Pi-hole - more haste,less speed

pihole.spec

@@ -14,10 +14,8 @@ The package will create a new standalone qube, sys-pihole.
 It is a drop in replacement for sys-firewall.
 Sys-pihole is attached to sys-net.
 If you have sys-firewall as the default netvm, this will be changed to sys-pihole.
+The installation will try to move all qubes with netvm of sys-firewall to sys-iphole.
 sys-firewall will *not* be removed, so you can still use it for some qubes if you want.
-To use sys-pihole simply change the netvm.
-If you want to change all your qubes from sys-firewall to sys-pihole, a script is provided:
-Run `sudo /srv/salt/pihole/change_netvm.sh` .
 
  If you want to use Tor, then you should reconfigure your system like this:
  qubes -> sys-pihole ->Tor-gateway -> sys-firewall -> sys-net
@@ -49,7 +47,7 @@ cp -rv %{SOURCE0}/  %{buildroot}/srv/salt
 if [ $1 -eq 1 ]; then
   qubesctl state.apply pihole.create
   qubesctl --skip-dom0 --targets=sys-pihole state.apply pihole.install
-  if [[ $(qubes-prefs default_netvm sys-firewall |grep sys-firewall ) ]]; then qubes-prefs default_netvm sys-pihole; fi
+  /srv/salt/pihole/change_netvm.sh
 fi
 
 %preun

pihole/change_netvm.sh

@@ -1,7 +1,10 @@
 #!/usr/bin/bash
-qvm-start sys-pihole
-if [ $(qubes-prefs default_netvm sys-firewall |grep sys-firewall ) ]; then qubes-prefs default_netvm sys-pihole; fi
-sleep 3
-for i in `qvm-ls -O NAME,NETVM | awk '/ sys-firewall/{ print $1 }'`; do qvm-prefs $i netvm sys-pihole; done
-
+qvm-start sys-pihole && sleep 5
+if [ $(qubes-prefs default_netvm sys-firewall |grep sys-firewall ) ]; then
+  qubes-prefs default_netvm sys-pihole
+fi
 
+for i in $(qvm-ls -ONAME,NETVM |awk '/ sys-firewall/{print  $1} ')
+do
+  qvm-prefs $i netvm sys-pihole
+done

pihole/flush

@@ -0,0 +1,4 @@
+#!/usr/sbin/nft -f
+flush chain nat PR-QBS
+insert rule nat PR-QBS iifname "vif*" tcp dport 53 dnat to 127.0.0.1
+insert rule nat PR-QBS iifname "vif*" udp dport 53 dnat to 127.0.0.1

pihole/flush.sh

@@ -0,0 +1,2 @@
+#!/bin/sh
+nft -f /rw/config/network-hooks.d/flush

pihole/install.sls

@@ -90,7 +90,7 @@ Pihole-setup:
 
 /rw/config/qubes-firewall-user-script:
   file.append:
-    text:
+    - text:
       - nft flush chain nat PR-QBS
       - nft insert rule nat PR-QBS iifname "vif*" tcp dport 53 dnat to 127.0.0.1
       - nft insert rule nat PR-QBS iifname "vif*" udp dport 53 dnat to 127.0.0.1
@@ -113,6 +113,24 @@ Pihole-setup:
     - makedirs: True
     - mode: 755
 
+/rw/config/network-hooks.d/flush.sh:
+  file.managed:
+    - source:
+      - salt://pihole/flush.sh
+    - user: root
+    - group: root
+    - makedirs: True
+    - mode: 755
+
+/rw/config/network-hooks.d/flush:
+  file.managed:
+    - source:
+      - salt://pihole/flush
+    - user: root
+    - group: root
+    - makedirs: True
+    - mode: 755
+
 /etc/dnsmasq.conf:
   file.prepend:
     - text:

pihole/internalise.sh

@@ -1,3 +1,2 @@
 #!/bin/sh
-/rw/config/qubes-firewall-user-script
 find /proc/sys/net/ipv4/conf -name "vif*" -exec bash -c 'echo 1 | sudo tee {}/route_localnet' \;

pihole/update_nft.sh

@@ -1,10 +1,12 @@
-cat /rw/config/qubes-firewall.d/update_nft.sh
 #!/bin/sh
 get_handle(){
 local my_handle=$( nft -a list table $1|awk 'BEGIN{c0} /related,established/{c++; if (c==1) print $NF}' )
 echo $my_handle
 }
 
+nft insert rule filter FORWARD tcp dport 53 drop
+nft insert rule filter FORWARD udp dport 53 drop
+
 handle=$(get_handle filter)
 nft add rule filter INPUT position $handle iifname "vif*" tcp dport 53 accept
 nft add rule filter INPUT position $handle iifname "vif*" udp dport 53 accept