feat: nftables atomic update
This commit is contained in:
parent
261d1ba557
commit
0173cc75f9
GPG Key ID:
9E0C4157BB7BEB1D
7
lib.sh
7
lib.sh
@ -54,19 +54,20 @@ qemu() {
|
||||
local net; net="$(_getnet)"
|
||||
|
||||
(set -x
|
||||
qemu-system-x86_64 -accel kvm \
|
||||
-monitor stdio \
|
||||
qemu-system-x86_64 \
|
||||
-accel kvm \
|
||||
-M q35 \
|
||||
-bios /usr/share/edk2/x64/OVMF.4m.fd \
|
||||
-monitor stdio \
|
||||
-cpu host \
|
||||
-m "$ram,maxmem=$maxram" \
|
||||
-vga virtio \
|
||||
-audio pipewire,model=hda \
|
||||
-drive if=virtio,file=hda.qcow2 \
|
||||
-nic "model=virtio-net-pci,type=$net" \
|
||||
-device qemu-xhci \
|
||||
-object "memory-backend-ram,id=mem,size=$ram,share=on" \
|
||||
-numa node,memdev=mem \
|
||||
-drive if=virtio,file=hda.qcow2 \
|
||||
"${OPTS[@]}" \
|
||||
"$@"
|
||||
)
|
||||
|
||||
25
startnat.sh
25
startnat.sh
@ -2,17 +2,14 @@
|
||||
DIR="$(dirname "${BASH_SOURCE[0]}")"
|
||||
|
||||
fix_nft_drops() {
|
||||
local j h chain
|
||||
local j s='"add chain \(.family) \(.table) \(.name) { policy \(.policy); }"'
|
||||
|
||||
: > "$DIR/restore-nft.conf"
|
||||
j="$(nft -j list chains | jq '.[][].chain | select(.policy == "drop")')"
|
||||
while read -r h; do
|
||||
mapfile -t chain < <(jq -r "select(.policy != \"accept\" and .hook == \"$h\") | .family,.table,.name,.policy" <<< "$j")
|
||||
if [ -n "${chain[0]}" ]; then
|
||||
nft add chain "${chain[0]}" "${chain[1]}" "${chain[2]}" '{ policy accept; }'
|
||||
echo "add chain ${chain[0]} ${chain[1]} ${chain[2]} { policy ${chain[3]}; }" >> "$DIR/restore-nft.conf"
|
||||
if [ -f "$DIR/restore-nft.conf" ]; then
|
||||
nft -f "$DIR/restore-nft.conf"
|
||||
fi
|
||||
done < <(nft -j list chains | jq -r '.[][].chain | select(.table == "qemu") | .hook')
|
||||
j="$(nft -j list chains | jq '.[][].chain | select(.policy == "drop")')"
|
||||
jq -r ".policy=\"accept\" | $s" <<< "$j"
|
||||
jq -r "$s" <<< "$j" > "$DIR/restore-nft.conf"
|
||||
}
|
||||
|
||||
command -V dnsmasq > /dev/null
|
||||
@ -36,15 +33,15 @@ ip address flush dev "$BRIDGE"
|
||||
ip address add 192.168.123.1/24 dev "$BRIDGE"
|
||||
|
||||
nft -f- <<EOF
|
||||
destroy table ip qemu;
|
||||
table ip qemu {
|
||||
$(fix_nft_drops)
|
||||
destroy table ip qemu; table ip qemu {
|
||||
chain input {
|
||||
type filter hook input priority filter; policy accept;
|
||||
iifname "$BRIDGE" counter
|
||||
iifname "$BRIDGE" counter accept
|
||||
}
|
||||
chain forward {
|
||||
type filter hook forward priority filter; policy accept;
|
||||
iifname "$BRIDGE" counter
|
||||
iifname "$BRIDGE" counter accept
|
||||
}
|
||||
chain postrouting {
|
||||
type nat hook postrouting priority srcnat; policy accept;
|
||||
@ -53,8 +50,6 @@ table ip qemu {
|
||||
}
|
||||
EOF
|
||||
|
||||
fix_nft_drops
|
||||
|
||||
if ! pidof dnsmasq | grep -q "$(cat /var/run/dnsmasq-virbr0.pid)"; then
|
||||
dnsmasq -z \
|
||||
-i "$BRIDGE" \
|
||||
|
||||
@ -9,7 +9,7 @@ ISO=(
|
||||
)
|
||||
|
||||
if ! [ -f hda.qcow2 ]; then
|
||||
qemu-img create -f qcow2 hda.qcow2 40G
|
||||
qemu-img create -f qcow2 hda.qcow2 64G
|
||||
download_isos
|
||||
fi
|
||||
|
||||
|
||||
Loading…
Reference in New Issue
Block a user