ange/VMs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat: nftables atomic update

Browse Source
This commit is contained in:
ange 2025-06-18 08:45:58 +00:00
parent 261d1ba557
commit 0173cc75f9
Signed by: ange
GPG Key ID: 9E0C4157BB7BEB1D
3 changed files with 27 additions and 31 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

31
lib.sh
View File

@ -54,20 +54,21 @@ qemu() {
local net; net="$(_getnet)" local net; net="$(_getnet)"
(set -x (set -x
qemu-system-x86_64 -accel kvm \ qemu-system-x86_64 \
-monitor stdio \ -accel kvm \
-M q35 \ -M q35 \
-bios /usr/share/edk2/x64/OVMF.4m.fd \ -bios /usr/share/edk2/x64/OVMF.4m.fd \
-cpu host \ -monitor stdio \
-m "$ram,maxmem=$maxram" \ -cpu host \
-vga virtio \ -m "$ram,maxmem=$maxram" \
-audio pipewire,model=hda \ -vga virtio \
-drive if=virtio,file=hda.qcow2 \ -audio pipewire,model=hda \
-nic "model=virtio-net-pci,type=$net" \ -nic "model=virtio-net-pci,type=$net" \
-device qemu-xhci \ -device qemu-xhci \
-object "memory-backend-ram,id=mem,size=$ram,share=on" \ -object "memory-backend-ram,id=mem,size=$ram,share=on" \
-numa node,memdev=mem \ -numa node,memdev=mem \
"${OPTS[@]}" \ -drive if=virtio,file=hda.qcow2 \
"$@" "${OPTS[@]}" \
"$@"
) )
} }

25
startnat.sh
View File

@ -2,17 +2,14 @@
DIR="$(dirname "${BASH_SOURCE[0]}")" DIR="$(dirname "${BASH_SOURCE[0]}")"
fix_nft_drops() { fix_nft_drops() {
local j h chain local j s='"add chain \(.family) \(.table) \(.name) { policy \(.policy); }"'
: > "$DIR/restore-nft.conf" if [ -f "$DIR/restore-nft.conf" ]; then
nft -f "$DIR/restore-nft.conf"
fi
j="$(nft -j list chains | jq '.[][].chain | select(.policy == "drop")')" j="$(nft -j list chains | jq '.[][].chain | select(.policy == "drop")')"
while read -r h; do jq -r ".policy=\"accept\" | $s" <<< "$j"
mapfile -t chain < <(jq -r "select(.policy != \"accept\" and .hook == \"$h\") | .family,.table,.name,.policy" <<< "$j") jq -r "$s" <<< "$j" > "$DIR/restore-nft.conf"
if [ -n "${chain[0]}" ]; then
nft add chain "${chain[0]}" "${chain[1]}" "${chain[2]}" '{ policy accept; }'
echo "add chain ${chain[0]} ${chain[1]} ${chain[2]} { policy ${chain[3]}; }" >> "$DIR/restore-nft.conf"
fi
done < <(nft -j list chains | jq -r '.[][].chain | select(.table == "qemu") | .hook')
} }
command -V dnsmasq > /dev/null command -V dnsmasq > /dev/null
@ -36,15 +33,15 @@ ip address flush dev "$BRIDGE"
ip address add 192.168.123.1/24 dev "$BRIDGE" ip address add 192.168.123.1/24 dev "$BRIDGE"
nft -f- <<EOF nft -f- <<EOF
destroy table ip qemu; $(fix_nft_drops)
table ip qemu { destroy table ip qemu; table ip qemu {
chain input { chain input {
type filter hook input priority filter; policy accept; type filter hook input priority filter; policy accept;
iifname "$BRIDGE" counter iifname "$BRIDGE" counter accept
} }
chain forward { chain forward {
type filter hook forward priority filter; policy accept; type filter hook forward priority filter; policy accept;
iifname "$BRIDGE" counter iifname "$BRIDGE" counter accept
} }
chain postrouting { chain postrouting {
type nat hook postrouting priority srcnat; policy accept; type nat hook postrouting priority srcnat; policy accept;
@ -53,8 +50,6 @@ table ip qemu {
} }
EOF EOF
fix_nft_drops
if ! pidof dnsmasq | grep -q "$(cat /var/run/dnsmasq-virbr0.pid)"; then if ! pidof dnsmasq | grep -q "$(cat /var/run/dnsmasq-virbr0.pid)"; then
dnsmasq -z \ dnsmasq -z \
-i "$BRIDGE" \ -i "$BRIDGE" \

2
w11iotltsc/run.sh
View File

@ -9,7 +9,7 @@ ISO=(
) )
if ! [ -f hda.qcow2 ]; then if ! [ -f hda.qcow2 ]; then
qemu-img create -f qcow2 hda.qcow2 40G qemu-img create -f qcow2 hda.qcow2 64G
download_isos download_isos
fi fi