From 0ce79d4895f652c5bd3ba6057d2fafb1b756480f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fr=C3=A9d=C3=A9ric=20Pierret=20=28fepitre=29?= Date: Sun, 12 May 2019 23:29:48 +0200 Subject: [PATCH 1/6] Handle non-default 'eth0' Qubes managed interface --- init/functions | 15 +++++++++++++++ network/network-manager-prepare-conf-dir | 6 +++++- vm-init.d/qubes-firewall | 2 +- vm-systemd/misc-post.sh | 5 ++++- vm-systemd/network-proxy-setup.sh | 6 +++++- 5 files changed, 30 insertions(+), 4 deletions(-) diff --git a/init/functions b/init/functions index 19a522e..4f099dd 100644 --- a/init/functions +++ b/init/functions @@ -128,6 +128,21 @@ umount_retry() { return 0 } +get_iface_from_mac() { + local mac="$1" + local iface + iface="$(ip -o link | grep -i "$mac" | awk '{print $2}' | cut -d ':' -f1)" + echo "$iface" +} + +get_qubes_managed_iface() { + local mac + local qubes_iface + mac="$(qubesdb-read /qubes-mac)" + qubes_iface="$(get_iface_from_mac "$mac")" + echo "$qubes_iface" +} + initialize_home() { local home_root local mode diff --git a/network/network-manager-prepare-conf-dir b/network/network-manager-prepare-conf-dir index 7eb09c1..e76ce01 100755 --- a/network/network-manager-prepare-conf-dir +++ b/network/network-manager-prepare-conf-dir @@ -1,5 +1,9 @@ #!/bin/sh +# Source Qubes library. +# shellcheck source=init/functions +. /usr/lib/qubes/init/functions + NM_CONFIG_DIR=/etc/NetworkManager/system-connections if [ -d $NM_CONFIG_DIR ] && [ ! -h $NM_CONFIG_DIR ]; then mkdir -p /rw/config/NM-system-connections 
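Review bot: `get_qubes_managed_iface` runs `qubesdb-read /qubes-mac` without `2>/dev/null` and without checking its status, so on a VM whose dom0 does not publish that key every caller in this commit (qubes-firewall, network-proxy-setup.sh, misc-post.sh) presumably gets a qubesdb error on stderr at boot and then continues with an empty name; every other `qubesdb-read` in this series silences stderr, so `mac="$(qubesdb-read /qubes-mac 2>/dev/null)"` would be consistent. In `get_iface_from_mac`, `grep -i "$mac"` treats the value as an unanchored regular expression; a MAC is a fixed string bounded by spaces in `ip -o link` output, so `grep -i -w -F -- "$mac"` is the precise form and also protects against a value starting with `-`. A short header comment on each function stating that the MAC comes from qubesdb (dom0-provided) and that an empty result means "not found" would help the callers that test the output.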
@@ -20,7 +24,7 @@ sed -r -i -e "s/^#?plugins=.*/plugins=keyfile/" /etc/NetworkManager/NetworkManag # starting NetworkManager, otherwise it will try default DHCP configuration # first and only after a timeout fallback to static one - introducing delay in # network connectivity -export INTERFACE=eth0 +export INTERFACE="$(get_qubes_managed_iface)" if qubesdb-read /qubes-ip >/dev/null 2>/dev/null && [ -e /sys/class/net/$INTERFACE ] && [ ! -r /etc/NetworkManager/system-connections/qubes-uplink-$INTERFACE ]; then diff --git a/vm-init.d/qubes-firewall b/vm-init.d/qubes-firewall index 483debc..1db1c72 100755 --- a/vm-init.d/qubes-firewall +++ b/vm-init.d/qubes-firewall @@ -19,7 +19,7 @@ start() if qsvc qubes-firewall ; then echo -n $"Starting Qubes Firewall monitor:" - /sbin/ethtool -K eth0 sg off + /sbin/ethtool -K "$(get_qubes_managed_iface)" sg off /usr/sbin/qubes-firewall & success echo "" diff --git a/vm-systemd/misc-post.sh b/vm-systemd/misc-post.sh index 031e8a7..0533013 100755 --- a/vm-systemd/misc-post.sh +++ b/vm-systemd/misc-post.sh @@ -15,7 +15,10 @@ fi # DispVM (to override DispVM-template IP) and in case when qubes-ip was # called by udev before loading evtchn kernel module - in which case # qubesdb-read fails -INTERFACE=eth0 /usr/lib/qubes/setup-ip +QUBES_MANAGED_IFACE="$(get_qubes_managed_iface)" +if [ "x$QUBES_MANAGED_IFACE" != "x" ]; then +INTERFACE="$QUBES_MANAGED_IFACE" /usr/lib/qubes/setup-ip +fi if [ -x /rw/config/rc.local ] ; then /rw/config/rc.local diff --git a/vm-systemd/network-proxy-setup.sh b/vm-systemd/network-proxy-setup.sh index ec8504e..418db31 100755 --- a/vm-systemd/network-proxy-setup.sh +++ b/vm-systemd/network-proxy-setup.sh @@ -1,5 +1,9 @@ #!/bin/sh +# Source Qubes library. +# shellcheck source=init/functions +. /usr/lib/qubes/init/functions + # Setup gateway for all the VMs this netVM is serviceing... network=$(qubesdb-read /qubes-netvm-network 2>/dev/null) if [ "x$network" != "x" ]; then 
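Review bot: The new guard in misc-post.sh skips `setup-ip` silently when `get_qubes_managed_iface` returns nothing, so a VM that comes up without its Qubes IP leaves no hint in the journal about why; the comment just above this hunk explains that this re-run exists precisely because the udev-time invocation may already have failed. An `else` branch such as `echo "misc-post: Qubes managed interface not found, setup-ip skipped" >&2` would keep that failure diagnosable. Note also that the lookup itself depends on `qubesdb-read /qubes-mac`, so if qubesdb is still unreachable at this point the guard skips rather than retries — presumably acceptable, but worth stating in the comment. The script continues on both sides of the hunk.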
@@ -24,5 +28,5 @@ if [ "x$network" != "x" ]; then if [ -n "$gateway6" ]; then echo 1 > /proc/sys/net/ipv6/conf/all/forwarding fi - /sbin/ethtool -K eth0 sg off || true + /sbin/ethtool -K "$(get_qubes_managed_iface)" sg off || true fi From b18efe3257bae64b0ce3769c131df66117857ed7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fr=C3=A9d=C3=A9ric=20Pierret=20=28fepitre=29?= Date: Thu, 16 May 2019 18:11:50 +0200 Subject: [PATCH 2/6] Make ShellCheck happy --- network/network-manager-prepare-conf-dir | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/network/network-manager-prepare-conf-dir b/network/network-manager-prepare-conf-dir index e76ce01..e9e6231 100755 --- a/network/network-manager-prepare-conf-dir +++ b/network/network-manager-prepare-conf-dir @@ -24,10 +24,11 @@ sed -r -i -e "s/^#?plugins=.*/plugins=keyfile/" /etc/NetworkManager/NetworkManag # starting NetworkManager, otherwise it will try default DHCP configuration # first and only after a timeout fallback to static one - introducing delay in # network connectivity -export INTERFACE="$(get_qubes_managed_iface)" +INTERFACE="$(get_qubes_managed_iface)" +export INTERFACE if qubesdb-read /qubes-ip >/dev/null 2>/dev/null && - [ -e /sys/class/net/$INTERFACE ] && - [ ! -r /etc/NetworkManager/system-connections/qubes-uplink-$INTERFACE ]; then + [ -e "/sys/class/net/$INTERFACE" ] && + [ ! -r "/etc/NetworkManager/system-connections/qubes-uplink-$INTERFACE" ]; then /usr/lib/qubes/setup-ip fi From da162d76152facc080e7fdfcb6a5a2b5cb2fb9dc Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fr=C3=A9d=C3=A9ric=20Pierret=20=28fepitre=29?= Date: Thu, 16 May 2019 22:18:12 +0200 Subject: [PATCH 3/6] Handle default value for get_qubes_managed_iface --- init/functions | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/init/functions b/init/functions index 4f099dd..29573a7 100644 --- a/init/functions +++ b/init/functions 
@@ -140,7 +140,11 @@ get_qubes_managed_iface() {
 local qubes_iface
 mac="$(qubesdb-read /qubes-mac)"
 qubes_iface="$(get_iface_from_mac "$mac")"
- echo "$qubes_iface"
+ if [ "x$qubes_iface" != "x" ]; then
+ echo "$qubes_iface"
+ else
+ echo eth0
+ fi
 }
 initialize_home() {
From 902da9f837e9273a2166b0f4b1094b8f5587a5e4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fr=C3=A9d=C3=A9ric=20Pierret=20=28fepitre=29?=
Date: Sat, 18 May 2019 10:42:13 +0200
Subject: [PATCH 4/6] Handle default value for get_iface_from_mac
---
 init/functions | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/init/functions b/init/functions
index 29573a7..4ed27e6 100644
--- a/init/functions
+++ b/init/functions
@@ -131,7 +131,9 @@ umount_retry() {
 get_iface_from_mac() {
 local mac="$1"
 local iface
- iface="$(ip -o link | grep -i "$mac" | awk '{print $2}' | cut -d ':' -f1)"
+ if [ "x$mac" != "x" ]; then
+ iface="$(ip -o link | grep -i "$mac" | awk '{print $2}' | cut -d ':' -f1)"
+ fi
 echo "$iface"
 }
From f7dd41206d5626ab0c05d15abf3f3ae1d08c755c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fr=C3=A9d=C3=A9ric=20Pierret=20=28fepitre=29?=
Date: Sat, 18 May 2019 12:19:54 +0200
Subject: [PATCH 5/6] setup-ip: only assign IP configuration of Qubes managed iface
---
 init/functions | 9 +++
 network/setup-ip | 169 ++++++++++++++++++++++++-----------------------
 2 files changed, 96 insertions(+), 82 deletions(-)
diff --git a/init/functions b/init/functions
index 4ed27e6..1c6a012 100644
--- a/init/functions
+++ b/init/functions
@@ -128,6 +128,15 @@ umount_retry() {
 return 0
 }
+get_mac_from_iface() {
+ local iface="$1"
+ local mac
+ if [ "x$iface" != "x" ]; then
+ mac="$(cat "/sys/class/net/$iface/address")"
+ fi
+ echo "$mac"
+}
+
 get_iface_from_mac() {
 local mac="$1"
 local iface
diff --git a/network/setup-ip b/network/setup-ip
index 04b4d7b..d833520 100755
--- a/network/setup-ip
+++ b/network/setup-ip
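Review bot: Falling back to `eth0` whenever the lookup returns nothing conflates two cases: `/qubes-mac` not published at all, and `/qubes-mac` published but no interface currently carrying that address (uplink not yet plugged, or renamed). In the second case the callers — `ethtool -K "$(get_qubes_managed_iface)"` and `INTERFACE="$QUBES_MANAGED_IFACE" /usr/lib/qubes/setup-ip` in misc-post.sh — act on whatever device happens to be named eth0; in a NetVM with a passthrough NIC that can be the physical uplink rather than the Xen vif, so the VM's internal IP and routes would land on the untrusted side. Defaulting only when `$mac` is empty and failing loudly otherwise keeps the default for the first case while making the second visible; misc-post.sh already guards an empty result, and the two ethtool callers would then fail on an empty name instead of silently touching eth0.
```shell
 qubes_iface="$(get_iface_from_mac "$mac")"
 if [ "x$qubes_iface" != "x" ]; then
 echo "$qubes_iface"
 elif [ "x$mac" = "x" ]; then
 # /qubes-mac not published: keep the historical default
 echo eth0
 else
 echo "get_qubes_managed_iface: no interface with MAC $mac" >&2
 return 1
 fi
```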
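Review bot: In `get_iface_from_mac`, `grep -i "$mac"` still returns every `ip -o link` line carrying the address, so `iface` becomes a multi-line string whenever several devices share a MAC (VLAN or macvlan children commonly inherit the parent's address), and `cut -d ':' -f1` keeps the `@parent` suffix `ip -o link` prints for such devices (`eth0.100@eth0`); in both cases the later `[ -e "/sys/class/net/$INTERFACE" ]` test and `ethtool -K` call receive a name that does not exist. Limiting to the first fixed-string match and stripping the suffix avoids that: `iface="$(ip -o link | grep -i -m1 -w -F -- "$mac" | awk '{print $2}' | cut -d ':' -f1)"` followed by `iface="${iface%%@*}"`. A comment noting that only the first interface with that MAC is reported would make the choice explicit for the caller.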
@@ -6,20 +6,24 @@ have_qubesdb || exit 0
-ip=$(/usr/bin/qubesdb-read /qubes-ip 2> /dev/null)
-ip6=$(/usr/bin/qubesdb-read /qubes-ip6 2> /dev/null)
-if [ "x$ip" != x ]; then
- #netmask=$(/usr/bin/qubesdb-read /qubes-netmask)
- gateway=$(/usr/bin/qubesdb-read /qubes-gateway)
- gateway6=$(/usr/bin/qubesdb-read /qubes-gateway6)
- primary_dns=$(/usr/bin/qubesdb-read /qubes-primary-dns 2>/dev/null || echo "$gateway")
- secondary_dns=$(/usr/bin/qubesdb-read /qubes-secondary-dns)
- /sbin/ethtool -K "$INTERFACE" sg off
- /sbin/ethtool -K "$INTERFACE" tx off
- # If NetworkManager is enabled, let it configure the network
- if qsvc network-manager ; then
- nm_config=/etc/NetworkManager/system-connections/qubes-uplink-$INTERFACE
- cat > "$nm_config" <<__EOF__
+mac="$(/usr/bin/qubesdb-read /qubes-mac 2> /dev/null)"
+current_mac="$(get_mac_from_iface "$INTERFACE")"
+
+if [ "$mac" = "$current_mac" ]; then
+ ip="$(/usr/bin/qubesdb-read /qubes-ip 2> /dev/null)"
+ ip6="$(/usr/bin/qubesdb-read /qubes-ip6 2> /dev/null)"
+ if [ "x$ip" != x ]; then
+ #netmask=$(/usr/bin/qubesdb-read /qubes-netmask)
+ gateway=$(/usr/bin/qubesdb-read /qubes-gateway)
+ gateway6=$(/usr/bin/qubesdb-read /qubes-gateway6)
+ primary_dns=$(/usr/bin/qubesdb-read /qubes-primary-dns 2>/dev/null || echo "$gateway")
+ secondary_dns=$(/usr/bin/qubesdb-read /qubes-secondary-dns)
+ /sbin/ethtool -K "$INTERFACE" sg off
+ /sbin/ethtool -K "$INTERFACE" tx off
+ # If NetworkManager is enabled, let it configure the network
+ if qsvc network-manager ; then
+ nm_config="/etc/NetworkManager/system-connections/qubes-uplink-$INTERFACE"
+ cat > "$nm_config" <<__EOF__
 [802-3-ethernet]
 duplex=full
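Review bot: The `[ "$mac" = "$current_mac" ]` test is case-sensitive while the lookup in `get_iface_from_mac` deliberately uses `grep -i`; `/sys/class/net/*/address` is lowercase, so if dom0 ever publishes `/qubes-mac` in upper case (not visible here) `get_qubes_managed_iface` would still find the interface but this script would silently refuse to configure it. Normalise both sides before comparing: `mac="$(/usr/bin/qubesdb-read /qubes-mac 2> /dev/null | tr 'A-Z' 'a-z')"` and `current_mac="$(get_mac_from_iface "$INTERFACE" | tr 'A-Z' 'a-z')"`. `get_mac_from_iface` also runs `cat` on `/sys/class/net/$INTERFACE/address` without redirecting stderr, so an invocation for a device that has already disappeared prints a cat error at boot and compares an empty string. A one-line comment above the test stating why only the interface whose MAC matches qubesdb gets the Qubes IP would help; the `if` opened here closes far below, outside this hunk.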
@@ -31,100 +35,101 @@ id=VM uplink $INTERFACE uuid=de85f79b-8c3d-405f-a652-cb4c10b4f9ef type=802-3-ethernet __EOF__ - ip4_nm_config="" - ip6_nm_config="" - if ! qsvc disable-dns-server ; then - ip4_nm_config="${ip4_nm_config} + ip4_nm_config="" + ip6_nm_config="" + if ! qsvc disable-dns-server ; then + ip4_nm_config="${ip4_nm_config} dns=${primary_dns};${secondary_dns}" - fi - if ! qsvc disable-default-route ; then - ip4_nm_config="${ip4_nm_config} + fi + if ! qsvc disable-default-route ; then + ip4_nm_config="${ip4_nm_config} addresses1=$ip;32;$gateway" - if [ -n "$ip6" ]; then - ip6_nm_config="${ip6_nm_config} + if [ -n "$ip6" ]; then + ip6_nm_config="${ip6_nm_config} addresses1=$ip6;128;$gateway6" - fi - else - ip4_nm_config="${ip4_nm_config} + fi + else + ip4_nm_config="${ip4_nm_config} addresses1=$ip;32" - if [ -n "$ip6" ]; then - ip6_nm_config="${ip6_nm_config} + if [ -n "$ip6" ]; then + ip6_nm_config="${ip6_nm_config} addresses1=$ip6;128" + fi fi - fi - if [ -n "$ip4_nm_config" ]; then - cat >> "$nm_config" <<__EOF__ + if [ -n "$ip4_nm_config" ]; then + cat >> "$nm_config" <<__EOF__ [ipv4] method=manual may-fail=false $ip4_nm_config __EOF__ - else - cat >> "$nm_config" <<__EOF__ + else + cat >> "$nm_config" <<__EOF__ [ipv4] method=ignore __EOF__ - fi + fi - if [ -n "$ip6_nm_config" ]; then - cat >> "$nm_config" <<__EOF__ + if [ -n "$ip6_nm_config" ]; then + cat >> "$nm_config" <<__EOF__ [ipv6] method=manual may-fail=false $ip6_nm_config __EOF__ - else - cat >> "$nm_config" <<__EOF__ + else + cat >> "$nm_config" <<__EOF__ [ipv6] method=ignore __EOF__ - fi + fi - chmod 600 "$nm_config" - # reload connection - nmcli connection load "$nm_config" || : - else - # No NetworkManager enabled, configure the network manually - /sbin/ifconfig "$INTERFACE" "$ip" netmask 255.255.255.255 - if [ -n "$ip6" ]; then - /sbin/ifconfig "$INTERFACE" add "$ip6"/128 - fi - /sbin/ifconfig "$INTERFACE" up - /sbin/route add -host "$gateway" dev "$INTERFACE" - if [ -n "$gateway6" ] && ! 
echo "$gateway6" | grep -q "^fe80:"; then - /sbin/route -6 add "$gateway6/128" dev "$INTERFACE" - fi - if ! qsvc disable-default-route ; then - /sbin/route add default gw "$gateway" - if [ -n "$gateway6" ]; then - /sbin/route -6 add default gw "$gateway6" dev "$INTERFACE" + chmod 600 "$nm_config" + # reload connection + nmcli connection load "$nm_config" || : + else + # No NetworkManager enabled, configure the network manually + /sbin/ifconfig "$INTERFACE" "$ip" netmask 255.255.255.255 + if [ -n "$ip6" ]; then + /sbin/ifconfig "$INTERFACE" add "$ip6"/128 + fi + /sbin/ifconfig "$INTERFACE" up + /sbin/route add -host "$gateway" dev "$INTERFACE" + if [ -n "$gateway6" ] && ! echo "$gateway6" | grep -q "^fe80:"; then + /sbin/route -6 add "$gateway6/128" dev "$INTERFACE" + fi + if ! qsvc disable-default-route ; then + /sbin/route add default gw "$gateway" + if [ -n "$gateway6" ]; then + /sbin/route -6 add default gw "$gateway6" dev "$INTERFACE" + fi + fi + if ! is_protected_file /etc/resolv.conf ; then + echo > /etc/resolv.conf + if ! qsvc disable-dns-server ; then + echo "nameserver $primary_dns" > /etc/resolv.conf + echo "nameserver $secondary_dns" >> /etc/resolv.conf + fi fi fi - if ! is_protected_file /etc/resolv.conf ; then - echo > /etc/resolv.conf - if ! qsvc disable-dns-server ; then - echo "nameserver $primary_dns" > /etc/resolv.conf - echo "nameserver $secondary_dns" >> /etc/resolv.conf + network=$(qubesdb-read /qubes-netvm-network 2>/dev/null) + if [ "x$network" != "x" ] && ! 
qsvc disable-dns-server ; then + gateway=$(qubesdb-read /qubes-netvm-gateway) + #netmask=$(qubesdb-read /qubes-netvm-netmask) + primary_dns=$(qubesdb-read /qubes-netvm-primary-dns 2>/dev/null || echo "$gateway") + secondary_dns=$(qubesdb-read /qubes-netvm-secondary-dns) + echo "NS1=$primary_dns" > /var/run/qubes/qubes-ns + echo "NS2=$secondary_dns" >> /var/run/qubes/qubes-ns + /usr/lib/qubes/qubes-setup-dnat-to-ns + fi + if [ "x$network" != "x" ]; then + if [ -x /rw/config/qubes-ip-change-hook ]; then + /rw/config/qubes-ip-change-hook + fi + # XXX: Backward compatibility + if [ -x /rw/config/qubes_ip_change_hook ]; then + /rw/config/qubes_ip_change_hook fi fi fi - network=$(qubesdb-read /qubes-netvm-network 2>/dev/null) - if [ "x$network" != "x" ] && ! qsvc disable-dns-server ; then - gateway=$(qubesdb-read /qubes-netvm-gateway) - #netmask=$(qubesdb-read /qubes-netvm-netmask) - primary_dns=$(qubesdb-read /qubes-netvm-primary-dns 2>/dev/null || echo "$gateway") - secondary_dns=$(qubesdb-read /qubes-netvm-secondary-dns) - echo "NS1=$primary_dns" > /var/run/qubes/qubes-ns - echo "NS2=$secondary_dns" >> /var/run/qubes/qubes-ns - /usr/lib/qubes/qubes-setup-dnat-to-ns - fi - if [ "x$network" != "x" ]; then - if [ -x /rw/config/qubes-ip-change-hook ]; then - /rw/config/qubes-ip-change-hook - fi - # XXX: Backward compatibility - if [ -x /rw/config/qubes_ip_change_hook ]; then - /rw/config/qubes_ip_change_hook - fi - fi -fi +fi \ No newline at end of file From 27fddadc2286c245464358016c434ad923ce87b8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fr=C3=A9d=C3=A9ric=20Pierret=20=28fepitre=29?= Date: Tue, 21 May 2019 17:32:05 +0200 Subject: [PATCH 6/6] setup-ip: handle default conf if /qubes-mac returns empty value --- network/setup-ip | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/network/setup-ip b/network/setup-ip index d833520..a7ec8f6 100755 --- a/network/setup-ip +++ b/network/setup-ip 
@@ -9,7 +9,7 @@ have_qubesdb || exit 0
 mac="$(/usr/bin/qubesdb-read /qubes-mac 2> /dev/null)"
 current_mac="$(get_mac_from_iface "$INTERFACE")"
-if [ "$mac" = "$current_mac" ]; then
+if [ "$mac" = "$current_mac" ] || [ "x$mac" = "x" ] ; then
 ip="$(/usr/bin/qubesdb-read /qubes-ip 2> /dev/null)"
 ip6="$(/usr/bin/qubesdb-read /qubes-ip6 2> /dev/null)"
 if [ "x$ip" != x ]; then
@@ -132,4 +132,4 @@ __EOF__
 fi
 fi
 fi
-fi
\ No newline at end of file
+fi
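Review bot: With `/qubes-mac` empty the condition is now true for whatever `$INTERFACE` the script was invoked for, so every interface udev hands to setup-ip — including a passthrough NIC in a NetVM — receives the Qubes IP, routes and resolv.conf, which is exactly the behaviour patch 5 set out to restrict; if this is the intended compatibility path for a dom0 that does not publish the key, it deserves a comment, e.g. `# /qubes-mac not published (presumably older dom0): fall back to configuring $INTERFACE unconditionally, as before`. The mismatch case remains silent; an `else` branch such as `echo "setup-ip: $INTERFACE ($current_mac) is not the Qubes managed interface ($mac), skipping" >&2` would make a VM that never gets its IP debuggable. The `if` opened here is closed by the `+fi` in the second hunk; the body in between is outside this view.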