From 76bf222dd2265b8c125c75b761d916ba57cacd4b Mon Sep 17 00:00:00 2001
From: Tomasz Sterna
Date: Wed, 9 Mar 2011 20:50:13 +0100
Subject: [PATCH] Added FirewallVM related VM scripts
---
 fwvm/bin/qubes_firewall | 33 +++++++++++++++++++
 fwvm/init.d/qubes_core | 67 ++++++++++++++++++++++++++++++++++++++
 fwvm/init.d/qubes_firewall | 42 ++++++++++++++++++++++++
 netvm/30-qubes_external_ip | 8 +++++
 rpm_spec/core-netvm.spec | 1 +
 5 files changed, 151 insertions(+)
 create mode 100755 fwvm/bin/qubes_firewall
 create mode 100755 fwvm/init.d/qubes_core
 create mode 100755 fwvm/init.d/qubes_firewall
 create mode 100755 netvm/30-qubes_external_ip
diff --git a/fwvm/bin/qubes_firewall b/fwvm/bin/qubes_firewall
new file mode 100755
index 0000000..6f1cc26
--- /dev/null
+++ b/fwvm/bin/qubes_firewall
@@ -0,0 +1,33 @@
+#!/bin/bash
+set -e
+
+PIDFILE=/var/run/qubes/qubes_firewall.pid
+XENSTORE_IPTABLES=qubes_iptables
+XENSTORE_ERROR=qubes_iptables_error
+OLD_RULES=""
+
+# PIDfile handling
+[[ -e $PIDFILE ]] && kill -s 0 $(<$PIDFILE) 2>/dev/null && exit 0
+echo $$ >$PIDFILE
+
+trap 'exit 0' SIGTERM
+
+while true; do
+ RULES=$(/usr/bin/xenstore-read $XENSTORE_IPTABLES)
+
+ if [[ "$RULES" != "$OLD_RULES" ]]; then
+ IPTABLES_SAVE=$(/sbin/iptables-save | sed '/^\*filter/,/^COMMIT/d')
+ OUT=`echo -e "$RULES\n$IPTABLES_SAVE" | /sbin/iptables-restore 2>&1 || :`
+ /usr/bin/xenstore-write $XENSTORE_ERROR "$OUT"
+
+ if [[ -z "$OUT" ]]; then
+ # If OK save it for later
+ /sbin/service iptables save >/dev/null
+ fi
+
+ OLD_RULES="$RULES"
+ fi
+
+ # Wait for changes in xenstore file
+ /usr/bin/xenstore-watch $XENSTORE_IPTABLES
+done
diff --git a/fwvm/init.d/qubes_core b/fwvm/init.d/qubes_core
new file mode 100755
index 0000000..d6bcac2
--- /dev/null
+++ b/fwvm/init.d/qubes_core
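Review bot: When iptables-restore rejects the ruleset (non-empty `$OUT`), the loop publishes the error to xenstore but then sets `OLD_RULES="$RULES"` and keeps running with whatever filter table was already loaded, so a bad ruleset leaves the VM in an unknown rather than a fail-closed state; whether that prior table is restrictive depends on what the iptables service loaded at boot, which is outside this hunk. A fallback such as `/sbin/iptables -P FORWARD DROP` before the `xenstore-write $XENSTORE_ERROR` line would make the failure mode explicit. Separately, the PID file written by `echo $$ >$PIDFILE` is never removed (the `trap 'exit 0' SIGTERM` here and stop() in fwvm/init.d/qubes_firewall both leave it), so a stale PID later reused by an unrelated process satisfies the `kill -s 0` check and the monitor silently never starts; `trap 'rm -f -- "$PIDFILE"' EXIT` placed after the PID file is written would cover the SIGTERM path as well.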
@@ -0,0 +1,67 @@
+#!/bin/sh
+#
+# chkconfig: 345 90 90
+# description: Executes Qubes core scripts at VM boot
+#
+# Source function library.
+. /etc/rc.d/init.d/functions
+
+start()
+{
+ echo -n $"Executing Qubes Core scripts FirewallVM:"
+
+ if ! [ -x /usr/bin/xenstore-read ] ; then
+ echo "ERROR: /usr/bin/xenstore-read not found!"
+ exit 1
+ fi
+
+ name=$(/usr/bin/xenstore-read name)
+ hostname $name
+
+ # Setup gateway for all the VMs this netVM is serviceing...
+ modprobe netbk
+ gateway=$(/usr/bin/xenstore-read qubes_netvm_gateway)
+ netmask=$(/usr/bin/xenstore-read qubes_netvm_netmask)
+ network=$(/usr/bin/xenstore-read qubes_netvm_network)
+ secondary_dns=$(/usr/bin/xenstore-read qubes_netvm_secondary_dns)
+ echo "NS1=$gateway" > /var/run/qubes/qubes_ns
+ echo "NS2=$secondary_dns" >> /var/run/qubes/qubes_ns
+ /usr/lib/qubes/qubes_setup_dnat_to_ns
+ echo "1" > /proc/sys/net/ipv4/ip_forward
+
+ # Now setup "AppVM" part of FirewallVM
+ ip=$(/usr/bin/xenstore-read qubes_ip)
+ netmask=$(/usr/bin/xenstore-read qubes_netmask)
+ gateway=$(/usr/bin/xenstore-read qubes_gateway)
+ secondary_dns=$(/usr/bin/xenstore-read qubes_secondary_dns)
+ if [ x$ip != x ]; then
+ /sbin/ifconfig eth0 $ip netmask 255.255.255.255 up
+ /sbin/route add default dev eth0
+ echo "nameserver $gateway" > /etc/resolv.conf
+ echo "nameserver $secondary_dns" >> /etc/resolv.conf
+ fi
+
+ success
+ echo ""
+ return 0
+}
+
+stop()
+{
+ return 0
+}
+
+case "$1" in
+ start)
+ start
+ ;;
+ stop)
+ stop
+ ;;
+ *)
+ echo $"Usage: $0 {start|stop}"
+ exit 3
+ ;;
+esac
+
+exit $RETVAL
diff --git a/fwvm/init.d/qubes_firewall b/fwvm/init.d/qubes_firewall
new file mode 100755
index 0000000..f970734
--- /dev/null
+++ b/fwvm/init.d/qubes_firewall
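Review bot: `echo "1" > /proc/sys/net/ipv4/ip_forward` in start() turns forwarding on at chkconfig priority 90, while the monitor that applies the xenstore ruleset (fwvm/init.d/qubes_firewall, priority 91 in this commit) starts afterwards, so there is a boot window in which packets are forwarded under whatever filter table the iptables service left in place, which this patch does not show. Enabling forwarding as the last step, or leaving it to the monitor once its first ruleset has been applied, would close that window. Also, `network` and both `netmask` reads in start() are never used (the `ifconfig` line hard-codes `255.255.255.255`), and `exit $RETVAL` at the bottom expands to a bare `exit` because RETVAL is never assigned — the same applies to fwvm/init.d/qubes_firewall; `exit 0`, or `RETVAL=$?` after the case arms, would state the intent.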
@@ -0,0 +1,42 @@
+#!/bin/sh
+#
+# chkconfig: 345 91 91
+# description: Starts Qubes Firewall monitor
+#
+# Source function library.
+. /etc/rc.d/init.d/functions
+
+PIDFILE=/var/run/qubes/qubes_firewall.pid
+
+start()
+{
+ echo -n $"Starting Qubes Firewall monitor:"
+ /sbin/ethtool -K eth0 sg off
+ /usr/bin/qubes_firewall &
+ success
+ echo ""
+ return 0
+}
+
+stop()
+{
+ echo -n "Stopping Qubes Firewall monitor:"
+ kill $(cat $PIDFILE) 2>/dev/null && success || failure
+ echo ""
+ return 0
+}
+
+case "$1" in
+ start)
+ start
+ ;;
+ stop)
+ stop
+ ;;
+ *)
+ echo $"Usage: $0 {start|stop}"
+ exit 3
+ ;;
+esac
+
+exit $RETVAL
diff --git a/netvm/30-qubes_external_ip b/netvm/30-qubes_external_ip
new file mode 100755
index 0000000..66ae526
--- /dev/null
+++ b/netvm/30-qubes_external_ip
@@ -0,0 +1,8 @@
+#!/bin/sh
+if [ x$2 == xup ]; then
+ INET=$(/sbin/ip addr show dev $1 | /bin/grep inet)
+ /usr/bin/xenstore-write qubes_netvm_external_ip "$INET"
+fi
+if [ x$2 == xdown ]; then
+ /usr/bin/xenstore-write qubes_netvm_external_ip ""
+fi
diff --git a/rpm_spec/core-netvm.spec b/rpm_spec/core-netvm.spec
index 83d88c2..47a04ff 100644
--- a/rpm_spec/core-netvm.spec
+++ b/rpm_spec/core-netvm.spec
@@ -67,6 +67,7 @@ mkdir -p $RPM_BUILD_ROOT/etc/dhclient.d
 ln -s /usr/lib/qubes/qubes_setup_dnat_to_ns $RPM_BUILD_ROOT/etc/dhclient.d/qubes_setup_dnat_to_ns.sh
 mkdir -p $RPM_BUILD_ROOT/etc/NetworkManager/dispatcher.d/
 cp ../common/qubes_nmhook $RPM_BUILD_ROOT/etc/NetworkManager/dispatcher.d/
+cp ../netvm/30-qubes_external_ip $RPM_BUILD_ROOT/etc/NetworkManager/dispatcher.d/
 mkdir -p $RPM_BUILD_ROOT/etc/yum.repos.d
 cp ../netvm/qubes.repo $RPM_BUILD_ROOT/etc/yum.repos.d
 mkdir -p $RPM_BUILD_ROOT/sbin
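Review bot: start() calls `success` on the line after `/usr/bin/qubes_firewall &` without checking that the monitor is still alive, so a monitor that exits at once (for instance if its first `xenstore-read` fails under its `set -e`) is reported as started and the xenstore ruleset is never applied; the `/sbin/ethtool -K eth0 sg off` failure on the preceding line is likewise unchecked. Re-checking the PID file after launch, e.g. `sleep 1; kill -0 "$(cat "$PIDFILE")" 2>/dev/null && success || failure`, would make the reported status reflect reality. In stop(), `$(cat $PIDFILE)` is unquoted and the file is not removed after the kill, and `echo -n "Stopping Qubes Firewall monitor:"` lacks the `$"…"` localisation form that start() uses.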
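Review bot: `[ x$2 == xup ]` and `[ x$2 == xdown ]` use the bash-only `==` under `#!/bin/sh`; on a POSIX sh such as dash the test aborts with an "unexpected operator" error and the external IP is never published or cleared — `[ "$2" = up ]` and `[ "$2" = down ]` are the portable forms. `$1` in the `ip addr show dev $1` line is unquoted; NetworkManager supplies the interface name, so quoting it is defensive rather than a fix. `/bin/grep inet` also matches `inet6` lines, so the value written to qubes_netvm_external_ip holds every address line of the device rather than a single IP; if one IPv4 address is intended, `grep -w inet` (or `ip -4 addr show dev "$1"`) narrows it.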