ange/VMs
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

feat: CPU/RAM limit + port forward docs

Browse Source
This commit is contained in:
ange 2024-03-10 22:42:43 +01:00
parent a3e2f8b5ed
commit 9974777698
Signed by: ange
GPG Key ID: 9E0C4157BB7BEB1D
6 changed files with 397 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

21
README.md
View File

@ -1,12 +1,29 @@
# VMs # VMs
## HOW-TO ## HOW-TO
To start (or create) a VM, go in the desired folder and run To start (or create) a VM, go in the desired folder and run
```console ```console
$ ./run.sh $ ./run.sh
``` ```
## USB passthrough ### CPU/RAM limit
See QEMU(1) for CPU limit<br>.
Default RAM flag: `-m "2G,maxmem=$((MAX_RAM - 2))G"`.<br>
You can limit the CPU/RAM usage with these flags:
```
./run.sh -smp "$NB_CPUS,maxcpus=$MAX_CPUS" \
-m "${RAM}G,maxmem=${MAX_RAM}G"
```
You can make this permanent in run.sh (this VM only) or lib.sh (all VMs).
### Port forwarding
To forward host port 2222 to guest 22:
```
./run.sh -nic user,hostfwd=tcp::2222-:22
```
You can make this permanent in run.sh (this VM only) or lib.sh (all VMs).
### USB passthrough
If you need USB passthrough, uncomment and fill in the corresponding line in If you need USB passthrough, uncomment and fill in the corresponding line in
`run.sh`. `run.sh`.

369
fedora39/nft Normal file
View File

@ -0,0 +1,369 @@
table inet firewalld {
ct helper helper-netbios-ns-udp {
type "netbios-ns" protocol udp
l3proto ip
}
chain mangle_PREROUTING {
type filter hook prerouting priority mangle + 10; policy accept;
jump mangle_PREROUTING_POLICIES
}
chain mangle_PREROUTING_POLICIES {
iifname "enp0s2" jump mangle_PRE_policy_allow-host-ipv6
iifname "enp0s2" jump mangle_PRE_FedoraWorkstation
iifname "enp0s2" return
jump mangle_PRE_policy_allow-host-ipv6
jump mangle_PRE_FedoraWorkstation
return
}
chain nat_PREROUTING {
type nat hook prerouting priority dstnat + 10; policy accept;
jump nat_PREROUTING_POLICIES
}
chain nat_PREROUTING_POLICIES {
iifname "enp0s2" jump nat_PRE_policy_allow-host-ipv6
iifname "enp0s2" jump nat_PRE_FedoraWorkstation
iifname "enp0s2" return
jump nat_PRE_policy_allow-host-ipv6
jump nat_PRE_FedoraWorkstation
return
}
chain nat_POSTROUTING {
type nat hook postrouting priority srcnat + 10; policy accept;
jump nat_POSTROUTING_POLICIES
}
chain nat_POSTROUTING_POLICIES {
iifname "enp0s2" oifname "enp0s2" jump nat_POST_FedoraWorkstation
iifname "enp0s2" oifname "enp0s2" return
oifname "enp0s2" jump nat_POST_FedoraWorkstation
oifname "enp0s2" return
iifname "enp0s2" jump nat_POST_FedoraWorkstation
iifname "enp0s2" return
jump nat_POST_FedoraWorkstation
return
}
chain nat_OUTPUT {
type nat hook output priority -90; policy accept;
jump nat_OUTPUT_POLICIES
}
chain nat_OUTPUT_POLICIES {
oifname "enp0s2" jump nat_OUT_FedoraWorkstation
oifname "enp0s2" return
jump nat_OUT_FedoraWorkstation
return
}
chain filter_PREROUTING {
type filter hook prerouting priority filter + 10; policy accept;
icmpv6 type { nd-router-advert, nd-neighbor-solicit } accept
meta nfproto ipv6 fib saddr . mark . iif oif missing drop
}
chain filter_INPUT {
type filter hook input priority filter + 10; policy accept;
ct state { established, related } accept
ct status dnat accept
iifname "lo" accept
ct state invalid drop
jump filter_INPUT_POLICIES
reject with icmpx admin-prohibited
}
chain filter_FORWARD {
type filter hook forward priority filter + 10; policy accept;
ct state { established, related } accept
ct status dnat accept
iifname "lo" accept
ct state invalid drop
ip6 daddr { ::/96, ::ffff:0.0.0.0/96, 2002::/24, 2002:a00::/24, 2002:7f00::/24, 2002:a9fe::/32, 2002:ac10::/28, 2002:c0a8::/32, 2002:e000::/19 } reject with icmpv6 addr-unreachable
jump filter_FORWARD_POLICIES
reject with icmpx admin-prohibited
}
chain filter_OUTPUT {
type filter hook output priority filter + 10; policy accept;
ct state { established, related } accept
oifname "lo" accept
ip6 daddr { ::/96, ::ffff:0.0.0.0/96, 2002::/24, 2002:a00::/24, 2002:7f00::/24, 2002:a9fe::/32, 2002:ac10::/28, 2002:c0a8::/32, 2002:e000::/19 } reject with icmpv6 addr-unreachable
jump filter_OUTPUT_POLICIES
}
chain filter_INPUT_POLICIES {
iifname "enp0s2" jump filter_IN_policy_allow-host-ipv6
iifname "enp0s2" jump filter_IN_FedoraWorkstation
iifname "enp0s2" reject with icmpx admin-prohibited
jump filter_IN_policy_allow-host-ipv6
jump filter_IN_FedoraWorkstation
reject with icmpx admin-prohibited
}
chain filter_FORWARD_POLICIES {
iifname "enp0s2" oifname "enp0s2" jump filter_FWD_FedoraWorkstation
iifname "enp0s2" oifname "enp0s2" reject with icmpx admin-prohibited
iifname "enp0s2" jump filter_FWD_FedoraWorkstation
iifname "enp0s2" reject with icmpx admin-prohibited
oifname "enp0s2" jump filter_FWD_FedoraWorkstation
oifname "enp0s2" reject with icmpx admin-prohibited
jump filter_FWD_FedoraWorkstation
reject with icmpx admin-prohibited
}
chain filter_OUTPUT_POLICIES {
oifname "enp0s2" jump filter_OUT_FedoraWorkstation
oifname "enp0s2" return
jump filter_OUT_FedoraWorkstation
return
}
chain filter_IN_FedoraWorkstation {
jump filter_IN_FedoraWorkstation_pre
jump filter_IN_FedoraWorkstation_log
jump filter_IN_FedoraWorkstation_deny
jump filter_IN_FedoraWorkstation_allow
jump filter_IN_FedoraWorkstation_post
meta l4proto { icmp, ipv6-icmp } accept
}
chain filter_IN_FedoraWorkstation_pre {
}
chain filter_IN_FedoraWorkstation_log {
}
chain filter_IN_FedoraWorkstation_deny {
}
chain filter_IN_FedoraWorkstation_allow {
ip6 daddr fe80::/64 udp dport 546 accept
tcp dport 22 accept
udp dport 137 ct helper set "helper-netbios-ns-udp"
udp dport 137 accept
udp dport 138 accept
ip daddr 224.0.0.251 udp dport 5353 accept
ip6 daddr ff02::fb udp dport 5353 accept
udp dport 1025-65535 accept
tcp dport 1025-65535 accept
}
chain filter_IN_FedoraWorkstation_post {
}
chain filter_OUT_FedoraWorkstation {
jump filter_OUT_FedoraWorkstation_pre
jump filter_OUT_FedoraWorkstation_log
jump filter_OUT_FedoraWorkstation_deny
jump filter_OUT_FedoraWorkstation_allow
jump filter_OUT_FedoraWorkstation_post
}
chain filter_OUT_FedoraWorkstation_pre {
}
chain filter_OUT_FedoraWorkstation_log {
}
chain filter_OUT_FedoraWorkstation_deny {
}
chain filter_OUT_FedoraWorkstation_allow {
}
chain filter_OUT_FedoraWorkstation_post {
}
chain nat_OUT_FedoraWorkstation {
jump nat_OUT_FedoraWorkstation_pre
jump nat_OUT_FedoraWorkstation_log
jump nat_OUT_FedoraWorkstation_deny
jump nat_OUT_FedoraWorkstation_allow
jump nat_OUT_FedoraWorkstation_post
}
chain nat_OUT_FedoraWorkstation_pre {
}
chain nat_OUT_FedoraWorkstation_log {
}
chain nat_OUT_FedoraWorkstation_deny {
}
chain nat_OUT_FedoraWorkstation_allow {
}
chain nat_OUT_FedoraWorkstation_post {
}
chain nat_POST_FedoraWorkstation {
jump nat_POST_FedoraWorkstation_pre
jump nat_POST_FedoraWorkstation_log
jump nat_POST_FedoraWorkstation_deny
jump nat_POST_FedoraWorkstation_allow
jump nat_POST_FedoraWorkstation_post
}
chain nat_POST_FedoraWorkstation_pre {
}
chain nat_POST_FedoraWorkstation_log {
}
chain nat_POST_FedoraWorkstation_deny {
}
chain nat_POST_FedoraWorkstation_allow {
}
chain nat_POST_FedoraWorkstation_post {
}
chain filter_FWD_FedoraWorkstation {
jump filter_FWD_FedoraWorkstation_pre
jump filter_FWD_FedoraWorkstation_log
jump filter_FWD_FedoraWorkstation_deny
jump filter_FWD_FedoraWorkstation_allow
jump filter_FWD_FedoraWorkstation_post
}
chain filter_FWD_FedoraWorkstation_pre {
}
chain filter_FWD_FedoraWorkstation_log {
}
chain filter_FWD_FedoraWorkstation_deny {
}
chain filter_FWD_FedoraWorkstation_allow {
oifname "enp0s2" accept
}
chain filter_FWD_FedoraWorkstation_post {
}
chain nat_PRE_FedoraWorkstation {
jump nat_PRE_FedoraWorkstation_pre
jump nat_PRE_FedoraWorkstation_log
jump nat_PRE_FedoraWorkstation_deny
jump nat_PRE_FedoraWorkstation_allow
jump nat_PRE_FedoraWorkstation_post
}
chain nat_PRE_FedoraWorkstation_pre {
}
chain nat_PRE_FedoraWorkstation_log {
}
chain nat_PRE_FedoraWorkstation_deny {
}
chain nat_PRE_FedoraWorkstation_allow {
}
chain nat_PRE_FedoraWorkstation_post {
}
chain mangle_PRE_FedoraWorkstation {
jump mangle_PRE_FedoraWorkstation_pre
jump mangle_PRE_FedoraWorkstation_log
jump mangle_PRE_FedoraWorkstation_deny
jump mangle_PRE_FedoraWorkstation_allow
jump mangle_PRE_FedoraWorkstation_post
}
chain mangle_PRE_FedoraWorkstation_pre {
}
chain mangle_PRE_FedoraWorkstation_log {
}
chain mangle_PRE_FedoraWorkstation_deny {
}
chain mangle_PRE_FedoraWorkstation_allow {
}
chain mangle_PRE_FedoraWorkstation_post {
}
chain filter_IN_policy_allow-host-ipv6 {
jump filter_IN_policy_allow-host-ipv6_pre
jump filter_IN_policy_allow-host-ipv6_log
jump filter_IN_policy_allow-host-ipv6_deny
jump filter_IN_policy_allow-host-ipv6_allow
jump filter_IN_policy_allow-host-ipv6_post
}
chain filter_IN_policy_allow-host-ipv6_pre {
}
chain filter_IN_policy_allow-host-ipv6_log {
}
chain filter_IN_policy_allow-host-ipv6_deny {
}
chain filter_IN_policy_allow-host-ipv6_allow {
icmpv6 type nd-neighbor-advert accept
icmpv6 type nd-neighbor-solicit accept
icmpv6 type nd-router-advert accept
icmpv6 type nd-redirect accept
}
chain filter_IN_policy_allow-host-ipv6_post {
}
chain nat_PRE_policy_allow-host-ipv6 {
jump nat_PRE_policy_allow-host-ipv6_pre
jump nat_PRE_policy_allow-host-ipv6_log
jump nat_PRE_policy_allow-host-ipv6_deny
jump nat_PRE_policy_allow-host-ipv6_allow
jump nat_PRE_policy_allow-host-ipv6_post
}
chain nat_PRE_policy_allow-host-ipv6_pre {
}
chain nat_PRE_policy_allow-host-ipv6_log {
}
chain nat_PRE_policy_allow-host-ipv6_deny {
}
chain nat_PRE_policy_allow-host-ipv6_allow {
}
chain nat_PRE_policy_allow-host-ipv6_post {
}
chain mangle_PRE_policy_allow-host-ipv6 {
jump mangle_PRE_policy_allow-host-ipv6_pre
jump mangle_PRE_policy_allow-host-ipv6_log
jump mangle_PRE_policy_allow-host-ipv6_deny
jump mangle_PRE_policy_allow-host-ipv6_allow
jump mangle_PRE_policy_allow-host-ipv6_post
}
chain mangle_PRE_policy_allow-host-ipv6_pre {
}
chain mangle_PRE_policy_allow-host-ipv6_log {
}
chain mangle_PRE_policy_allow-host-ipv6_deny {
}
chain mangle_PRE_policy_allow-host-ipv6_allow {
}
chain mangle_PRE_policy_allow-host-ipv6_post {
}
}

2
fedora39/run.sh
View File

@ -3,7 +3,7 @@ cd "$(dirname "$0")"
. ../lib.sh . ../lib.sh
ISO=( ISO=(
[fedora39.iso]='https://download.fedoraproject.org/pub/fedora/linux/releases/39/Workstation/x86_64/iso/Fedora-Workstation-Live-x86_64-39-1.5.iso' [fedora39]='https://download.fedoraproject.org/pub/fedora/linux/releases/39/Workstation/x86_64/iso/Fedora-Workstation-Live-x86_64-39-1.5.iso'
) )
if ! [ -f hda.qcow2 ]; then if ! [ -f hda.qcow2 ]; then

1
fedora39/todo Normal file
View File

@ -0,0 +1 @@
/var/lib/misc/dnsmasq.leases

12
lib.sh
View File

@ -21,12 +21,15 @@ function ask_yn() {
declare -A ISO declare -A ISO
declare -a OPTS declare -a OPTS
function download_isos() { function download_isos() {
local file
for iso in "${!ISO[@]}"; do for iso in "${!ISO[@]}"; do
if ! [ -f "$iso" ] && ask_yn "download $iso?"; then file="$iso.iso"
curl -LC- -o "$iso" "${ISO[$iso]}" if ! [ -f "$file" ] && ask_yn "download $file?"; then
curl -LC- -o "$file" "${ISO[$iso]}"
fi fi
if [ -f "$iso" ]; then if [ -f "$file" ]; then
OPTS+=(-drive "file=$iso,media=cdrom,readonly=on") OPTS+=(-drive "file=$file,media=cdrom,readonly=on")
fi fi
done done
} }
@ -51,7 +54,6 @@ function _getnet() {
echo "$net" echo "$net"
} }
# TODO: -bios /usr/share/OVMF/OVMF_CODE.fd
function qemu() { function qemu() {
local maxram; maxram="$(_getmaxram)" local maxram; maxram="$(_getmaxram)"
local net; net="$(_getnet)" local net; net="$(_getnet)"

1
startnat.sh
View File

@ -36,7 +36,6 @@ ip link set dev "$BRIDGE" up
ip address flush dev "$BRIDGE" ip address flush dev "$BRIDGE"
ip address add 192.168.123.1/24 dev "$BRIDGE" ip address add 192.168.123.1/24 dev "$BRIDGE"
# TODO: firewalld/nft?
newtable INPUT newtable INPUT
newtable FORWARD newtable FORWARD
newtable POSTROUTING -tnat newtable POSTROUTING -tnat