diff --git a/appvm/qubes_core b/appvm/qubes_core
index dfedb9f..5873aae 100755
--- a/appvm/qubes_core
+++ b/appvm/qubes_core
@@ -52,10 +52,12 @@ start()
 ip=$(/usr/bin/xenstore-read qubes_ip)
 netmask=$(/usr/bin/xenstore-read qubes_netmask)
 gateway=$(/usr/bin/xenstore-read qubes_gateway)
+ secondary_dns=$(/usr/bin/xenstore-read qubes_secondary_dns)
 if [ x$ip != x ]; then
 /sbin/ifconfig eth0 $ip netmask $netmask up
 /sbin/route add default gw $gateway
 echo "nameserver $gateway" > /etc/resolv.conf
+ echo "nameserver $secondary_dns" >> /etc/resolv.conf
 fi
 fi
diff --git a/netvm/iptables b/netvm/iptables
index 67d2d80..bbe68df 100644
--- a/netvm/iptables
+++ b/netvm/iptables
@@ -1,17 +1,20 @@
-# Generated by iptables-save v1.4.5 on Thu Apr 1 10:55:18 2010
+# Generated by iptables-save v1.4.5 on Thu May 20 06:02:32 2010
 *nat
-:PREROUTING ACCEPT [3:696]
-:POSTROUTING ACCEPT [1:67]
-:OUTPUT ACCEPT [1:67]
--A POSTROUTING -s 10.1.0.0/16 -j MASQUERADE
+:PREROUTING ACCEPT [2:362]
+:POSTROUTING ACCEPT [4:228]
+:OUTPUT ACCEPT [0:0]
 COMMIT
-# Completed on Thu Apr 1 10:55:18 2010
-# Generated by iptables-save v1.4.5 on Thu Apr 1 10:55:18 2010
+# Completed on Thu May 20 06:02:32 2010
+# Generated by iptables-save v1.4.5 on Thu May 20 06:02:32 2010
 *filter
-:INPUT ACCEPT [0:0]
+:INPUT ACCEPT [3:84]
 :FORWARD ACCEPT [0:0]
 :OUTPUT ACCEPT [0:0]
--A INPUT -i br0 -p udp -m udp --dport 68 -j DROP
+-A INPUT -i br+ -p udp -m udp --dport 68 -j DROP
 -A INPUT -i vif+ -p udp -m udp --dport 68 -j DROP
+-A FORWARD -i vif+ -j ACCEPT
+-A FORWARD -i br+ -j ACCEPT
+-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A FORWARD -j DROP
 COMMIT
-# Completed on Thu Apr 1 10:55:18 2010
+# Completed on Thu May 20 06:02:32 2010
diff --git a/netvm/qubes_core b/netvm/qubes_core
index 776fa7a..eade0ea 100755
--- a/netvm/qubes_core
+++ b/netvm/qubes_core
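Review bot: The new `echo "nameserver $secondary_dns" >> /etc/resolv.conf` line runs whenever `$ip` is set, but nothing checks that the `qubes_secondary_dns` read succeeded, so a missing or empty key leaves a bare `nameserver ` line in resolv.conf. Guard it the same way the block guards `$ip`, e.g. `[ -n "$secondary_dns" ] && echo "nameserver $secondary_dns" >> /etc/resolv.conf`. The `[ x$ip != x ]` test and the `ifconfig`/`route` arguments are unquoted; `[ -n "$ip" ]` and `"$ip"`/`"$netmask"`/`"$gateway"` is the usual hardening for values read from an external store. The enclosing `start()` function begins before and ends after this hunk.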
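Review bot: The filter table still declares `:FORWARD ACCEPT [0:0]` while the four new FORWARD rules rely on the trailing `-A FORWARD -j DROP` to block unsolicited inbound forwarding; if the rule set is ever flushed or only partially loaded, the chain falls open rather than closed. Changing the policy line to `:FORWARD DROP [0:0]` gives the same steady-state behaviour with a fail-closed default (the explicit DROP rule then becomes redundant but harmless). Also note that `-A FORWARD -i vif+ -j ACCEPT` and `-A FORWARD -i br+ -j ACCEPT` match on ingress interface only, so whatever source address a VM emits is forwarded; if per-VM source restriction is intended later, a `-s` match or a dedicated chain is the place for it, and a comment in this file saying so would help, since iptables-save output carries none.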
@@ -23,12 +23,20 @@ start()
 gateway=$(/usr/bin/xenstore-read qubes_netvm_gateway)
 netmask=$(/usr/bin/xenstore-read qubes_netvm_netmask)
 network=$(/usr/bin/xenstore-read qubes_netvm_network)
+ secondary_dns=$(/usr/bin/xenstore-read qubes_netvm_secondary_dns)
 ifconfig br0 $gateway netmask $netmask up
+ ifconfig br0:1 $secondary_dns netmask $netmask
+ echo "NS1=$gateway" > /var/run/qubes_ns
+ echo "NS2=$secondary_dns" >> /var/run/qubes_ns
+ qubes_setup_dnat_to_ns
 echo "1" > /proc/sys/net/ipv4/ip_forward
- dnsmasq --listen-address $gateway --bind-interfaces
+#now no need for dnsmasq # dnsmasq --listen-address $gateway --bind-interfaces
 #now done by iptables rc script
 # iptables -t nat -A POSTROUTING -s $network/$netmask -j MASQUERADE
-
+#no, we cannot put ip-dependent stuff in sysconfig/iptables
+ iptables -t nat -A POSTROUTING -s $network/$netmask -d 224.0.0.0/8 -j ACCEPT
+ iptables -t nat -A POSTROUTING -s $network/$netmask \! -d $network/$netmask -j MASQUERADE
 success
 echo ""
 return 0
diff --git a/netvm/qubes_nmhook b/netvm/qubes_nmhook
new file mode 100755
index 0000000..d06cd57
--- /dev/null
+++ b/netvm/qubes_nmhook
@@ -0,0 +1,2 @@
+#!/bin/sh
+/usr/bin/qubes_setup_dnat_to_ns
diff --git a/netvm/qubes_setup_dnat_to_ns b/netvm/qubes_setup_dnat_to_ns
new file mode 100755
index 0000000..37f3e44
--- /dev/null
+++ b/netvm/qubes_setup_dnat_to_ns
@@ -0,0 +1,20 @@
+#!/bin/sh
+addrule()
+{
+ if [ $FIRSTONE = yes ] ; then
+ NS=$NS1
+ FIRSTONE=no
+ else
+ NS=$NS2
+ fi
+ iptables -A PREROUTING -t nat -d $NS -p udp --dport 53 -j DNAT \
+ --to "$1"
+}
+export PATH=$PATH:/sbin:/bin
+source /var/run/qubes_ns
+if [ "X"$NS1 = "X" ] ; then exit ; fi
+iptables -t nat -F PREROUTING
+FIRSTONE=yes
+grep ^nameserver /etc/resolv.conf | head -2 | while read x y z ; do
+ addrule "$y"
+done
diff --git a/rpm_spec/core-netvm.spec b/rpm_spec/core-netvm.spec
index 39a0cdf..2e921e1 100644
--- a/rpm_spec/core-netvm.spec
+++ b/rpm_spec/core-netvm.spec
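Review bot: The two `iptables -t nat -A POSTROUTING ...` lines added at the end of the hunk append unconditionally, so every run of `start()` (a service restart, for instance) adds a second copy of both rules unless `stop()` — outside this hunk — flushes the nat table. Flushing first with `iptables -t nat -F POSTROUTING` mirrors what the new `qubes_setup_dnat_to_ns` does for PREROUTING and keeps the rule set idempotent. Separately, `/var/run/qubes_ns` is written here and later `source`d as shell code by that script, so the values should be written quoted, e.g. `echo "NS1='$gateway'" > /var/run/qubes_ns` and `echo "NS2='$secondary_dns'" >> /var/run/qubes_ns`, or the reader should parse them with `read` instead of executing the file. The enclosing `start()` begins before this hunk.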
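Review bot: `iptables -t nat -F PREROUTING` flushes the whole nat PREROUTING chain, and because this script is also installed as a dhclient and NetworkManager hook it will do so on every lease renewal or link event, removing any unrelated DNAT rule an operator has added. Keeping the DNS redirects in a dedicated chain that PREROUTING jumps to, and flushing only that chain, limits the blast radius; the rewrite below (chain name `QBS_DNS` is illustrative) also redirects TCP/53, which the current udp-only rule leaves pointed at the `br0` addresses where, with dnsmasq gone, apparently nothing listens, and uses POSIX `.` instead of the bash-only `source` under `#!/bin/sh`. If the NetVM's resolv.conf lists a single nameserver, the `head -2 | while read` loop never adds a rule for `$NS2`, so queries to the secondary address are never redirected — worth either reusing the one upstream for `$NS2` or documenting the limitation. The `-L ... | grep -q` existence check is used because `iptables -C` may not exist in the version named in the save header (1.4.5).
```sh
addrule()
{
  # … unchanged: NS1/NS2 selection via FIRSTONE …
  for proto in udp tcp; do
    iptables -t nat -A QBS_DNS -d "$NS" -p "$proto" --dport 53 -j DNAT \
      --to "$1"
  done
}
export PATH=$PATH:/sbin:/bin
. /var/run/qubes_ns
[ -n "$NS1" ] || exit 0
# Own a private chain so re-runs (dhclient / NetworkManager hooks) flush only
# our DNS redirects and leave the rest of PREROUTING untouched.
iptables -t nat -N QBS_DNS 2>/dev/null
iptables -t nat -L PREROUTING -n | grep -q QBS_DNS \
  || iptables -t nat -A PREROUTING -j QBS_DNS
iptables -t nat -F QBS_DNS
# … unchanged: FIRSTONE=yes and the resolv.conf nameserver loop …
```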
@@ -55,7 +55,12 @@ cp fstab $RPM_BUILD_ROOT/etc/fstab
 mkdir -p $RPM_BUILD_ROOT/etc/init.d
 cp qubes_core $RPM_BUILD_ROOT/etc/init.d/
 mkdir -p $RPM_BUILD_ROOT/var/lib/qubes
-
+mkdir -p $RPM_BUILD_ROOT/usr/bin
+cp qubes_setup_dnat_to_ns $RPM_BUILD_ROOT/usr/bin
+mkdir -p $RPM_BUILD_ROOT/etc/dhclient.d
+ln -s /usr/bin/qubes_setup_dnat_to_ns $RPM_BUILD_ROOT/etc/dhclient.d/qubes_setup_dnat_to_ns.sh
+mkdir -p $RPM_BUILD_ROOT/etc/NetworkManager/dispatcher.d/
+cp qubes_nmhook $RPM_BUILD_ROOT/etc/NetworkManager/dispatcher.d/
 %post
 if [ "$1" != 1 ] ; then
@@ -140,3 +145,6 @@ rm -rf $RPM_BUILD_ROOT
 /etc/sysconfig/iptables
 /etc/init.d/qubes_core
 %dir /var/lib/qubes
+/usr/bin/qubes_setup_dnat_to_ns
+/etc/dhclient.d/qubes_setup_dnat_to_ns.sh
+/etc/NetworkManager/dispatcher.d/qubes_nmhook
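Review bot: The `ln -s /usr/bin/qubes_setup_dnat_to_ns $RPM_BUILD_ROOT/etc/dhclient.d/qubes_setup_dnat_to_ns.sh` line installs the script as a dhclient hook, but Fedora's dhclient-script sources `/etc/dhclient.d/*.sh` into its own shell and calls `<basename>_config`/`<basename>_restore` functions rather than executing the file, so the script's top-level statements — including the `exit` taken when `$NS1` is empty — would run inside, and could terminate, dhclient-script itself; confirm against the installed dhclient-script before shipping this link. If that is the mechanism, a small file in dhclient.d that defines `qubes_setup_dnat_to_ns_config() { /usr/bin/qubes_setup_dnat_to_ns; }` and an empty `qubes_setup_dnat_to_ns_restore() { :; }` is the conventional shape, with the symlink replaced by that file. The `%files` entry in the second hunk would then name the wrapper instead of the link.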