network: fix issues found by shellcheck
parent
d332a43f6a
commit
bb220ce2eb
@ -1,8 +1,8 @@
|
||||
#!/bin/sh
|
||||
if [ x$2 = xup ]; then
|
||||
INET=$(/sbin/ip addr show dev $1 | /bin/grep inet)
|
||||
if [ "x$2" = xup ]; then
|
||||
INET=$(/sbin/ip addr show dev "$1" | /bin/grep inet)
|
||||
qubesdb-write /qubes-netvm-external-ip "$INET"
|
||||
fi
|
||||
if [ x$2 = xdown ]; then
|
||||
if [ "x$2" = xdown ]; then
|
||||
qubesdb-write /qubes-netvm-external-ip ""
|
||||
fi
|
||||
|
@ -14,7 +14,9 @@ COMMIT
|
||||
__EOF__
|
||||
else
|
||||
# Remove rules
|
||||
# shellcheck disable=SC2086
|
||||
iptables -D $RULE_FILTER
|
||||
# shellcheck disable=SC2086
|
||||
iptables -t nat -D $RULE_NAT
|
||||
exit 0
|
||||
fi
|
||||
|
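Review bot: Both `# shellcheck disable=SC2086` directives are added without a reason, so the next reader cannot tell an intended unquoted expansion from an overlooked one. Presumably `$RULE_FILTER` and `$RULE_NAT` each hold a complete rule specification that relies on word splitting, but their definitions are above the hunk. I would put a comment over each directive, for example `# RULE_FILTER holds a full rule spec; word splitting is intended here`. Pathname expansion still applies to an unquoted value, so the comment should also say the rule text must not contain glob characters.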
@ -1,7 +1,7 @@
|
||||
#!/bin/sh
|
||||
|
||||
NM_CONFIG_DIR=/etc/NetworkManager/system-connections
|
||||
if [ -d $NM_CONFIG_DIR -a ! -h $NM_CONFIG_DIR ]; then
|
||||
if [ -d $NM_CONFIG_DIR ] && [ ! -h $NM_CONFIG_DIR ]; then
|
||||
mkdir -p /rw/config/NM-system-connections
|
||||
mv $NM_CONFIG_DIR/* /rw/config/NM-system-connections/ 2> /dev/null || true
|
||||
rmdir $NM_CONFIG_DIR
|
||||
|
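Review bot: The `mv $NM_CONFIG_DIR/* … 2> /dev/null || true` followed by `rmdir $NM_CONFIG_DIR` can leave the migration half done without any signal. `*` does not match dot-files and every `mv` error is discarded, so `rmdir` then fails on a non-empty directory, and its status is not checked in the visible lines. These are NetworkManager connection profiles, which can carry credentials, so a silent partial move is worth surfacing, for instance with `rmdir "$NM_CONFIG_DIR" || echo "leftover files in $NM_CONFIG_DIR, not migrated" >&2`. The `if` block continues past the end of the hunk, so whatever follows may already depend on the directory being gone.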
@ -1,19 +1,19 @@
|
||||
#!/bin/sh
|
||||
FILE=/etc/NetworkManager/NetworkManager.conf
|
||||
VIFMAC=mac:fe:ff:ff:ff:ff:ff
|
||||
if ! grep -q ^plugins.*keyfile $FILE ; then
|
||||
if ! grep -q '^plugins.*keyfile' $FILE ; then
|
||||
sed -i 's/^plugins.*$/&,keyfile/' $FILE
|
||||
fi
|
||||
if grep -q ^plugins.*ifcfg-rh $FILE ; then
|
||||
if grep -q '^plugins.*ifcfg-rh' $FILE ; then
|
||||
sed -i 's/^plugins=\(.*\)ifcfg-rh,\(.*\)$/plugins=\1\2/' $FILE
|
||||
fi
|
||||
if ! grep -q '^\[keyfile\]$' $FILE ; then
|
||||
echo '[keyfile]' >> $FILE
|
||||
fi
|
||||
if ! grep -q ^unmanaged-devices $FILE ; then
|
||||
if ! grep -q '^unmanaged-devices' $FILE ; then
|
||||
sed -i 's/^\[keyfile\]$/\[keyfile\]\x0aunmanaged-devices='$VIFMAC/ $FILE
|
||||
fi
|
||||
if ! grep -q ^unmanaged-devices.*$VIFMAC $FILE ; then
|
||||
if ! grep -q "^unmanaged-devices.*$VIFMAC" $FILE ; then
|
||||
sed -i 's/^unmanaged-devices.*$/&,'$VIFMAC/ $FILE
|
||||
fi
|
||||
exit 0
|
||||
|
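Review bot: The `grep` patterns are now quoted, but the two `sed -i` lines that insert `unmanaged-devices` still close the single quote and splice `$VIFMAC` in bare (`'…&,'$VIFMAC/ $FILE`), which is harder to read. It only works because the value currently has no whitespace or glob characters. Writing the expression as one double-quoted string keeps the style consistent with the new grep line, e.g. `sed -i "s/^unmanaged-devices.*\$/&,$VIFMAC/" "$FILE"`, and the `[keyfile]` insertion can be rewritten the same way. Quoting `"$FILE"` throughout the script would complete the cleanup.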
@ -35,8 +35,9 @@ start() {
|
||||
|
||||
echo -n $"${CMD}: Applying firewall rules: "
|
||||
|
||||
$CMD-restore $IPTABLES_DATA
|
||||
if [ $? -eq 0 ]; then
|
||||
"$CMD-restore" "$IPTABLES_DATA"
|
||||
ret="$?"
|
||||
if [ "$ret" -eq 0 ]; then
|
||||
echo OK
|
||||
else
|
||||
echo FAIL; return 1
|
||||
|
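Review bot: Capturing `ret="$?"` only to test it on the next line is more indirect than branching on the command itself, `if "$CMD-restore" "$IPTABLES_DATA"; then`, which is also what shellcheck's SC2181 hint points to. If `ret` is reused further down in `start()`, which continues outside the hunk, keep the variable but add a comment saying so. Note that with the argument quoted, an empty `$IPTABLES_DATA` is now passed as an empty file name instead of vanishing; this is fine if an earlier check guarantees it is set, but that check is not visible here.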
@ -1,6 +1,7 @@
|
||||
#!/bin/sh
|
||||
|
||||
# Source Qubes library.
|
||||
# shellcheck source=init/functions
|
||||
. /usr/lib/qubes/init/functions
|
||||
|
||||
/usr/lib/qubes/qubes-setup-dnat-to-ns
|
||||
|
@ -1,7 +1,7 @@
|
||||
#!/bin/sh
|
||||
addrule()
|
||||
{
|
||||
if [ $FIRSTONE = yes ] ; then
|
||||
if [ "$FIRSTONE" = yes ] ; then
|
||||
FIRSTONE=no
|
||||
RULE1="-A PR-QBS -d $NS1 -p udp --dport 53 -j DNAT --to $1
|
||||
-A PR-QBS -d $NS1 -p tcp --dport 53 -j DNAT --to $1"
|
||||
@ -10,17 +10,18 @@ addrule()
|
||||
else
|
||||
RULE2="-A PR-QBS -d $NS2 -p udp --dport 53 -j DNAT --to $1
|
||||
-A PR-QBS -d $NS2 -p tcp --dport 53 -j DNAT --to $1"
|
||||
NS=$NS2
|
||||
fi
|
||||
}
|
||||
export PATH=$PATH:/sbin:/bin
|
||||
# shellcheck disable=SC1091
|
||||
. /var/run/qubes/qubes-ns
|
||||
if [ "X"$NS1 = "X" ] ; then exit ; fi
|
||||
if [ "X$NS1" = "X" ] ; then exit ; fi
|
||||
iptables -t nat -F PR-QBS
|
||||
FIRSTONE=yes
|
||||
grep ^nameserver /etc/resolv.conf | grep -v ":.*:" | head -2 |
|
||||
(
|
||||
while read x y z ; do
|
||||
# shellcheck disable=SC2034
|
||||
while read -r x y z ; do
|
||||
addrule "$y"
|
||||
done
|
||||
(echo "*nat"; echo "$RULE1"; echo "$RULE2"; echo COMMIT) | iptables-restore -n
|
||||
|
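Review bot: The added `# shellcheck disable=SC1091` sits on `. /var/run/qubes/qubes-ns`, a line that executes that file as shell code, and the directive silences the linter without recording why running it is acceptable. Another section of this commit shows the file being produced with `echo "NS1=$primary_dns" > /var/run/qubes/qubes-ns` from qubesdb values, so any shell metacharacter in those values would be interpreted here. I would add a comment above the directive such as `# qubes-ns is generated from qubesdb values and must contain only NS1=/NS2= assignments`. Alternatively, the script could read the two values with `sed -n 's/^NS1=//p'` instead of sourcing the file.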
@ -1,27 +1,28 @@
|
||||
#!/bin/sh
|
||||
|
||||
# Source Qubes library.
|
||||
# shellcheck disable=SC1091
|
||||
. /usr/lib/qubes/init/functions
|
||||
|
||||
have_qubesdb || exit 0
|
||||
|
||||
ip=`/usr/bin/qubesdb-read /qubes-ip 2> /dev/null`
|
||||
if [ x$ip != x ]; then
|
||||
netmask=`/usr/bin/qubesdb-read /qubes-netmask`
|
||||
gateway=`/usr/bin/qubesdb-read /qubes-gateway`
|
||||
primary_dns=`/usr/bin/qubesdb-read /qubes-primary-dns 2>/dev/null || echo $gateway`
|
||||
secondary_dns=`/usr/bin/qubesdb-read /qubes-secondary-dns`
|
||||
/sbin/ethtool -K $INTERFACE sg off
|
||||
/sbin/ethtool -K $INTERFACE tx off
|
||||
ip=$(/usr/bin/qubesdb-read /qubes-ip 2> /dev/null)
|
||||
if [ "x$ip" != x ]; then
|
||||
#netmask=$(/usr/bin/qubesdb-read /qubes-netmask)
|
||||
gateway=$(/usr/bin/qubesdb-read /qubes-gateway)
|
||||
primary_dns=$(/usr/bin/qubesdb-read /qubes-primary-dns 2>/dev/null || echo "$gateway")
|
||||
secondary_dns=$(/usr/bin/qubesdb-read /qubes-secondary-dns)
|
||||
/sbin/ethtool -K "$INTERFACE" sg off
|
||||
/sbin/ethtool -K "$INTERFACE" tx off
|
||||
# If NetworkManager is enabled, let it configure the network
|
||||
if qsvc network-manager ; then
|
||||
nm_config=/etc/NetworkManager/system-connections/qubes-uplink-$INTERFACE
|
||||
cat > $nm_config <<__EOF__
|
||||
cat > "$nm_config" <<__EOF__
|
||||
[802-3-ethernet]
|
||||
duplex=full
|
||||
|
||||
[ethernet]
|
||||
mac-address=`ip l show dev $INTERFACE |grep link|awk '{print $2}'`
|
||||
mac-address=$(ip l show dev "$INTERFACE" |grep link|awk '{print $2}')
|
||||
|
||||
[connection]
|
||||
id=VM uplink $INTERFACE
|
||||
@ -36,23 +37,23 @@ method=manual
|
||||
may-fail=false
|
||||
__EOF__
|
||||
if ! qsvc disable-dns-server ; then
|
||||
echo "dns=$primary_dns;$secondary_dns" >> $nm_config
|
||||
echo "dns=$primary_dns;$secondary_dns" >> "$nm_config"
|
||||
fi
|
||||
if ! qsvc disable-default-route ; then
|
||||
echo "addresses1=$ip;32;$gateway" >> $nm_config
|
||||
echo "addresses1=$ip;32;$gateway" >> "$nm_config"
|
||||
else
|
||||
echo "addresses1=$ip;32" >> $nm_config
|
||||
echo "addresses1=$ip;32" >> "$nm_config"
|
||||
fi
|
||||
chmod 600 $nm_config
|
||||
chmod 600 "$nm_config"
|
||||
# reload connection
|
||||
nmcli connection load $nm_config || :
|
||||
nmcli connection load "$nm_config" || :
|
||||
else
|
||||
# No NetworkManager enabled, configure the network manually
|
||||
/sbin/ifconfig $INTERFACE $ip netmask 255.255.255.255
|
||||
/sbin/ifconfig $INTERFACE up
|
||||
/sbin/route add -host $gateway dev $INTERFACE
|
||||
/sbin/ifconfig "$INTERFACE" "$ip" netmask 255.255.255.255
|
||||
/sbin/ifconfig "$INTERFACE" up
|
||||
/sbin/route add -host "$gateway" dev "$INTERFACE"
|
||||
if ! qsvc disable-default-route ; then
|
||||
/sbin/route add default gw $gateway
|
||||
/sbin/route add default gw "$gateway"
|
||||
fi
|
||||
if ! is_protected_file /etc/resolv.conf ; then
|
||||
echo > /etc/resolv.conf
|
||||
@ -65,8 +66,8 @@ __EOF__
|
||||
network=$(qubesdb-read /qubes-netvm-network 2>/dev/null)
|
||||
if [ "x$network" != "x" ] && ! qsvc disable-dns-server ; then
|
||||
gateway=$(qubesdb-read /qubes-netvm-gateway)
|
||||
netmask=$(qubesdb-read /qubes-netvm-netmask)
|
||||
primary_dns=$(qubesdb-read /qubes-netvm-primary-dns 2>/dev/null || echo $gateway)
|
||||
#netmask=$(qubesdb-read /qubes-netvm-netmask)
|
||||
primary_dns=$(qubesdb-read /qubes-netvm-primary-dns 2>/dev/null || echo "$gateway")
|
||||
secondary_dns=$(qubesdb-read /qubes-netvm-secondary-dns)
|
||||
echo "NS1=$primary_dns" > /var/run/qubes/qubes-ns
|
||||
echo "NS2=$secondary_dns" >> /var/run/qubes/qubes-ns
|
||||
|
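Review bot: `cat > "$nm_config"` creates the connection file with the process umask, and `chmod 600 "$nm_config"` runs only after all the appends. The file is therefore briefly more permissive than intended, and stays that way if the script stops in between. Creating it restricted from the start closes that gap: `old_umask=$(umask); umask 077` before the `cat`, then `umask "$old_umask"` after the `chmod`, so that later writes such as /etc/resolv.conf keep their normal mode. Part of the heredoc lies between the first two hunks and is not visible here.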
@ -1,8 +1,9 @@
|
||||
#!/bin/sh
|
||||
|
||||
type nm-applet > /dev/null 2>&1 || exit 0
|
||||
command -v nm-applet > /dev/null 2>&1 || exit 0
|
||||
|
||||
# Source Qubes library.
|
||||
# shellcheck source=init/functions
|
||||
. /usr/lib/qubes/init/functions
|
||||
|
||||
# Hide nm-applet when network-manager is disabled
|
||||
|
@ -22,6 +22,7 @@
|
||||
#
|
||||
|
||||
# Source Qubes library.
|
||||
# shellcheck source=init/functions
|
||||
. /usr/lib/qubes/init/functions
|
||||
|
||||
BEGIN_MARKER="### QUBES BEGIN ###"
|
||||
@ -37,24 +38,25 @@ update_conf() {
|
||||
local CONF_OPTIONS="$2"
|
||||
|
||||
# Ensure that Qubes conf markers are present in the file
|
||||
if ! grep -q "$BEGIN_MARKER" $CONF_PATH; then
|
||||
if grep -q "$END_MARKER" $CONF_PATH; then
|
||||
if ! grep -q "$BEGIN_MARKER" "$CONF_PATH"; then
|
||||
if grep -q "$END_MARKER" "$CONF_PATH"; then
|
||||
echo "ERROR: found QUBES END marker but not QUBES BEGIN in ${CONF_PATH}" >&2
|
||||
echo "Fix the file by either removing both of them, or adding missing back and retry" >&2
|
||||
exit 1
|
||||
fi
|
||||
cp $CONF_PATH ${CONF_PATH}.qubes-orig
|
||||
echo "$BEGIN_MARKER" >> $CONF_PATH
|
||||
echo "$END_MARKER" >> $CONF_PATH
|
||||
elif ! grep -q "$END_MARKER" $CONF_PATH; then
|
||||
cp "$CONF_PATH" "${CONF_PATH}.qubes-orig"
|
||||
echo "$BEGIN_MARKER" >> "$CONF_PATH"
|
||||
echo "$END_MARKER" >> "$CONF_PATH"
|
||||
elif ! grep -q "$END_MARKER" "$CONF_PATH"; then
|
||||
echo "ERROR: found QUBES BEGIN marker but not QUBES END in ${CONF_PATH}" >&2
|
||||
echo "Fix the file by either removing both of them, or adding missing back and retry" >&2
|
||||
exit 1
|
||||
fi
|
||||
|
||||
# Prepare config block
|
||||
local tmpfile=`mktemp`
|
||||
cat > ${tmpfile} <<EOF
|
||||
local tmpfile
|
||||
tmpfile=$(mktemp)
|
||||
cat > "${tmpfile}" <<EOF
|
||||
# This part of configuration, until QUBES END, is automatically generated by
|
||||
# $0. All changes here will be overriden.
|
||||
# If you want to override any option set here, set it again to desired value,
|
||||
@ -67,8 +69,8 @@ EOF
|
||||
/^$END_MARKER$/b
|
||||
/^$BEGIN_MARKER$/!d
|
||||
r ${tmpfile}
|
||||
}" ${CONF_PATH}
|
||||
rm -f ${tmpfile}
|
||||
}" "${CONF_PATH}"
|
||||
rm -f "${tmpfile}"
|
||||
}
|
||||
|
||||
### helper functions end
|
||||
|
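Review bot: Splitting `local tmpfile` from `tmpfile=$(mktemp)` exposes mktemp's exit status, but nothing in `update_conf` checks it. On failure `tmpfile` is empty, the `cat > "${tmpfile}"` redirect fails, and the later sed script reaches `r ${tmpfile}` with no file name while editing the live configuration in place. The function already aborts with `exit 1` on marker errors, so the same treatment fits here: `tmpfile=$(mktemp) || exit 1`. The body of the heredoc and the start of the sed command lie outside the visible hunks.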
@ -1,4 +1,5 @@
|
||||
#!/bin/bash
|
||||
# shellcheck disable=SC2154
|
||||
#set -x
|
||||
|
||||
undetectable_netvm_ips=
|
||||
|
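Review bot: Placed directly under the shebang, `# shellcheck disable=SC2154` applies to the whole file, so a mistyped variable name anywhere in the script will no longer be reported. Presumably the script is sourced and takes its variables from the caller, but only the first few lines are visible in this hunk. I would keep the directive and add a comment naming the inherited variables, e.g. `# set by the sourcing script: <variable names>`. Alternatively, move the directive to the individual lines that use them, so the linter still catches misspelled names elsewhere.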
@ -21,46 +21,51 @@
|
||||
#============================================================================
|
||||
|
||||
dir=$(dirname "$0")
|
||||
# shellcheck disable=SC1091,SC1090
|
||||
. "$dir/vif-common.sh"
|
||||
|
||||
#main_ip=$(dom0_ip)
|
||||
lockfile=/var/run/xen-hotplug/vif-lock
|
||||
|
||||
# shellcheck disable=SC2154
|
||||
if [ "${ip}" ]; then
|
||||
# IPs as seen by this VM
|
||||
netvm_ip="$ip"
|
||||
netvm_gw_ip=`qubesdb-read /qubes-netvm-gateway`
|
||||
netvm_dns1_ip=`qubesdb-read /qubes-netvm-primary-dns`
|
||||
netvm_dns2_ip=`qubesdb-read /qubes-netvm-secondary-dns`
|
||||
netvm_gw_ip=$(qubesdb-read /qubes-netvm-gateway)
|
||||
netvm_dns1_ip=$(qubesdb-read /qubes-netvm-primary-dns)
|
||||
netvm_dns2_ip=$(qubesdb-read /qubes-netvm-secondary-dns)
|
||||
|
||||
back_ip="$netvm_gw_ip"
|
||||
|
||||
# IPs as seen by the VM - if other than $netvm_ip
|
||||
appvm_gw_ip="`qubesdb-read /mapped-ip/$ip/visible-gateway 2>/dev/null || :`"
|
||||
appvm_ip="`qubesdb-read /mapped-ip/$ip/visible-ip 2>/dev/null || :`"
|
||||
appvm_gw_ip="$(qubesdb-read "/mapped-ip/$ip/visible-gateway" 2>/dev/null || :)"
|
||||
appvm_ip="$(qubesdb-read "/mapped-ip/$ip/visible-ip" 2>/dev/null || :)"
|
||||
fi
|
||||
|
||||
# Apply NAT if IP visible from the VM is different than the "real" one
|
||||
# See vif-qubes-nat.sh for details
|
||||
if [ -n "$appvm_ip" -a -n "$appvm_gw_ip" -a "$appvm_ip" != "$netvm_ip" ]; then
|
||||
if [ -n "$appvm_ip" ] && [ -n "$appvm_gw_ip" ] && [ "$appvm_ip" != "$netvm_ip" ]; then
|
||||
# shellcheck disable=SC2154
|
||||
if test "$command" == online; then
|
||||
echo 1 >/proc/sys/net/ipv4/conf/${vif}/proxy_arp
|
||||
# shellcheck disable=SC2154
|
||||
echo 1 >"/proc/sys/net/ipv4/conf/${vif}/proxy_arp"
|
||||
fi
|
||||
|
||||
# shellcheck source=network/vif-qubes-nat.sh
|
||||
. "$dir/vif-qubes-nat.sh"
|
||||
fi
|
||||
|
||||
|
||||
# shellcheck disable=SC2154
|
||||
case "$command" in
|
||||
online)
|
||||
ifconfig ${vif} up
|
||||
echo 1 >/proc/sys/net/ipv4/conf/${vif}/proxy_arp
|
||||
ifconfig "${vif}" up
|
||||
echo 1 >"/proc/sys/net/ipv4/conf/${vif}/proxy_arp"
|
||||
ipcmd='add'
|
||||
iptables_cmd='-I PREROUTING 1'
|
||||
cmdprefix=''
|
||||
;;
|
||||
offline)
|
||||
do_without_error ifdown ${vif}
|
||||
do_without_error ifdown "${vif}"
|
||||
ipcmd='del'
|
||||
iptables_cmd='-D PREROUTING'
|
||||
cmdprefix='do_without_error'
|
||||
@ -71,23 +76,23 @@ domid=${vif/vif/}
|
||||
domid=${domid/.*/}
|
||||
# metric must be possitive, but prefer later interface
|
||||
# 32752 is max XID aka domid
|
||||
metric=$[ 32752 - $domid ]
|
||||
metric=$(( 32752 - domid ))
|
||||
|
||||
if [ "${ip}" ] ; then
|
||||
# If we've been given a list of IP addresses, then add routes from dom0 to
|
||||
# the guest using those addresses.
|
||||
for addr in ${ip} ; do
|
||||
${cmdprefix} ip route ${ipcmd} ${addr} dev ${vif} metric $metric
|
||||
${cmdprefix} ip route "${ipcmd}" "${addr}" dev "${vif}" metric "$metric"
|
||||
done
|
||||
echo -e "*raw\n$iptables_cmd -i ${vif} ! -s ${ip} -j DROP\nCOMMIT" | \
|
||||
${cmdprefix} flock $lockfile iptables-restore --noflush
|
||||
${cmdprefix} ip addr ${ipcmd} ${back_ip}/32 dev ${vif}
|
||||
${cmdprefix} ip addr "${ipcmd}" "${back_ip}/32" dev "${vif}"
|
||||
fi
|
||||
|
||||
log debug "Successful vif-route-qubes $command for $vif."
|
||||
if [ "$command" = "online" ]
|
||||
then
|
||||
# disable tx checksumming offload, apparently it doesn't work with our ancient qemu in stubdom
|
||||
do_without_error ethtool -K $vif tx off
|
||||
do_without_error ethtool -K "$vif" tx off
|
||||
success
|
||||
fi
|
||||
|
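Review bot: The loop `for addr in ${ip}` treats `ip` as a whitespace-separated list, and the changed route line quotes `"${addr}"` accordingly. However, the raw-table rule right after it still expands the whole `${ip}` inside `! -s ${ip} -j DROP`, and the new `qubesdb-read "/mapped-ip/$ip/visible-ip"` calls also use it as a single value. If `ip` can ever carry more than one address, that source-address filter would no longer be one valid rule, and in the online case `cmdprefix` is empty, so nothing in the visible lines handles `iptables-restore` failing. If exactly one address is expected, state it next to the loop, e.g. `# ${ip} holds a single address here; the DROP rule below relies on that`.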