diff --git a/pihole.spec b/pihole.spec
index 10760f8..31d6870 100644
--- a/pihole.spec
+++ b/pihole.spec
@@ -14,10 +14,8 @@ The package will create a new standalone qube, sys-pihole. It is a drop in replacement for sys-firewall. Sys-pihole is attached to sys-net. If you have sys-firewall as the default netvm, this will be changed to sys-pihole.
+The installation will try to move all qubes with netvm of sys-firewall to sys-iphole. sys-firewall will *not* be removed, so you can still use it for some qubes if you want.
-To use sys-pihole simply change the netvm.
-If you want to change all your qubes from sys-firewall to sys-pihole, a script is provided:
-Run `sudo /srv/salt/pihole/change_netvm.sh` . If you want to use Tor, then you should reconfigure your system like this: qubes -> sys-pihole ->Tor-gateway -> sys-firewall -> sys-net
@@ -49,7 +47,7 @@ cp -rv %{SOURCE0}/ %{buildroot}/srv/salt
 if [ $1 -eq 1 ]; then
 qubesctl state.apply pihole.create
 qubesctl --skip-dom0 --targets=sys-pihole state.apply pihole.install
- if [[ $(qubes-prefs default_netvm sys-firewall |grep sys-firewall ) ]]; then qubes-prefs default_netvm sys-pihole; fi
+ /srv/salt/pihole/change_netvm.sh
 fi
 %preun
diff --git a/pihole/change_netvm.sh b/pihole/change_netvm.sh
old mode 100644
new mode 100755
index 770aff1..9f8f032
--- a/pihole/change_netvm.sh
+++ b/pihole/change_netvm.sh
@@ -1,7 +1,10 @@
 #!/usr/bin/bash
-qvm-start sys-pihole
-if [ $(qubes-prefs default_netvm sys-firewall |grep sys-firewall ) ]; then qubes-prefs default_netvm sys-pihole; fi
-sleep 3
-for i in `qvm-ls -O NAME,NETVM | awk '/ sys-firewall/{ print $1 }'`; do qvm-prefs $i netvm sys-pihole; done
-
+qvm-start sys-pihole && sleep 5
+if [ $(qubes-prefs default_netvm sys-firewall |grep sys-firewall ) ]; then
+ qubes-prefs default_netvm sys-pihole
+fi
+for i in $(qvm-ls -ONAME,NETVM |awk '/ sys-firewall/{print $1} ')
+do
+ qvm-prefs $i netvm sys-pihole
+done
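Review bot: The added description line spells the new qube `sys-iphole` while the package creates `sys-pihole`, so it should read `The installation will try to move all qubes with netvm of sys-firewall to sys-pihole.` Since the %post hunk below now re-homes every qube behind sys-firewall without asking, and only on first install (`$1 -eq 1`), it would also help to say here that this happens once at install time and that re-running `/srv/salt/pihole/change_netvm.sh` is the way to repeat it.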
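Review bot: The new `/srv/salt/pihole/change_netvm.sh` call in %post ignores the script's exit status, and the script itself (its hunk is below) keeps going after a failed `qvm-start`, so a sys-pihole that does not boot can still leave the install "successful" with every qube pointed at a netvm that is not running. A failing %post aborts the transaction, so the safer shape is to report and continue: `if ! /srv/salt/pihole/change_netvm.sh; then echo "warning: could not switch netvms to sys-pihole; run /srv/salt/pihole/change_netvm.sh manually" >&2; fi`. Note that this replaces a one-line default_netvm check with a script that rewrites the netvm of every qube currently behind sys-firewall, a much larger side effect for a package scriptlet; the %post label itself is outside the hunk.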
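Review bot: The rewritten condition `if [ $(qubes-prefs default_netvm sys-firewall |grep sys-firewall ) ]; then` passes a value to qubes-prefs, and in the `qubes-prefs property value` form that sets default_netvm to sys-firewall and prints nothing, so grep never matches, the branch never runs, and the script silently forces default_netvm back to sys-firewall as a side effect. Read the property with no value instead: `if [ "$(qubes-prefs default_netvm)" = "sys-firewall" ]; then`. Separately, `qvm-start sys-pihole && sleep 5` only skips the sleep when the start fails; the loop still re-homes every qube to a netvm that is not running, so the script should abort on a failed start (`--skip-if-running`, where your qvm-start supports it, keeps a second run from failing because the qube is already up). The combined fix is shown below; the for loop is unchanged.
```shell
#!/usr/bin/bash
set -eu
# Do not re-home anything unless the new netvm is actually up.
qvm-start --skip-if-running sys-pihole || { echo "sys-pihole failed to start; netvms left unchanged" >&2; exit 1; }
sleep 5
# qubes-prefs with a value argument *sets* the property; read it with no value.
if [ "$(qubes-prefs default_netvm)" = "sys-firewall" ]; then
    qubes-prefs default_netvm sys-pihole
fi
# … unchanged: loop re-homing each qube whose NETVM column is sys-firewall …
```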
diff --git a/pihole/flush b/pihole/flush
new file mode 100644
index 0000000..2ece853
--- /dev/null
+++ b/pihole/flush
@@ -0,0 +1,4 @@
+#!/usr/sbin/nft -f
+flush chain nat PR-QBS
+insert rule nat PR-QBS iifname "vif*" tcp dport 53 dnat to 127.0.0.1
+insert rule nat PR-QBS iifname "vif*" udp dport 53 dnat to 127.0.0.1
diff --git a/pihole/flush.sh b/pihole/flush.sh
new file mode 100644
index 0000000..d6de5e8
--- /dev/null
+++ b/pihole/flush.sh
@@ -0,0 +1,2 @@
+#!/bin/sh
+nft -f /rw/config/network-hooks.d/flush
diff --git a/pihole/install.sls b/pihole/install.sls
index 6acb715..d379166 100644
--- a/pihole/install.sls
+++ b/pihole/install.sls
@@ -90,7 +90,7 @@ Pihole-setup:
 /rw/config/qubes-firewall-user-script:
 file.append:
- text:
+ - text:
 - nft flush chain nat PR-QBS
 - nft insert rule nat PR-QBS iifname "vif*" tcp dport 53 dnat to 127.0.0.1
 - nft insert rule nat PR-QBS iifname "vif*" udp dport 53 dnat to 127.0.0.1
@@ -113,6 +113,24 @@ Pihole-setup:
 - makedirs: True
 - mode: 755
+/rw/config/network-hooks.d/flush.sh:
+ file.managed:
+ - source:
+ - salt://pihole/flush.sh
+ - user: root
+ - group: root
+ - makedirs: True
+ - mode: 755
+
+/rw/config/network-hooks.d/flush:
+ file.managed:
+ - source:
+ - salt://pihole/flush
+ - user: root
+ - group: root
+ - makedirs: True
+ - mode: 755
+
 /etc/dnsmasq.conf:
 file.prepend:
 - text:
diff --git a/pihole/internalise.sh b/pihole/internalise.sh
index 0c49c78..cc17a29 100644
--- a/pihole/internalise.sh
+++ b/pihole/internalise.sh
@@ -1,3 +1,2 @@
 #!/bin/sh
-/rw/config/qubes-firewall-user-script
 find /proc/sys/net/ipv4/conf -name "vif*" -exec bash -c 'echo 1 | sudo tee {}/route_localnet' \;
diff --git a/pihole/update_nft.sh b/pihole/update_nft.sh
index e9a26c3..ea6b1c9 100644
--- a/pihole/update_nft.sh
+++ b/pihole/update_nft.sh
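Review bot: The new `flush chain nat PR-QBS` line discards whatever Qubes itself put in its DNS-redirect chain before the two loopback DNATs are inserted, and a DNAT to 127.0.0.1 from a vif only works because of two things that live in other files: internalise.sh sets `route_localnet=1` on every `vif*` interface and update_nft.sh opens INPUT `dport 53` from `vif*`. None of that is visible from this four-line script, so a header comment would save the next reader, e.g. `# Replaces the Qubes PR-QBS DNS redirect with one to the local pihole; needs route_localnet=1 on vif* (internalise.sh) and the INPUT dport 53 accept (update_nft.sh).` Only plain DNS on port 53 is redirected here; a downstream qube using DoT or DoH is not affected by these rules.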
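Review bot: The three nft lines appended to `/rw/config/qubes-firewall-user-script` are the same rules that the new `flush` file carries, so the two copies will drift the first time one is edited. Since this same state already installs `/rw/config/network-hooks.d/flush`, the append could be reduced to one line, `- nft -f /rw/config/network-hooks.d/flush`, in place of the three `- nft …` items, keeping a single source of truth for the PR-QBS rules. The enclosing `Pihole-setup` state begins outside the hunk.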
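Review bot: Both new stanzas install into `/rw/config/network-hooks.d/` with `mode: 755`, and `flush` carries a `#!/usr/sbin/nft -f` shebang, so if that directory's entries are executed by the Qubes network hook (as the name suggests; I cannot confirm that from here) the rules get applied twice per event, once directly and once through flush.sh. If flush.sh is meant to be the single entry point, ship `flush` as data with `- mode: 644` so only one hook runs; if `flush` is meant to run on its own, flush.sh is redundant. The `Pihole-setup` state this belongs to starts and ends outside the hunk.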
@@ -1,10 +1,12 @@
-cat /rw/config/qubes-firewall.d/update_nft.sh
 #!/bin/sh
 get_handle(){
 local my_handle=$( nft -a list table $1|awk 'BEGIN{c0} /related,established/{c++; if (c==1) print $NF}' )
 echo $my_handle
 }
+nft insert rule filter FORWARD tcp dport 53 drop
+nft insert rule filter FORWARD udp dport 53 drop
+
 handle=$(get_handle filter)
 nft add rule filter INPUT position $handle iifname "vif*" tcp dport 53 accept
 nft add rule filter INPUT position $handle iifname "vif*" udp dport 53 accept
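Review bot: The two added `nft insert rule filter FORWARD … dport 53 drop` lines are not idempotent: every run of this script inserts two more identical rules at the head of FORWARD (and the existing INPUT accepts below have the same property), and if qubes-firewall.d scripts are re-run on each firewall reload, as their location suggests, the chain accumulates duplicates. A guard such as `nft list chain filter FORWARD | grep -q 'tcp dport 53 drop' || nft insert rule filter FORWARD tcp dport 53 drop` (and the udp twin) keeps one copy. The drop only closes the plain-DNS bypass; a downstream qube that speaks DoT on 853 or DoH on 443 still reaches its own resolver, which is worth a comment, e.g. `# Block forwarded plain DNS so qubes cannot bypass pihole; DoT/DoH are not covered.`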