-rw-r--r--core/modules/run-virt/data/opt/openslx/vmchooser/data/doh-servers2
-rw-r--r--core/modules/run-virt/data/opt/openslx/vmchooser/run-virt.d/setup_firewall.inc7
-rw-r--r--core/modules/run-virt/data/opt/openslx/vmchooser/scripts/set-firewall13
-rw-r--r--core/modules/run-virt/fwtool/main.c15
4 files changed, 23 insertions, 14 deletions
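diff --git a/core/modules/run-virt/data/opt/openslx/vmchooser/data/doh-servers b/core/modules/run-virt/data/opt/openslx/vmchooser/data/doh-servers
index 1c845d2b..8cce36ff 100644
--- a/core/modules/run-virt/data/opt/openslx/vmchooser/data/doh-servers
+++ b/core/modules/run-virt/data/opt/openslx/vmchooser/data/doh-servers
@@ -1,5 +1,7 @@
+1.0.0.1
 1.0.0.2
 1.0.0.3
+1.1.1.1
 102.211.206.93
 103.111.114.25
 103.114.162.65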
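diff --git a/core/modules/run-virt/data/opt/openslx/vmchooser/run-virt.d/setup_firewall.inc b/core/modules/run-virt/data/opt/openslx/vmchooser/run-virt.d/setup_firewall.inc
index 22b3bd10..c62a0862 100644
--- a/core/modules/run-virt/data/opt/openslx/vmchooser/run-virt.d/setup_firewall.inc
+++ b/core/modules/run-virt/data/opt/openslx/vmchooser/run-virt.d/setup_firewall.inc
@@ -33,14 +33,15 @@ setup_firewall () {
 cat >> "$DNSMASQ_CONF" <<-DNSCONF
 keep-in-foreground
 pid-file=/tmp/dns-$RANDOM.$RANDOM.$RANDOM
+
 no-hosts
 no-resolv
 port=$port
 interface=lo
 bind-interfaces
+ log-facility=-
 DNSCONF
- add_cleanup "cleanup_firewall"
- if ! dnsmasq --test --conf-file "$DNSMASQ_CONF" &> "${DNSMASQ_CONF}.tmp"; then
+ if ! dnsmasq --test --conf-file="$DNSMASQ_CONF" &> "${DNSMASQ_CONF}.tmp"; then
 cat "${DNSMASQ_CONF}.tmp" >> "${DNSMASQ_CONF}"
 rm -f -- "${DNSMASQ_CONF}.tmp"
 slxlog -s -d "virt-firewall" "Invalid dnsmasq.conf was generated" "$DNSMASQ_CONF"
@@ -58,7 +59,7 @@ run_dnsmasq_fw () {
 trap 'exit 0' INT TERM
 trap 'kill "$dnspid"' EXIT
 while [ -s "$DNSMASQ_CONF" ]; do
- dnsmasq --conf-file "$DNSMASQ_CONF" &
+ dnsmasq --conf-file="$DNSMASQ_CONF" &
 dnspid=$!
 wait "$dnspid"
 done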
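Review bot: The first hunk drops `add_cleanup "cleanup_firewall"` with no replacement visible in this section, so after the heredoc nothing registers teardown of the generated config or of the dnsmasq instance started by run_dnsmasq_fw; if the registration moved to the caller, a comment at that spot saying so would help, otherwise restore the line directly after `DNSCONF`. `log-facility=-` makes dnsmasq log to stderr, and because run_dnsmasq_fw backgrounds it without a redirection that output goes to whatever stderr the script inherited rather than through slxlog; confirm that is intended, given the `--test` run does capture stderr into `${DNSMASQ_CONF}.tmp`. Both setup_firewall and run_dnsmasq_fw continue outside the hunks shown.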
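diff --git a/core/modules/run-virt/data/opt/openslx/vmchooser/scripts/set-firewall b/core/modules/run-virt/data/opt/openslx/vmchooser/scripts/set-firewall
index f10c12af..3dd19778 100644
--- a/core/modules/run-virt/data/opt/openslx/vmchooser/scripts/set-firewall
+++ b/core/modules/run-virt/data/opt/openslx/vmchooser/scripts/set-firewall
@@ -218,9 +218,7 @@ if ! (
 [ -z "$blockall" ] && blockall=1
 else
 # A host - map to 0.0.0.0
- for dnsip in $dnslist; do
- echo "address=/$DEST/"
- done >> "$DNSCFG"
+ echo "address=/$DEST/" >> "$DNSCFG"
 fi
 else
 # ACCEPT
@@ -228,7 +226,7 @@ if ! (
 # Special case: '*' - degault rule, so ACCEPT -> default servers
 [ -z "$blockall" ] && blockall=0
 else
- # specifically map to out DNS servers
+ # specifically map to our DNS servers
 for dnsip in $dnslist; do
 echo "server=/$DEST/$dnsip"
 done >> "$DNSCFG"
@@ -266,10 +264,10 @@ if ! (
 # (then check for invalid/private addresses)
 for DEST in $( cat /opt/openslx/vmchooser/data/doh-servers ); do
 if [[ $DEST =~ $V6 ]]; then
- ip6tables -w -I runvirt-INPUT 1 -d "$DEST" -p tcp --dport 443 \
+ ip6tables -w -I runvirt-OUTPUT 1 -d "$DEST" -p tcp --dport 443 \
 -j REJECT --reject-with tcp-reset
 else
- iptables -w -I runvirt-INPUT 1 -d "$DEST" -p tcp --dport 443 \
+ iptables -w -I runvirt-OUTPUT 1 -d "$DEST" -p tcp --dport 443 \
 -j REJECT --reject-with tcp-reset
 fi
 done
@@ -283,12 +281,13 @@ if ! (
 fi
 # Redirect UDP:53 to dnsmasq on whatever port
 # physdev /sys/class/net/br0/brif/
- cat "$DNS_IPT_FILE" <<-EOF
+ cat >> "$DNS_IPT_FILE" <<-EOF
 iptables -t nat -A PREROUTING -p tcp --dport 53 -j REDIRECT --to-port "$DNSPORT"
 iptables -t nat -A PREROUTING -p udp --dport 53 -j REDIRECT --to-port "$DNSPORT"
 ip6tables -t nat -A PREROUTING -p tcp --dport 53 -j REDIRECT --to-port "$DNSPORT"
 ip6tables -t nat -A PREROUTING -p udp --dport 53 -j REDIRECT --to-port "$DNSPORT"
 EOF
+ chmod +x "$DNS_IPT_FILE"
 fi
 ); then
 echo "Setting up one or more firewall rules via iptables failed."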
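Review bot: The DoH reject rules now inserted into runvirt-OUTPUT in the hunk at `@@ -266,10 +264,10 @@` only reach guest traffic if that chain is also jumped to from FORWARD, because packets bridged from the VM never traverse the host's OUTPUT hook; this section does not show where runvirt-OUTPUT is hooked, so please confirm, otherwise the block is silently ineffective. In the same loop `$DEST` goes straight from the doh-servers file into `-d "$DEST"`, so a non-address line makes iptables fail and, through the enclosing `if ! (`, aborts the whole setup; the IPv4 branch would benefit from a syntax guard in the style of the existing `[[ $DEST =~ $V6 ]]` test before the call, as the context comment "(then check for invalid/private addresses)" seems to intend. The enclosing `if ! (` subshell starts before the first hunk shown.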
diff --git a/core/modules/run-virt/fwtool/main.c b/core/modules/run-virt/fwtool/main.c
index aa6e70f3..f7d5b120 100644
--- a/core/modules/run-virt/fwtool/main.c
+++ b/core/modules/run-virt/fwtool/main.c
@@ -4,20 +4,27 @@
#include <sys/types.h>
#include <unistd.h>
+#define MAXARGS 10
+
int main(int argc, char **argv)
{
if (argc < 2) {
puts("Nee\n");
return 1;
}
- char * const nargv[] = {
+ char* vnargv[MAXARGS] = {
"bash",
"/opt/openslx/vmchooser/scripts/set-firewall",
- argv[1],
- 0
};
+ for (int i = 1; i < MAXARGS - 2; ++i) {
+ vnargv[i+1] = argv[i];
+ if (argv[i] == 0)
+ break;
+ }
+ vnargv[MAXARGS - 1] = 0;
+ char * const * nargv = vnargv;
char * const nenv[] = {
- "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/openslx/sbin:/opt/openslx/bin",
+ "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/opt/openslx/sbin:/opt/openslx/bin",
"HOME=/root",
"LC_ALL=C.UTF-8",
"LANG=C.UTF-8",