| author | Simon Rettberg | 2024-10-23 15:36:08 +0200 |
|---|---|---|
| committer | Simon Rettberg | 2024-10-23 15:36:08 +0200 |
| commit | 024d9eaa0c5f7675585e1cde1b4639cc62bf439e (patch) | |
| tree | df2f16265fe54a1afaba762fd655c8557e3e1146 /core/modules/run-virt/data | |
| parent | [run-virt] Remove stray else (diff) | |
[run-virt] Fix DNS blocking
Diffstat (limited to 'core/modules/run-virt/data')
3 files changed, 12 insertions, 10 deletions
diff --git a/core/modules/run-virt/data/opt/openslx/vmchooser/data/doh-servers b/core/modules/run-virt/data/opt/openslx/vmchooser/data/doh-servers
index 1c845d2b..8cce36ff 100644
--- a/core/modules/run-virt/data/opt/openslx/vmchooser/data/doh-servers
+++ b/core/modules/run-virt/data/opt/openslx/vmchooser/data/doh-servers
@@ -1,5 +1,7 @@
+1.0.0.1
 1.0.0.2
 1.0.0.3
+1.1.1.1
 102.211.206.93
 103.111.114.25
 103.114.162.65
diff --git a/core/modules/run-virt/data/opt/openslx/vmchooser/run-virt.d/setup_firewall.inc b/core/modules/run-virt/data/opt/openslx/vmchooser/run-virt.d/setup_firewall.inc
index 22b3bd10..c62a0862 100644
--- a/core/modules/run-virt/data/opt/openslx/vmchooser/run-virt.d/setup_firewall.inc
+++ b/core/modules/run-virt/data/opt/openslx/vmchooser/run-virt.d/setup_firewall.inc
@@ -33,14 +33,15 @@ setup_firewall () {
 cat >> "$DNSMASQ_CONF" <<-DNSCONF
 keep-in-foreground
 pid-file=/tmp/dns-$RANDOM.$RANDOM.$RANDOM
+no-hosts
 no-resolv
 port=$port
 interface=lo
 bind-interfaces
+log-facility=-
 DNSCONF
-add_cleanup "cleanup_firewall"
-if ! dnsmasq --test --conf-file "$DNSMASQ_CONF" &> "${DNSMASQ_CONF}.tmp"; then
+if ! dnsmasq --test --conf-file="$DNSMASQ_CONF" &> "${DNSMASQ_CONF}.tmp"; then
 cat "${DNSMASQ_CONF}.tmp" >> "${DNSMASQ_CONF}"
 rm -f -- "${DNSMASQ_CONF}.tmp"
 slxlog -s -d "virt-firewall" "Invalid dnsmasq.conf was generated" "$DNSMASQ_CONF"
@@ -58,7 +59,7 @@ run_dnsmasq_fw () {
 trap 'exit 0' INT TERM
 trap 'kill "$dnspid"' EXIT
 while [ -s "$DNSMASQ_CONF" ]; do
-dnsmasq --conf-file "$DNSMASQ_CONF" &
+dnsmasq --conf-file="$DNSMASQ_CONF" &
 dnspid=$!
 wait "$dnspid"
 done
diff --git a/core/modules/run-virt/data/opt/openslx/vmchooser/scripts/set-firewall b/core/modules/run-virt/data/opt/openslx/vmchooser/scripts/set-firewall
index f10c12af..3dd19778 100644
--- a/core/modules/run-virt/data/opt/openslx/vmchooser/scripts/set-firewall
+++ b/core/modules/run-virt/data/opt/openslx/vmchooser/scripts/set-firewall
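Review bot: The removed `add_cleanup "cleanup_firewall"` line after the DNSCONF heredoc has no matching addition anywhere in this diff; if the registration moved to a file outside this commit that is fine, but otherwise the dnsmasq instance and the rules installed by setup_firewall are no longer torn down on exit. The two new options are worth a why-comment just before the heredoc, e.g. `# no-hosts: never answer from /etc/hosts so blocked names cannot be satisfied locally; log-facility=-: send dnsmasq's log to stderr instead of syslog`. Outside the change but in the same heredoc, the pid-file name built from $RANDOM under /tmp is guessable for a daemon that typically starts as root; a `mktemp`-created file or a private runtime directory would avoid that. setup_firewall continues past the end of the hunk.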
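Review bot: The respawn loop around the new `dnsmasq --conf-file="$DNSMASQ_CONF" &` line has no backoff, so if dnsmasq exits immediately (port already bound, privilege-drop failure) it is restarted as fast as the shell can fork it for as long as $DNSMASQ_CONF stays non-empty. A minimal guard is `wait "$dnspid" || sleep 1`, or a failure counter that gives up after a few attempts and reports via slxlog as the setup path does. run_dnsmasq_fw's header is above the hunk.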
@@ -218,9 +218,7 @@ if ! (
 [ -z "$blockall" ] && blockall=1
 else
 # A host - map to 0.0.0.0
-for dnsip in $dnslist; do
-echo "address=/$DEST/"
-done >> "$DNSCFG"
+echo "address=/$DEST/" >> "$DNSCFG"
 fi
 else
 # ACCEPT
@@ -228,7 +226,7 @@ if ! (
 # Special case: '*' - degault rule, so ACCEPT -> default servers
 [ -z "$blockall" ] && blockall=0
 else
-# specifically map to out DNS servers
+# specifically map to our DNS servers
 for dnsip in $dnslist; do
 echo "server=/$DEST/$dnsip"
 done >> "$DNSCFG"
@@ -266,10 +264,10 @@ if ! (
 # (then check for invalid/private addresses)
 for DEST in $( cat /opt/openslx/vmchooser/data/doh-servers ); do
 if [[ $DEST =~ $V6 ]]; then
-ip6tables -w -I runvirt-INPUT 1 -d "$DEST" -p tcp --dport 443 \
+ip6tables -w -I runvirt-OUTPUT 1 -d "$DEST" -p tcp --dport 443 \
 -j REJECT --reject-with tcp-reset
 else
-iptables -w -I runvirt-INPUT 1 -d "$DEST" -p tcp --dport 443 \
+iptables -w -I runvirt-OUTPUT 1 -d "$DEST" -p tcp --dport 443 \
 -j REJECT --reject-with tcp-reset
 fi
 done
@@ -283,12 +281,13 @@ if ! (
 fi
 # Redirect UDP:53 to dnsmasq on whatever port
 # physdev /sys/class/net/br0/brif/
-cat "$DNS_IPT_FILE" <<-EOF
+cat >> "$DNS_IPT_FILE" <<-EOF
 iptables -t nat -A PREROUTING -p tcp --dport 53 -j REDIRECT --to-port "$DNSPORT"
 iptables -t nat -A PREROUTING -p udp --dport 53 -j REDIRECT --to-port "$DNSPORT"
 ip6tables -t nat -A PREROUTING -p tcp --dport 53 -j REDIRECT --to-port "$DNSPORT"
 ip6tables -t nat -A PREROUTING -p udp --dport 53 -j REDIRECT --to-port "$DNSPORT"
 EOF
+chmod +x "$DNS_IPT_FILE"
 fi
 ); then
 echo "Setting up one or more firewall rules via iptables failed."
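Review bot: The comment `# A host - map to 0.0.0.0` no longer matches the emitted line, which is `address=/$DEST/` with no address part; depending on the installed dnsmasq an empty address part is answered as NXDOMAIN rather than 0.0.0.0, so confirm the behaviour on the target image and either reword the comment or emit `address=/$DEST/0.0.0.0` (plus the IPv6 form) if a null answer is what is intended. $DEST is written into the config verbatim; if it can originate from user-supplied rule data, a value containing `/` or a newline changes the directive, so a check such as `[[ $DEST =~ ^[A-Za-z0-9.-]+$ ]] || continue` before this point keeps the generated config well-formed (the same applies to the `server=/$DEST/$dnsip` line in the following hunk). The enclosing `if ! (` block starts and ends outside the hunk.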
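Review bot: The rules inserted into runvirt-OUTPUT reject only `-p tcp --dport 443`, so the listed resolvers stay reachable over DNS-over-TLS (tcp/853) and over HTTP/3 (udp/443); adding `-p tcp --dport 853 -j REJECT --reject-with tcp-reset` and `-p udp --dport 443 -j REJECT` for the same `-d "$DEST"` inside the loop closes that gap for the addresses in doh-servers. Whether runvirt-OUTPUT is on the path of bridged guest traffic (which traverses FORWARD rather than OUTPUT) is not visible in this diff, and the physdev comment in the last hunk suggests a bridge is involved, so verify the chain is jumped to from wherever the VM traffic actually passes. The `for DEST in $( cat ... )` loop depends on word-splitting of the file; a `while IFS= read -r DEST` loop that skips empty and `#` lines would be more robust if the list ever gains comments. The enclosing `if ! (` block starts and ends outside the hunk.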
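Review bot: `cat >> "$DNS_IPT_FILE"` appends, so unless $DNS_IPT_FILE is created fresh earlier in the script (not visible here) every run adds another copy of the four REDIRECT rules; if the file is meant to be rebuilt each time, `cat > "$DNS_IPT_FILE"` here or an explicit `: > "$DNS_IPT_FILE"` at the start of the block is the safer default. The new `chmod +x` turns the file into an executed script, and `$DNSPORT` is expanded into it at generation time, so a guard such as `[[ $DNSPORT =~ ^[0-9]+$ ]] || exit 1` before the heredoc ensures only a port number ever lands in the generated commands. The enclosing `if ! (` block starts outside the hunk.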
