I want to use a HVM as a NetVM, cat assign vif+ interface

[Andreas Moreiro]

Qubes dev said in his last post here, that it can not be done in 2014.
https://groups.google.com/d/topic/qubes-users/RFXoZ3zt-PE

I tried it for myself, and I can assign the PCI device, and get an eth0
interface, however I can't assign the virtual interface vif+ to the HVM.

I tried attaching in Dom0 with:
xl network-attach whonix-gw-clone-1
script=/etc/xen/scripts/vif-route-qubes ip=... backend=firewallVM
and got an error:
libx: error:libx.c:2044device_addrm_aocomplete: unable to add device


Tried to start the firewallvm, with the HVM as its netVM, and got these
errors in the log:

libxl_device.c:1081:device_backend_callback: unable to add device with path
libxl_device.c:1512:device_attach_devices: unable to add nic devices
libxl_device.c:1081:device_backend_callback: unable to remove device with
path
libxl.c:1669:devices_destroy_cb: libxl_devices_destroy failed

i used some parts of this tutorial for inspiration:
https://garlicgambit.wordpress.com/2016/04/22/how-to-run-tails-from-a-qubes-live-cd/

Thanks for reading. Any suggestions?

[awokd]

Sys-net is already an HVM. Are you trying to make a custom template? You
shouldn't have to manually assign interfaces. Did you check the "provides
network" box when creating your custom sys-net?

[lit...@gmail.com]

Thanks for replying akwod. Standalone HVM - the kind you start from an ISO

[lit...@gmail.com]

Also I thought HVM implies that it is a VM that can be started from an ISO.
https://www.qubes-os.org/doc/hvm/
And the fact that I posted the link to the tutorial should make it easier to understand what I want to do here: use Ubuntu as a netVM

[Unman]

There's a difference between a qube running in HVM virt_mode, which is
what sys-net does, and a HVM as StandAlone.

There is a work round which you can try, which uses the Qubes
infrastructure.
Create a non networked firewall and attach the HVM to it.
This gives you a vif+ in the Ubuntu HVM.

Attach your qubes to the new firewall.
Change the routing and iptables on the new firewall to allow traffic
flows between the vif+ interfaces as appropriate.
Insert a new rule to forward DNS to your chosen server.

The advantage is this requires no configuration on the qube side, so you
can switch easily between different netvm egress points, by attaching to
different firewalls.
The native Qubes firewall tools work fine.

I do this to run OpenBSD as one of my netvms.

unman

[lit...@gmail.com]

It works!! Thanks very much unman, very cool trick

[lit...@gmail.com]

post your pf.conf?