From a39beab0e60ef12acaf94a1c5e52b22fcd4b8409 Mon Sep 17 00:00:00 2001
From: Rafal Wojtczuk
Date: Fri, 4 Jun 2010 13:28:29 +0200
Subject: [PATCH 1/2] Get rid of /sbin/iptables from qubes_core in netvm

---
 netvm/iptables | 16 +++++++++-------
 netvm/qubes_core | 3 +--
 2 files changed, 10 insertions(+), 9 deletions(-)

diff --git a/netvm/iptables b/netvm/iptables
index bbe68df..3d01ee2 100644
--- a/netvm/iptables
+++ b/netvm/iptables
@@ -1,13 +1,15 @@
-# Generated by iptables-save v1.4.5 on Thu May 20 06:02:32 2010
+# Generated by iptables-save v1.4.5 on Fri Jun 4 07:17:12 2010
 *nat
-:PREROUTING ACCEPT [2:362]
-:POSTROUTING ACCEPT [4:228]
+:PREROUTING ACCEPT [8:818]
+:POSTROUTING ACCEPT [1:84]
 :OUTPUT ACCEPT [0:0]
+-A POSTROUTING -o br+ -j ACCEPT
+-A POSTROUTING -j MASQUERADE
 COMMIT
-# Completed on Thu May 20 06:02:32 2010
-# Generated by iptables-save v1.4.5 on Thu May 20 06:02:32 2010
+# Completed on Fri Jun 4 07:17:12 2010
+# Generated by iptables-save v1.4.5 on Fri Jun 4 07:17:12 2010
 *filter
-:INPUT ACCEPT [3:84]
+:INPUT ACCEPT [168:4704]
 :FORWARD ACCEPT [0:0]
 :OUTPUT ACCEPT [0:0]
 -A INPUT -i br+ -p udp -m udp --dport 68 -j DROP
@@ -17,4 +19,4 @@ COMMIT
 -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
 -A FORWARD -j DROP
 COMMIT
-# Completed on Thu May 20 06:02:32 2010
+# Completed on Fri Jun 4 07:17:12 2010
diff --git a/netvm/qubes_core b/netvm/qubes_core
index eade0ea..d63fbe2 100755
--- a/netvm/qubes_core
+++ b/netvm/qubes_core
@@ -35,8 +35,7 @@ start()
 #now done by iptables rc script
 # iptables -t nat -A POSTROUTING -s $network/$netmask -j MASQUERADE
 #no, we cannot put ip-dependent stuff in sysconfig/iptables
- iptables -t nat -A POSTROUTING -s $network/$netmask -d 224.0.0.0/8 -j ACCEPT
- iptables -t nat -A POSTROUTING -s $network/$netmask \! -d $network/$netmask -j MASQUERADE
+#so make it ip-independent
 success
 echo ""
 return 0

From 8af8b3986decb4be636b2b1cf9db0003ecf51d44 Mon Sep 17 00:00:00 2001
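Review bot: The added `-A POSTROUTING -j MASQUERADE` carries neither the `-s $network/$netmask` source match nor the `-d 224.0.0.0/8 -j ACCEPT` exemption of the two rules this same patch removes from netvm/qubes_core, so every packet that does not leave through a `br+` interface is now masqueraded whatever its source, and multicast in 224.0.0.0/8, which the old ACCEPT rule let pass un-NATed, is masqueraded as well. If that widening is intended it should be written down, since iptables-save output carries no rationale and `#` lines are skipped by iptables-restore: `# Anything not bound for a VM bridge (br+) is masqueraded out the uplink; this is the IP-independent replacement for the per-subnet rule qubes_core used to add.` The chain-policy counters (`[8:818]`, `[1:84]`, `[168:4704]`) and the three timestamps are live statistics committed along with the rules; normalising them to `[0:0]` before check-in would keep later diffs of this file to the rules themselves.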
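Review bot: With the two iptables calls gone, the lines above `success` are four comments arguing with each other (`#now done by iptables rc script`, a commented-out command, `#no, we cannot …`, `#so make it ip-independent`) and none of them says where the POSTROUTING rules now live. One comment in their place, `# NAT (POSTROUTING) rules are static now and live in netvm/iptables, loaded by the iptables rc script`, would carry the same information and point the reader at the right file. start() begins above the hunk, so whether the service still orders itself after the iptables rc script is not visible here.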
From: Rafal Wojtczuk
Date: Fri, 4 Jun 2010 13:44:18 +0200
Subject: [PATCH 2/2] Use iptables-restore in qubes_setup_dnat_to_ns

---
 common/qubes_setup_dnat_to_ns | 16 ++++++++++------
 1 file changed, 10 insertions(+), 6 deletions(-)

diff --git a/common/qubes_setup_dnat_to_ns b/common/qubes_setup_dnat_to_ns
index 37f3e44..e484191 100755
--- a/common/qubes_setup_dnat_to_ns
+++ b/common/qubes_setup_dnat_to_ns
@@ -2,19 +2,23 @@ addrule()
 {
 if [ $FIRSTONE = yes ] ; then
- NS=$NS1
 FIRSTONE=no
+ RULE1="-A PREROUTING -d $NS1 -p udp --dport 53 -j DNAT --to $1"
 else
+ RULE2="-A PREROUTING -d $NS2 -p udp --dport 53 -j DNAT --to $1"
 NS=$NS2
 fi
- iptables -A PREROUTING -t nat -d $NS -p udp --dport 53 -j DNAT \
- --to "$1"
 }
 
 export PATH=$PATH:/sbin:/bin
 source /var/run/qubes_ns
 if [ "X"$NS1 = "X" ] ; then exit ; fi
 iptables -t nat -F PREROUTING
 FIRSTONE=yes
-grep ^nameserver /etc/resolv.conf | head -2 | while read x y z ; do
- addrule "$y"
-done
+grep ^nameserver /etc/resolv.conf | head -2 |
+ (
+ while read x y z ; do
+ addrule "$y"
+ done
+ (echo "*nat"; echo $RULE1; echo $RULE2; echo COMMIT) | iptables-restore -n
+ )
+
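Review bot: `addrule` splices `$1` — the token after `nameserver` in /etc/resolv.conf — into RULE1/RULE2 without checking that it is an address, and `echo $RULE1; echo $RULE2` then hands the rule to `iptables-restore -n` unquoted; on a netvm resolv.conf is normally populated from the uplink's DHCP lease, so that token comes from outside the VM. A guard as the first statement of `addrule`, `case "$1" in *[!0-9.]*|"") return 1 ;; esac`, rejects anything containing characters other than digits and dots before a rule is built, and `printf '%s\n' "*nat" "$RULE1" "$RULE2" COMMIT | iptables-restore -n` in place of the echo subshell passes the rule text through verbatim. The else branch still assigns `NS=$NS2` although nothing reads `NS` now that the direct iptables call is gone, so that line can go. The `addrule()` line itself is just above the hunk.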