From 89fba848e188ec2f1fe933a4b3c2f9574189f85a Mon Sep 17 00:00:00 2001
From: Marek Marczykowski
Date: Sun, 24 Jul 2011 21:54:10 +0200
Subject: [PATCH 01/11] dom0+vm: Polishing qvm-dom0-upgrade (#287)
Do not print error message when no package downloaded. Also some more covenient usage when dowloading new packages (implied --resolve --nogui).
---
 common/qubes_download_dom0_updates.sh | 19 +++++++++++++++----
 1 file changed, 15 insertions(+), 4 deletions(-)
diff --git a/common/qubes_download_dom0_updates.sh b/common/qubes_download_dom0_updates.sh
index 8ca153e..1b1ea0b 100755
--- a/common/qubes_download_dom0_updates.sh
+++ b/common/qubes_download_dom0_updates.sh
@@ -28,6 +28,8 @@ PKGLIST="$*"
 if [ "x$PKGLIST" = "x" ]; then
 echo "Checking for dom0 updates..."
 PKGLIST=`yum --installroot $DOM0_UPDATES_DIR check-update -q | cut -f 1 -d ' '`
+else
+ PKGS_FROM_CMDLINE=1
 fi

 if [ -z "$PKGLIST" ]; then
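Review bot: `PKGS_FROM_CMDLINE` is assigned only in the new `else` branch, so when no package is named on the command line the tests in the next hunk (`"$PKGS_FROM_CMDLINE" != "1"` and `== 1`) compare an empty string, and the script would stop with an unbound-variable error if `set -u` were ever enabled; initialising it above the `if` with `PKGS_FROM_CMDLINE=0` makes the default explicit. The flag also changes behaviour further down (the confirmation dialog is skipped, `--resolve` is implied and the GUI is forced off), which the commit message states but the script does not; a one-line comment next to the assignment, `# packages named explicitly: skip confirmation, resolve deps, no GUI`, keeps that visible to the next reader.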
@@ -35,23 +37,32 @@ if [ -z "$PKGLIST" ]; then
 exit 0
 fi

-if [ "$DOIT" != "1" ]; then
+if [ "$DOIT" != "1" -a "$PKGS_FROM_CMDLINE" != "1" ]; then
 PKGCOUNT=`echo $PKGLIST|wc -w`
 zenity --question --title="Qubes Dom0 updates" \
 --text="$PKGCOUNT updates for dom0 available. Do you want to download its now?" || exit 0
 fi

+if [ "$PKGS_FROM_CMDLINE" == 1 ]; then
+ OPTS="--resolve"
+ GUI=0
+fi
+
 mkdir -p "$DOM0_UPDATES_DIR/packages"
 set -e
 if [ "$GUI" = 1 ]; then
 (
 echo "1"
- yumdownloader --destdir "$DOM0_UPDATES_DIR/packages" --installroot "$DOM0_UPDATES_DIR" $PKGLIST
+ yumdownloader --destdir "$DOM0_UPDATES_DIR/packages" --installroot "$DOM0_UPDATES_DIR" $OPTS $PKGLIST
 echo 100
 ) | zenity --progress --pulsate --auto-close --auto-kill \
 --text="Downloading updates for Dom0, please wait..." --title="Qubes Dom0 updates"
 else
- yumdownloader --destdir "$DOM0_UPDATES_DIR/packages" --installroot "$DOM0_UPDATES_DIR" $PKGLIST
+ yumdownloader --destdir "$DOM0_UPDATES_DIR/packages" --installroot "$DOM0_UPDATES_DIR" $OPTS $PKGLIST
 fi

-/usr/lib/qubes/qrexec_client_vm dom0 qubes.ReceiveUpdates /usr/lib/qubes/qfile-agent $DOM0_UPDATES_DIR/packages/*.rpm
+if ls $DOM0_UPDATES_DIR/packages/*.rpm > /dev/null 2>&1; then
+ /usr/lib/qubes/qrexec_client_vm dom0 qubes.ReceiveUpdates /usr/lib/qubes/qfile-agent $DOM0_UPDATES_DIR/packages/*.rpm
+else
+ echo "No packages downloaded"
+fi
From 1acbe95f64d1c1aae1060fc84bb5565e517d7883 Mon Sep 17 00:00:00 2001
From: Joanna Rutkowska
Date: Mon, 25 Jul 2011 15:29:37 +0200
Subject: [PATCH 02/11] version 1.6.12
---
 version_vm | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/version_vm b/version_vm
index 99c026b..9e7398a 100644
--- a/version_vm
+++ b/version_vm
@@ -1 +1 @@
-1.6.11
+1.6.12
From bcb4dfe0071738e9164c646acc167a5211fa092f Mon Sep 17 00:00:00 2001
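Review bot: The new `ls $DOM0_UPDATES_DIR/packages/*.rpm` test asks whether any RPM is in the directory, not whether this run downloaded one: nothing in the hunk empties `packages/` after `mkdir -p`, so unless it is cleaned elsewhere (not visible here) leftovers from an earlier run are re-sent to dom0 through qubes.ReceiveUpdates and the "No packages downloaded" branch never fires; clearing the directory before `yumdownloader` would make the check mean what the message says. Parsing `ls` for that test is also fragile; collecting the glob into a nullglob array (bash, which the `==` test below already assumes) gives a real emptiness check and passes the file list quoted, as in the excerpt. `$OPTS $PKGLIST` are deliberately unquoted on both `yumdownloader` lines because `PKGLIST` is a word list built from `$*`, but that also glob-expands any argument containing `*`; a short comment there would record the intent. `[ "$PKGS_FROM_CMDLINE" == 1 ]` is the only place using bash's `==` inside `[`; `[ "$PKGS_FROM_CMDLINE" = 1 ]` matches the `=` the rest of the script uses.
```shell
# … unchanged: yumdownloader branches …
shopt -s nullglob
rpms=("$DOM0_UPDATES_DIR"/packages/*.rpm)
if [ "${#rpms[@]}" -gt 0 ]; then
  /usr/lib/qubes/qrexec_client_vm dom0 qubes.ReceiveUpdates /usr/lib/qubes/qfile-agent "${rpms[@]}"
else
  echo "No packages downloaded"
fi
```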
From: Rafal Wojtczuk
Date: Fri, 29 Jul 2011 16:50:12 +0200
Subject: [PATCH 03/11] firewall: call iptables-restore once per domain (#311)
qubes.py now places rules for each domain in a separate key under /local/domain/fw_XID/qubes_iptables_domainrules/ plus the header in /local/domain/fw_XID/qubes_iptables_header. /local/domain/fw_XID/qubes_iptables is now just a trigger. So, if iptables-restore fails dues to e.g. error resolving a domain name in a rules for a domain, then only this domain will not get connectivity, others will work fine.
---
 proxyvm/bin/qubes_firewall | 40 ++++++++++++++++++++------------------
 1 file changed, 21 insertions(+), 19 deletions(-)
diff --git a/proxyvm/bin/qubes_firewall b/proxyvm/bin/qubes_firewall
index fbac295..13f5ba2 100755
--- a/proxyvm/bin/qubes_firewall
+++ b/proxyvm/bin/qubes_firewall
@@ -3,9 +3,9 @@ set -e

 PIDFILE=/var/run/qubes/qubes_firewall.pid
 XENSTORE_IPTABLES=qubes_iptables
+XENSTORE_IPTABLES_HEADER=qubes_iptables_header
 XENSTORE_ERROR=qubes_iptables_error
 OLD_RULES=""
-
 # PIDfile handling
 [[ -e $PIDFILE ]] && kill -s 0 $(<$PIDFILE) 2>/dev/null && exit 0
 echo $$ >$PIDFILE
@@ -13,24 +13,26 @@ echo $$ >$PIDFILE

 trap 'exit 0' SIGTERM
 while true; do
- RULES=$(/usr/bin/xenstore-read $XENSTORE_IPTABLES)
-
- if [[ "$RULES" != "$OLD_RULES" ]]; then
- IPTABLES_SAVE=$(/sbin/iptables-save | sed '/^\*filter/,/^COMMIT/d')
- OUT=`echo -e "$RULES\n$IPTABLES_SAVE" | /sbin/iptables-restore 2>&1 || :`
- /usr/bin/xenstore-write $XENSTORE_ERROR "$OUT"
- if [ "$OUT" ]; then
- DISPLAY=:0 /usr/bin/notify-send -t 3000 "Firewall loading error ($HOSTNAME)" "$OUT" || :
- fi
-
- if [[ -z "$OUT" ]]; then
- # If OK save it for later
- /sbin/service iptables save >/dev/null
- fi
-
- OLD_RULES="$RULES"
- fi
-
 # Wait for changes in xenstore file
 /usr/bin/xenstore-watch-qubes $XENSTORE_IPTABLES
+ TRIGGER=$(/usr/bin/xenstore-read $XENSTORE_IPTABLES)
+
+ if ! [ "$TRIGGER" = "reload" ]; then continue ; fi
+ RULES=$(/usr/bin/xenstore-read $XENSTORE_IPTABLES_HEADER)
+ IPTABLES_SAVE=$(/sbin/iptables-save | sed '/^\*filter/,/^COMMIT/d')
+ OUT=`echo -e "$RULES\n$IPTABLES_SAVE" | /sbin/iptables-restore 2>&1 || :`
+
+ for i in $(xenstore-list qubes_iptables_domainrules) ; do
+ RULES=$(/usr/bin/xenstore-read qubes_iptables_domainrules/"$i")
+ ERRS=`echo -e "$RULES" | /sbin/iptables-restore -n 2>&1 || :`
+ OUT="$OUT""$ERRS"
+ done
+ /usr/bin/xenstore-write $XENSTORE_ERROR "$OUT"
+ if [ "$OUT" ]; then
+ DISPLAY=:0 /usr/bin/notify-send -t 3000 "Firewall loading error ($HOSTNAME)" "$OUT" || :
+ fi
+ if [[ -z "$OUT" ]]; then
+ # If OK save it for later
+ /sbin/service iptables save >/dev/null
+ fi
 done
From 9b515d41d6c29446579dd7a97da599a477631d51 Mon Sep 17 00:00:00 2001
From: Joanna Rutkowska
Date: Sat, 30 Jul 2011 11:15:47 +0200
Subject: [PATCH 04/11] vm: Blacklist unnecessary packge updates
---
 rpm_spec/core-commonvm.spec | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/rpm_spec/core-commonvm.spec b/rpm_spec/core-commonvm.spec
index ad7b300..791ea7b 100644
--- a/rpm_spec/core-commonvm.spec
+++ b/rpm_spec/core-commonvm.spec
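Review bot: `xenstore-list qubes_iptables_domainrules` in the new `for` loop is the only xenstore call in the hunk resolved through `$PATH`; every other call spells out `/usr/bin/xenstore-read` or `/usr/bin/xenstore-write`, and for a root-run daemon the absolute `/usr/bin/xenstore-list` is both the consistent and the safer choice. The loop now waits in `xenstore-watch-qubes` before it reads anything, whereas the removed code applied the rules first and waited afterwards, so at daemon start nothing is loaded until a `reload` trigger arrives — fine if the watch fires once for the existing value (cannot be confirmed from the hunk), otherwise a `reload` written before the daemon was watching is lost and the proxy runs without its rules until the next change; a comment stating which of these holds would settle it. Per-domain errors are appended with `OUT="$OUT""$ERRS"`, so messages from several domains run together with no separator and nothing names the domain whose rules failed, although isolating failures per domain is the commit's stated purpose; `if [ -n "$ERRS" ]; then OUT="$OUT$i: $ERRS"$'\n'; fi` keeps the notification readable. With the `"$RULES" != "$OLD_RULES"` comparison gone, `OLD_RULES=""` kept in the previous hunk is dead and can be dropped.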
@@ -214,6 +214,9 @@ mkdir -p /rw
 #mv /etc/sysconfig/network-scripts/ifcfg-eth0 /etc/sysconfig/network-scripts/ifcfg-eth0.orig
 #grep -v HWADDR /etc/sysconfig/network-scripts/ifcfg-eth0.orig > /etc/sysconfig/network-scripts/ifcfg-eth0

+# Prevent unnecessary updates in VMs:
+echo 'exclude = kernel, xorg-*' >> yum.conf
+
 %preun
 if [ "$1" = 0 ] ; then
 # no more packages left
From 92f4e67eaaa297594bff4e0637fe5ef6bad1b3d0 Mon Sep 17 00:00:00 2001
From: Joanna Rutkowska
Date: Sat, 30 Jul 2011 11:21:50 +0200
Subject: [PATCH 05/11] version 1.6.13
---
 version_vm | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/version_vm b/version_vm
index 9e7398a..d4ca915 100644
--- a/version_vm
+++ b/version_vm
@@ -1 +1 @@
-1.6.12
+1.6.13
From 310c137f25f61fa835de9cc01348093c1757f2e1 Mon Sep 17 00:00:00 2001
From: Joanna Rutkowska
Date: Sat, 30 Jul 2011 11:30:21 +0200
Subject: [PATCH 06/11] vm: Fix modules blacklisting
---
 rpm_spec/core-commonvm.spec | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rpm_spec/core-commonvm.spec b/rpm_spec/core-commonvm.spec
index 791ea7b..e4518ed 100644
--- a/rpm_spec/core-commonvm.spec
+++ b/rpm_spec/core-commonvm.spec
@@ -215,7 +215,7 @@ mkdir -p /rw
 #grep -v HWADDR /etc/sysconfig/network-scripts/ifcfg-eth0.orig > /etc/sysconfig/network-scripts/ifcfg-eth0

 # Prevent unnecessary updates in VMs:
-echo 'exclude = kernel, xorg-*' >> yum.conf
+echo 'exclude = kernel, xorg-*' >> /etc/yum.conf

 %preun
 if [ "$1" = 0 ] ; then
From f92566a2c06ce4dc776307abe3e9bd6078452d49 Mon Sep 17 00:00:00 2001
From: Joanna Rutkowska
Date: Sat, 30 Jul 2011 11:31:20 +0200
Subject: [PATCH 07/11] version 1.6.14-vm
---
 version_vm | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/version_vm b/version_vm
index d4ca915..5577648 100644
--- a/version_vm
+++ b/version_vm
@@ -1 +1 @@
-1.6.13
+1.6.14
From 968308c55f6753c98ebc66994c1f88c5bde081d0 Mon Sep 17 00:00:00 2001
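Review bot: The added `echo 'exclude = kernel, xorg-*' >> yum.conf` appends unconditionally, so every reinstall or upgrade of this package adds another `exclude` line to the file; the same applies to the corrected `>> /etc/yum.conf` line in the PATCH 06 hunk, which fixes the path but not the repetition. A guard such as `grep -q '^exclude = kernel, xorg-\*' /etc/yum.conf || echo 'exclude = kernel, xorg-*' >> /etc/yum.conf` keeps the scriptlet idempotent (the scriptlet's own header is outside the hunk, so which one this is cannot be confirmed here). Appending at end of file also puts the option into whatever section is last in `yum.conf`; it is only honoured under `[main]`, so a comment stating that the file is assumed to contain only `[main]` would record the assumption for whoever later adds repo sections there.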
From: Rafal Wojtczuk
Date: Mon, 1 Aug 2011 15:06:01 +0200
Subject: [PATCH 08/11] qvm-prefs: allow on the fly netvm switch (#302)
When changing netvm of a running vm, detach/attach eth0. Some functionality of qubes_core_netvm thus is duplicated in setup_ip. REQUIRES http://git.qubes-os.org/?p=rafal/xen.git;a=commit;h=42c72e6173586a807f8f153391e2e57352d362b1
---
 common/setup_ip | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/common/setup_ip b/common/setup_ip
index 61f197c..79f389a 100755
--- a/common/setup_ip
+++ b/common/setup_ip
@@ -10,4 +10,14 @@ if [ x$ip != x ]; then
 /sbin/route add default dev $INTERFACE
 echo "nameserver $gateway" > /etc/resolv.conf
 echo "nameserver $secondary_dns" >> /etc/resolv.conf
+ network=$(/usr/bin/xenstore-read qubes_netvm_network 2>/dev/null)
+ if [ "x$network" != "x" ]; then
+ gateway=$(/usr/bin/xenstore-read qubes_netvm_gateway)
+ netmask=$(/usr/bin/xenstore-read qubes_netvm_netmask)
+ secondary_dns=$(/usr/bin/xenstore-read qubes_netvm_secondary_dns)
+ echo "NS1=$gateway" > /var/run/qubes/qubes_ns
+ echo "NS2=$secondary_dns" >> /var/run/qubes/qubes_ns
+ /usr/lib/qubes/qubes_setup_dnat_to_ns
+ fi
+
 fi
From a4491dac0835f72a585c732c53d58ea2ec2a6f87 Mon Sep 17 00:00:00 2001
From: Joanna Rutkowska
Date: Tue, 2 Aug 2011 17:15:41 +0200
Subject: [PATCH 09/11] version 1.6.18
Actually, also update version_vm, as qvm-prefs requires this for dynamic NetVM changing.
---
 version_vm | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/version_vm b/version_vm
index 5577648..7a9d793 100644
--- a/version_vm
+++ b/version_vm
@@ -1 +1 @@
-1.6.14
+1.6.18
From 5cbb38a2a92e93a1019f14d1f86524c8a61d608c Mon Sep 17 00:00:00 2001
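Review bot: The three new `xenstore-read` calls for `qubes_netvm_gateway`, `qubes_netvm_netmask` and `qubes_netvm_secondary_dns` have no error handling, unlike the `qubes_netvm_network` probe that guards them with `2>/dev/null`; a missing key yields an empty value that is still written into `/var/run/qubes/qubes_ns` and handed to `qubes_setup_dnat_to_ns`, so `|| exit 1` on each read (or a check that all three are non-empty) would fail loudly instead of installing DNAT rules with empty targets. The block reuses `gateway` and `secondary_dns`, which three lines up hold this VM's own resolver addresses written to `/etc/resolv.conf`, for the NetVM-side values; distinct names such as `netvm_gateway` would stop a reader assuming they are the same thing, and `netmask` is read but not used anywhere in the hunk. The commit message says this duplicates qubes_core_netvm; a comment on the `network=` line, `# duplicated from qubes_core_netvm: needed when eth0 is re-attached on a netvm change`, records that for whoever changes one without the other. The enclosing `if [ x$ip != x ]` starts outside the hunk.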
From: Rafal Wojtczuk
Date: Tue, 2 Aug 2011 19:27:45 +0200
Subject: [PATCH 10/11] setup_ip: turn off sg
Apparently vif frontend has broken sg implementation; we already worked around it in init.d script via ethtool; now do the same in setup_ip. It is relevant when attaching firewallvm to a different netvm on the fly.
---
 common/setup_ip | 1 +
 1 file changed, 1 insertion(+)
diff --git a/common/setup_ip b/common/setup_ip
index 79f389a..ad42cf4 100755
--- a/common/setup_ip
+++ b/common/setup_ip
@@ -8,6 +8,7 @@ if [ x$ip != x ]; then
 /sbin/ifconfig $INTERFACE $ip netmask 255.255.255.255
 /sbin/ifconfig $INTERFACE up
 /sbin/route add default dev $INTERFACE
+ /sbin/ethtool -K $INTERFACE sg off
 echo "nameserver $gateway" > /etc/resolv.conf
 echo "nameserver $secondary_dns" >> /etc/resolv.conf
 network=$(/usr/bin/xenstore-read qubes_netvm_network 2>/dev/null)
From d7afe01bd16190264c7dd6f65ec80d0b39770b7d Mon Sep 17 00:00:00 2001
From: Joanna Rutkowska
Date: Tue, 2 Aug 2011 19:37:41 +0200
Subject: [PATCH 11/11] version 1.6.19-vm
---
 version_vm | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/version_vm b/version_vm
index 7a9d793..e55f803 100644
--- a/version_vm
+++ b/version_vm
@@ -1 +1 @@
-1.6.18
+1.6.19
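Review bot: The new `/sbin/ethtool -K $INTERFACE sg off` line carries no comment, and the commit message is the only record that it is a workaround for the vif frontend's broken scatter-gather already applied in the init.d script; `# vif frontend has a broken sg implementation; mirrors the ethtool workaround in the init.d script, keep both in sync` next to it keeps the two in step. If the script runs under `set -e` (its header is outside the hunk), an ethtool failure — no `ethtool` binary, or a driver that does not expose the feature — would abort before `/etc/resolv.conf` is written and before the netvm block below runs; `/sbin/ethtool -K $INTERFACE sg off || :` keeps the workaround best-effort, as the `|| :` idiom elsewhere in this series does. The enclosing `if [ x$ip != x ]` starts outside the hunk.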