feat: CPU/RAM limit + port forward docs

2024-03-10 22:42:43 +01:00 · 2024-03-10 22:42:43 +01:00 · 9974777698
commit 9974777698
parent a3e2f8b5ed
6 changed files with 397 additions and 9 deletions
--- a/README.md
+++ b/README.md
@ -6,7 +6,24 @@ To start (or create) a VM, go in the desired folder and run
 $ ./run.sh
 ```

-## USB passthrough
+### CPU/RAM limit
+See QEMU(1) for CPU limit<br>.
+Default RAM flag: `-m "2G,maxmem=$((MAX_RAM - 2))G"`.<br>
+You can limit the CPU/RAM usage with these flags:
+```
+./run.sh -smp "$NB_CPUS,maxcpus=$MAX_CPUS" \
+         -m "${RAM}G,maxmem=${MAX_RAM}G"
+```
+You can make this permanent in run.sh (this VM only) or lib.sh (all VMs).
+
+### Port forwarding
+To forward host port 2222 to guest 22:
+```
+./run.sh -nic user,hostfwd=tcp::2222-:22
+```
+You can make this permanent in run.sh (this VM only) or lib.sh (all VMs).
+
+### USB passthrough

 If you need USB passthrough, uncomment and fill in the corresponding line in
 `run.sh`.
--- a/fedora39/nft
+++ b/fedora39/nft
@ -0,0 +1,369 @@
+table inet firewalld {
+	ct helper helper-netbios-ns-udp {
+		type "netbios-ns" protocol udp
+		l3proto ip
+	}
+
+	chain mangle_PREROUTING {
+		type filter hook prerouting priority mangle + 10; policy accept;
+		jump mangle_PREROUTING_POLICIES
+	}
+
+	chain mangle_PREROUTING_POLICIES {
+		iifname "enp0s2" jump mangle_PRE_policy_allow-host-ipv6
+		iifname "enp0s2" jump mangle_PRE_FedoraWorkstation
+		iifname "enp0s2" return
+		jump mangle_PRE_policy_allow-host-ipv6
+		jump mangle_PRE_FedoraWorkstation
+		return
+	}
+
+	chain nat_PREROUTING {
+		type nat hook prerouting priority dstnat + 10; policy accept;
+		jump nat_PREROUTING_POLICIES
+	}
+
+	chain nat_PREROUTING_POLICIES {
+		iifname "enp0s2" jump nat_PRE_policy_allow-host-ipv6
+		iifname "enp0s2" jump nat_PRE_FedoraWorkstation
+		iifname "enp0s2" return
+		jump nat_PRE_policy_allow-host-ipv6
+		jump nat_PRE_FedoraWorkstation
+		return
+	}
+
+	chain nat_POSTROUTING {
+		type nat hook postrouting priority srcnat + 10; policy accept;
+		jump nat_POSTROUTING_POLICIES
+	}
+
+	chain nat_POSTROUTING_POLICIES {
+		iifname "enp0s2" oifname "enp0s2" jump nat_POST_FedoraWorkstation
+		iifname "enp0s2" oifname "enp0s2" return
+		oifname "enp0s2" jump nat_POST_FedoraWorkstation
+		oifname "enp0s2" return
+		iifname "enp0s2" jump nat_POST_FedoraWorkstation
+		iifname "enp0s2" return
+		jump nat_POST_FedoraWorkstation
+		return
+	}
+
+	chain nat_OUTPUT {
+		type nat hook output priority -90; policy accept;
+		jump nat_OUTPUT_POLICIES
+	}
+
+	chain nat_OUTPUT_POLICIES {
+		oifname "enp0s2" jump nat_OUT_FedoraWorkstation
+		oifname "enp0s2" return
+		jump nat_OUT_FedoraWorkstation
+		return
+	}
+
+	chain filter_PREROUTING {
+		type filter hook prerouting priority filter + 10; policy accept;
+		icmpv6 type { nd-router-advert, nd-neighbor-solicit } accept
+		meta nfproto ipv6 fib saddr . mark . iif oif missing drop
+	}
+
+	chain filter_INPUT {
+		type filter hook input priority filter + 10; policy accept;
+		ct state { established, related } accept
+		ct status dnat accept
+		iifname "lo" accept
+		ct state invalid drop
+		jump filter_INPUT_POLICIES
+		reject with icmpx admin-prohibited
+	}
+
+	chain filter_FORWARD {
+		type filter hook forward priority filter + 10; policy accept;
+		ct state { established, related } accept
+		ct status dnat accept
+		iifname "lo" accept
+		ct state invalid drop
+		ip6 daddr { ::/96, ::ffff:0.0.0.0/96, 2002::/24, 2002:a00::/24, 2002:7f00::/24, 2002:a9fe::/32, 2002:ac10::/28, 2002:c0a8::/32, 2002:e000::/19 } reject with icmpv6 addr-unreachable
+		jump filter_FORWARD_POLICIES
+		reject with icmpx admin-prohibited
+	}
+
+	chain filter_OUTPUT {
+		type filter hook output priority filter + 10; policy accept;
+		ct state { established, related } accept
+		oifname "lo" accept
+		ip6 daddr { ::/96, ::ffff:0.0.0.0/96, 2002::/24, 2002:a00::/24, 2002:7f00::/24, 2002:a9fe::/32, 2002:ac10::/28, 2002:c0a8::/32, 2002:e000::/19 } reject with icmpv6 addr-unreachable
+		jump filter_OUTPUT_POLICIES
+	}
+
+	chain filter_INPUT_POLICIES {
+		iifname "enp0s2" jump filter_IN_policy_allow-host-ipv6
+		iifname "enp0s2" jump filter_IN_FedoraWorkstation
+		iifname "enp0s2" reject with icmpx admin-prohibited
+		jump filter_IN_policy_allow-host-ipv6
+		jump filter_IN_FedoraWorkstation
+		reject with icmpx admin-prohibited
+	}
+
+	chain filter_FORWARD_POLICIES {
+		iifname "enp0s2" oifname "enp0s2" jump filter_FWD_FedoraWorkstation
+		iifname "enp0s2" oifname "enp0s2" reject with icmpx admin-prohibited
+		iifname "enp0s2" jump filter_FWD_FedoraWorkstation
+		iifname "enp0s2" reject with icmpx admin-prohibited
+		oifname "enp0s2" jump filter_FWD_FedoraWorkstation
+		oifname "enp0s2" reject with icmpx admin-prohibited
+		jump filter_FWD_FedoraWorkstation
+		reject with icmpx admin-prohibited
+	}
+
+	chain filter_OUTPUT_POLICIES {
+		oifname "enp0s2" jump filter_OUT_FedoraWorkstation
+		oifname "enp0s2" return
+		jump filter_OUT_FedoraWorkstation
+		return
+	}
+
+	chain filter_IN_FedoraWorkstation {
+		jump filter_IN_FedoraWorkstation_pre
+		jump filter_IN_FedoraWorkstation_log
+		jump filter_IN_FedoraWorkstation_deny
+		jump filter_IN_FedoraWorkstation_allow
+		jump filter_IN_FedoraWorkstation_post
+		meta l4proto { icmp, ipv6-icmp } accept
+	}
+
+	chain filter_IN_FedoraWorkstation_pre {
+	}
+
+	chain filter_IN_FedoraWorkstation_log {
+	}
+
+	chain filter_IN_FedoraWorkstation_deny {
+	}
+
+	chain filter_IN_FedoraWorkstation_allow {
+		ip6 daddr fe80::/64 udp dport 546 accept
+		tcp dport 22 accept
+		udp dport 137 ct helper set "helper-netbios-ns-udp"
+		udp dport 137 accept
+		udp dport 138 accept
+		ip daddr 224.0.0.251 udp dport 5353 accept
+		ip6 daddr ff02::fb udp dport 5353 accept
+		udp dport 1025-65535 accept
+		tcp dport 1025-65535 accept
+	}
+
+	chain filter_IN_FedoraWorkstation_post {
+	}
+
+	chain filter_OUT_FedoraWorkstation {
+		jump filter_OUT_FedoraWorkstation_pre
+		jump filter_OUT_FedoraWorkstation_log
+		jump filter_OUT_FedoraWorkstation_deny
+		jump filter_OUT_FedoraWorkstation_allow
+		jump filter_OUT_FedoraWorkstation_post
+	}
+
+	chain filter_OUT_FedoraWorkstation_pre {
+	}
+
+	chain filter_OUT_FedoraWorkstation_log {
+	}
+
+	chain filter_OUT_FedoraWorkstation_deny {
+	}
+
+	chain filter_OUT_FedoraWorkstation_allow {
+	}
+
+	chain filter_OUT_FedoraWorkstation_post {
+	}
+
+	chain nat_OUT_FedoraWorkstation {
+		jump nat_OUT_FedoraWorkstation_pre
+		jump nat_OUT_FedoraWorkstation_log
+		jump nat_OUT_FedoraWorkstation_deny
+		jump nat_OUT_FedoraWorkstation_allow
+		jump nat_OUT_FedoraWorkstation_post
+	}
+
+	chain nat_OUT_FedoraWorkstation_pre {
+	}
+
+	chain nat_OUT_FedoraWorkstation_log {
+	}
+
+	chain nat_OUT_FedoraWorkstation_deny {
+	}
+
+	chain nat_OUT_FedoraWorkstation_allow {
+	}
+
+	chain nat_OUT_FedoraWorkstation_post {
+	}
+
+	chain nat_POST_FedoraWorkstation {
+		jump nat_POST_FedoraWorkstation_pre
+		jump nat_POST_FedoraWorkstation_log
+		jump nat_POST_FedoraWorkstation_deny
+		jump nat_POST_FedoraWorkstation_allow
+		jump nat_POST_FedoraWorkstation_post
+	}
+
+	chain nat_POST_FedoraWorkstation_pre {
+	}
+
+	chain nat_POST_FedoraWorkstation_log {
+	}
+
+	chain nat_POST_FedoraWorkstation_deny {
+	}
+
+	chain nat_POST_FedoraWorkstation_allow {
+	}
+
+	chain nat_POST_FedoraWorkstation_post {
+	}
+
+	chain filter_FWD_FedoraWorkstation {
+		jump filter_FWD_FedoraWorkstation_pre
+		jump filter_FWD_FedoraWorkstation_log
+		jump filter_FWD_FedoraWorkstation_deny
+		jump filter_FWD_FedoraWorkstation_allow
+		jump filter_FWD_FedoraWorkstation_post
+	}
+
+	chain filter_FWD_FedoraWorkstation_pre {
+	}
+
+	chain filter_FWD_FedoraWorkstation_log {
+	}
+
+	chain filter_FWD_FedoraWorkstation_deny {
+	}
+
+	chain filter_FWD_FedoraWorkstation_allow {
+		oifname "enp0s2" accept
+	}
+
+	chain filter_FWD_FedoraWorkstation_post {
+	}
+
+	chain nat_PRE_FedoraWorkstation {
+		jump nat_PRE_FedoraWorkstation_pre
+		jump nat_PRE_FedoraWorkstation_log
+		jump nat_PRE_FedoraWorkstation_deny
+		jump nat_PRE_FedoraWorkstation_allow
+		jump nat_PRE_FedoraWorkstation_post
+	}
+
+	chain nat_PRE_FedoraWorkstation_pre {
+	}
+
+	chain nat_PRE_FedoraWorkstation_log {
+	}
+
+	chain nat_PRE_FedoraWorkstation_deny {
+	}
+
+	chain nat_PRE_FedoraWorkstation_allow {
+	}
+
+	chain nat_PRE_FedoraWorkstation_post {
+	}
+
+	chain mangle_PRE_FedoraWorkstation {
+		jump mangle_PRE_FedoraWorkstation_pre
+		jump mangle_PRE_FedoraWorkstation_log
+		jump mangle_PRE_FedoraWorkstation_deny
+		jump mangle_PRE_FedoraWorkstation_allow
+		jump mangle_PRE_FedoraWorkstation_post
+	}
+
+	chain mangle_PRE_FedoraWorkstation_pre {
+	}
+
+	chain mangle_PRE_FedoraWorkstation_log {
+	}
+
+	chain mangle_PRE_FedoraWorkstation_deny {
+	}
+
+	chain mangle_PRE_FedoraWorkstation_allow {
+	}
+
+	chain mangle_PRE_FedoraWorkstation_post {
+	}
+
+	chain filter_IN_policy_allow-host-ipv6 {
+		jump filter_IN_policy_allow-host-ipv6_pre
+		jump filter_IN_policy_allow-host-ipv6_log
+		jump filter_IN_policy_allow-host-ipv6_deny
+		jump filter_IN_policy_allow-host-ipv6_allow
+		jump filter_IN_policy_allow-host-ipv6_post
+	}
+
+	chain filter_IN_policy_allow-host-ipv6_pre {
+	}
+
+	chain filter_IN_policy_allow-host-ipv6_log {
+	}
+
+	chain filter_IN_policy_allow-host-ipv6_deny {
+	}
+
+	chain filter_IN_policy_allow-host-ipv6_allow {
+		icmpv6 type nd-neighbor-advert accept
+		icmpv6 type nd-neighbor-solicit accept
+		icmpv6 type nd-router-advert accept
+		icmpv6 type nd-redirect accept
+	}
+
+	chain filter_IN_policy_allow-host-ipv6_post {
+	}
+
+	chain nat_PRE_policy_allow-host-ipv6 {
+		jump nat_PRE_policy_allow-host-ipv6_pre
+		jump nat_PRE_policy_allow-host-ipv6_log
+		jump nat_PRE_policy_allow-host-ipv6_deny
+		jump nat_PRE_policy_allow-host-ipv6_allow
+		jump nat_PRE_policy_allow-host-ipv6_post
+	}
+
+	chain nat_PRE_policy_allow-host-ipv6_pre {
+	}
+
+	chain nat_PRE_policy_allow-host-ipv6_log {
+	}
+
+	chain nat_PRE_policy_allow-host-ipv6_deny {
+	}
+
+	chain nat_PRE_policy_allow-host-ipv6_allow {
+	}
+
+	chain nat_PRE_policy_allow-host-ipv6_post {
+	}
+
+	chain mangle_PRE_policy_allow-host-ipv6 {
+		jump mangle_PRE_policy_allow-host-ipv6_pre
+		jump mangle_PRE_policy_allow-host-ipv6_log
+		jump mangle_PRE_policy_allow-host-ipv6_deny
+		jump mangle_PRE_policy_allow-host-ipv6_allow
+		jump mangle_PRE_policy_allow-host-ipv6_post
+	}
+
+	chain mangle_PRE_policy_allow-host-ipv6_pre {
+	}
+
+	chain mangle_PRE_policy_allow-host-ipv6_log {
+	}
+
+	chain mangle_PRE_policy_allow-host-ipv6_deny {
+	}
+
+	chain mangle_PRE_policy_allow-host-ipv6_allow {
+	}
+
+	chain mangle_PRE_policy_allow-host-ipv6_post {
+	}
+}
--- a/fedora39/run.sh
+++ b/fedora39/run.sh
@ -3,7 +3,7 @@ cd "$(dirname "$0")"
 . ../lib.sh

 ISO=(
-    [fedora39.iso]='https://download.fedoraproject.org/pub/fedora/linux/releases/39/Workstation/x86_64/iso/Fedora-Workstation-Live-x86_64-39-1.5.iso'
+    [fedora39]='https://download.fedoraproject.org/pub/fedora/linux/releases/39/Workstation/x86_64/iso/Fedora-Workstation-Live-x86_64-39-1.5.iso'
 )

 if ! [ -f hda.qcow2 ]; then
--- a/fedora39/todo
+++ b/fedora39/todo
@ -0,0 +1 @@
+/var/lib/misc/dnsmasq.leases
--- a/lib.sh
+++ b/lib.sh
@ -21,12 +21,15 @@ function ask_yn() {
 declare -A ISO
 declare -a OPTS
 function download_isos() {
+    local file
+
    for iso in "${!ISO[@]}"; do
-        if ! [ -f "$iso" ] && ask_yn "download $iso?"; then
-            curl -LC- -o "$iso" "${ISO[$iso]}"
+        file="$iso.iso"
+        if ! [ -f "$file" ] && ask_yn "download $file?"; then
+            curl -LC- -o "$file" "${ISO[$iso]}"
        fi
-        if [ -f "$iso" ]; then
-            OPTS+=(-drive "file=$iso,media=cdrom,readonly=on")
+        if [ -f "$file" ]; then
+            OPTS+=(-drive "file=$file,media=cdrom,readonly=on")
        fi
    done
 }
@ -51,7 +54,6 @@ function _getnet() {
    echo "$net"
 }

-# TODO: -bios /usr/share/OVMF/OVMF_CODE.fd
 function qemu() {
    local maxram; maxram="$(_getmaxram)"
    local net; net="$(_getnet)"
--- a/startnat.sh
+++ b/startnat.sh
@ -36,7 +36,6 @@ ip link set dev "$BRIDGE" up
 ip address flush dev "$BRIDGE"
 ip address add 192.168.123.1/24 dev "$BRIDGE"

-# TODO: firewalld/nft?
 newtable INPUT
 newtable FORWARD
 newtable POSTROUTING -tnat