diff options
4 files changed, 23 insertions, 14 deletions
diff --git a/core/modules/run-virt/data/opt/openslx/vmchooser/data/doh-servers b/core/modules/run-virt/data/opt/openslx/vmchooser/data/doh-servers index 1c845d2b..8cce36ff 100644 --- a/core/modules/run-virt/data/opt/openslx/vmchooser/data/doh-servers +++ b/core/modules/run-virt/data/opt/openslx/vmchooser/data/doh-servers @@ -1,5 +1,7 @@ +1.0.0.1 1.0.0.2 1.0.0.3 +1.1.1.1 102.211.206.93 103.111.114.25 103.114.162.65 diff --git a/core/modules/run-virt/data/opt/openslx/vmchooser/run-virt.d/setup_firewall.inc b/core/modules/run-virt/data/opt/openslx/vmchooser/run-virt.d/setup_firewall.inc index 22b3bd10..c62a0862 100644 --- a/core/modules/run-virt/data/opt/openslx/vmchooser/run-virt.d/setup_firewall.inc +++ b/core/modules/run-virt/data/opt/openslx/vmchooser/run-virt.d/setup_firewall.inc @@ -33,14 +33,15 @@ setup_firewall () { cat >> "$DNSMASQ_CONF" <<-DNSCONF keep-in-foreground pid-file=/tmp/dns-$RANDOM.$RANDOM.$RANDOM + no-hosts no-resolv port=$port interface=lo bind-interfaces + log-facility=- DNSCONF - add_cleanup "cleanup_firewall" - if ! dnsmasq --test --conf-file "$DNSMASQ_CONF" &> "${DNSMASQ_CONF}.tmp"; then + if ! dnsmasq --test --conf-file="$DNSMASQ_CONF" &> "${DNSMASQ_CONF}.tmp"; then cat "${DNSMASQ_CONF}.tmp" >> "${DNSMASQ_CONF}" rm -f -- "${DNSMASQ_CONF}.tmp" slxlog -s -d "virt-firewall" "Invalid dnsmasq.conf was generated" "$DNSMASQ_CONF" @@ -58,7 +59,7 @@ run_dnsmasq_fw () { trap 'exit 0' INT TERM trap 'kill "$dnspid"' EXIT while [ -s "$DNSMASQ_CONF" ]; do - dnsmasq --conf-file "$DNSMASQ_CONF" & + dnsmasq --conf-file="$DNSMASQ_CONF" & dnspid=$! wait "$dnspid" done diff --git a/core/modules/run-virt/data/opt/openslx/vmchooser/scripts/set-firewall b/core/modules/run-virt/data/opt/openslx/vmchooser/scripts/set-firewall index f10c12af..3dd19778 100644 --- a/core/modules/run-virt/data/opt/openslx/vmchooser/scripts/set-firewall +++ b/core/modules/run-virt/data/opt/openslx/vmchooser/scripts/set-firewall @@ -218,9 +218,7 @@ if ! ( [ -z "$blockall" ] && blockall=1 else # A host - map to 0.0.0.0 - for dnsip in $dnslist; do - echo "address=/$DEST/" - done >> "$DNSCFG" + echo "address=/$DEST/" >> "$DNSCFG" fi else # ACCEPT @@ -228,7 +226,7 @@ if ! ( # Special case: '*' - degault rule, so ACCEPT -> default servers [ -z "$blockall" ] && blockall=0 else - # specifically map to out DNS servers + # specifically map to our DNS servers for dnsip in $dnslist; do echo "server=/$DEST/$dnsip" done >> "$DNSCFG" @@ -266,10 +264,10 @@ if ! ( # (then check for invalid/private addresses) for DEST in $( cat /opt/openslx/vmchooser/data/doh-servers ); do if [[ $DEST =~ $V6 ]]; then - ip6tables -w -I runvirt-INPUT 1 -d "$DEST" -p tcp --dport 443 \ + ip6tables -w -I runvirt-OUTPUT 1 -d "$DEST" -p tcp --dport 443 \ -j REJECT --reject-with tcp-reset else - iptables -w -I runvirt-INPUT 1 -d "$DEST" -p tcp --dport 443 \ + iptables -w -I runvirt-OUTPUT 1 -d "$DEST" -p tcp --dport 443 \ -j REJECT --reject-with tcp-reset fi done @@ -283,12 +281,13 @@ if ! ( fi # Redirect UDP:53 to dnsmasq on whatever port # physdev /sys/class/net/br0/brif/ - cat "$DNS_IPT_FILE" <<-EOF + cat >> "$DNS_IPT_FILE" <<-EOF iptables -t nat -A PREROUTING -p tcp --dport 53 -j REDIRECT --to-port "$DNSPORT" iptables -t nat -A PREROUTING -p udp --dport 53 -j REDIRECT --to-port "$DNSPORT" ip6tables -t nat -A PREROUTING -p tcp --dport 53 -j REDIRECT --to-port "$DNSPORT" ip6tables -t nat -A PREROUTING -p udp --dport 53 -j REDIRECT --to-port "$DNSPORT" EOF + chmod +x "$DNS_IPT_FILE" fi ); then echo "Setting up one or more firewall rules via iptables failed." diff --git a/core/modules/run-virt/fwtool/main.c b/core/modules/run-virt/fwtool/main.c index aa6e70f3..f7d5b120 100644 --- a/core/modules/run-virt/fwtool/main.c +++ b/core/modules/run-virt/fwtool/main.c @@ -4,20 +4,27 @@ #include <sys/types.h> #include <unistd.h> +#define MAXARGS 10 + int main(int argc, char **argv) { if (argc < 2) { puts("Nee\n"); return 1; } - char * const nargv[] = { + char* vnargv[MAXARGS] = { "bash", "/opt/openslx/vmchooser/scripts/set-firewall", - argv[1], - 0 }; + for (int i = 1; i < MAXARGS - 2; ++i) { + vnargv[i+1] = argv[i]; + if (argv[i] == 0) + break; + } + vnargv[MAXARGS - 1] = 0; + char * const * nargv = vnargv; char * const nenv[] = { - "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/openslx/sbin:/opt/openslx/bin", + "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/opt/openslx/sbin:/opt/openslx/bin", "HOME=/root", "LC_ALL=C.UTF-8", "LANG=C.UTF-8", |