+ ipcmd='add'
+ iptables_cmd='-I FORWARD 1'
+ cmdprefix=''
+ ;;
+ offline)
+ do_without_error ifdown ${vif}
+ ipcmd='del'
+ iptables_cmd='-D FORWARD'
+ cmdprefix='do_without_error'
+ ;;
+esac
+
+if [ "${ip}" ] ; then
+ # If we've been given a list of IP addresses, then add routes from dom0 to
+ # the guest using those addresses.
+ for addr in ${ip} ; do
+ ${cmdprefix} ip route ${ipcmd} ${addr} dev ${vif}
+ done
+ echo ${cmdprefix} iptables $iptables_cmd -i ${vif} \! -s ${ip} -j DROP
+ ${cmdprefix} iptables $iptables_cmd -i ${vif} \! -s ${ip} -j DROP
+fi
+
+log debug "Successful vif-route-qubes $command for $vif."
+if [ "$command" = "online" ]
+then
+ success
+fi
diff --git a/netvm/qubes_core b/netvm/qubes_core
index 99b8f5c..dbfaad7 100755
--- a/netvm/qubes_core
+++ b/netvm/qubes_core
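Review bot: The anti-spoofing rule at the end of the hunk (`iptables $iptables_cmd -i ${vif} \! -s ${ip} -j DROP`) is only installed inside `if [ "${ip}" ]`, so a vif that comes online without an `ip` in its config gets proxy_arp enabled and an unfiltered path into FORWARD — the script fails open exactly where the commit's layer-2 argument relies on source filtering. I would fail closed instead, dropping everything from the vif when `${ip}` is empty (or aborting through whatever error helper vif-common.sh provides, if one exists), as sketched below. Note also that the header advertises a space-separated list of networks, but the single `\! -s ${ip}` match only works for one address: with two, the unquoted expansion hands iptables a stray argument, and two `! -s` rules would drop everything, so a real list needs a per-vif chain or a RETURN-per-address scheme. The leftover `echo ${cmdprefix} iptables …` line prints the command to the hotplug script's stdout; drop it or use `log debug` like the line below it. The rule also covers only FORWARD, so packets addressed to the NetVM itself (INPUT) are not source-checked here — presumably handled elsewhere, worth confirming.
```shell
# … unchanged: header, sourcing vif-common.sh, case "$command" … esac …
if [ -z "${ip}" ] ; then
    # Fail closed: a vif with no configured address must not forward anything.
    ${cmdprefix} iptables $iptables_cmd -i ${vif} -j DROP
else
    for addr in ${ip} ; do
        ${cmdprefix} ip route ${ipcmd} ${addr} dev ${vif}
    done
    # NOTE(review): only correct for a single address; a list needs one match
    # per address (e.g. a per-vif chain), not a single "! -s" rule.
    ${cmdprefix} iptables $iptables_cmd -i ${vif} \! -s ${ip} -j DROP
fi
# … unchanged: log debug / success …
```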
@@ -19,26 +19,15 @@ start()
 hostname $name
 # Setup gateway for all the VMs this netVM is serviceing...
- brctl addbr br0
- brctl stp br0 off
- brctl setfd br0 1
 modprobe netbk
 gateway=$(/usr/bin/xenstore-read qubes_netvm_gateway)
 netmask=$(/usr/bin/xenstore-read qubes_netvm_netmask)
 network=$(/usr/bin/xenstore-read qubes_netvm_network)
 secondary_dns=$(/usr/bin/xenstore-read qubes_netvm_secondary_dns)
- ifconfig br0 $gateway netmask $netmask up
- ifconfig br0:1 $secondary_dns netmask $netmask
 echo "NS1=$gateway" > /var/run/qubes/qubes_ns
 echo "NS2=$secondary_dns" >> /var/run/qubes/qubes_ns
 /usr/lib/qubes/qubes_setup_dnat_to_ns
 echo "1" > /proc/sys/net/ipv4/ip_forward
-#now no need for dnsmasq
-# dnsmasq --listen-address $gateway --bind-interfaces
-#now done by iptables rc script
-# iptables -t nat -A POSTROUTING -s $network/$netmask -j MASQUERADE
-#no, we cannot put ip-dependent stuff in sysconfig/iptables
-#so make it ip-independent
 success
 echo ""
 return 0
diff --git a/rpm_spec/core-netvm.spec b/rpm_spec/core-netvm.spec
index 6ac0246..88255ae 100644
--- a/rpm_spec/core-netvm.spec
+++ b/rpm_spec/core-netvm.spec
@@ -72,6 +72,8 @@ cp ../common/qubes_serial_login $RPM_BUILD_ROOT/sbin
 mkdir -p $RPM_BUILD_ROOT/etc
 cp ../common/serial.conf $RPM_BUILD_ROOT/var/lib/qubes/
 mkdir -p $RPM_BUILD_ROOT/var/run/qubes
+mkdir -p $RPM_BUILD_ROOT/etc/xen/scripts
+cp ../common/vif-route-qubes $RPM_BUILD_ROOT/etc/xen/scripts
 %triggerin -- initscripts
 cp /var/lib/qubes/serial.conf /etc/init/serial.conf
@@ -174,4 +176,5 @@ rm -rf $RPM_BUILD_ROOT
 /etc/NetworkManager/dispatcher.d/qubes_nmhook
 /etc/yum.repos.d/qubes.repo
 /sbin/qubes_serial_login
+/etc/xen/scripts/vif-route-qubes
 %dir /var/run/qubes