From a2df8d8a7cdd38d6814e0de78db3b6c394e1e9c8 Mon Sep 17 00:00:00 2001
From: Joanna Rutkowska
Date: Thu, 8 Mar 2012 12:44:41 +0100
Subject: [PATCH 1/7] version 1.7.15
---
 version_vm | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/version_vm b/version_vm
index 68ced4b..25eebeb 100644
--- a/version_vm
+++ b/version_vm
@@ -1 +1 @@
-1.7.14
+1.7.15
From 0ad42ab63fc4aac61eda8ad830345f41f2e39c35 Mon Sep 17 00:00:00 2001
From: Joanna Rutkowska
Date: Thu, 8 Mar 2012 21:45:55 +0100
Subject: [PATCH 2/7] version 1.7.16
---
 version_vm | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/version_vm b/version_vm
index 25eebeb..15421b3 100644
--- a/version_vm
+++ b/version_vm
@@ -1 +1 @@
-1.7.15
+1.7.16
From 531449b16fe2ad1317d611b468fcef0ef4f3f67a Mon Sep 17 00:00:00 2001
From: Joanna Rutkowska
Date: Fri, 9 Mar 2012 00:21:39 +0100
Subject: [PATCH 3/7] vm/qubes_netwatcher: correct type in service name (#465)
This prevented netwatcher being started in the firewallvm.
---
 network/qubes_netwatcher | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/network/qubes_netwatcher b/network/qubes_netwatcher
index afd7cda..44d56a0 100755
--- a/network/qubes_netwatcher
+++ b/network/qubes_netwatcher
@@ -18,8 +18,8 @@ while true; do
 # thus, no sanitization ready
 # but be careful when passing it to other shell scripts
 if [[ "$UNTRUSTED_NETCFG" != "$CURR_NETCFG" ]]; then
- /sbin/service qubes_firewall stop
- /sbin/service qubes_firewall start
+ /sbin/service qubes-firewall stop
+ /sbin/service qubes-firewall start
 CURR_NETCFG="$UNTRUSTED_NETCFG"
 /usr/bin/xenstore-write qubes_netvm_external_ip "$CURR_NETCFG"
 fi
From aa0d767e8a2a3ba08d3a657254e01061714287fe Mon Sep 17 00:00:00 2001
From: Marek Marczykowski
Date: Fri, 9 Mar 2012 01:01:30 +0100
Subject: [PATCH 4/7] vm/netwatcher: watch also for netvm change (#478)
---
 network/qubes_netwatcher | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
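Review bot: In network/qubes_netwatcher (PATCH 3/7), the exit status of `/sbin/service qubes-firewall stop` and `start` is ignored, and the context lines right after them store the new value in `CURR_NETCFG` and publish it with xenstore-write regardless. That is presumably why the misspelled service name went unnoticed, and a failed restart would leave the firewall running with rules built for the previous network configuration while nothing is logged. I would at least report it: `/sbin/service qubes-firewall start || echo "qubes_netwatcher: qubes-firewall restart failed" >&2`. The enclosing `while true` loop starts and ends outside the hunk.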
diff --git a/network/qubes_netwatcher b/network/qubes_netwatcher
index 44d56a0..a0e54fb 100755
--- a/network/qubes_netwatcher
+++ b/network/qubes_netwatcher
@@ -24,8 +24,8 @@ while true; do
 /usr/bin/xenstore-write qubes_netvm_external_ip "$CURR_NETCFG"
 fi
- /usr/bin/xenstore-watch-qubes /local/domain/$NET_DOMID/qubes_netvm_external_ip
+ /usr/bin/xenstore-watch -n 2 /local/domain/$NET_DOMID/qubes_netvm_external_ip qubes_netvm_domid
 else
- /usr/bin/xenstore-watch-qubes qubes_netvm_domid
+ /usr/bin/xenstore-watch -n 1 qubes_netvm_domid
 fi
 done
From 4401c3e52595b2cc25f02c117551539f0d4077ba Mon Sep 17 00:00:00 2001
From: Marek Marczykowski
Date: Fri, 9 Mar 2012 01:03:59 +0100
Subject: [PATCH 5/7] vm/init.d: make firewall and netwatcher service consistent with systemd
---
 rpm_spec/core-vm.spec | 12 ++++++------
 vm-init.d/{qubes_firewall => qubes-firewall} | 0
 vm-init.d/{qubes_netwatcher => qubes-netwatcher} | 0
 3 files changed, 6 insertions(+), 6 deletions(-)
 rename vm-init.d/{qubes_firewall => qubes-firewall} (100%)
 rename vm-init.d/{qubes_netwatcher => qubes-netwatcher} (100%)
diff --git a/rpm_spec/core-vm.spec b/rpm_spec/core-vm.spec
index f02cdcc..c11b699 100644
--- a/rpm_spec/core-vm.spec
+++ b/rpm_spec/core-vm.spec
@@ -411,8 +411,8 @@ The Qubes core startup configuration for SysV init (or upstart).
 /etc/init.d/qubes_core
 /etc/init.d/qubes_core_appvm
 /etc/init.d/qubes_core_netvm
-/etc/init.d/qubes_firewall
-/etc/init.d/qubes_netwatcher
+/etc/init.d/qubes-firewall
+/etc/init.d/qubes-netwatcher
 %post sysvinit
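Review bot: In network/qubes_netwatcher (PATCH 4/7), `$NET_DOMID` is expanded unquoted inside the watched path on the new `xenstore-watch -n 2` line, and the same line is carried into PATCH 7/7. Its assignment is outside the hunk; if it is read from xenstore, as the watched key `qubes_netvm_domid` suggests, it should be checked to be numeric before it is spliced into a path, and the argument should be quoted: `/usr/bin/xenstore-watch -n 2 "/local/domain/$NET_DOMID/qubes_netvm_external_ip" qubes_netvm_domid`. The `if` that selects between the two branches is also outside the hunk, so I cannot tell whether an empty value is already excluded there.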
@@ -443,8 +443,8 @@ chkconfig --add qubes_core_appvm || echo "WARNING: Cannot add service qubes_core!"
 chkconfig qubes_core_appvm on || echo "WARNING: Cannot enable service qubes_core!"
 chkconfig --add qubes_firewall || echo "WARNING: Cannot add service qubes_core!"
 chkconfig qubes_firewall on || echo "WARNING: Cannot enable service qubes_core!"
-chkconfig --add qubes_netwatcher || echo "WARNING: Cannot add service qubes_core!"
-chkconfig qubes_netwatcher on || echo "WARNING: Cannot enable service qubes_core!"
+chkconfig --add qubes-netwatcher || echo "WARNING: Cannot add service qubes_core!"
+chkconfig qubes-netwatcher on || echo "WARNING: Cannot enable service qubes_core!"
 # TODO: make this not display the silly message about security context...
 sed -i s/^id:.:initdefault:/id:3:initdefault:/ /etc/inittab
@@ -455,8 +455,8 @@ if [ "$1" = 0 ] ; then
 chkconfig qubes_core off
 chkconfig qubes_core_netvm off
 chkconfig qubes_core_appvm off
- chkconfig qubes_firewall off
- chkconfig qubes_netwatcher off
+ chkconfig qubes-firewall off
+ chkconfig qubes-netwatcher off
 fi
 %package systemd
diff --git a/vm-init.d/qubes_firewall b/vm-init.d/qubes-firewall
similarity index 100%
rename from vm-init.d/qubes_firewall
rename to vm-init.d/qubes-firewall
diff --git a/vm-init.d/qubes_netwatcher b/vm-init.d/qubes-netwatcher
similarity index 100%
rename from vm-init.d/qubes_netwatcher
rename to vm-init.d/qubes-netwatcher
From 9de77d7fe42dfd9171fe51f07823b45e8351c7fc Mon Sep 17 00:00:00 2001
From: Marek Marczykowski
Date: Fri, 9 Mar 2012 01:44:27 +0100
Subject: [PATCH 6/7] vm/qvm-firewall: force firewall reload on service start (#478)
This makes firewall reload triggered by qubes-netwatcher working again.
---
 network/qubes_firewall | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)
diff --git a/network/qubes_firewall b/network/qubes_firewall
index 81dbca7..30670b8 100755
--- a/network/qubes_firewall
+++ b/network/qubes_firewall
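Review bot: In rpm_spec/core-vm.spec, the hunk at -443 renames only the two netwatcher lines; the context lines `chkconfig --add qubes_firewall` and `chkconfig qubes_firewall on` directly above them keep the old name, although this commit renames the init script to `qubes-firewall` and the hunk at -455 already calls `chkconfig qubes-firewall off`. As far as the hunk shows, the firewall service would then be neither registered nor enabled on SysV installs, and the `|| echo "WARNING…"` fallback lets the package install finish anyway. The two lines should read `chkconfig --add qubes-firewall || echo "WARNING: Cannot add service qubes-firewall!"` and `chkconfig qubes-firewall on || echo "WARNING: Cannot enable service qubes-firewall!"`. The warning texts on the new netwatcher lines also still name `qubes_core`, so the message does not identify the service that failed.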
@@ -12,13 +12,20 @@ echo $$ >$PIDFILE
 trap 'exit 0' SIGTERM
+FIRST_TIME=yes
+
 while true; do
 echo "1" > /proc/sys/net/ipv4/ip_forward
- # Wait for changes in xenstore file
- /usr/bin/xenstore-watch-qubes $XENSTORE_IPTABLES
- TRIGGER=$(/usr/bin/xenstore-read $XENSTORE_IPTABLES)
+ if [ "$FIRST_TIME" ]; then
+ FIRST_TIME=
+ TRIGGER=reload
+ else
+ # Wait for changes in xenstore file
+ /usr/bin/xenstore-watch-qubes $XENSTORE_IPTABLES
+ TRIGGER=$(/usr/bin/xenstore-read $XENSTORE_IPTABLES)
+ fi
 if ! [ "$TRIGGER" = "reload" ]; then continue ; fi
From 703c74397fb48ba3c0970534bfdc14295f315876 Mon Sep 17 00:00:00 2001
From: Marek Marczykowski
Date: Fri, 9 Mar 2012 01:54:16 +0100
Subject: [PATCH 7/7] vm/netwatcher: fix watch
---
 network/qubes_netwatcher | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/network/qubes_netwatcher b/network/qubes_netwatcher
index a0e54fb..2512f73 100755
--- a/network/qubes_netwatcher
+++ b/network/qubes_netwatcher
@@ -24,8 +24,8 @@ while true; do
 /usr/bin/xenstore-write qubes_netvm_external_ip "$CURR_NETCFG"
 fi
- /usr/bin/xenstore-watch -n 2 /local/domain/$NET_DOMID/qubes_netvm_external_ip qubes_netvm_domid
+ /usr/bin/xenstore-watch -n 3 /local/domain/$NET_DOMID/qubes_netvm_external_ip qubes_netvm_domid
 else
- /usr/bin/xenstore-watch -n 1 qubes_netvm_domid
+ /usr/bin/xenstore-watch -n 2 qubes_netvm_domid
 fi
 done
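Review bot: In network/qubes_firewall (PATCH 6/7), the watch and read calls that move into the new `else` branch still ignore failure and still expand `$XENSTORE_IPTABLES` unquoted. If `xenstore-watch-qubes` returns an error straight away, `xenstore-read` yields an empty `TRIGGER`, the `continue` is taken and the loop spins without ever waiting; `/usr/bin/xenstore-watch-qubes "$XENSTORE_IPTABLES" || sleep 1` would bound that. A comment above `FIRST_TIME=yes`, such as `# load the rules once at startup; qubes-netwatcher restarts this service to force a reload`, would record why the first pass skips the watch. The loop body continues past the end of the hunk.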
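Review bot: In network/qubes_netwatcher (PATCH 7/7), the `-n` value on each new `xenstore-watch` line is one more than the number of paths it watches, and nothing in the hunk says why. If the reason is that every watch reports once when it is registered, which would explain why the counts introduced in PATCH 4/7 needed correcting, a comment should state it, for example `# each watch fires once on registration, so wait for <paths> + 1 events`. Without it, the next change that adds a watched path is likely to reintroduce the same off-by-one. The enclosing loop starts outside the hunk.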