From ed1b3bd8910859416283793dcb82e85639527de7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Nicolas=20Mass=C3=A9?=
Date: Fri, 12 Sep 2025 14:11:07 -0400
Subject: [PATCH] wip

---
 bootc/base/Containerfile | 2 +-
 bootc/scenario3a/root/etc/nftables/libvirt.nft | 17 +++++++++++------
 .../root/usr/local/bin/bootstrap-vm.sh | 4 ++--
 3 files changed, 14 insertions(+), 9 deletions(-)

diff --git a/bootc/base/Containerfile b/bootc/base/Containerfile
index 85314d5..6d84adb 100644
--- a/bootc/base/Containerfile
+++ b/bootc/base/Containerfile
@@ -11,7 +11,7 @@ dnf install -y https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarc
 dnf install -y mkpasswd podman skopeo flightctl-agent cockpit cockpit-machines cockpit-podman \
 cockpit-files cockpit-ostree cockpit-pcp cockpit-system libvirt libvirt-daemon-kvm \
 virt-install virt-top libguestfs-tools genisoimage greenboot greenboot-default-health-checks \
- stress-ng yq podman-compose tmux
+ stress-ng yq podman-compose tmux smartmontools hdparm tcpdump
 dnf clean all

 if [ -n "$ADMIN_USERNAME" ]; then
diff --git a/bootc/scenario3a/root/etc/nftables/libvirt.nft b/bootc/scenario3a/root/etc/nftables/libvirt.nft
index 39cb545..8a035a5 100755
--- a/bootc/scenario3a/root/etc/nftables/libvirt.nft
+++ b/bootc/scenario3a/root/etc/nftables/libvirt.nft
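Review bot: The `tcpdump` and `hdparm` added to the package line land in the base image that every scenario inherits, so each derived host ships packet-capture and raw-disk tooling whether or not anyone troubleshoots from that host; if they are for ad-hoc diagnostics, a scenario layer or a separate debug image keeps the base minimal. With a subject of "wip" there is nothing recording why they are needed; a comment placed above the `dnf install -y mkpasswd ...` command (not inside the backslash-continued list, where it would break the command) such as `# diagnostics: smartmontools/hdparm for disk health, tcpdump for network troubleshooting` would do. The install script continues outside the hunk.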
@@ -12,16 +12,21 @@ table ip libvirt-nat {
 type filter hook forward priority filter - 10
 policy accept

- iifname != "virbr0" ip daddr 192.168.122.2/24 tcp dport { 80 } ct state { new } counter accept
- ip daddr 192.168.122.2/24 ct state { related, established } counter accept
- ip saddr 192.168.122.2/24 ct state { related, established } counter accept
+ # Accept packets related to existing connections
+ ct state invalid counter drop
+ ct state { established, related } counter accept
+
+ oifname "virbr0" ip daddr 192.168.122.2/24 tcp dport { 80, 9090 } ct state { new } counter accept
 }

 chain Pre-Routing {
- type nat hook prerouting priority dstnat
+ type nat hook prerouting priority dstnat - 10
 policy accept

- # Redirect port 80 to the Nextcloud VM
- ip daddr 192.168.2.0/24 iifname != "virbr0" tcp dport { 80 } counter dnat to 192.168.122.2
+ # Redirect HTTP connections to the Nextcloud VM
+ iifname != "virbr0" ip daddr 192.168.2.0/24 tcp dport 80 counter dnat to 192.168.122.2
+
+ # Redirect Cockpit connections to the Nextcloud VM
+ iifname != "virbr0" ip daddr 192.168.2.0/24 tcp dport 9091 counter dnat to 192.168.122.2:9090
 }
 }
diff --git a/bootc/scenario3a/root/usr/local/bin/bootstrap-vm.sh b/bootc/scenario3a/root/usr/local/bin/bootstrap-vm.sh
index 731658b..0512d18 100755
--- a/bootc/scenario3a/root/usr/local/bin/bootstrap-vm.sh
+++ b/bootc/scenario3a/root/usr/local/bin/bootstrap-vm.sh
@@ -8,7 +8,7 @@ if [[ $# -ne 1 ]]; then
 fi
 VM="${1}"

-if [ -f "/var/lib/libvirt/images/${VM}/root.qcow2" ]; then
+if [ -d "/var/lib/libvirt/images/${VM}/" ]; then
 echo "VM ${VM} already exists. Please remove it first."
 exit 1
 fi
@@ -21,7 +21,7 @@ cleanup() {
 echo "An error occurred. Cleaning up..."
 virsh destroy "${VM}" || true
 virsh undefine "${VM}" --nvram || true
- rm -f "/var/lib/libvirt/images/${VM}/root.qcow2"
+ rm -rf "/var/lib/libvirt/images/${VM}/"
 fi
 }
 trap cleanup EXIT
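Review bot: The new `oifname "virbr0" ip daddr 192.168.122.2/24 tcp dport { 80, 9090 } ct state { new } counter accept` rule in the forward chain restricts nothing, because the chain keeps `policy accept` (context at the top of the hunk): any other new connection towards the VM subnet is accepted by the policy just the same, so the rule is only a counter. If this chain is meant to be the allow-list for the DNAT targets it needs `policy drop` plus an explicit accept for VM-originated traffic such as `iifname "virbr0" ct state new counter accept`; if filtering is deliberately left to libvirt's own forward chain, a comment saying so would stop the next reader from assuming this rule limits exposure. The `192.168.122.2/24` prefix with host bits set reads like one host but is treated as the whole 192.168.122.0/24 subnet; write `192.168.122.0/24`, or `192.168.122.2` without a mask if only the Nextcloud VM is meant. The `chain Forward` block starts before the hunk.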
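Review bot: The cleanup trap now runs `rm -rf "/var/lib/libvirt/images/${VM}/"` on a path built from the unvalidated positional argument `VM="${1}"` (context in the first hunk), so a name containing `/` or `..` lets the recursive delete reach outside the images directory, which the old single-file `rm -f` could not do to the same extent. The new `-d` check only refuses names whose directory already exists and does nothing for a path that escapes. Validating the name right after the assignment, e.g. `[[ "${VM}" =~ ^[A-Za-z0-9][A-Za-z0-9._-]*$ ]] || { echo "Invalid VM name: ${VM}" >&2; exit 1; }`, keeps both the existence check and the cleanup inside `/var/lib/libvirt/images/`. The `cleanup()` function and its enclosing `if` start before the second hunk.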