|
@@ -3,6 +3,15 @@
|
|
|
# Source Qubes library.
|
|
|
# shellcheck disable=SC1091
|
|
|
. /usr/lib/qubes/init/functions
|
|
|
+set -uo pipefail
|
|
|
+
|
|
|
+add_host_route () {
|
|
|
+ /sbin/ip -- route replace to unicast "$1" dev "$2" onlink scope host
|
|
|
+}
|
|
|
+
|
|
|
+add_default_route () {
|
|
|
+ /sbin/ip -- route replace to unicast default via "$1" dev "$2" onlink
|
|
|
+}
|
|
|
|
|
|
configure_network() {
|
|
|
local MAC="$1"
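Review bot: The two new helpers carry no header comment, and `add_host_route` hard-codes `scope host` even though the later hunk calls it with `$gateway6/$netmask6`; if netmask6 is ever narrower than 128 that installs a host-scope route for a whole prefix, which is presumably not what the replaced `route -6 add` did, so that call site should be confirmed. A header such as `# add_host_route ADDR DEV: pin ADDR (or ADDR/PREFIX) to DEV as an on-link, host-scope route, replacing any existing entry` above `add_host_route () {`, and a parallel one for `add_default_route`, would make the contract explicit. `set -uo pipefail` deliberately omits `-e`, so a failing `/sbin/ip` call is not fatal; that looks intentional given the `|| var=` pattern used throughout the commit, but a one-line comment next to the `set` line saying so would stop the next reader from adding `-e` and changing error behaviour.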
|
|
@@ -15,22 +24,27 @@ configure_network() {
|
|
|
local gateway6="$8"
|
|
|
local primary_dns="$9"
|
|
|
local secondary_dns="${10}"
|
|
|
+ local netvm_mac=fe:ff:ff:ff:ff:ff
|
|
|
|
|
|
/sbin/ifconfig "$INTERFACE" "$ip" netmask "$netmask"
|
|
|
+ /sbin/ip -- neighbour replace to "$gateway" dev "$INTERFACE" \
|
|
|
+ lladdr "$netvm_mac" nud permanent
|
|
|
if [ -n "$ip6" ]; then
|
|
|
/sbin/ifconfig "$INTERFACE" add "$ip6/$netmask6"
|
|
|
+ /sbin/ip -- neighbour replace to "$gateway6" dev "$INTERFACE" \
|
|
|
+ lladdr "$netvm_mac" nud permanent
|
|
|
fi
|
|
|
/sbin/ifconfig "$INTERFACE" up
|
|
|
|
|
|
if [ -n "$gateway" ]; then
|
|
|
- /sbin/route add -host "$gateway" dev "$INTERFACE"
|
|
|
+ add_host_route "$gateway" "$INTERFACE"
|
|
|
if [ -n "$gateway6" ] && ! echo "$gateway6" | grep -q "^fe80:"; then
|
|
|
- /sbin/route -6 add "$gateway6/$netmask6" dev "$INTERFACE"
|
|
|
+ add_host_route "$gateway6/$netmask6" "$INTERFACE"
|
|
|
fi
|
|
|
if ! qsvc disable-default-route ; then
|
|
|
- /sbin/route add default gw "$gateway"
|
|
|
+ add_default_route "$gateway" "$INTERFACE"
|
|
|
if [ -n "$gateway6" ]; then
|
|
|
- /sbin/route -6 add default gw "$gateway6" dev "$INTERFACE"
|
|
|
+ add_default_route "$gateway6" "$INTERFACE"
|
|
|
fi
|
|
|
fi
|
|
|
fi
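Review bot: The new `/sbin/ip -- neighbour replace to "$gateway" dev "$INTERFACE" ...` runs unconditionally, but `gateway` can be empty — the route code a few lines below still guards with `if [ -n "$gateway" ]` — and the IPv6 counterpart inside `if [ -n "$ip6" ]` likewise runs with a possibly empty `gateway6`; `ip` rejects an empty address and prints an error, which is only noise since `-e` is not set, but the entries should be guarded the same way, e.g. wrap the IPv4 call in `if [ -n "$gateway" ]; then … fi` and the IPv6 one in `if [ -n "$gateway6" ]; then … fi`. The hard-coded `netvm_mac=fe:ff:ff:ff:ff:ff` also deserves a why-comment, because the security property here is that a `nud permanent` entry pins the gateway's link-layer address so ARP/NDP traffic on the interface cannot change it, and the constant relies on the Xen vif backend's default MAC; something like `# Pin the gateway's MAC with a permanent neighbour entry so ARP/NDP replies cannot rewrite it; fe:ff:ff:ff:ff:ff is the Xen vif backend default (confirm this holds for every netvm type)`. `configure_network` begins in the earlier hunk and continues past this one.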
|
|
@@ -159,67 +173,80 @@ qubes_ip_change_hook() {
|
|
|
|
|
|
have_qubesdb || exit 0
|
|
|
|
|
|
-if [ -n "$INTERFACE" ]; then
|
|
|
- if [ "$ACTION" == "add" ]; then
|
|
|
- MAC="$(get_mac_from_iface "$INTERFACE")"
|
|
|
- if [ -n "$MAC" ]; then
|
|
|
- ip="$(/usr/bin/qubesdb-read "/net-config/$MAC/ip" 2> /dev/null)"
|
|
|
- ip6="$(/usr/bin/qubesdb-read "/net-config/$MAC/ip6" 2> /dev/null)"
|
|
|
- netmask="$(/usr/bin/qubesdb-read "/net-config/$MAC/netmask" 2> /dev/null)"
|
|
|
- netmask6="$(/usr/bin/qubesdb-read "/net-config/$MAC/netmask6" 2> /dev/null)"
|
|
|
- gateway="$(/usr/bin/qubesdb-read "/net-config/$MAC/gateway" 2> /dev/null)"
|
|
|
- gateway6="$(/usr/bin/qubesdb-read "/net-config/$MAC/gateway6" 2> /dev/null)"
|
|
|
-
|
|
|
- # Handle legacy values
|
|
|
- LEGACY_MAC="$(/usr/bin/qubesdb-read /qubes-mac 2> /dev/null)"
|
|
|
- if [ "$MAC" == "$LEGACY_MAC" ] || [ -z "$LEGACY_MAC" ]; then
|
|
|
- if [ -z "$ip" ]; then
|
|
|
- ip="$(/usr/bin/qubesdb-read /qubes-ip 2> /dev/null)"
|
|
|
- fi
|
|
|
- if [ -z "$ip6" ]; then
|
|
|
- ip6="$(/usr/bin/qubesdb-read /qubes-ip6 2> /dev/null)"
|
|
|
- fi
|
|
|
- if [ -z "$gateway" ]; then
|
|
|
- gateway="$(/usr/bin/qubesdb-read /qubes-gateway 2> /dev/null)"
|
|
|
- fi
|
|
|
- if [ -z "$gateway6" ]; then
|
|
|
- gateway6="$(/usr/bin/qubesdb-read /qubes-gateway6 2> /dev/null)"
|
|
|
- fi
|
|
|
- fi
|
|
|
+ACTION="$1"
|
|
|
+INTERFACE="$2"
|
|
|
+
|
|
|
+if [ -z "$INTERFACE" ]; then
|
|
|
+ echo "Missing INTERFACE argument" >&2
|
|
|
+ exit 1
|
|
|
+fi
|
|
|
|
|
|
- if [ -z "$netmask" ]; then
|
|
|
- netmask="255.255.255.255"
|
|
|
+if [ "$ACTION" == "add" ]; then
|
|
|
+ MAC="$(get_mac_from_iface "$INTERFACE")"
|
|
|
+ if [ -n "$MAC" ]; then
|
|
|
+ ip="$(/usr/bin/qubesdb-read "/net-config/$MAC/ip" 2> /dev/null)" || ip=
|
|
|
+ ip6="$(/usr/bin/qubesdb-read "/net-config/$MAC/ip6" 2> /dev/null)" || ip6=
|
|
|
+ netmask="$(/usr/bin/qubesdb-read "/net-config/$MAC/netmask" 2> /dev/null)" || netmask=
|
|
|
+ netmask6="$(/usr/bin/qubesdb-read "/net-config/$MAC/netmask6" 2> /dev/null)" || netmask6=
|
|
|
+ gateway="$(/usr/bin/qubesdb-read "/net-config/$MAC/gateway" 2> /dev/null)" || gateway=
|
|
|
+ gateway6="$(/usr/bin/qubesdb-read "/net-config/$MAC/gateway6" 2> /dev/null)" || gateway6=
|
|
|
+
|
|
|
+ # Handle legacy values
|
|
|
+ LEGACY_MAC="$(/usr/bin/qubesdb-read /qubes-mac 2> /dev/null)" || LEGACY_MAC=
|
|
|
+ if [ "$MAC" == "$LEGACY_MAC" ] || [ -z "$LEGACY_MAC" ]; then
|
|
|
+ if [ -z "$ip" ]; then
|
|
|
+ ip="$(/usr/bin/qubesdb-read /qubes-ip 2> /dev/null)" || ip=
|
|
|
fi
|
|
|
- if [ -z "$netmask6" ]; then
|
|
|
- netmask6="128"
|
|
|
+ if [ -z "$ip6" ]; then
|
|
|
+ ip6="$(/usr/bin/qubesdb-read /qubes-ip6 2> /dev/null)" || ip6=
|
|
|
fi
|
|
|
+ if [ -z "$gateway" ]; then
|
|
|
+ gateway="$(/usr/bin/qubesdb-read /qubes-gateway 2> /dev/null)" || gateway=
|
|
|
+ fi
|
|
|
+ if [ -z "$gateway6" ]; then
|
|
|
+ gateway6="$(/usr/bin/qubesdb-read /qubes-gateway6 2> /dev/null)" || gateway6=
|
|
|
+ fi
|
|
|
+ fi
|
|
|
+
|
|
|
+ if [ -z "$netmask" ]; then
|
|
|
+ netmask="255.255.255.255"
|
|
|
+ fi
|
|
|
+ if [ -z "$netmask6" ]; then
|
|
|
+ netmask6="128"
|
|
|
+ fi
|
|
|
|
|
|
- primary_dns=$(/usr/bin/qubesdb-read /qubes-primary-dns 2>/dev/null)
|
|
|
- secondary_dns=$(/usr/bin/qubesdb-read /qubes-secondary-dns 2>/dev/null)
|
|
|
+ primary_dns=$(/usr/bin/qubesdb-read /qubes-primary-dns 2>/dev/null) || primary_dns=
|
|
|
+ secondary_dns=$(/usr/bin/qubesdb-read /qubes-secondary-dns 2>/dev/null) || secondary_dns=
|
|
|
|
|
|
- if [ -n "$ip" ]; then
|
|
|
- /sbin/ethtool -K "$INTERFACE" sg off
|
|
|
- /sbin/ethtool -K "$INTERFACE" tx off
|
|
|
+ if [ -n "$ip" ]; then
|
|
|
+ /sbin/ethtool -K "$INTERFACE" sg off
|
|
|
+ /sbin/ethtool -K "$INTERFACE" tx off
|
|
|
|
|
|
- # If NetworkManager is enabled, let it configure the network
|
|
|
- if qsvc network-manager && [ -e /usr/bin/nmcli ]; then
|
|
|
- configure_network_nm "$MAC" "$INTERFACE" "$ip" "$ip6" "$netmask" "$netmask6" "$gateway" "$gateway6" "$primary_dns" "$secondary_dns"
|
|
|
- else
|
|
|
- configure_network "$MAC" "$INTERFACE" "$ip" "$ip6" "$netmask" "$netmask6" "$gateway" "$gateway6" "$primary_dns" "$secondary_dns"
|
|
|
- fi
|
|
|
+ # If NetworkManager is enabled, let it configure the network
|
|
|
+ if qsvc network-manager && [ -e /usr/bin/nmcli ]; then
|
|
|
+ configure_network_nm "$MAC" "$INTERFACE" "$ip" "$ip6" "$netmask" "$netmask6" "$gateway" "$gateway6" "$primary_dns" "$secondary_dns"
|
|
|
+ else
|
|
|
+ configure_network "$MAC" "$INTERFACE" "$ip" "$ip6" "$netmask" "$netmask6" "$gateway" "$gateway6" "$primary_dns" "$secondary_dns"
|
|
|
+ fi
|
|
|
|
|
|
- network=$(qubesdb-read /qubes-netvm-network 2>/dev/null)
|
|
|
- if [ -n "$network" ]; then
|
|
|
- if ! qsvc disable-dns-server; then
|
|
|
- configure_qubes_ns
|
|
|
- fi
|
|
|
- qubes_ip_change_hook
|
|
|
+ network=$(qubesdb-read /qubes-netvm-network 2>/dev/null) || network=
|
|
|
+ if [ -n "$network" ]; then
|
|
|
+ if ! qsvc disable-dns-server; then
|
|
|
+ configure_qubes_ns
|
|
|
fi
|
|
|
+ qubes_ip_change_hook
|
|
|
fi
|
|
|
fi
|
|
|
- elif [ "$ACTION" == "remove" ]; then
|
|
|
- # If exists, we delete NetworkManager configuration file to prevent duplicate entries
|
|
|
- nm_config="/etc/NetworkManager/system-connections/qubes-uplink-$INTERFACE"
|
|
|
- rm -rf "$nm_config"
|
|
|
fi
|
|
|
+elif [ "$ACTION" == "remove" ]; then
|
|
|
+ # make sure network is disabled, especially on shutdown, to prevent
|
|
|
+ # leaks when firewall will get stopped too
|
|
|
+ ip link set "$INTERFACE" down 2>/dev/null || :
|
|
|
+
|
|
|
+ # If exists, we delete NetworkManager configuration file to prevent duplicate entries
|
|
|
+ nm_config="/etc/NetworkManager/system-connections/qubes-uplink-$INTERFACE"
|
|
|
+ rm -rf "$nm_config"
|
|
|
+else
|
|
|
+ echo "Invalid action '$ACTION'" >&2
|
|
|
+ exit 1
|
|
|
fi
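Review bot: With `set -u` now in effect (earlier hunk), `ACTION="$1"` and `INTERFACE="$2"` abort with a bash "unbound variable" error whenever the script is invoked with fewer than two arguments, so the `Missing INTERFACE argument` check right below them is never reached in exactly the case it was written for; use `ACTION="${1-}"` and `INTERFACE="${2-}"` (or test `$#` before assigning). The `remove` branch calls bare `ip link set "$INTERFACE" down` while every other invocation in the file is `/sbin/ip --`; since the interface name now comes straight from argv, the full path and `--` should be used here as well: `/sbin/ip -- link set "$INTERFACE" down 2>/dev/null || :`. The `else` branch's `Invalid action` error is a good addition; consider printing a one-line usage (`setup-ip add|remove INTERFACE`, adjust to the real script name) alongside it so operators see the expected argv shape.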
|