From 84e54147af294e66e58ed6af0c015b2f4ecf30b3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fr=C3=A9d=C3=A9ric=20Pierret=20=28fepitre=29?= Date: Thu, 30 May 2019 15:57:00 +0200 Subject: [PATCH 1/2] Add doc for Qubes network hooks --- user/advanced-configuration/config-files.md | 23 +++++++++++++++++++++ 1 file changed, 23 insertions(+) diff --git a/user/advanced-configuration/config-files.md b/user/advanced-configuration/config-files.md index bcb53f5d..ff0d57ce 100644 --- a/user/advanced-configuration/config-files.md +++ b/user/advanced-configuration/config-files.md @@ -44,6 +44,29 @@ The scripts here all run as root. The file is used only in a VM with PCI devices attached. Intended for use with problematic device drivers. +- `/rw/config/network-hooks.d` - folder of scripts to be ran when configuring Qubes interfaces. For each script, the `command`, `vif`, `vif_type` and `ip` is passed as arguments (see `/etc/xen/scripts/vif-route-qubes`). For example, consider an PV AppVM `work` with IP `10.137.0.100` and `sys-firewall` as NetVM. Assuming it's Xen domain id is arbitrary `12` then, the following script located at `/rw/config/network-hooks.d/hook-100.sh` in `sys-firewall`: + ~~~ + #!/bin/bash + + command="$1" + vif="$2" + vif_type="$3" + ip="$4" + + if [ "$ip" == '10.137.0.100' ]; then + case "$command" in + online) + ip route add 192.168.0.100 via 10.137.0.100 + ;; + offline) + ip route del 192.168.0.100 + ;; + esac + fi + ~~~ + + will be executed with arguments `online vif12.0 vif 10.137.0.100` when starting `work`. Please note that in case of HVM, the vif type is `vif_ioemu`. + Note that scripts need to be executable (chmod +x) to be used. Also, take a look at [bind-dirs](/doc/bind-dirs) for instructions on how to easily modify arbitrary system files in an AppVM and have those changes persist. From 40f7c883d735ce0c605e51d593c8b93ad72404da Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Fr=C3=A9d=C3=A9ric=20Pierret=20=28fepitre=29?= Date: Thu, 30 May 2019 16:58:46 +0200 Subject: [PATCH 2/2] network-hooks: clarify the context in which it's executed and give more details for HVM From Marek's comment: https://github.com/QubesOS/qubes-doc/pull/824#pullrequestreview-243813651 --- user/advanced-configuration/config-files.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/user/advanced-configuration/config-files.md b/user/advanced-configuration/config-files.md index ff0d57ce..ab43d6cd 100644 --- a/user/advanced-configuration/config-files.md +++ b/user/advanced-configuration/config-files.md @@ -44,7 +44,7 @@ The scripts here all run as root. The file is used only in a VM with PCI devices attached. Intended for use with problematic device drivers. -- `/rw/config/network-hooks.d` - folder of scripts to be ran when configuring Qubes interfaces. For each script, the `command`, `vif`, `vif_type` and `ip` is passed as arguments (see `/etc/xen/scripts/vif-route-qubes`). For example, consider an PV AppVM `work` with IP `10.137.0.100` and `sys-firewall` as NetVM. Assuming it's Xen domain id is arbitrary `12` then, the following script located at `/rw/config/network-hooks.d/hook-100.sh` in `sys-firewall`: +- In NetVMs/ProxyVMs, scripts placed in `/rw/config/network-hooks.d` will be ran when configuring Qubes interfaces. For each script, the `command`, `vif`, `vif_type` and `ip` is passed as arguments (see `/etc/xen/scripts/vif-route-qubes`). For example, consider an PV AppVM `work` with IP `10.137.0.100` and `sys-firewall` as NetVM. Assuming it's Xen domain id is arbitrary `12` then, the following script located at `/rw/config/network-hooks.d/hook-100.sh` in `sys-firewall`: ~~~ #!/bin/bash 
@@ -65,7 +65,7 @@ The scripts here all run as root. fi ~~~ - will be executed with arguments `online vif12.0 vif 10.137.0.100` when starting `work`. Please note that in case of HVM, the vif type is `vif_ioemu`. + will be executed with arguments `online vif12.0 vif 10.137.0.100` when starting `work`. Please note that in case of HVM, the script will be called twice - once with vif_type `vif`, then with vif_type `vif_ioemu` (and different interface names). As long as the ioemu interface exists, it should be preferred (up to the hook script). When VM decide to use PV interface (vif_type `vif`), the ioemu one will be unplugged. Note that scripts need to be executable (chmod +x) to be used.
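Review bot: In the first patch's hunk at `@@ -44,6 +44,29`, the new bullet has several grammar slips that should be fixed before merge: "to be ran" should read "to be run", "the `command`, `vif`, `vif_type` and `ip` is passed" should be "are passed", "an PV AppVM" should be "a PV AppVM", and "Assuming it's Xen domain id is arbitrary `12`" should be "Assuming its Xen domain id is, say, `12`". On substance, the text should say explicitly that every script in `/rw/config/network-hooks.d` is invoked for every interface event of every attached VM and is expected to filter on its own arguments, as the example does with `if [ "$ip" == '10.137.0.100' ]`; the `hook-100.sh` name plays no role in that selection, and since these scripts run as root in the NetVM a hook that forgets the check applies to all downstream VMs.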
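Review bot: In the second patch's hunk at `@@ -44,7 +44,7`, the reworded opening ("In NetVMs/ProxyVMs, scripts placed in `/rw/config/network-hooks.d` will be ran ...") is a good scoping fix but still carries the original grammar issues: "will be ran" should be "will be run", "is passed as arguments" should be "are passed as arguments", "an PV AppVM" should be "a PV AppVM", and "it's Xen domain id is arbitrary `12`" should be "its Xen domain id is, say, `12`". Suggest folding these into this line since it is being touched anyway.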
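Review bot: In the second patch's hunk at `@@ -65,7 +65,7`, the new HVM paragraph means the documented example hook is no longer idempotent: with the script "called twice - once with vif_type `vif`, then with vif_type `vif_ioemu`", the `online` branch runs `ip route add 192.168.0.100 via 10.137.0.100` a second time, which fails with "File exists" on the second call. Either the example should use `ip route replace`, or the paragraph should tell the reader that hooks must tolerate being invoked once per interface type and should branch on `vif_type` when they care which one is active. Also "When VM decide to use PV interface" should read "When the VM decides to use the PV interface", and it would help to state how a hook can tell that the ioemu interface still exists, since "it should be preferred (up to the hook script)" leaves that to the reader.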