First net.py propagation poc
This commit is contained in:
parent
224a290cdf
commit
893d3f1a8e
@ -683,5 +683,28 @@ class Firewall:
|
|||||||
# exclude rules for another address family
|
# exclude rules for another address family
|
||||||
if rule.dsthost and rule.dsthost.type == exclude_dsttype:
|
if rule.dsthost and rule.dsthost.type == exclude_dsttype:
|
||||||
continue
|
continue
|
||||||
|
# exclude forwarding rules, managed separately
|
||||||
|
if rule.action == "forward":
|
||||||
|
continue
|
||||||
entries['{:04}'.format(ruleno)] = rule.rule
|
entries['{:04}'.format(ruleno)] = rule.rule
|
||||||
return entries
|
return entries
|
||||||
|
|
||||||
|
def qdb_forward_entries(self, addr_family=None):
|
||||||
|
''' In order to keep all the 'parsing' logic here and not in net.py,
|
||||||
|
directly separate forwarding rules from standard rules since they need
|
||||||
|
to be handled differently later.
|
||||||
|
'''
|
||||||
|
entries = {}
|
||||||
|
if addr_family is not None:
|
||||||
|
exclude_dsttype = 'dst4' if addr_family == 6 else 'dst6'
|
||||||
|
for ruleno, rule in zip(itertools.count(), self.rules):
|
||||||
|
if rule.expire and rule.expire.expired:
|
||||||
|
continue
|
||||||
|
# exclude rules for another address family
|
||||||
|
if rule.dsthost and rule.dsthost.type == exclude_dsttype:
|
||||||
|
continue
|
||||||
|
# include only forwarding rules
|
||||||
|
if rule.action != "forward":
|
||||||
|
continue
|
||||||
|
entries['{:04}'.format(ruleno)] = rule.rule
|
||||||
|
return entries
|
||||||
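Review bot: `exclude_dsttype` in the new `if rule.dsthost and rule.dsthost.type == exclude_dsttype:` check is only bound inside the `if addr_family is not None:` branch, so calling `qdb_forward_entries()` with the default `addr_family=None` raises UnboundLocalError on the first non-expired rule that has a dsthost. Bind it before the branch, `exclude_dsttype = None` right after `entries = {}`, so the comparison is simply false when both families are wanted (qdb_entries above the hunk presumably does the same; its start is outside this view). The docstring should also document the parameter, e.g. `:param addr_family: include rules only for IPv4 (4) or IPv6 (6); None includes both`, since the filtering behaviour is not obvious from the summary about keeping parsing out of net.py. The Firewall class continues outside the hunk.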
|
@ -366,7 +366,7 @@ class NetVMMixin(qubes.events.Emitter):
|
|||||||
if self.netvm is None:
|
if self.netvm is None:
|
||||||
return
|
return
|
||||||
|
|
||||||
'''Recursively resolve netvm until tone has no netvm set'''
|
'''Recursively resolve netvm until no netvm is set, order is important'''
|
||||||
netpath = list()
|
netpath = list()
|
||||||
netvm = self.netvm
|
netvm = self.netvm
|
||||||
while netvm:
|
while netvm:
|
||||||
@ -390,10 +390,17 @@ class NetVMMixin(qubes.events.Emitter):
|
|||||||
# remove old entries if any (but don't touch base empty entry - it
|
# remove old entries if any (but don't touch base empty entry - it
|
||||||
# would trigger reload right away
|
# would trigger reload right away
|
||||||
self.untrusted_qdb.rm(base_dir)
|
self.untrusted_qdb.rm(base_dir)
|
||||||
# write new rules
|
# write new accept/drop rules
|
||||||
for key, value in vm.firewall.qdb_entries(
|
for key, value in vm.firewall.qdb_entries(
|
||||||
addr_family=addr_family).items():
|
addr_family=addr_family).items():
|
||||||
self.untrusted_qdb.write(base_dir + key, value)
|
self.untrusted_qdb.write(base_dir + key, value)
|
||||||
|
base_dir = '/qubes-firewall-forward/{}/'.format(ip)
|
||||||
|
self.untrusted_qdb.rm(base_dir)
|
||||||
|
# write new forward rules
|
||||||
|
for key, value in vm.firewall.qdb_forward_entries(
|
||||||
|
addr_family=addr_family).items():
|
||||||
|
for netvm in netpath:
|
||||||
|
self.untrusted_qdb.write(base_dir + key, value)
|
||||||
# signal its done
|
# signal its done
|
||||||
self.untrusted_qdb.write(base_dir[:-1], '')
|
self.untrusted_qdb.write(base_dir[:-1], '')
|
||||||
|
|
||||||
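Review bot: Rebinding `base_dir` to `'/qubes-firewall-forward/{}/'.format(ip)` changes what the existing `self.untrusted_qdb.write(base_dir[:-1], '')` at the end of the hunk signals: the completion marker now goes only to the forward directory, and the accept/drop directory written just above no longer gets the empty base entry that the earlier comment says triggers the reload. Separately, the loop `for netvm in netpath:` never uses `netvm`; each iteration writes the same key to `self.untrusted_qdb`, so the entry is written len(netpath) times locally rather than once per upstream netvm — presumably `netvm.untrusted_qdb` was intended, but netpath is built outside this hunk (see the resolver at line 366), so that needs confirming. Keep the two bases as distinct names and signal both; the enclosing method starts before the hunk.
```python
            # write new forward rules
            forward_dir = '/qubes-firewall-forward/{}/'.format(ip)
            self.untrusted_qdb.rm(forward_dir)
            for key, value in vm.firewall.qdb_forward_entries(
                    addr_family=addr_family).items():
                # NOTE(review): still written to self.untrusted_qdb; confirm
                # whether each netvm in netpath should receive these instead
                self.untrusted_qdb.write(forward_dir + key, value)
            # signal its done, for both directories
            self.untrusted_qdb.write(base_dir[:-1], '')
            self.untrusted_qdb.write(forward_dir[:-1], '')
```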
|