58 lines
1.3 KiB
Bash
Executable File
58 lines
1.3 KiB
Bash
Executable File
#!/bin/bash -eu
|
|
|
|
fix_nft_drops() {
|
|
local j s='"add chain \(.family) \(.table) \(.name) { policy \(.policy); }"'
|
|
|
|
if [ -f /tmp/restore-nft.conf ]; then
|
|
nft -f /tmp/restore-nft.conf
|
|
fi
|
|
j="$(nft -j list chains | jq '.[][].chain | select(.policy == "drop")')"
|
|
jq -r ".policy=\"accept\" | $s" <<< "$j"
|
|
jq -r "$s" <<< "$j" > /tmp/restore-nft.conf
|
|
}
|
|
|
|
command -V dnsmasq > /dev/null
|
|
command -V nft > /dev/null
|
|
|
|
if [ "$EUID" != 0 ]; then
|
|
echo 'this script must be run as root' >&2
|
|
exit 1
|
|
fi
|
|
|
|
BRIDGE="${1-virbr0}"
|
|
|
|
modprobe nft_masq
|
|
sysctl net.ipv4.conf.all.forwarding=1
|
|
|
|
if ! ip link show "$BRIDGE" 2> /dev/null; then
|
|
ip link add "$BRIDGE" type bridge
|
|
fi
|
|
ip link set dev "$BRIDGE" up
|
|
ip address add 192.168.123.1/24 dev "$BRIDGE"
|
|
|
|
nft -f- <<EOF
|
|
$(fix_nft_drops)
|
|
destroy table ip qemu; table ip qemu {
|
|
chain input {
|
|
type filter hook input priority filter; policy accept;
|
|
iifname "$BRIDGE" counter accept
|
|
}
|
|
chain forward {
|
|
type filter hook forward priority filter; policy accept;
|
|
iifname "$BRIDGE" counter accept
|
|
}
|
|
chain postrouting {
|
|
type nat hook postrouting priority srcnat; policy accept;
|
|
masquerade
|
|
}
|
|
}
|
|
EOF
|
|
|
|
if ! [ -f /var/run/dnsmasq-virbr0.pid ]; then
|
|
dnsmasq -z \
|
|
-i "$BRIDGE" \
|
|
-F 192.168.123.2,192.168.123.254,255.255.255.0 \
|
|
-x /var/run/dnsmasq-virbr0.pid \
|
|
--server 1.1.1.1
|
|
fi
|