From b62665d63ca3cbe4e5b83b1565fcfeac37a4e446 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?=
Date: Tue, 27 Jan 2015 00:27:08 +0100
Subject: [PATCH] network: support for not setting DNS and/or default gateway

This patch introduces two new qvm-services:
- set-default-route
- set-dns-server

Both enabled by default. You can disable any of them to not set default route and/or DNS servers in the VM.
Those settings have no effect on NetVM, where such settings are controlled by NetworkManager.

This is based on patch sent by Joonas Lehtonen
https://groups.google.com/d/msgid/qubes-devel/54C39656.3090303%40openmailbox.org
---
 network/setup-ip | 32 +++++++++++++++++++++++---------
 vm-init.d/qubes-core | 2 ++
 vm-systemd/qubes-sysinit.sh | 9 +++++----
 3 files changed, 30 insertions(+), 13 deletions(-)

diff --git a/network/setup-ip b/network/setup-ip
index 03ac42f..08d2d5c 100755
--- a/network/setup-ip
+++ b/network/setup-ip
@@ -14,16 +14,22 @@ if [ x$ip != x ]; then
 /sbin/ifconfig $INTERFACE $ip netmask 255.255.255.255
 /sbin/ifconfig $INTERFACE up
 /sbin/route add -host $gateway dev $INTERFACE
- /sbin/route add default gw $gateway
+ if [ -f /var/run/qubes-service/set-default-route ]; then
+ /sbin/route add default gw $gateway
+ fi
 /sbin/ethtool -K $INTERFACE sg off
 /sbin/ethtool -K $INTERFACE tx off
- echo "nameserver $gateway" > /etc/resolv.conf
- echo "nameserver $secondary_dns" >> /etc/resolv.conf
+ echo > /etc/resolv.conf
+ if [ -f /var/run/qubes-service/set-dns-server ]; then
+ echo "nameserver $gateway" > /etc/resolv.conf
+ echo "nameserver $secondary_dns" >> /etc/resolv.conf
+ fi
 if [ -f /var/run/qubes-service/network-manager ]; then
- cat > /etc/NetworkManager/system-connections/qubes-uplink-$INTERFACE <<__EOF__
+ nm_config=/etc/NetworkManager/system-connections/qubes-uplink-$INTERFACE
+ cat > $nm_config <<__EOF__
 [802-3-ethernet]
 duplex=full
-
+
 [ethernet]
 mac-address=`ip l show dev $INTERFACE |grep link|awk '{print $2}'`
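Review bot: The new `[ -f /var/run/qubes-service/set-default-route ]` and `set-dns-server` tests make "enabled by default" depend on the flag file already existing at the moment setup-ip runs; if the uplink interface is brought up before qubes-sysinit.sh or the qubes-core init script has touched those files, the default route and the resolv.conf entries are silently skipped and nothing is logged. Either document the ordering dependency at the top of the block, `# requires /var/run/qubes-service to be populated (qubes-sysinit / qubes-core) before the uplink appears`, or log the skipped step, e.g. `logger -t qubes-setup-ip "set-default-route disabled, not adding default route"`, so a VM with no connectivity is diagnosable. Separately, `echo > /etc/resolv.conf` leaves a file containing a bare newline rather than an empty file; `: > /etc/resolv.conf` truncates and reads as the intent. The enclosing `if [ x$ip != x ]` block starts before this hunk and continues past it.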
@@ -37,20 +43,28 @@ method=ignore
 [ipv4]
 method=manual
-dns=$gateway;$secondary_dns
-address1=$ip/32,$gateway
 may-fail=false
 __EOF__
- chmod 600 /etc/NetworkManager/system-connections/qubes-uplink-$INTERFACE
+ if [ -f /var/run/qubes-service/set-dns-server ]; then
+ echo "dns=$gateway;$secondary_dns" >> $nm_config
+ fi
+ if [ -f /var/run/qubes-service/set-default-route ]; then
+ echo "address1=$ip/32,$gateway" >> $nm_config
+ else
+ echo "address1=$ip/32" >> $nm_config
+ fi
+ chmod 600 $nm_config
 fi
 network=$($XENSTORE_READ qubes-netvm-network 2>/dev/null)
- if [ "x$network" != "x" ]; then
+ if [ "x$network" != "x" ] && [ -f /var/run/qubes-service/set-dns-server ]; then
 gateway=$($XENSTORE_READ qubes-netvm-gateway)
 netmask=$($XENSTORE_READ qubes-netvm-netmask)
 secondary_dns=$($XENSTORE_READ qubes-netvm-secondary-dns)
 echo "NS1=$gateway" > /var/run/qubes/qubes-ns
 echo "NS2=$secondary_dns" >> /var/run/qubes/qubes-ns
 /usr/lib/qubes/qubes-setup-dnat-to-ns
+ fi
+ if [ "x$network" != "x" ]; then
 [ -x /rw/config/qubes-ip-change-hook ] && /rw/config/qubes-ip-change-hook
 # XXX: Backward compatibility
 [ -x /rw/config/qubes_ip_change_hook ] && /rw/config/qubes_ip_change_hook
diff --git a/vm-init.d/qubes-core b/vm-init.d/qubes-core
index 77a71bf..432979e 100755
--- a/vm-init.d/qubes-core
+++ b/vm-init.d/qubes-core
@@ -38,6 +38,8 @@ start()
 echo "ZONE=\"$timezone\"" >> /etc/sysconfig/clock
 fi
+ touch /var/run/qubes-service/set-default-route
+ touch /var/run/qubes-service/set-dns-server
 yum_proxy_setup=$(/usr/bin/xenstore-read qubes-service/yum-proxy-setup 2> /dev/null || /usr/bin/xenstore-read qubes-service/updates-proxy-setup 2>/dev/null )
 type=$(/usr/bin/xenstore-read qubes-vm-type)
 if [ "$yum_proxy_setup" != "0" ] || [ -z "$yum_proxy_setup" -a "$type" == "TemplateVM" ]; then
diff --git a/vm-systemd/qubes-sysinit.sh b/vm-systemd/qubes-sysinit.sh
index 54f7138..dac90d0 100755
--- a/vm-systemd/qubes-sysinit.sh
+++ b/vm-systemd/qubes-sysinit.sh
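Review bot: Adding `[ -f /var/run/qubes-service/set-dns-server ]` to the `qubes-netvm-network` condition ties this VM's own resolver setting to the DNS redirection it provides for downstream VMs, which are separate concerns. Disabling the service in a ProxyVM to keep its own resolv.conf empty now also skips rewriting /var/run/qubes/qubes-ns and running qubes-setup-dnat-to-ns, so client VMs that resolve via this VM's gateway address lose DNS, and if that helper is what flushes the DNAT rules (it is outside this hunk) rules from a previous uplink are left in place. If only the local resolver is meant, drop the second test and keep the DNAT block unconditional, `if [ "x$network" != "x" ]; then`; if the coupling is intended, record it, `# set-dns-server off also disables DNS DNAT for downstream VMs`. Separately, `cat > $nm_config` creates the keyfile under the process umask and only `chmod 600 $nm_config` afterwards; an `umask 077` before the `cat` closes that window. The enclosing network-manager block and the `if [ x$ip != x ]` block both start before this hunk.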
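Review bot: The two unconditional `touch` lines create the flag files regardless of the `qubes-service/set-default-route` and `qubes-service/set-dns-server` xenstore entries, so on the sysvinit path these services cannot be disabled by the user, while the systemd path in qubes-sysinit.sh does consult the entry and uses the DEFAULT_ENABLED lists only as a fallback. Unless an earlier part of start() (outside this hunk) already processes qubes-service/* entries generically, the touches should follow the pattern used for `yum_proxy_setup` two lines below and honour an explicit "0". The fence below shows one way to do that; `/usr/bin/xenstore-read` is the binary start() already uses.
```shell
    # … unchanged: timezone setup …
    # Default-enabled services: create the flag unless qvm-service set them to "0"
    for srv in set-default-route set-dns-server; do
        if [ "$(/usr/bin/xenstore-read qubes-service/$srv 2>/dev/null)" != "0" ]; then
            touch /var/run/qubes-service/$srv
        fi
    done
    # … unchanged: yum proxy setup …
```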
@@ -1,11 +1,12 @@
 #!/bin/bash
 # List of services enabled by default (in case of absence of xenstore entry)
-DEFAULT_ENABLED_NETVM="network-manager qubes-network qubes-update-check qubes-updates-proxy"
-DEFAULT_ENABLED_PROXYVM="meminfo-writer qubes-network qubes-firewall qubes-netwatcher qubes-update-check"
-DEFAULT_ENABLED_APPVM="meminfo-writer cups qubes-update-check"
+DEFAULT_ENABLED_ALL="set-default-route set-dns-server"
+DEFAULT_ENABLED_NETVM="$DEFAULT_ENABLED_ALL network-manager qubes-network qubes-update-check qubes-updates-proxy"
+DEFAULT_ENABLED_PROXYVM="$DEFAULT_ENABLED_ALL meminfo-writer qubes-network qubes-firewall qubes-netwatcher qubes-update-check"
+DEFAULT_ENABLED_APPVM="$DEFAULT_ENABLED_ALL meminfo-writer cups qubes-update-check"
 DEFAULT_ENABLED_TEMPLATEVM="$DEFAULT_ENABLED_APPVM updates-proxy-setup"
-DEFAULT_ENABLED="meminfo-writer"
+DEFAULT_ENABLED="$DEFAULT_ENABLED_ALL meminfo-writer"
 XS_READ=/usr/bin/xenstore-read
 [ -x /usr/sbin/xenstore-read ] && XS_READ=/usr/sbin/xenstore-read
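Review bot: `DEFAULT_ENABLED_ALL` is folded into `DEFAULT_ENABLED_NETVM` as well, although the commit message says the two services have no effect in a NetVM, and nothing in the file tells a later reader whether that is deliberate. A comment above the new variable would settle it, e.g. `# set-default-route / set-dns-server are read by network/setup-ip; in a NetVM NetworkManager owns routing and DNS, so they are no-ops there`. The same two defaults are also hard-wired in vm-init.d/qubes-core in this patch, so a second line, `# keep in sync with vm-init.d/qubes-core`, would help the two init paths stay aligned.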