From 6a551eba6756c87cdbb3940d63d4345d2f212ba5 Mon Sep 17 00:00:00 2001
From: Ben Grande
Date: Tue, 26 Dec 2023 19:46:35 +0100
Subject: [PATCH] refactor: pihole nft rules for Qubes 4.2

---
 .../files/server/dnsmasq.d/00-pihole.conf | 7 ++
 .../{flush.sh => 50-sys-pihole.sh} | 7 +-
 .../files/server/network-hooks.d/flush | 13 ---
 salt/sys-pihole/files/server/network/eth0 | 9 --
 .../server/qubes-firewall.d/50-sys-pihole | 29 +++++++
 .../qubes-firewall.d/50-sys-pihole-filter | 18 ----
 .../60-sys-pihole-internalise | 15 ----
 .../server/qubes-firewall.d/70-sys-pihole-nat | 18 ----
 salt/sys-pihole/install.sls | 83 ++++--------------
 9 files changed, 56 insertions(+), 143 deletions(-)
 create mode 100644 salt/sys-pihole/files/server/dnsmasq.d/00-pihole.conf
 rename salt/sys-pihole/files/server/network-hooks.d/{flush.sh => 50-sys-pihole.sh} (54%)
 delete mode 100644 salt/sys-pihole/files/server/network-hooks.d/flush
 delete mode 100644 salt/sys-pihole/files/server/network/eth0
 create mode 100644 salt/sys-pihole/files/server/qubes-firewall.d/50-sys-pihole
 delete mode 100644 salt/sys-pihole/files/server/qubes-firewall.d/50-sys-pihole-filter
 delete mode 100644 salt/sys-pihole/files/server/qubes-firewall.d/60-sys-pihole-internalise
 delete mode 100644 salt/sys-pihole/files/server/qubes-firewall.d/70-sys-pihole-nat

diff --git a/salt/sys-pihole/files/server/dnsmasq.d/00-pihole.conf b/salt/sys-pihole/files/server/dnsmasq.d/00-pihole.conf
new file mode 100644
index 0000000..89073f5
--- /dev/null
+++ b/salt/sys-pihole/files/server/dnsmasq.d/00-pihole.conf
@@ -0,0 +1,7 @@
+# SPDX-FileCopyrightText: 2023 unman
+#
+# SPDX-License-Identifier: AGPL-3.0-or-later
+# vim: ft=dnsmasq
+
+interface=lo
+bind-interfaces
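Review bot: `interface=lo` only keeps dnsmasq on loopback if no other fragment widens it — dnsmasq accumulates repeated `interface=` options, so a Pi-hole-generated `/etc/dnsmasq.d/01-pihole.conf` carrying its own `interface=` line would reopen a non-loopback listener despite `bind-interfaces`; worth confirming on a provisioned qube that the listening sockets are 127.0.0.1 and ::1 only. This fragment is also only read if `/etc/dnsmasq.conf` keeps `conf-dir=/etc/dnsmasq.d` (the old state prepended these two options to dnsmasq.conf itself), which the commit presumably relies on the Pi-hole installer to set. A one-line comment would make the intent durable, e.g. `# Listen on loopback only; client DNS reaches us via the DNAT-to-127.0.0.1 rule in qubes-firewall.d/50-sys-pihole`.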
diff --git a/salt/sys-pihole/files/server/network-hooks.d/flush.sh b/salt/sys-pihole/files/server/network-hooks.d/50-sys-pihole.sh
similarity index 54%
rename from salt/sys-pihole/files/server/network-hooks.d/flush.sh
rename to salt/sys-pihole/files/server/network-hooks.d/50-sys-pihole.sh
index 60fccf4..d06304a 100644
--- a/salt/sys-pihole/files/server/network-hooks.d/flush.sh
+++ b/salt/sys-pihole/files/server/network-hooks.d/50-sys-pihole.sh
@@ -7,4 +7,9 @@
 
 set -eu
 
-nft -f /rw/config/network-hooks.d/flush
+nft -f /rw/config/qubes-firewall.d/50-sys-pihole
+
+for vif in /proc/sys/net/ipv4/conf/vif*/route_localnet; do
+  test -w "${vif}" || continue
+  echo 1 | tee "${vif}" >/dev/null
+done
diff --git a/salt/sys-pihole/files/server/network-hooks.d/flush b/salt/sys-pihole/files/server/network-hooks.d/flush
deleted file mode 100644
index 837fcd1..0000000
--- a/salt/sys-pihole/files/server/network-hooks.d/flush
+++ /dev/null
@@ -1,13 +0,0 @@
-#!/usr/sbin/nft -f
-
-# SPDX-FileCopyrightText: 2022 - 2023 unman
-#
-# SPDX-License-Identifier: AGPL-3.0-or-later
-
-flush chain ip qubes dnat-dns
-flush chain ip6 qubes dnat-dns
-
-insert rule ip qubes dnat-dns iifname "vif*" tcp dport 53 dnat to 127.0.0.1
-insert rule ip qubes dnat-dns iifname "vif*" udp dport 53 dnat to 127.0.0.1
-insert rule ip6 qubes dnat-dns iifname "vif*" tcp dport 53 dnat to 127.0.0.1
-insert rule ip6 qubes dnat-dns iifname "vif*" udp dport 53 dnat to 127.0.0.1
diff --git a/salt/sys-pihole/files/server/network/eth0 b/salt/sys-pihole/files/server/network/eth0
deleted file mode 100644
index 0dae8f1..0000000
--- a/salt/sys-pihole/files/server/network/eth0
+++ /dev/null
@@ -1,9 +0,0 @@
-# SPDX-FileCopyrightText: 2022 - 2023 unman
-#
-# SPDX-License-Identifier: AGPL-3.0-or-later
-
-auto eth0
-iface eth0 inet static
-address
-netmask 255.0.0.0
-gateway
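Review bot: Enabling `route_localnet` on every vif makes the whole 127.0.0.0/8 range routable from client qubes, not only the DNS DNAT target, so what a client can actually reach on loopback is bounded solely by the input chain — the nft file loaded on the `nft -f` line above accepts just `dport 53` from `vif*` in `custom-input`, and that coupling deserves a comment since either file can be edited on its own, e.g. `# route_localnet makes 127.0.0.0/8 reachable from vifs; custom-input in 50-sys-pihole must stay limited to dport 53`. With `set -eu` a failing `nft -f` aborts the hook before the sysctl loop, which is the safe order (no localnet routing without the DNS-only accept rules) and is worth stating in the same comment. Style: `echo 1 | tee "${vif}" >/dev/null` can simply be `echo 1 > "${vif}"`, since the hook already runs as root. The shebang and header of this script are outside the hunk.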
diff --git a/salt/sys-pihole/files/server/qubes-firewall.d/50-sys-pihole b/salt/sys-pihole/files/server/qubes-firewall.d/50-sys-pihole
new file mode 100644
index 0000000..417900d
--- /dev/null
+++ b/salt/sys-pihole/files/server/qubes-firewall.d/50-sys-pihole
@@ -0,0 +1,29 @@
+#!/usr/sbin/nft -f
+# vim: ft=nftables
+# SPDX-FileCopyrightText: 2022 - 2023 unman
+# SPDX-FileCopyrightText: 2023 Benjamin Grande M. S.
+#
+# SPDX-License-Identifier: AGPL-3.0-or-later
+
+add chain ip6 qubes dnat-dns { type nat hook prerouting priority dstnat; policy accept; }
+
+flush chain ip qubes dnat-dns
+flush chain ip6 qubes dnat-dns
+insert rule ip qubes dnat-dns iifname "vif*" tcp dport 53 dnat to 127.0.0.1
+insert rule ip qubes dnat-dns iifname "vif*" udp dport 53 dnat to 127.0.0.1
+insert rule ip6 qubes dnat-dns iifname "vif*" tcp dport 53 dnat to ::1
+insert rule ip6 qubes dnat-dns iifname "vif*" udp dport 53 dnat to ::1
+
+flush chain ip qubes custom-forward
+flush chain ip6 qubes custom-forward
+insert rule ip qubes custom-forward tcp dport 53 drop
+insert rule ip qubes custom-forward udp dport 53 drop
+insert rule ip6 qubes custom-forward tcp dport 53 drop
+insert rule ip6 qubes custom-forward udp dport 53 drop
+
+flush chain ip qubes custom-input
+flush chain ip6 qubes custom-input
+insert rule ip qubes custom-input iifname "vif*" tcp dport 53 accept
+insert rule ip qubes custom-input iifname "vif*" udp dport 53 accept
+insert rule ip6 qubes custom-input iifname "vif*" tcp dport 53 accept
+insert rule ip6 qubes custom-input iifname "vif*" udp dport 53 accept
diff --git a/salt/sys-pihole/files/server/qubes-firewall.d/50-sys-pihole-filter b/salt/sys-pihole/files/server/qubes-firewall.d/50-sys-pihole-filter
deleted file mode 100644
index faea35f..0000000
--- a/salt/sys-pihole/files/server/qubes-firewall.d/50-sys-pihole-filter
+++ /dev/null
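Review bot: The two `dnat to ::1` rules have no IPv6 counterpart to the `route_localnet` sysctl that 50-sys-pihole.sh enables for IPv4 — the kernel offers no such knob for IPv6 and, as far as I know, discards a loopback destination that arrives on a non-loopback interface — so the ip6 DNAT likely never reaches dnsmasq and client IPv6 DNS just ends in the `custom-forward` drop; confirm on a 4.2 netvm with an IPv6-enabled vif, and if so either remove the ip6 DNAT pair or redirect to an address dnsmasq can bind on the vif side. `flush chain ip qubes custom-forward` and the matching `custom-input`/ip6 flushes discard whatever other qubes-firewall.d scripts or the user placed in those chains, which Qubes 4.2 sets aside precisely for local additions; deleting only this file's own rules, or keeping them in a dedicated chain that these chains jump to, would avoid silently removing a neighbour's rules. A header comment should state that this file is run both as a qubes-firewall.d script and via `nft -f` from network-hooks.d/50-sys-pihole.sh, and that the `custom-input` accepts exist because the DNAT turns forwarded vif DNS into local input for the netvm.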
@@ -1,18 +0,0 @@
-#!/bin/sh
-
-# SPDX-FileCopyrightText: 2022 - 2023 unman
-# SPDX-FileCopyrightText: 2023 Benjamin Grande M. S.
-#
-# SPDX-License-Identifier: AGPL-3.0-or-later
-
-set -eu
-
-nft insert rule ip qubes custom-forward tcp dport 53 drop
-nft insert rule ip qubes custom-forward udp dport 53 drop
-
-## TODO: Is this working?
-handle="$(nft -a list table qubes |
-  awk 'BEGIN{c0} /related,established/{c++; if (c==1) print $NF}')"
-
-nft add rule ip qubes custom-input position "$handle" iifname "vif*" tcp dport 53 accept
-nft add rule ip qubes custom-input position "$handle" iifname "vif*" udp dport 53 accept
diff --git a/salt/sys-pihole/files/server/qubes-firewall.d/60-sys-pihole-internalise b/salt/sys-pihole/files/server/qubes-firewall.d/60-sys-pihole-internalise
deleted file mode 100644
index 27fdf57..0000000
--- a/salt/sys-pihole/files/server/qubes-firewall.d/60-sys-pihole-internalise
+++ /dev/null
@@ -1,15 +0,0 @@
-#!/bin/sh
-
-# SPDX-FileCopyrightText: 2022 - 2023 unman
-# SPDX-FileCopyrightText: 2023 Benjamin Grande M. S.
-#
-# SPDX-License-Identifier: AGPL-3.0-or-later
-
-set -eu
-
-for vif in /proc/sys/net/ipv4/conf/vif*; do
-  test -d "${vif}" || continue
-  test -f "${vif}/route_localnet" || continue
-  test -w "${vif}/route_localnet" || continue
-  echo 1 | tee "${vif}/route_localnet"
-done
diff --git a/salt/sys-pihole/files/server/qubes-firewall.d/70-sys-pihole-nat b/salt/sys-pihole/files/server/qubes-firewall.d/70-sys-pihole-nat
deleted file mode 100644
index 6a7ba52..0000000
--- a/salt/sys-pihole/files/server/qubes-firewall.d/70-sys-pihole-nat
+++ /dev/null
@@ -1,18 +0,0 @@
-#!/usr/sbin/nft -f
-
-# SPDX-FileCopyrightText: 2022 - 2023 unman
-# SPDX-FileCopyrightText: 2023 Benjamin Grande M. S.
-#
-# SPDX-License-Identifier: AGPL-3.0-or-later
-
-#flush chain nat PR-QBS
-#insert rule nat PR-QBS iifname "vif*" tcp dport 53 dnat to 127.0.0.1
-#insert rule nat PR-QBS iifname "vif*" udp dport 53 dnat to 127.0.0.1
-
-flush chain ip qubes dnat-dns
-flush chain ip6 qubes dnat-dns
-
-insert rule ip qubes dnat-dns iifname "vif*" tcp dport 53 dnat to 127.0.0.1
-insert rule ip qubes dnat-dns iifname "vif*" udp dport 53 dnat to 127.0.0.1
-insert rule ip6 qubes dnat-dns iifname "vif*" tcp dport 53 dnat to 127.0.0.1
-insert rule ip6 qubes dnat-dns iifname "vif*" udp dport 53 dnat to 127.0.0.1
diff --git a/salt/sys-pihole/install.sls b/salt/sys-pihole/install.sls
index ffd0fc0..29bd530 100644
--- a/salt/sys-pihole/install.sls
+++ b/salt/sys-pihole/install.sls
@@ -12,37 +12,6 @@ SPDX-License-Identifier: AGPL-3.0-or-later
 include:
   - dotfiles.copy-x11
 
-{% set qubes_ip = salt['cmd.shell']('qubesdb-read /qubes-ip') %}
-{% set qubes_gateway = salt['cmd.shell']('qubesdb-read /qubes-gateway') %}
-
-"{{ slsdotpath }}-set-eth0-interface":
-  file.managed:
-    - name: /etc/network/interfaces.d/eth0
-    - source: salt://{{ slsdotpath }}/files/server/network/eth0
-    - mode: '0644'
-    - user: root
-    - group: root
-    - makedirs: True
-
-"{{ slsdotpath }}-set-ip":
-  file.line:
-    - name: /etc/network/interfaces.d/eth0
-    - match: address
-    - mode: replace
-    - content: "address {{ qubes_ip }}"
-
-"{{ slsdotpath }}-set-gateway":
-  file.line:
-    - name: /etc/network/interfaces.d/eth0
-    - match: gateway
-    - mode: replace
-    - content: "gateway {{ qubes_gateway }}"
-
-"{{ slsdotpath }}-restart-networking":
-  cmd.run:
-    - name: systemctl restart networking
-    - runas: root
-
 "{{ slsdotpath }}-updated":
   pkg.uptodate:
     - refresh: True
@@ -71,6 +40,7 @@ include:
       - php-sqlite3
       - php-xml
       - unzip
+      - bash-completion
 
 "{{ slsdotpath }}-disable-external-admin-interface":
   file.managed:
@@ -152,57 +122,32 @@ include:
     - cwd: '/root/pi-hole/automated install'
     - runas: root
 
-"{{ slsdotpath }}-firewall-nat":
+"{{ slsdotpath }}-firewall":
   file.managed:
-    - name: /rw/config/qubes-firewall.d/70-sys-pihole-nat
-    - source: salt://{{ slsdotpath }}/files/server/qubes-firewall.d/70-sys-pihole-nat
+    - name: /rw/config/qubes-firewall.d/50-sys-pihole
+    - source: salt://{{ slsdotpath }}/files/server/qubes-firewall.d/50-sys-pihole
     - mode: '0755'
     - user: root
     - group: root
     - makedirs: True
 
-"{{ slsdotpath }}-firewall-filter":
+"{{ slsdotpath }}-network-hooks":
   file.managed:
-    - name: /rw/config/qubes-firewall.d/50-sys-pihole-filter
-    - source: salt://{{ slsdotpath }}/files/server/qubes-firewall.d/50-sys-pihole-filter
-    - mode: '0755'
-    - user: root
-    - group: root
-    - makedirs: True
-
-"{{ slsdotpath }}-firewall-internalise":
-  file.managed:
-    - name: /rw/config/network-hooks.d/60-sys-pihole-internalise
-    - source: salt://{{ slsdotpath }}/files/server/qubes-firewall.d/60-sys-pihole-internalise
-    - mode: '0755'
-    - user: root
-    - group: root
-    - makedirs: True
-
-"{{ slsdotpath }}-firewall-flush":
-  file.managed:
-    - name: /rw/config/network-hooks.d/flush.sh
-    - source: salt://{{ slsdotpath }}/files/server/network-hooks.d/flush.sh
-    - mode: '0755'
-    - user: root
-    - group: root
-    - makedirs: True
-
-"{{ slsdotpath }}-firewall-flush-rules":
-  file.managed:
-    - name: /rw/config/network-hooks.d/flush
-    - source: salt://{{ slsdotpath }}/files/server/network-hooks.d/flush
+    - name: /rw/config/network-hooks.d/50-sys-pihole.sh
+    - source: salt://{{ slsdotpath }}/files/server/network-hooks.d/50-sys-pihole.sh
     - mode: '0755'
     - user: root
     - group: root
     - makedirs: True
 
 "{{ slsdotpath }}-dnsmasq":
-  file.prepend:
-    - name: /etc/dnsmasq.conf
-    - text:
-      - interface=lo
-      - bind-interfaces
+  file.managed:
+    - name: /etc/dnsmasq.d/00-pihole.conf
+    - source: salt://{{ slsdotpath }}/files/server/dnsmasq.d/00-pihole.conf
+    - mode: '0644'
+    - user: root
+    - group: root
+    - makedirs: True
 
 "{{ slsdotpath }}-desktop-application-browser":
   file.managed:
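Review bot: Nothing removes the files the dropped states installed, so a qube provisioned before this change keeps `/rw/config/qubes-firewall.d/70-sys-pihole-nat`, `/rw/config/qubes-firewall.d/50-sys-pihole-filter`, `/rw/config/network-hooks.d/60-sys-pihole-internalise`, `/rw/config/network-hooks.d/flush.sh` and `/rw/config/network-hooks.d/flush` next to the new `50-sys-pihole` files, and those stale scripts still execute on firewall reload and vif attach (`flush.sh` even re-applies the old 127.0.0.1 ip6 DNAT over the new `::1` one). The same gap applies to the `-12,37` hunk, which stops managing `/etc/network/interfaces.d/eth0` without deleting the static-address file it wrote, and to the two lines the old `file.prepend` left in `/etc/dnsmasq.conf` (harmless duplicates of the new fragment). Adding `file.absent` states ahead of the new `file.managed` ones, as below, makes the refactor converge on upgraded qubes as well as fresh ones; whether the eth0 file is still read under 4.2 networking I can't tell from here, so keep that entry only if it is.
```yaml
{% for stale in [
  '/rw/config/qubes-firewall.d/70-sys-pihole-nat',
  '/rw/config/qubes-firewall.d/50-sys-pihole-filter',
  '/rw/config/network-hooks.d/60-sys-pihole-internalise',
  '/rw/config/network-hooks.d/flush.sh',
  '/rw/config/network-hooks.d/flush',
  '/etc/network/interfaces.d/eth0',
] %}
"{{ slsdotpath }}-remove-stale-{{ loop.index }}":
  file.absent:
    - name: {{ stale }}
{% endfor %}

"{{ slsdotpath }}-firewall":
  file.managed:
# … unchanged: 50-sys-pihole, 50-sys-pihole.sh and dnsmasq file.managed states …
```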