proxy_ping_test

roles/ansible-gentoo_install/defaults/main.yml

@@ -14,7 +14,7 @@ AGI_PROXY_MODE: "{{PROXY_MODE|default('')}}"
 
 AGI_use_local_kernel: false
 AGI_install_disklabel: msdos
-AGI_install_timezone: UTC
+AGI_install_timezone: "{{ BASE_TIMEZONE|default('Etc/UTC') }}"
 AGI_install_locales:
   - en_US ISO-8859-1
   - en_US.UTF-8 UTF-8
@@ -28,9 +28,9 @@ AGI_install_network_interfaces:
     config: dhcp
 AGI_container_disk: /dev/vda
 
-AGI_install_syslog_daemon: syslog-ng # app-admin/sysklogd
-AGI_install_cron_daemon: cronie
-AGI_install_bootloader: syslinux
+AGI_install_syslog_daemon: syslog-ng # sysklogd
+AGI_install_cron_daemon: cronie # 
+AGI_install_bootloader: syslinux # grub:2
 
 AGI_install_syslinux_kernel_line:
   # this is required I think
@@ -48,11 +48,11 @@ AGI_install_syslinux_kernel_line:
   # =0x37f works too
   - vga=789
 # these may not all be needed or useful in a container
-  - pti=on
-  - iommu=pt
-  - amd_iommu=on
-  - intel_iommu=on
-  - debug
+#  - pti=on
+#  - iommu=pt
+#  - amd_iommu=on
+#  - intel_iommu=on
+#  - debug
 
 # remove the unused ones:
 AGI_install_syslinux_c32:

roles/ansible-gentoo_install/files/firewall.conf

@@ -0,0 +1,171 @@
+# Generated by iptables-save v1.8.5 on Wed Nov  4 01:14:37 2020
+*mangle
+:PREROUTING ACCEPT [0:0]
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+:POSTROUTING ACCEPT [0:0]
+:LIBVIRT_PRT - [0:0]
+-A INPUT -j LOG --log-prefix "iptables_libvirt mangle-i: " --log-uid
+-A POSTROUTING -j LIBVIRT_PRT
+COMMIT
+# Completed on Wed Nov  4 01:14:37 2020
+
+# Generated by iptables-save v1.8.5 on Wed Nov  4 01:14:37 2020
+*nat
+:PREROUTING ACCEPT [0:0]
+:INPUT ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+:POSTROUTING ACCEPT [0:0]
+:LIBVIRT_PRT - [0:0]
+
+# was ! -o lo
+-A OUTPUT -o wlan6 -p tcp --dport 53 -m tcp -j DNAT --to-destination 127.0.0.1:53
+-A OUTPUT -o wlan6 -p udp --dport 53 -m udp -j DNAT --to-destination 127.0.0.1:53
+
+# .onion mapped addresses redirection to Tor.
+-A OUTPUT -d 172.16.0.0/12 -p tcp -m tcp -j DNAT --to-destination 127.0.0.1:9040
+## Log.
+-A INPUT -j LOG --log-prefix "iptables_libvirt_nat-i: " --log-uid
+-A POSTROUTING -j LIBVIRT_PRT
+-A LIBVIRT_PRT -s 10.0.2.0/24 -d 224.0.0.0/24 -j RETURN
+-A LIBVIRT_PRT -s 10.0.2.0/24 -d 255.255.255.255/32 -j RETURN
+-A LIBVIRT_PRT -s 10.0.2.0/24 ! -d 10.0.2.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
+-A LIBVIRT_PRT -s 10.0.2.0/24 ! -d 10.0.2.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
+-A LIBVIRT_PRT -s 10.0.2.0/24 ! -d 10.0.2.0/24 -j MASQUERADE
+COMMIT
+# Completed on Wed Nov  4 01:14:37 2020
+# Generated by iptables-save v1.8.5 on Wed Nov  4 01:14:37 2020
+*filter
+:INPUT ACCEPT [0:0]
+:FORWARD DROP [0:0]
+:OUTPUT DROP [0:0]
+:LIBVIRT_FWI - [0:0]
+:LIBVIRT_FWO - [0:0]
+:LIBVIRT_FWX - [0:0]
+:LIBVIRT_INP - [0:0]
+:LIBVIRT_OUT - [0:0]
+
+## DROP PACKETS WITH INCOMING FRAGMENTS. THIS ATTACK ONCE RESULTED IN KERNEL PANICS
+-A INPUT -f -j DROP
+## DROP INCOMING MALFORMED XMAS PACKETS
+-A INPUT -p tcp --tcp-flags ALL ALL -j DROP
+## DROP INCOMING MALFORMED NULL PACKETS
+-A INPUT -p tcp --tcp-flags ALL NONE -j DROP
+
+-A INPUT -i lo -j ACCEPT
+## Traffic on the loopback interface is accepted.
+-A INPUT -i lo -j ACCEPT
+## Established incoming connections are accepted. RELATED?
+-A INPUT -m state --state ESTABLISHED -j ACCEPT
+### this is required for outgoing pings
+-A INPUT -i wlan6 -p icmp -j LOG --log-prefix "iptables_icmp_ACCEPT-i: " --log-uid
+-A INPUT -i wlan6 -p icmp -j ACCEPT
+
+# let dhcp through? - YES
+-A INPUT -i wlan6 -p udp -m udp --sport 137 -j DROP
+-A INPUT -i wlan6 -p udp -m udp --sport 138 -j DROP
+-A INPUT -i wlan6 -p udp -m udp --sport 139 -j DROP
+-A INPUT -i wlan6 -p tcp --sport 9055 -j DROP
+-A INPUT -i wlan6 -p tcp --sport 9054 -j DROP
+-A INPUT -i wlan6 -p tcp --sport 9053 -j DROP
+-A INPUT -i wlan6 -p tcp --sport 9051 -j DROP
+ -A INPUT -i wlan6 -p udp --sport 53 -j ACCEPT
+
+# SRC=0.0.0.0 DST=255.255.255.255 PROTO=UDP SPT=68 DPT=67
+-A INPUT -j LOG --log-prefix "iptables_libvirt_jLIBVIRT_INP-i: " --log-uid
+# -A INPUT -i wlan6 -p udp -j DROP
+-A INPUT  -i wlan6 -j DROP
+
+-A INPUT -j LIBVIRT_INP
+
+-A FORWARD -j LIBVIRT_FWX
+-A FORWARD -j LIBVIRT_FWI
+-A FORWARD -j LIBVIRT_FWO
+#d#-A OUTPUT -o wlan6 -p icmp -j LOG --log-prefix iptables_icmp_ACCEPT-o:  --log-uid
+## Traffic on the loopback interface is accepted.
+-A OUTPUT -o lo -j ACCEPT
+
+## Existing connections are accepted.
+-A OUTPUT -m state --state ESTABLISHED -j ACCEPT
+-A OUTPUT -o wlan6 -p icmp -j LOG --log-prefix "iptables_icmp_ACCEPT-o: " --log-uid
+-A OUTPUT -o wlan6 -p icmp -j ACCEPT
+# st-routers.mcast.net.
+-A OUTPUT -o wlan6 -p udp -d 224.0.0.0/8 -j REJECT
+
+## Accept outgoing connections to local network, Whonix-Workstation and VirtualBox,
+-A OUTPUT -d 192.168.1.0/24 -j ACCEPT
+-A OUTPUT -d 10.0.2.0/24 -j ACCEPT
+
+# gateway 
+#-A OUTPUT -d 10.0.2.0/24 -j ACCEPT
+
+-A OUTPUT -o wlan6 -d 10.16.238.0/24 -j ACCEPT
+-A OUTPUT -o wlan6 -d 10.0.0.0/8 -j DROP
+-A OUTPUT -o wlan6 -d 172.16.0.0/12 -j DROP
+#-A OUTPUT -o wlan6 -d 192.168.0.0/16 -j DROP
+-A OUTPUT -o wlan6 -d 224.0.0.0/4 -j DROP
+-A OUTPUT -o wlan6 -d 240.0.0.0/5 -j DROP
+
+# The ntp user is allowed to connect to services listening on the ntp port...
+# If root runs ntpdate manually you will see requests to port 53 UID=0
+#-A OUTPUT -o wlan6 -m owner --gid-owner 226 -p udp --dport 123 -j LOG --log-uid --log-prefix "iptables_123_ACCEPT-o: "
+-A OUTPUT -o wlan6 -m owner --gid-owner 226 -p UDP --dport 123 -j ACCEPT
+-A OUTPUT -o wlan6 -m owner --uid-owner 0 -p UDP --dport 123 -j ACCEPT
+#-A OUTPUT -o wlan6 -m tcp -p TCP --dport 22 -j LOG --log-uid --log-prefix "IPTABLES_ssh_REJECT: "
+-A OUTPUT -o wlan6 -m tcp -p TCP --dport 22 -j REJECT --reject-with icmp-port-unreachable
+#test-A OUTPUT -o virbr1 -m tcp -p TCP --dport 22 -j LOG --log-uid --log-prefix "iptables_: "
+-A OUTPUT -o wlan6 -m owner -p tcp --gid-owner 216 -j ACCEPT
+-A OUTPUT -o wlan6 -m owner --gid-owner 1 -j ACCEPT
+
+-A OUTPUT -o virbr1 -m tcp -p TCP --dport 22 -j ACCEPT
+-A OUTPUT -o virbr1 -m tcp -p TCP --dport 9028 -j LOG --log-uid --log-prefix "iptables_: "
+-A OUTPUT -o virbr1 -m tcp -p TCP --dport 9028 -j ACCEPT
+-A OUTPUT -o virbr1 -m tcp -p TCP --dport 9040 -j LOG --log-uid --log-prefix "iptables_: "
+-A OUTPUT -o virbr1 -m tcp -p TCP --dport 9040 -j ACCEPT
+-A OUTPUT -o virbr1 -m tcp -p TCP --dport 9050 -j LOG --log-uid --log-prefix "iptables_: "
+-A OUTPUT -o virbr1 -m tcp -p TCP --dport 9050 -j ACCEPT
+-A OUTPUT -o virbr1 -m tcp -p TCP --dport 9053 -j LOG --log-uid --log-prefix "iptables_: "
+-A OUTPUT -o virbr1 -m tcp -p TCP --dport 9053 -j ACCEPT
+-A OUTPUT -o virbr1 -m udp -p udp --dport 9053 -j ACCEPT
+-A OUTPUT -j LIBVIRT_OUT
+-A LIBVIRT_FWI -o virbr1 -j LOG --log-uid --log-prefix "IPTABLES_FWI_REJECT-o: "
+-A LIBVIRT_FWI -o virbr2 -j REJECT --reject-with icmp-port-unreachable
+
+-A LIBVIRT_FWI -d 10.0.2.0/24 -o virbr1 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+
+-A LIBVIRT_FWI -o virbr1 -j LOG --log-uid --log-prefix "IPTABLES_FWI_REJECT-o: "
+-A LIBVIRT_FWI -o virbr1 -j REJECT --reject-with icmp-port-unreachable
+
+-A LIBVIRT_FWO -i virbr2 -j LOG --log-uid --log-prefix "IPTABLES_FWO_REJECT-i: "
+-A LIBVIRT_FWO -i virbr2 -j REJECT --reject-with icmp-port-unreachable
+
+-A LIBVIRT_FWO -s 10.0.2.0/24 -i virbr1 -j ACCEPT
+
+-A LIBVIRT_FWO -i virbr1 -j LOG --log-uid --log-prefix "IPTABLES_FWO_REJECT-i: "
+-A LIBVIRT_FWO -i virbr1 -j REJECT --reject-with icmp-port-unreachable
+
+-A LIBVIRT_FWX -i virbr2 -o virbr2 -j ACCEPT
+-A LIBVIRT_FWX -i virbr1 -o virbr1 -j ACCEPT
+
+-A LIBVIRT_INP -i virbr2 -p udp -m udp --dport 53 -j ACCEPT
+-A LIBVIRT_INP -i virbr2 -p tcp -m tcp --dport 53 -j ACCEPT
+-A LIBVIRT_INP -i virbr2 -p udp -m udp --dport 67 -j ACCEPT
+-A LIBVIRT_INP -i virbr2 -p tcp -m tcp --dport 67 -j ACCEPT
+
+-A LIBVIRT_INP -i virbr1 -p udp -m udp --dport 53 -j ACCEPT
+-A LIBVIRT_INP -i virbr1 -p tcp -m tcp --dport 53 -j ACCEPT
+-A LIBVIRT_INP -i virbr1 -p udp -m udp --dport 67 -j ACCEPT
+-A LIBVIRT_INP -i virbr1 -p tcp -m tcp --dport 67 -j ACCEPT
+
+-A LIBVIRT_OUT -o virbr2 -p udp -m udp --dport 53 -j ACCEPT
+-A LIBVIRT_OUT -o virbr2 -p tcp -m tcp --dport 53 -j ACCEPT
+-A LIBVIRT_OUT -o virbr2 -p udp -m udp --dport 68 -j ACCEPT
+-A LIBVIRT_OUT -o virbr2 -p tcp -m tcp --dport 68 -j ACCEPT
+
+-A LIBVIRT_OUT -o virbr1 -p udp -m udp --dport 53 -j ACCEPT
+-A LIBVIRT_OUT -o virbr1 -p tcp -m tcp --dport 53 -j ACCEPT
+-A LIBVIRT_OUT -o virbr1 -p udp -m udp --dport 68 -j ACCEPT
+-A LIBVIRT_OUT -o virbr1 -p tcp -m tcp --dport 68 -j ACCEPT
+COMMIT
+# Completed on Wed Nov  4 01:14:37 2020

roles/ansible-gentoo_install/tasks/bootloader.yml

@@ -42,8 +42,8 @@
       label pentoo2019-Pen19-6.1.52-pentoo_2023_09_30_0x037f
         menu label pentoo2019_Pen19_6.1.52-pentoo_2023_09_30_0x037f
         menu default
-        kernel vmlinuz-6.1.52-pentoo_2023_09_30
-        INITRD initramfs-pentoo-x86_64-6.1.52-pentoo_2023_09_30.img
+        kernel /vmlinuz-6.1.52-pentoo_2023_09_30
+        INITRD /initramfs-pentoo-x86_64-6.1.52-pentoo_2023_09_30.img
         # was vga=0x315 
         APPEND root=LABEL=root {{''.join(AGI_install_syslinux_kernel_commands)}}
       
@@ -106,7 +106,39 @@
           -i /etc/default/grub
       grub-script-check  /etc/default/grub
 
-  when: AGI_install_bootloader == 'grub:2'
+  - name: roles/ansible-gentoo_install/tasks/
+    shell: |
+      LINE="rd.skipfsck=1  ipv6.disable=1 console=ttys0 lang=en keymap=us "
+      # LINE="$LINE pti=on doscsi iommu=pt  amd_iommu=on debugfs=off efi=disable_early_pci_dma extra_latent_entropy init_on_free=1 kvm.nx_huge_pages=force l1tf=full,force mce=0 mds=full,nosmt nosmt=force page_alloc.shuffle=1 pti=on random.trust_cpu=off slab_nomerge slub_debug=FZ spec_store_bypass_disable=on spectre_v2=on tsx_async_abort=full,nosmt vsyscall=none "
+      LINE="$LINE intel_iommu=on vga=0x315 text
+      df | grep /boot || mount /dev/vda1 /boot
+      [ -d /boot/grub ] || exit 2
+      [ -f /boot/grub/grub.cfg ] || exit 3
+      cd /
+      # boot/initramfs-pentoo-x86_64-6.1.52-pentoo_2023_09_30.img
+
+  - name: /etc/default/grub
+    lineinfile:
+      dest: /etc/default/grub
+      line: '{{item.from}}="{{item.to}}"'
+      regexp: '^#*{{item.from}}=.*'
+    with_items:
+      # Append parameters to the linux kernel command line for non-recovery entries
+      - from: GRUB_CMDLINE_LINUX_DEFAULT
+        to: " rd.skipfsck=1 ipv6.disable=1 console=ttyS0 lang=en keymap=us intel_iommu=on vga=0x315 text"
+      # The resolution used on graphical terminal.
+    # Note that you can use only modes which your graphic card supports via VBE.
+    # You can see them in real GRUB with the command `vbeinfo'.
+      - from: GRUB_GFXMODE
+        to: 640x480
+      # Set to 'text' to force the Linux kernel to boot in normal text
+      - from: GRUB_GFXPAYLOAD_LINUX
+        to: text
+      # Uncomment if you don't want GRUB to pass "root=UUID=xxx" parameter to kernel
+      - from: GRUB_DISABLE_LINUX_UUID
+        to: true
+
+    when: AGI_install_bootloader == 'grub:2'
   
 - name: fstab root
   lineinfile:
@@ -151,54 +183,36 @@
     dest: /etc/conf.d/consolefont
     line: 'consolefont="ter-v{{AGI_consolefont_font_size}}b"'
     regexp: '^consolefont=.*'
-
-- name: /etc/default/grub
-  lineinfile:
-    dest: /etc/default/grub
-    line: '{{item.from}}="{{item.to}}"'
-    regexp: '^#*{{item.from}}=.*'
-  with_items:
-    # Append parameters to the linux kernel command line for non-recovery entries
-    - from: GRUB_CMDLINE_LINUX_DEFAULT
-      to: " rd.skipfsck=1 ipv6.disable=1 console=tty1 lang=en keymap=us intel_iommu=on vga=0x315 text"
-    # The resolution used on graphical terminal.
-  # Note that you can use only modes which your graphic card supports via VBE.
-  # You can see them in real GRUB with the command `vbeinfo'.
-    - from: GRUB_GFXMODE
-      to: 640x480
-    # Set to 'text' to force the Linux kernel to boot in normal text
-    - from: GRUB_GFXPAYLOAD_LINUX
-      to: text
-    # Uncomment if you don't want GRUB to pass "root=UUID=xxx" parameter to kernel
-    - from: GRUB_DISABLE_LINUX_UUID
-      to: true
-
-- name: roles/ansible-gentoo_install/tasks/
-  shell: |
-    LINE="rd.skipfsck=1  ipv6.disable=1 console=tty1 lang=en keymap=us "
-    # LINE="$LINE pti=on doscsi iommu=pt  amd_iommu=on debugfs=off efi=disable_early_pci_dma extra_latent_entropy init_on_free=1 kvm.nx_huge_pages=force l1tf=full,force mce=0 mds=full,nosmt nosmt=force page_alloc.shuffle=1 pti=on random.trust_cpu=off slab_nomerge slub_debug=FZ spec_store_bypass_disable=on spectre_v2=on tsx_async_abort=full,nosmt vsyscall=none "
-    LINE="$LINE intel_iommu=on vga=0x315 text
-    df | grep /boot || mount /dev/vda1 /boot
-    [ -d /boot/grub ] || exit 2
-    [ -f /boot/grub/grub.cfg ] || exit 3
-    cd /
-#    ln -s boot/vmlinuz* vmlinuz
-    # boot/initramfs-pentoo-x86_64-6.1.52-pentoo_2023_09_30.img
-    ln -s boot/initramfs* initrd.img
-
+ 
 - name: consolefont
   shell: |
-    cat >> /etc/rc.local << EOF
+    grep -q /etc/init.d/consolefont /etc/rc.local || \
+      cat >> /etc/rc.local << EOF
+    #!/bin/sh
     /etc/init.d consolefont stop
     /etc/init.d consolefont start
-    stty -F /dev/tty1 cols 80 rows 24
+    # these are right for ter-v28b consolefont
+    if tty|grep -q /dev/ttyS0 ; then   
+        stty cols 80 rows 35 
+    elif tty|grep -q /dev/tty[1-6] ; then
+        stty cols 80 rows 22
+    fi 
     EOF
-    bash /etc/rc.local
+    chmod 755 /etc/rc.local
   ignore_errors: true
 
 - name: rc-update add bootlogd boot
   shell: |
+    [ -d /etc/modules-load.d ] || mkdir /etc/modules-load.d
+    [ -f /etc/modules-load.d/virtio.conf ] || \
+        echo "{{'\n'.join(AGI_bootstrap_modules)}}" \
+        > /etc/modules-load.d/virtio.conf
     rc-update add consolefont
     rc-update | grep -q 'bootlogd .* boot' || \
       rc-update add bootlogd boot
+    grep -q '^s0:' /etc/inittab || \
+        sed -e 's/^#s0:/s0:/' /etc/inittab
+
+
     exit 0
+

roles/ansible-gentoo_install/tasks/chroot.yml

@@ -18,9 +18,11 @@
 
 - name: copy resolv.conf into chroot
   copy:
-    src: /etc/resolv.conf
-    dest: "{{AGI_NBD_MP}}/etc/resolv.conf"
+    src: "/{{item}}"
+    dest: "{{AGI_NBD_MP}}/{{item}}"
+    mode: '0644'
     remote_src: yes
+  with_items: "{{AGI_bootstrap_files}}"
   when: not ansible_check_mode
 
 - name: mount /proc in chroot

roles/ansible-gentoo_install/tasks/libvirt.yml

@@ -0,0 +1,23 @@
+# -*- mode: yaml; indent-tabs-mode: nil; tab-width: 2; coding: utf-8-unix -*-
+# localhost
+---
+- name: "DEBUG: ansible-gentoo_install libvirt"
+  debug:
+    verbosity: 1
+    msg: "DEBUG: ansible-gentoo_install libvirt"
+
+- name: test we are NOT in the chroot
+  shell: |
+    [ -n "{{AGI_NBD_MP}}" ] || exit 2
+    [ -d "{{AGI_NBD_MP}}" ] || exit 3
+  check_mode: false
+
+# - name: setup libvirt network
+# - name: setup libvirt iptables
+# net.ipv4.conf.virbr1.forwarding = 1
+# net.ipv4.ip_forward = 1
+# mkdir /etc/libvirt/qemu
+# qemu-ga -D > /etc/libvirt/qemu/qemu-ga.conf
+#    for elt in  unix-listen virtio-serial isa-serial vsock-listen ; do
+# /etc/conf.d/qemu-ga
+

roles/ansible-gentoo_install/tasks/local.yml

@@ -85,6 +85,7 @@
       state: mounted
     check_mode: false
 
+  - include: libvirt.yml
   - include: tarball.yml
   - include: copy.yml
     when: AGI_use_local_kernel

roles/ansible-gentoo_install/tasks/main.yml

@@ -131,13 +131,10 @@
       var: ansible_gentooimgr_out
 
   check_mode: false
-  when:
-    - ansible_connection in ['chroot', 'local', 'libvirt_qemu']
-    - ansible_distribution == 'Gentoo' or BOX_GENTOO_FROM_MP not in ['/', '']
-#    - nbd_disk|default('') == AGI_NBD_DISK
 
-- name: include_tasks local.yml
-  include_tasks: local.yml
+  - name: include_tasks local.yml
+    include_tasks: local.yml
+
   when:
     - ansible_connection in ['chroot', 'local']
     - ansible_distribution == 'Gentoo' or BOX_GENTOO_FROM_MP not in ['/', '']

roles/ansible-gentoo_install/tasks/misc.yml

@@ -15,6 +15,10 @@
     for elt in {{ AGI_bootstrap_mountpoints|join(' ') }} ; do
         [ -d $elt ] || mkdir $elt
       done
+    # 700 files from ansible umask
+    find /usr/local/*bin/ /usr/local/etc/ -name '*sh' -exec chmod 755 {} \;
+    find /usr/local/ -type f -exec chown ${BOX_USER_NAME}:${BOX_USER_GROUP} {} \;
+
     exit 0
   when: AGI_bootstrap_mountpoints|default([])|length > 0
 
@@ -32,7 +36,7 @@
     dest: /etc/localtime
     src: /usr/share/zoneinfo/{{ AGI_install_timezone }}
     state: link
-    force: yes
+    force: no
 
 - name: configure locales
   lineinfile:

roles/ansible-gentoo_install/templates/etc/firewall_External-tor.conf

@@ -0,0 +1,171 @@
+# Generated by iptables-save v1.8.5 on Wed Nov  4 01:14:37 2020
+*mangle
+:PREROUTING ACCEPT [0:0]
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+:POSTROUTING ACCEPT [0:0]
+:LIBVIRT_PRT - [0:0]
+-A INPUT -j LOG --log-prefix "iptables_libvirt mangle-i: " --log-uid
+-A POSTROUTING -j LIBVIRT_PRT
+COMMIT
+# Completed on Wed Nov  4 01:14:37 2020
+
+# Generated by iptables-save v1.8.5 on Wed Nov  4 01:14:37 2020
+*nat
+:PREROUTING ACCEPT [0:0]
+:INPUT ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+:POSTROUTING ACCEPT [0:0]
+:LIBVIRT_PRT - [0:0]
+
+# was ! -o lo
+-A OUTPUT -o wlan6 -p tcp --dport 53 -m tcp -j DNAT --to-destination 127.0.0.1:53
+-A OUTPUT -o wlan6 -p udp --dport 53 -m udp -j DNAT --to-destination 127.0.0.1:53
+
+# .onion mapped addresses redirection to Tor.
+-A OUTPUT -d 172.16.0.0/12 -p tcp -m tcp -j DNAT --to-destination 127.0.0.1:9040
+## Log.
+-A INPUT -j LOG --log-prefix "iptables_libvirt_nat-i: " --log-uid
+-A POSTROUTING -j LIBVIRT_PRT
+-A LIBVIRT_PRT -s 10.0.2.0/24 -d 224.0.0.0/24 -j RETURN
+-A LIBVIRT_PRT -s 10.0.2.0/24 -d 255.255.255.255/32 -j RETURN
+-A LIBVIRT_PRT -s 10.0.2.0/24 ! -d 10.0.2.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
+-A LIBVIRT_PRT -s 10.0.2.0/24 ! -d 10.0.2.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
+-A LIBVIRT_PRT -s 10.0.2.0/24 ! -d 10.0.2.0/24 -j MASQUERADE
+COMMIT
+# Completed on Wed Nov  4 01:14:37 2020
+# Generated by iptables-save v1.8.5 on Wed Nov  4 01:14:37 2020
+*filter
+:INPUT ACCEPT [0:0]
+:FORWARD DROP [0:0]
+:OUTPUT DROP [0:0]
+:LIBVIRT_FWI - [0:0]
+:LIBVIRT_FWO - [0:0]
+:LIBVIRT_FWX - [0:0]
+:LIBVIRT_INP - [0:0]
+:LIBVIRT_OUT - [0:0]
+
+## DROP PACKETS WITH INCOMING FRAGMENTS. THIS ATTACK ONCE RESULTED IN KERNEL PANICS
+-A INPUT -f -j DROP
+## DROP INCOMING MALFORMED XMAS PACKETS
+-A INPUT -p tcp --tcp-flags ALL ALL -j DROP
+## DROP INCOMING MALFORMED NULL PACKETS
+-A INPUT -p tcp --tcp-flags ALL NONE -j DROP
+
+-A INPUT -i lo -j ACCEPT
+## Traffic on the loopback interface is accepted.
+-A INPUT -i lo -j ACCEPT
+## Established incoming connections are accepted. RELATED?
+-A INPUT -m state --state ESTABLISHED -j ACCEPT
+### this is required for outgoing pings
+-A INPUT -i wlan6 -p icmp -j LOG --log-prefix "iptables_icmp_ACCEPT-i: " --log-uid
+-A INPUT -i wlan6 -p icmp -j ACCEPT
+
+# let dhcp through? - YES
+-A INPUT -i wlan6 -p udp -m udp --sport 137 -j DROP
+-A INPUT -i wlan6 -p udp -m udp --sport 138 -j DROP
+-A INPUT -i wlan6 -p udp -m udp --sport 139 -j DROP
+-A INPUT -i wlan6 -p tcp --sport 9055 -j DROP
+-A INPUT -i wlan6 -p tcp --sport 9054 -j DROP
+-A INPUT -i wlan6 -p tcp --sport 9053 -j DROP
+-A INPUT -i wlan6 -p tcp --sport 9051 -j DROP
+ -A INPUT -i wlan6 -p udp --sport 53 -j ACCEPT
+
+# SRC=0.0.0.0 DST=255.255.255.255 PROTO=UDP SPT=68 DPT=67
+-A INPUT -j LOG --log-prefix "iptables_libvirt_jLIBVIRT_INP-i: " --log-uid
+# -A INPUT -i wlan6 -p udp -j DROP
+-A INPUT  -i wlan6 -j DROP
+
+-A INPUT -j LIBVIRT_INP
+
+-A FORWARD -j LIBVIRT_FWX
+-A FORWARD -j LIBVIRT_FWI
+-A FORWARD -j LIBVIRT_FWO
+#d#-A OUTPUT -o wlan6 -p icmp -j LOG --log-prefix iptables_icmp_ACCEPT-o:  --log-uid
+## Traffic on the loopback interface is accepted.
+-A OUTPUT -o lo -j ACCEPT
+
+## Existing connections are accepted.
+-A OUTPUT -m state --state ESTABLISHED -j ACCEPT
+-A OUTPUT -o wlan6 -p icmp -j LOG --log-prefix "iptables_icmp_ACCEPT-o: " --log-uid
+-A OUTPUT -o wlan6 -p icmp -j ACCEPT
+# st-routers.mcast.net.
+-A OUTPUT -o wlan6 -p udp -d 224.0.0.0/8 -j REJECT
+
+## Accept outgoing connections to local network, Whonix-Workstation and VirtualBox,
+-A OUTPUT -d 192.168.1.0/24 -j ACCEPT
+-A OUTPUT -d 10.0.2.0/24 -j ACCEPT
+
+# gateway 
+#-A OUTPUT -d 10.0.2.0/24 -j ACCEPT
+
+-A OUTPUT -o wlan6 -d 10.16.238.0/24 -j ACCEPT
+-A OUTPUT -o wlan6 -d 10.0.0.0/8 -j DROP
+-A OUTPUT -o wlan6 -d 172.16.0.0/12 -j DROP
+#-A OUTPUT -o wlan6 -d 192.168.0.0/16 -j DROP
+-A OUTPUT -o wlan6 -d 224.0.0.0/4 -j DROP
+-A OUTPUT -o wlan6 -d 240.0.0.0/5 -j DROP
+
+# The ntp user is allowed to connect to services listening on the ntp port...
+# If root runs ntpdate manually you will see requests to port 53 UID=0
+#-A OUTPUT -o wlan6 -m owner --gid-owner 226 -p udp --dport 123 -j LOG --log-uid --log-prefix "iptables_123_ACCEPT-o: "
+-A OUTPUT -o wlan6 -m owner --gid-owner 226 -p UDP --dport 123 -j ACCEPT
+-A OUTPUT -o wlan6 -m owner --uid-owner 0 -p UDP --dport 123 -j ACCEPT
+#-A OUTPUT -o wlan6 -m tcp -p TCP --dport 22 -j LOG --log-uid --log-prefix "IPTABLES_ssh_REJECT: "
+-A OUTPUT -o wlan6 -m tcp -p TCP --dport 22 -j REJECT --reject-with icmp-port-unreachable
+#test-A OUTPUT -o virbr1 -m tcp -p TCP --dport 22 -j LOG --log-uid --log-prefix "iptables_: "
+-A OUTPUT -o wlan6 -m owner -p tcp --gid-owner 216 -j ACCEPT
+-A OUTPUT -o wlan6 -m owner --gid-owner 1 -j ACCEPT
+
+-A OUTPUT -o virbr1 -m tcp -p TCP --dport 22 -j ACCEPT
+-A OUTPUT -o virbr1 -m tcp -p TCP --dport 9028 -j LOG --log-uid --log-prefix "iptables_: "
+-A OUTPUT -o virbr1 -m tcp -p TCP --dport 9028 -j ACCEPT
+-A OUTPUT -o virbr1 -m tcp -p TCP --dport 9040 -j LOG --log-uid --log-prefix "iptables_: "
+-A OUTPUT -o virbr1 -m tcp -p TCP --dport 9040 -j ACCEPT
+-A OUTPUT -o virbr1 -m tcp -p TCP --dport 9050 -j LOG --log-uid --log-prefix "iptables_: "
+-A OUTPUT -o virbr1 -m tcp -p TCP --dport 9050 -j ACCEPT
+-A OUTPUT -o virbr1 -m tcp -p TCP --dport 9053 -j LOG --log-uid --log-prefix "iptables_: "
+-A OUTPUT -o virbr1 -m tcp -p TCP --dport 9053 -j ACCEPT
+-A OUTPUT -o virbr1 -m udp -p udp --dport 9053 -j ACCEPT
+-A OUTPUT -j LIBVIRT_OUT
+-A LIBVIRT_FWI -o virbr1 -j LOG --log-uid --log-prefix "IPTABLES_FWI_REJECT-o: "
+-A LIBVIRT_FWI -o virbr2 -j REJECT --reject-with icmp-port-unreachable
+
+-A LIBVIRT_FWI -d 10.0.2.0/24 -o virbr1 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+
+-A LIBVIRT_FWI -o virbr1 -j LOG --log-uid --log-prefix "IPTABLES_FWI_REJECT-o: "
+-A LIBVIRT_FWI -o virbr1 -j REJECT --reject-with icmp-port-unreachable
+
+-A LIBVIRT_FWO -i virbr2 -j LOG --log-uid --log-prefix "IPTABLES_FWO_REJECT-i: "
+-A LIBVIRT_FWO -i virbr2 -j REJECT --reject-with icmp-port-unreachable
+
+-A LIBVIRT_FWO -s 10.0.2.0/24 -i virbr1 -j ACCEPT
+
+-A LIBVIRT_FWO -i virbr1 -j LOG --log-uid --log-prefix "IPTABLES_FWO_REJECT-i: "
+-A LIBVIRT_FWO -i virbr1 -j REJECT --reject-with icmp-port-unreachable
+
+-A LIBVIRT_FWX -i virbr2 -o virbr2 -j ACCEPT
+-A LIBVIRT_FWX -i virbr1 -o virbr1 -j ACCEPT
+
+-A LIBVIRT_INP -i virbr2 -p udp -m udp --dport 53 -j ACCEPT
+-A LIBVIRT_INP -i virbr2 -p tcp -m tcp --dport 53 -j ACCEPT
+-A LIBVIRT_INP -i virbr2 -p udp -m udp --dport 67 -j ACCEPT
+-A LIBVIRT_INP -i virbr2 -p tcp -m tcp --dport 67 -j ACCEPT
+
+-A LIBVIRT_INP -i virbr1 -p udp -m udp --dport 53 -j ACCEPT
+-A LIBVIRT_INP -i virbr1 -p tcp -m tcp --dport 53 -j ACCEPT
+-A LIBVIRT_INP -i virbr1 -p udp -m udp --dport 67 -j ACCEPT
+-A LIBVIRT_INP -i virbr1 -p tcp -m tcp --dport 67 -j ACCEPT
+
+-A LIBVIRT_OUT -o virbr2 -p udp -m udp --dport 53 -j ACCEPT
+-A LIBVIRT_OUT -o virbr2 -p tcp -m tcp --dport 53 -j ACCEPT
+-A LIBVIRT_OUT -o virbr2 -p udp -m udp --dport 68 -j ACCEPT
+-A LIBVIRT_OUT -o virbr2 -p tcp -m tcp --dport 68 -j ACCEPT
+
+-A LIBVIRT_OUT -o virbr1 -p udp -m udp --dport 53 -j ACCEPT
+-A LIBVIRT_OUT -o virbr1 -p tcp -m tcp --dport 53 -j ACCEPT
+-A LIBVIRT_OUT -o virbr1 -p udp -m udp --dport 68 -j ACCEPT
+-A LIBVIRT_OUT -o virbr1 -p tcp -m tcp --dport 68 -j ACCEPT
+COMMIT
+# Completed on Wed Nov  4 01:14:37 2020

roles/ansible-gentoo_install/templates/etc/libvirt/qemu/networks/External.xml

@@ -0,0 +1,18 @@
+<!--
+WARNING: THIS IS AN AUTO-GENERATED FILE. CHANGES TO IT ARE LIKELY TO BE
+OVERWRITTEN AND LOST. Changes to this xml configuration should be made using:
+  virsh net-edit Whonix-External
+or other application using the libvirt API.
+-->
+
+<network>
+  <name>External</name>
+  <forward mode='nat'/>
+  <bridge name='virbr1' stp='on' delay='0'/>
+  <mac address='52:54:00:f7:fb:37'/>
+  <ip address='10.0.2.2' netmask='255.255.255.0'>
+    <dhcp>
+      <range start='10.0.2.20' end='10.0.2.254'/>
+    </dhcp>
+  </ip>
+</network>

roles/ansible-gentoo_install/vars/target_Gentoo2.yml

@@ -27,6 +27,9 @@ AGI_bootstrap_links:
   - from: /var/db/repos/gentoo
     to: /usr/portage
 
+AGI_bootstrap_modules:
+  - virtio_console
+  
 # NO LEADING /
 AGI_bootstrap_dirs:
   - usr/local/etc/local.d
@@ -49,6 +52,8 @@ AGI_bootstrap_files:
   - usr/local/etc/local.d/local.bash
   - usr/local/bin/usr_local_tput.bash
   - usr/local/bin/proxy_export.bash
+  - etc/hosts
+  - etc/resolv.conf
 
 AGI_bootstrap_uris:
   - http://distfiles.gentoo.org/distfiles/00/elfutils-0.190.tar.bz2
@@ -56,24 +61,35 @@ AGI_bootstrap_uris:
   - http://distfiles.gentoo.org/distfiles/60/shared-mime-info-2.2.tar.gz
   - http://distfiles.gentoo.org/distfiles/fc/qemu-8.0.3.tar.xz
 
+AGI_bootstrap_pips3:
+   - negotiator-guest
+   
+#    proxy_pkgs_inst:
 AGI_bootstrap_pkgs:
   - app-admin/sudo
   - sys-boot/grub:2
+  - sys-boot/syslinux
   - app-editors/mg
   - qemu-guest-agent
-  - app-admin/logrotate
-  - "sys-process/{{ AGI_install_cron_daemon }}"
-  - "{{ AGI_install_syslog_daemon}}"
-  - "sys-boot/{{ AGI_install_bootloader }}"  
-  - media-fonts/terminus-font
   - sys-apps/gptfdisk
   - net-analyzer/openbsd-netcat
+  - app-admin/logrotate
+  - "sys-process/{{ AGI_install_cron_daemon }}"
+  - "app-admin/{{ AGI_install_syslog_daemon}}"
+  - "sys-boot/{{ AGI_install_bootloader }}"  
+  - media-fonts/terminus-font
+  - net-misc/curl
+  - app-arch/unzip
+  - net-libs/pacparser
   - sys-process/lsof
   - dev-util/strace
-  - sys-libs/gpm
   - app-portage/eix
-  - net-misc/curl
+  - sys-libs/gpm
   - linux-firmware
+  - net-dns/bind-tools
+#  - www-client/lynx
+  - app-admin/supervisor
+  - dev-python/pip
 
 AGI_cloud_pkgs:
   # get these from base.json
@@ -94,4 +110,3 @@ AGI_cloud_pkgs:
   # get these from config.json
 #  - app-emulation/cloud-init
 #  - sys-block/open-iscsi
-

roles/toxcore/vars/mask.txt

@@ -0,0 +1,15 @@
+
+# /etc/portage/package.mask/2023_BROKEN.txt qemu
+      =app-emulation/qemu-guest-agent-8.0.2%
+
+# /etc/portage/package.mask/2023_BROKEN.txt qemu
+      =app-emulation/qemu-guest-agent-8.0.0%
+
+# /etc/portage/package.mask/2023_BROKEN.txt qemu
+      =app-emulation/qemu-guest-agent-8.0.3%
+
+# /etc/portage/package.mask/2023_BROKEN.txt libvirt
+      =app-emulation/libvirt-9.4.0-r1%
+
+# /etc/portage/package.mask/2022_BLOCKED.txt docker
+      app-containers/docker-compose%

roles/toxcore/vars/use.txt

@@ -0,0 +1,114 @@
+
+# /etc/portage/package.use/2017-01-01_libguestfs.txt iptables
+      net-firewall/iptables% nftables ipv6
+
+# /etc/portage/package.use/2017-08_testdisk.txt testdisk
+      app-admin/testdisk% ntfs qt5 -ewf
+
+# /etc/portage/package.use/2020-01_static-libs.txt zstd
+      app-arch/zstd% static-libs
+
+# /etc/portage/package.use/2020-03_jq.txt jq
+      app-misc/jq% oniguruma
+
+# /etc/portage/package.use/2016-11_world.txt libvpx
+      media-libs/libvpx% svc
+
+# /etc/portage/package.use/2019-02_electron.txt libvpx
+      media-libs/libvpx% postproc svc
+
+# /etc/portage/package.use/2021-04_world.txt libxcb
+      x11-libs/libxcb% xkb
+
+# /etc/portage/package.use/2018-01_qt.txt libxkbcommon
+      x11-libs/libxkbcommon% X tools
+
+# /etc/portage/package.use/2020-01_readline.txt libxml2
+      dev-libs/libxml2% -readline
+
+# /etc/portage/package.use/2021-00_verify-sig.txt libxml2
+      dev-libs/libxml2:2% verify-sig
+
+# /etc/portage/package.use/2021-04_world.txt libxml2
+      dev-libs/libxml2%  python icu ipv6 lzma
+
+# /etc/portage/package.use/2021-00_verify-sig.txt libvirt-python
+      dev-python/libvirt-python% verify-sig
+
+# /etc/portage/package.use/2021-08_wafw00f.txt requests
+      dev-python/requests% socks5
+
+# /etc/portage/package.use/2020-00_dbus.txt dbus
+      sys-apps/dbus% X elogind -systemd
+
+# /etc/portage/package.use/2020-01_dbus.txt dbus
+      sys-apps/dbus% X elogind -systemd
+
+# /etc/portage/package.use/2021-01_wayland.txt gtk+
+      x11-libs/gtk+% X -wayland
+
+# /etc/portage/package.use/2021-04_world.txt vte
+      x11-libs/vte% crypt -icu introspection vala -debug -gtk-doc -systemd -vanilla
+
+# /etc/portage/package.use/2022-01_xterms.txt vte
+      x11-libs/vte% vanilla
+
+# /etc/portage/package.use/2021-00_verify-sig.txt zfs-kmod
+      sys-fs/zfs-kmod% verify-sig
+
+# /etc/portage/package.use/2021-00_verify-sig.txt zfs
+      sys-fs/zfs% verify-sig
+
+# /etc/portage/package.use/2021-00_verify-sig.txt zfs
+      sys-fs/zfs-kmod% verify-sig
+
+# /etc/portage/package.use/2020-01_nls.txt qemu
+      app-emulation/qemu% -nls
+
+# /etc/portage/package.use/2021-04_qemu.txt qemu
+      app-emulation/qemu% -accessibility aio alsa bzip2 caps -capstone curl -debug doc fdt filecaps -fuse -glusterfs gnutls gtk -infiniband -io-uring -iscsi -jack -jemalloc jpeg lzo -multipath ncurses -nfs -nls numa opengl -oss pin-upstream-blobs plugins png -pulseaudio python -rbd sasl sdl sdl-image seccomp -selinux -slirp -smartcard snappy spice ssh -static -static-user -systemtap -test -udev usb usbredir vde vhost-net vhost-user-fs virgl virtfs vnc vte xattr -xen xfs zstd #
+
+# /etc/portage/package.use/2023-00_python-3.11.txt qemu
+      app-emulation/qemu%  -python_single_target_python3_10 python_single_target_python3_11 python_single_target_python3_11 -python_single_target_python3_10
+
+# /etc/portage/package.use/2019-11_aqemu.txt aqemu
+      app-emulation/aqemu% vnc
+
+# /etc/portage/package.use/2019-09_spice-gtk.txt spice-gtk
+      >=net-misc/spice-gtk-0.35% usbredir
+
+# /etc/portage/package.use/2020-01_polkit.txt spice-gtk
+      net-misc/spice-gtk% policykit
+
+# /etc/portage/package.use/2020-01_polkit.txt libvirt
+      app-emulation/libvirt% apparmor audit -bash-completion caps -dbus -dtrace -firewalld fuse -glusterfs -iscsi -iscsi-direct libssh libvirtd lvm lxc -macvtap -nfs -nls numa -openvz parted pcap -policykit qemu -rbd -sasl -selinux udev vepa verify-sig virt-network virtualbox -wireshark-plugins -xen -zfs
+
+# /etc/portage/package.use/2020-10_nfs.txt libvirt
+      app-emulation/libvirt% -nfs
+
+# /etc/portage/package.use/2021-00_verify-sig.txt libvirt
+      app-emulation/libvirt% verify-sig
+
+# /etc/portage/package.use/2021-00_verify-sig.txt libvirt
+      dev-python/libvirt-python% verify-sig
+
+# /etc/portage/package.use/2020-01_polkit.txt virt-manager
+      app-emulation/virt-manager% gtk -policykit virtualbox libvirtd caps dbus fuse libssh lxc macvtap numa parted pcap policykit qemu vepa virt-network
+
+# /etc/portage/package.use/2019-11_qxl.txt xf86-video-qxl
+      x11-drivers/xf86-video-qxl% xspice
+
+# /etc/portage/package.use/2019-11_libguestfs.txt libguestfs
+      app-emulation/libguestfs% parted virtualbox libvirt -erlang -lua perl fuse gtk inspect-icons introspection -ocaml python -ruby
+
+# /etc/portage/package.use/2023-00_python-3.11.txt libguestfs
+      app-emulation/libguestfs% python_single_target_python3_11
+
+# /etc/portage/package.use/2021-00_verify-sig.txt libvirt-python
+      dev-python/libvirt-python% verify-sig
+
+# /etc/portage/package.use/2017-02_docker.txt tini
+      sys-process/tini% static args
+
+# /etc/portage/package.use/2017-02_docker.txt docker
+      app-containers/docker% btrfs