network: reformat vif-route-qubes-nat
Use 4-space indentation, remove trailing spaces. No functional change.
This commit is contained in:
Marek Marczykowski-Górecki
parent
3131bb6135
commit
be86c7da1f
@ -11,13 +11,13 @@ netns_appvm_if="${vif}"
|
||||
|
||||
function run
|
||||
{
|
||||
#echo "$@" >> /var/log/qubes-nat.log
|
||||
"$@"
|
||||
#echo "$@" >> /var/log/qubes-nat.log
|
||||
"$@"
|
||||
}
|
||||
|
||||
function netns
|
||||
{
|
||||
run ip netns exec "$netns" "$@"
|
||||
run ip netns exec "$netns" "$@"
|
||||
}
|
||||
|
||||
|
||||
@ -26,54 +26,54 @@ run ip addr flush dev "$netns_appvm_if"
|
||||
run ip netns delete "$netns" || :
|
||||
|
||||
if test "$command" == online; then
|
||||
run ip netns add "$netns"
|
||||
run ip link set "$netns_appvm_if" netns "$netns"
|
||||
run ip netns add "$netns"
|
||||
run ip link set "$netns_appvm_if" netns "$netns"
|
||||
|
||||
run ip link add "$netns_netvm_if" type veth peer name "$netvm_if"
|
||||
run ip link set "$netns_netvm_if" netns "$netns"
|
||||
run ip link add "$netns_netvm_if" type veth peer name "$netvm_if"
|
||||
run ip link set "$netns_netvm_if" netns "$netns"
|
||||
|
||||
|
||||
netns ip6tables -t raw -I PREROUTING -j DROP
|
||||
netns ip6tables -P INPUT DROP
|
||||
netns ip6tables -P FORWARD DROP
|
||||
netns ip6tables -P OUTPUT DROP
|
||||
netns ip6tables -t raw -I PREROUTING -j DROP
|
||||
netns ip6tables -P INPUT DROP
|
||||
netns ip6tables -P FORWARD DROP
|
||||
netns ip6tables -P OUTPUT DROP
|
||||
|
||||
netns sh -c 'echo 1 > /proc/sys/net/ipv4/ip_forward'
|
||||
netns sh -c 'echo 1 > /proc/sys/net/ipv4/ip_forward'
|
||||
|
||||
netns iptables -t raw -I PREROUTING -i "$netns_appvm_if" ! -s "$appvm_ip" -j DROP
|
||||
netns iptables -t raw -I PREROUTING -i "$netns_appvm_if" ! -s "$appvm_ip" -j DROP
|
||||
|
||||
if test -n "$undetectable_netvm_ips"; then
|
||||
# prevent an AppVM connecting to its own ProxyVM IP because that makes the internal IPs detectable even with no firewall rules
|
||||
netns iptables -t raw -I PREROUTING -i "$netns_appvm_if" -d "$netvm_ip" -j DROP
|
||||
if test -n "$undetectable_netvm_ips"; then
|
||||
# prevent an AppVM connecting to its own ProxyVM IP because that makes the internal IPs detectable even with no firewall rules
|
||||
netns iptables -t raw -I PREROUTING -i "$netns_appvm_if" -d "$netvm_ip" -j DROP
|
||||
|
||||
# same for the gateway/DNS IPs
|
||||
netns iptables -t raw -I PREROUTING -i "$netns_appvm_if" -d "$netvm_gw_ip" -j DROP
|
||||
netns iptables -t raw -I PREROUTING -i "$netns_appvm_if" -d "$netvm_dns2_ip" -j DROP
|
||||
fi
|
||||
# same for the gateway/DNS IPs
|
||||
netns iptables -t raw -I PREROUTING -i "$netns_appvm_if" -d "$netvm_gw_ip" -j DROP
|
||||
netns iptables -t raw -I PREROUTING -i "$netns_appvm_if" -d "$netvm_dns2_ip" -j DROP
|
||||
fi
|
||||
|
||||
netns iptables -t nat -I PREROUTING -i "$netns_netvm_if" -j DNAT --to-destination "$appvm_ip"
|
||||
netns iptables -t nat -I POSTROUTING -o "$netns_netvm_if" -j SNAT --to-source "$netvm_ip"
|
||||
netns iptables -t nat -I PREROUTING -i "$netns_netvm_if" -j DNAT --to-destination "$appvm_ip"
|
||||
netns iptables -t nat -I POSTROUTING -o "$netns_netvm_if" -j SNAT --to-source "$netvm_ip"
|
||||
|
||||
netns iptables -t nat -I PREROUTING -i "$netns_appvm_if" -d "$appvm_gw_ip" -j DNAT --to-destination "$netvm_gw_ip"
|
||||
netns iptables -t nat -I POSTROUTING -o "$netns_appvm_if" -s "$netvm_gw_ip" -j SNAT --to-source "$appvm_gw_ip"
|
||||
netns iptables -t nat -I PREROUTING -i "$netns_appvm_if" -d "$appvm_gw_ip" -j DNAT --to-destination "$netvm_gw_ip"
|
||||
netns iptables -t nat -I POSTROUTING -o "$netns_appvm_if" -s "$netvm_gw_ip" -j SNAT --to-source "$appvm_gw_ip"
|
||||
|
||||
if test -n "$appvm_dns2_ip"; then
|
||||
netns iptables -t nat -I PREROUTING -i "$netns_appvm_if" -d "$appvm_dns2_ip" -j DNAT --to-destination "$netvm_dns2_ip"
|
||||
netns iptables -t nat -I POSTROUTING -o "$netns_appvm_if" -s "$netvm_dns2_ip" -j SNAT --to-source "$appvm_dns2_ip"
|
||||
fi
|
||||
if test -n "$appvm_dns2_ip"; then
|
||||
netns iptables -t nat -I PREROUTING -i "$netns_appvm_if" -d "$appvm_dns2_ip" -j DNAT --to-destination "$netvm_dns2_ip"
|
||||
netns iptables -t nat -I POSTROUTING -o "$netns_appvm_if" -s "$netvm_dns2_ip" -j SNAT --to-source "$appvm_dns2_ip"
|
||||
fi
|
||||
|
||||
netns ip addr add "$netvm_ip$netvm_subnet" dev "$netns_netvm_if"
|
||||
netns ip addr add "$appvm_gw_ip" dev "$netns_appvm_if"
|
||||
netns ip addr add "$netvm_ip$netvm_subnet" dev "$netns_netvm_if"
|
||||
netns ip addr add "$appvm_gw_ip" dev "$netns_appvm_if"
|
||||
|
||||
netns ip link set "$netns_netvm_if" up
|
||||
netns ip link set "$netns_appvm_if" up
|
||||
netns ip link set "$netns_netvm_if" up
|
||||
netns ip link set "$netns_appvm_if" up
|
||||
|
||||
netns ip route add "$appvm_ip" dev "$netns_appvm_if" src "$appvm_gw_ip"
|
||||
netns ip route add default via "$netvm_gw_ip" dev "$netns_netvm_if" src "$netvm_ip"
|
||||
netns ip route add "$appvm_ip" dev "$netns_appvm_if" src "$appvm_gw_ip"
|
||||
netns ip route add default via "$netvm_gw_ip" dev "$netns_netvm_if" src "$netvm_ip"
|
||||
|
||||
|
||||
#run ip addr add "$netvm_gw_ip" dev "$netvm_if"
|
||||
#run ip link set "$netvm_if" up
|
||||
#run ip route add "$netvm_ip" dev "$netvm_if" src "$netvm_gw_ip"
|
||||
#run ip addr add "$netvm_gw_ip" dev "$netvm_if"
|
||||
#run ip link set "$netvm_if" up
|
||||
#run ip route add "$netvm_ip" dev "$netvm_if" src "$netvm_gw_ip"
|
||||
fi
|
||||
|
||||
|
||||
@ -1,24 +1,24 @@
|
||||
#!/bin/bash
|
||||
#!/bin/bash
|
||||
#============================================================================
|
||||
# /etc/xen/vif-route-qubes-nat
|
||||
#
|
||||
# Script for configuring a vif in routed mode.
|
||||
# The hotplugging system will call this script if it is specified either in
|
||||
# the device configuration given to Xend, or the default Xend configuration
|
||||
# /etc/xen/vif-route-qubes-nat
|
||||
#
|
||||
# Script for configuring a vif in routed mode.
|
||||
# The hotplugging system will call this script if it is specified either in
|
||||
# the device configuration given to Xend, or the default Xend configuration
|
||||
# in /etc/xen/xend-config.sxp. If the script is specified in neither of those
|
||||
# places, then vif-bridge is the default.
|
||||
#
|
||||
# Usage:
|
||||
# vif-route (add|remove|online|offline)
|
||||
#
|
||||
# Environment vars:
|
||||
# vif vif interface name (required).
|
||||
# XENBUS_PATH path to this device's details in the XenStore (required).
|
||||
#
|
||||
# Read from the store:
|
||||
# ip list of IP networks for the vif, space-separated (default given in
|
||||
# this script).
|
||||
#============================================================================
|
||||
# places, then vif-bridge is the default.
|
||||
#
|
||||
# Usage:
|
||||
# vif-route (add|remove|online|offline)
|
||||
#
|
||||
# Environment vars:
|
||||
# vif vif interface name (required).
|
||||
# XENBUS_PATH path to this device's details in the XenStore (required).
|
||||
#
|
||||
# Read from the store:
|
||||
# ip list of IP networks for the vif, space-separated (default given in
|
||||
# this script).
|
||||
#============================================================================
|
||||
|
||||
appvm_gw_ip="$1"
|
||||
netvm_ip="$2"
|
||||
@ -28,12 +28,12 @@ dir=$(dirname "$0")
|
||||
. "$dir/vif-common.sh"
|
||||
|
||||
if [ "${ip}" ]; then
|
||||
appvm_ip="$ip"
|
||||
netvm_gw_ip=`qubesdb-read /qubes-netvm-gateway`
|
||||
netvm_dns2_ip=`qubesdb-read /qubes-netvm-secondary-dns`
|
||||
appvm_ip="$ip"
|
||||
netvm_gw_ip=`qubesdb-read /qubes-netvm-gateway`
|
||||
netvm_dns2_ip=`qubesdb-read /qubes-netvm-secondary-dns`
|
||||
|
||||
ip="$netvm_ip"
|
||||
back_ip="$netvm_gw_ip"
|
||||
ip="$netvm_ip"
|
||||
back_ip="$netvm_gw_ip"
|
||||
fi
|
||||
|
||||
#echo "$appvm_ip $appvm_gw_ip $netvm_ip $netvm_gw_ip" >> /var/log/qubes-nat.log
|
||||
@ -42,27 +42,27 @@ fi
|
||||
lockfile=/var/run/xen-hotplug/vif-lock
|
||||
|
||||
if [ "${ip}" ]; then
|
||||
if test "$command" == online; then
|
||||
echo 1 >/proc/sys/net/ipv4/conf/${vif}/proxy_arp
|
||||
fi
|
||||
if test "$command" == online; then
|
||||
echo 1 >/proc/sys/net/ipv4/conf/${vif}/proxy_arp
|
||||
fi
|
||||
|
||||
. "$dir/vif-qubes-nat.sh"
|
||||
. "$dir/vif-qubes-nat.sh"
|
||||
fi
|
||||
|
||||
case "$command" in
|
||||
online)
|
||||
ifconfig ${vif} up
|
||||
echo 1 >/proc/sys/net/ipv4/conf/${vif}/proxy_arp
|
||||
ipcmd='add'
|
||||
iptables_cmd='-I PREROUTING 1'
|
||||
cmdprefix=''
|
||||
;;
|
||||
offline)
|
||||
do_without_error ifdown ${vif}
|
||||
ipcmd='del'
|
||||
iptables_cmd='-D PREROUTING'
|
||||
cmdprefix='do_without_error'
|
||||
;;
|
||||
online)
|
||||
ifconfig ${vif} up
|
||||
echo 1 >/proc/sys/net/ipv4/conf/${vif}/proxy_arp
|
||||
ipcmd='add'
|
||||
iptables_cmd='-I PREROUTING 1'
|
||||
cmdprefix=''
|
||||
;;
|
||||
offline)
|
||||
do_without_error ifdown ${vif}
|
||||
ipcmd='del'
|
||||
iptables_cmd='-D PREROUTING'
|
||||
cmdprefix='do_without_error'
|
||||
;;
|
||||
esac
|
||||
|
||||
domid=${vif/vif/}
|
||||
@ -72,20 +72,20 @@ domid=${domid/.*/}
|
||||
metric=$[ 32752 - $domid ]
|
||||
|
||||
if [ "${ip}" ] ; then
|
||||
# If we've been given a list of IP addresses, then add routes from dom0 to
|
||||
# the guest using those addresses.
|
||||
for addr in ${ip} ; do
|
||||
${cmdprefix} ip route ${ipcmd} ${addr} dev ${vif} metric $metric
|
||||
done
|
||||
echo -e "*raw\n$iptables_cmd -i ${vif} ! -s ${ip} -j DROP\nCOMMIT" | \
|
||||
${cmdprefix} flock $lockfile iptables-restore --noflush
|
||||
${cmdprefix} ip addr ${ipcmd} ${back_ip}/32 dev ${vif}
|
||||
# If we've been given a list of IP addresses, then add routes from dom0 to
|
||||
# the guest using those addresses.
|
||||
for addr in ${ip} ; do
|
||||
${cmdprefix} ip route ${ipcmd} ${addr} dev ${vif} metric $metric
|
||||
done
|
||||
echo -e "*raw\n$iptables_cmd -i ${vif} ! -s ${ip} -j DROP\nCOMMIT" | \
|
||||
${cmdprefix} flock $lockfile iptables-restore --noflush
|
||||
${cmdprefix} ip addr ${ipcmd} ${back_ip}/32 dev ${vif}
|
||||
fi
|
||||
|
||||
log debug "Successful vif-route-qubes-nat $command for $vif."
|
||||
if [ "$command" = "online" ]
|
||||
then
|
||||
# disable tx checksumming offload, apparently it doesn't work with our ancient qemu in stubdom
|
||||
do_without_error ethtool -K $vif tx off
|
||||
success
|
||||
# disable tx checksumming offload, apparently it doesn't work with our ancient qemu in stubdom
|
||||
do_without_error ethtool -K $vif tx off
|
||||
success
|
||||
fi
|
||||
|
||||
Loading…
Reference in New Issue
Block a user