Qubes/core-agent-linux
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Get rid of dnsmasq in netvm.

Browse Source 
qubes_setup_dnat_to_ns script sets up DNAT rules for DNS traffic; it is
triggered by dhclient or NetworkManager, and manually (in case there is
a static resolv.conf).

Put IP-dependent rules in qubes-core, after local ip is known. It could be
further improved by introducing custom chains, to enable iptables save.

Restrict FORWARD.
This commit is contained in:
Rafal Wojtczuk 2010-05-19 16:19:01 +02:00 committed by Joanna Rutkowska
parent 0b9ae5e370
commit 952d2f1d8e
6 changed files with 56 additions and 13 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
appvm/qubes_core
View File

@ -52,10 +52,12 @@ start()
ip=$(/usr/bin/xenstore-read qubes_ip) ip=$(/usr/bin/xenstore-read qubes_ip)
netmask=$(/usr/bin/xenstore-read qubes_netmask) netmask=$(/usr/bin/xenstore-read qubes_netmask)
gateway=$(/usr/bin/xenstore-read qubes_gateway) gateway=$(/usr/bin/xenstore-read qubes_gateway)
secondary_dns=$(/usr/bin/xenstore-read qubes_secondary_dns)
if [ x$ip != x ]; then if [ x$ip != x ]; then
/sbin/ifconfig eth0 $ip netmask $netmask up /sbin/ifconfig eth0 $ip netmask $netmask up
/sbin/route add default gw $gateway /sbin/route add default gw $gateway
echo "nameserver $gateway" > /etc/resolv.conf echo "nameserver $gateway" > /etc/resolv.conf
echo "nameserver $secondary_dns" >> /etc/resolv.conf
fi fi
fi fi

23
netvm/iptables
View File

@ -1,17 +1,20 @@
# Generated by iptables-save v1.4.5 on Thu Apr 1 10:55:18 2010 # Generated by iptables-save v1.4.5 on Thu May 20 06:02:32 2010
*nat *nat
:PREROUTING ACCEPT [3:696] :PREROUTING ACCEPT [2:362]
:POSTROUTING ACCEPT [1:67] :POSTROUTING ACCEPT [4:228]
:OUTPUT ACCEPT [1:67] :OUTPUT ACCEPT [0:0]
-A POSTROUTING -s 10.1.0.0/16 -j MASQUERADE
COMMIT COMMIT
# Completed on Thu Apr 1 10:55:18 2010 # Completed on Thu May 20 06:02:32 2010
# Generated by iptables-save v1.4.5 on Thu Apr 1 10:55:18 2010 # Generated by iptables-save v1.4.5 on Thu May 20 06:02:32 2010
*filter *filter
:INPUT ACCEPT [0:0] :INPUT ACCEPT [3:84]
:FORWARD ACCEPT [0:0] :FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0] :OUTPUT ACCEPT [0:0]
-A INPUT -i br0 -p udp -m udp --dport 68 -j DROP -A INPUT -i br+ -p udp -m udp --dport 68 -j DROP
-A INPUT -i vif+ -p udp -m udp --dport 68 -j DROP -A INPUT -i vif+ -p udp -m udp --dport 68 -j DROP
-A FORWARD -i vif+ -j ACCEPT
-A FORWARD -i br+ -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j DROP
COMMIT COMMIT
# Completed on Thu Apr 1 10:55:18 2010 # Completed on Thu May 20 06:02:32 2010

12
netvm/qubes_core
View File

@ -23,12 +23,20 @@ start()
gateway=$(/usr/bin/xenstore-read qubes_netvm_gateway) gateway=$(/usr/bin/xenstore-read qubes_netvm_gateway)
netmask=$(/usr/bin/xenstore-read qubes_netvm_netmask) netmask=$(/usr/bin/xenstore-read qubes_netvm_netmask)
network=$(/usr/bin/xenstore-read qubes_netvm_network) network=$(/usr/bin/xenstore-read qubes_netvm_network)
secondary_dns=$(/usr/bin/xenstore-read qubes_netvm_secondary_dns)
ifconfig br0 $gateway netmask $netmask up ifconfig br0 $gateway netmask $netmask up
ifconfig br0:1 $secondary_dns netmask $netmask
echo "NS1=$gateway" > /var/run/qubes_ns
echo "NS2=$secondary_dns" >> /var/run/qubes_ns
qubes_setup_dnat_to_ns
echo "1" > /proc/sys/net/ipv4/ip_forward echo "1" > /proc/sys/net/ipv4/ip_forward
dnsmasq --listen-address $gateway --bind-interfaces #now no need for dnsmasq
# dnsmasq --listen-address $gateway --bind-interfaces
#now done by iptables rc script #now done by iptables rc script
# iptables -t nat -A POSTROUTING -s $network/$netmask -j MASQUERADE # iptables -t nat -A POSTROUTING -s $network/$netmask -j MASQUERADE
#no, we cannot put ip-dependent stuff in sysconfig/iptables
iptables -t nat -A POSTROUTING -s $network/$netmask -d 224.0.0.0/8 -j ACCEPT
iptables -t nat -A POSTROUTING -s $network/$netmask \! -d $network/$netmask -j MASQUERADE
success success
echo "" echo ""
return 0 return 0

2
netvm/qubes_nmhook Executable file
View File

@ -0,0 +1,2 @@
#!/bin/sh
/usr/bin/qubes_setup_dnat_to_ns

20
netvm/qubes_setup_dnat_to_ns Executable file
View File

@ -0,0 +1,20 @@
#!/bin/sh
addrule()
{
if [ $FIRSTONE = yes ] ; then
NS=$NS1
FIRSTONE=no
else
NS=$NS2
fi
iptables -A PREROUTING -t nat -d $NS -p udp --dport 53 -j DNAT \
--to "$1"
}
export PATH=$PATH:/sbin:/bin
source /var/run/qubes_ns
if [ "X"$NS1 = "X" ] ; then exit ; fi
iptables -t nat -F PREROUTING
FIRSTONE=yes
grep ^nameserver /etc/resolv.conf | head -2 | while read x y z ; do
addrule "$y"
done

10
rpm_spec/core-netvm.spec
View File

@ -55,7 +55,12 @@ cp fstab $RPM_BUILD_ROOT/etc/fstab
mkdir -p $RPM_BUILD_ROOT/etc/init.d mkdir -p $RPM_BUILD_ROOT/etc/init.d
cp qubes_core $RPM_BUILD_ROOT/etc/init.d/ cp qubes_core $RPM_BUILD_ROOT/etc/init.d/
mkdir -p $RPM_BUILD_ROOT/var/lib/qubes mkdir -p $RPM_BUILD_ROOT/var/lib/qubes
mkdir -p $RPM_BUILD_ROOT/usr/bin
cp qubes_setup_dnat_to_ns $RPM_BUILD_ROOT/usr/bin
mkdir -p $RPM_BUILD_ROOT/etc/dhclient.d
ln -s /usr/bin/qubes_setup_dnat_to_ns $RPM_BUILD_ROOT/etc/dhclient.d/qubes_setup_dnat_to_ns.sh
mkdir -p $RPM_BUILD_ROOT/etc/NetworkManager/dispatcher.d/
cp qubes_nmhook $RPM_BUILD_ROOT/etc/NetworkManager/dispatcher.d/
%post %post
if [ "$1" != 1 ] ; then if [ "$1" != 1 ] ; then
@ -140,3 +145,6 @@ rm -rf $RPM_BUILD_ROOT
/etc/sysconfig/iptables /etc/sysconfig/iptables
/etc/init.d/qubes_core /etc/init.d/qubes_core
%dir /var/lib/qubes %dir /var/lib/qubes
/usr/bin/qubes_setup_dnat_to_ns
/etc/dhclient.d/qubes_setup_dnat_to_ns.sh
/etc/NetworkManager/dispatcher.d/qubes_nmhook