more dns-ification work
diff --git a/roles/config-virt/handlers/main.yml b/roles/config-virt/handlers/main.yml
new file mode 100644
index 0000000..d3708e6
--- /dev/null
+++ b/roles/config-virt/handlers/main.yml
@@ -0,0 +1,15 @@
+---
+# roles/juju-setup/handlers/tasks.yml
+
+- name: recreate default network
+  command: virsh net-destroy default ; virsh net-start default
+
+- name: reload libvirt-bin
+  service:
+    name=libvirt-bin
+    state=restarted
+
+- name: run qemu hook
+  command: /etc/libvirt/hooks/qemu start start
+
+
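Review bot: The `recreate default network` handler on the `virsh net-destroy default ; virsh net-start default` line will not restart the network, because Ansible's `command` module does not go through a shell, so `;`, `virsh`, `net-start` and `default` are passed as extra arguments to the first `virsh` call rather than starting a second command. Use the `shell` module for this one, e.g. `shell: virsh net-destroy default; virsh net-start default`, or split it into two handler tasks using `command`. The header comment `# roles/juju-setup/handlers/tasks.yml` also names a different role and file than the path this hunk creates (`roles/config-virt/handlers/main.yml`), so it should be corrected to avoid misleading the next reader. Note as well that none of these handlers set `become`, while the tasks that notify them run with `become: yes`; whether the play already runs privileged cannot be seen here, so confirm that `virsh`, `service` and the hook invocation actually run as root.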
diff --git a/roles/config-virt/tasks/main.yml b/roles/config-virt/tasks/main.yml
new file mode 100644
index 0000000..76f14ae
--- /dev/null
+++ b/roles/config-virt/tasks/main.yml
@@ -0,0 +1,28 @@
+---
+# roles/config-virt/main/tasks.yml
+
+- name: Get ubuntu image for uvtool
+  command: uvt-simplestreams-libvirt sync --source http://cloud-images.ubuntu.com/daily \
+    release={{ ansible_distribution_release }} arch=amd64
+
+- name: Have libvirt enable port forwarding to VM's
+  become: yes
+  template:
+    src={{ item }}.j2
+    dest=/etc/libvirt/hooks/{{ item }}
+    mode=0755 owner=root
+  with_items:
+    - daemon
+    - qemu
+  notify:
+    - reload libvirt-bin
+    - run qemu hook
+
+- name: configure libvirt mgmtbr network DHCP range and IP assignments
+  virt_net:
+    command=define
+    name=default
+    xml='{{ lookup("template", "default.xml.j2") }}'
+    autostart=yes
+    state=active
+
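Review bot: The trailing backslash in the `Get ubuntu image for uvtool` task is not a line continuation: `command:` is a plain multi-line YAML scalar, so the two lines are folded into one with the literal `\` kept, and that backslash ends up as (part of) an argument handed to `uvt-simplestreams-libvirt` rather than being dropped. Write the command as a folded block scalar instead, `command: >-` followed by the indented `uvt-simplestreams-libvirt sync --source http://cloud-images.ubuntu.com/daily release={{ ansible_distribution_release }} arch=amd64` on its own line(s), which joins the lines with spaces and no stray backslash. Separately, the image sync pulls from a plain `http://` source; simplestreams normally verifies the signed index, but it is worth confirming that uvt-simplestreams-libvirt is run with its signature check enabled here (and considering the `https://` mirror), since this image becomes the base for every head VM. The three tasks also mix `key=value` module arguments with block-style options; Ansible's convention is block YAML for module arguments (`src: "{{ item }}.j2"`, `mode: "0755"`), which would also keep the octal mode a string.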
diff --git a/roles/config-virt/templates/daemon.j2 b/roles/config-virt/templates/daemon.j2
new file mode 100644
index 0000000..c79bf4a
--- /dev/null
+++ b/roles/config-virt/templates/daemon.j2
@@ -0,0 +1,39 @@
+#!/bin/sh
+
+SHELL="/bin/bash"
+
+NIC=$( route|grep default|awk '{print $NF}' )
+
+NAME="${1}"
+OP="${2}"
+SUBOP="${3}"
+ARGS="${4}"
+
+add_port_fwd_rule() {
+    DPORT=$1
+    VMIP=$2
+    TOPORT=$3
+
+    iptables -t nat -C PREROUTING -p tcp -i $NIC --dport $DPORT -j DNAT --to-destination $VMIP:$TOPORT
+    if [ "$?" -ne 0 ]
+    then
+        iptables -t nat -A PREROUTING -p tcp -i $NIC --dport $DPORT -j DNAT --to-destination $VMIP:$TOPORT
+    fi
+}
+
+if [ "$OP" = "start" ] || [ "$OP" = "reload" ]
+then
+    iptables -t nat -F
+
+{% for vm in head_vm_list -%}
+{% if vm.forwarded_ports is defined -%}
+{% for port in vm.forwarded_ports -%}
+    add_port_fwd_rule {{ port.ext }} "{{ mgmtbr_prefix }}.{{ vm.ipv4_last_octet }}" {{ port.int }}
+{% endfor -%}
+{% endif -%}
+{% endfor -%}
+
+    # Also flush the filter table before rules re-added
+    iptables -F
+fi
+
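Review bot: `iptables -t nat -F` near the top of the start/reload branch and `iptables -F` at the end flush every chain in the nat and filter tables, not just the rules this hook owns, so each libvirtd start or reload silently discards libvirt's own MASQUERADE rules for the default network and any host firewall rules that were loaded independently, leaving the filter table at its default policies until something re-adds them. The FORWARD ACCEPT rules from the qemu hook are only re-added on the next VM start (or by the Ansible handler), so a plain `service libvirt-bin restart` outside Ansible would likely leave the host in an unintended state. A safer shape is a dedicated nat chain that this hook creates, jumps to from PREROUTING, and is the only thing it flushes; the `-C` check in `add_port_fwd_rule` then becomes unnecessary because the chain was just emptied. Also, `NIC` is derived from `route | grep default` with no check that it is non-empty, and an empty `$NIC` would turn `-i $NIC --dport` into `-i --dport`, so add `[ -n "$NIC" ] || exit 0` (or log) before touching iptables; `SHELL="/bin/bash"` is assigned but never used.

```shell
FWD_CHAIN="VM_PORTFWD"

add_port_fwd_rule() {
    DPORT=$1
    VMIP=$2
    TOPORT=$3
    # Chain was just flushed, so no -C check is needed before appending.
    iptables -t nat -A $FWD_CHAIN -p tcp --dport $DPORT -j DNAT --to-destination $VMIP:$TOPORT
}

if [ "$OP" = "start" ] || [ "$OP" = "reload" ]
then
    # Only this hook's chain is replaced; libvirt's own nat rules and the
    # host's filter rules are left alone.
    iptables -t nat -N $FWD_CHAIN 2>/dev/null
    iptables -t nat -F $FWD_CHAIN
    iptables -t nat -C PREROUTING -i $NIC -j $FWD_CHAIN 2>/dev/null \
        || iptables -t nat -A PREROUTING -i $NIC -j $FWD_CHAIN
# … unchanged: templated add_port_fwd_rule calls for head_vm_list …
fi
```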
diff --git a/roles/config-virt/templates/default.xml.j2 b/roles/config-virt/templates/default.xml.j2
new file mode 100644
index 0000000..5183aca
--- /dev/null
+++ b/roles/config-virt/templates/default.xml.j2
@@ -0,0 +1,19 @@
+<network>
+  <name>default</name>
+  <bridge name="virbr0"/>
+  <forward/>
+  <domain name="{{ site_suffix }}" localonly="no"/>
+  <dns>
+{% for ns in dns_servers %}
+  <forwarder addr="{{ ns }}"/>
+{% endfor %}
+  </dns>
+  <ip address="{{ mgmtbr_prefix }}.1" netmask="255.255.255.0">
+    <dhcp>
+      <range start="{{ mgmtbr_prefix }}.2" end="{{ mgmtbr_prefix }}.254"/>
+{% for vm in head_vm_list %}
+      <host name='{{ vm.name }}' ip='{{ mgmtbr_prefix }}.{{ vm.ipv4_last_octet }}'/>
+{% endfor %}
+    </dhcp>
+  </ip>
+</network>
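Review bot: The `<host name='…' ip='…'/>` reservations in the dhcp block carry no `mac` attribute, so the fixed address is keyed only on the hostname the DHCP client sends, and any guest on virbr0 that presents another head VM's name can claim that VM's IP and with it the DNAT'd ports the daemon hook points at `{{ mgmtbr_prefix }}.{{ vm.ipv4_last_octet }}`. If the VM definitions expose a MAC (they are not visible here), add it as `<host mac='{{ vm.mac }}' name='{{ vm.name }}' ip='…'/>` so the reservation binds to the interface rather than a client-chosen string. Two smaller points: `<domain name="{{ site_suffix }}" localonly="no"/>` forwards unresolved queries under the site domain to the `dns_servers` forwarders, which is fine if that domain exists upstream but leaks internal names otherwise, and `<forward/>` with no `mode` attribute relies on libvirt's default (NAT), which is worth stating explicitly as `<forward mode="nat"/>` since the hook scripts assume NAT behaviour. `{{ vm.name }}` and `{{ site_suffix }}` are also inserted into XML unescaped; a `| e` filter is cheap insurance.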
diff --git a/roles/config-virt/templates/qemu.j2 b/roles/config-virt/templates/qemu.j2
new file mode 100644
index 0000000..1c947f9
--- /dev/null
+++ b/roles/config-virt/templates/qemu.j2
@@ -0,0 +1,44 @@
+#!/bin/sh
+
+SHELL="/bin/bash"
+
+NIC=$( route|grep default|awk '{print $NF}' )
+PORTAL=$( dig +short portal.opencloud.us | tail -1 )
+
+NAME="${1}"
+OP="${2}"
+SUBOP="${3}"
+ARGS="${4}"
+
+add_rule() {
+    CHAIN=$1
+    ARGS=$2
+    iptables -C $CHAIN $ARGS
+    if [ "$?" -ne 0 ]
+    then
+        iptables -I $CHAIN 1 $ARGS
+    fi
+}
+
+add_local_access_rules() {
+    SUBNET=$( ip addr show $NIC|grep "inet "|awk '{print $2}' )
+    PRIVATENET=$( ip addr show virbr0|grep "inet "|awk '{print $2}' )
+    add_rule "FORWARD" "-s $SUBNET -j ACCEPT"
+    # Don't NAT traffic from service VMs destined to the local subnet
+    add_rule "POSTROUTING" "-t nat -s $PRIVATENET -d $SUBNET -j RETURN"
+}
+
+add_portal_access_rules() {
+    add_rule "FORWARD" "-s $PORTAL -j ACCEPT"
+}
+
+add_web_access_rules() {
+    add_rule "FORWARD" "-p tcp --dport 80 -j ACCEPT"
+}
+
+if [ "$OP" = "start" ]
+then
+	add_local_access_rules
+	add_portal_access_rules
+	add_web_access_rules
+fi
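Review bot: `add_portal_access_rules` passes `$PORTAL` straight into an iptables FORWARD ACCEPT rule, but `PORTAL` comes from `dig +short portal.opencloud.us | tail -1` at hook run time with no check that the lookup succeeded, so when DNS is unavailable the expanded arguments become `-s -j ACCEPT`, the `-I` fails, and because `add_rule` ignores the exit status the portal silently loses access until the next VM start. Guard it, e.g. `[ -n "$PORTAL" ] && add_rule "FORWARD" "-s $PORTAL -j ACCEPT"`, and consider logging the failure; the same empty-variable problem applies to `SUBNET` and `PRIVATENET` in `add_local_access_rules`. More fundamentally, a firewall ACCEPT whose source is whatever the resolver answered at that moment trusts DNS for an access-control decision and never updates if the record changes; if the portal address is stable, it would be better supplied as a templated variable like `mgmtbr_prefix` is. `add_web_access_rules` inserts `-p tcp --dport 80 -j ACCEPT` into FORWARD with no interface or destination match, so it permits forwarding any tcp/80 traffic through this host in either direction, not only to the VMs; restricting it with `-i $NIC -o virbr0` (or `-d $PRIVATENET`) would match the apparent intent. Also, `ARGS=$2` inside `add_rule` overwrites the global `ARGS="${4}"` set at the top of the script; it is unused afterwards, but `local ARGS=$2` (or a different name) avoids the surprise.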