diff --git a/dom0/qvm-core/qubes.py b/dom0/qvm-core/qubes.py
index f5cff8bc..2d8ae4c9 100755
--- a/dom0/qvm-core/qubes.py
+++ b/dom0/qvm-core/qubes.py
@@ -1406,6 +1406,18 @@ class QubesVm(object):
 subprocess.call (['/usr/sbin/xl', 'destroy', self.name])
 #xc.domain_destroy(self.get_xid())
 
+ def pause(self):
+ if dry_run:
+ return
+
+ xc.domain_pause(self.get_xid())
+
+ def unpause(self):
+ if dry_run:
+ return
+
+ xc.domain_unpause(self.get_xid())
+
 def remove_from_disk(self):
 if dry_run:
 return
@@ -1869,12 +1881,12 @@ class QubesProxyVm(QubesNetVm):
 if xid < 0: # VM not active ATM
 continue
 
- vif = vm.vif
- if vif is None:
+ ip = vm.ip
+ if ip is None:
 continue
 
 iptables += "# '{0}' VM:\n".format(vm.name)
- iptables += "-A FORWARD ! -s {0}/32 -i {1} -j DROP\n".format(vm.ip, vif)
+ # Anti-spoof rules are added by vif-script (vif-route-qubes), here we trust IP address
 
 accept_action = "ACCEPT"
 reject_action = "REJECT --reject-with icmp-host-prohibited"
@@ -1887,7 +1899,7 @@ class QubesProxyVm(QubesNetVm):
 rules_action = accept_action
 
 for rule in conf["rules"]:
- iptables += "-A FORWARD -i {0} -d {1}".format(vif, rule["address"])
+ iptables += "-A FORWARD -s {0} -d {1}".format(ip, rule["address"])
 if rule["netmask"] != 32:
 iptables += "/{0}".format(rule["netmask"])
 
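Review bot: pause() and unpause() hand self.get_xid() to libxc without checking that the domain exists; the hunk at 1881 treats a negative xid as "VM not active", so for a stopped VM these methods would call xc.domain_pause(-1) and surface whatever libxc raises, where the replaced `xl pause` path printed a plain error. I would read the xid once and refuse early, `xid = self.get_xid()` / `if xid < 0: raise RuntimeError("VM '{0}' is not running".format(self.name))` (or whichever exception class the rest of the file uses), then pass `xid` to libxc. Both methods also lack a docstring; a one-liner such as `"""Pause the running domain through libxc (no-op when dry_run is set)."""`, mirrored for unpause, would do. The destroy body above and remove_from_disk below continue outside the hunk.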
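Review bot: Dropping the per-vif `! -s ip -i vif -j DROP` rule and matching the remaining FORWARD rules on `-s ip` alone (the same change is in the hunks at 1899 and 1914) makes the ingress interface irrelevant, so inter-VM isolation now rests entirely on the raw-table rule that vif-route-qubes inserts. The added comment records that, but nothing on this page prevents a forwarded packet that arrives on the uplink with a VM's address as its source from matching that VM's ACCEPT rules, unless a rule outside this hunk already drops such traffic. If the `vif<domid>.<n>` naming the vif-route-qubes hunk relies on also holds in the ProxyVM, one line per VM in place of the removed rule would close that gap: `iptables += "-A FORWARD ! -i vif+ -s {0} -j DROP\n".format(ip)`. The comment could also state the dependency precisely, e.g. `# Anti-spoof: vif-route-qubes inserts a raw PREROUTING rule on each vif dropping any other source address, so -s {ip} can be trusted here`. The enclosing loop and method start before the hunk.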
@@ -1902,12 +1914,12 @@ class QubesProxyVm(QubesNetVm):
 
 if conf["allowDns"]:
 # PREROUTING does DNAT to NetVM DNSes, so we need self.netvm. properties
- iptables += "-A FORWARD -i {0} -p udp -d {1} --dport 53 -j ACCEPT\n".format(vif,self.netvm.gateway)
- iptables += "-A FORWARD -i {0} -p udp -d {1} --dport 53 -j ACCEPT\n".format(vif,self.netvm.secondary_dns)
+ iptables += "-A FORWARD -s {0} -p udp -d {1} --dport 53 -j ACCEPT\n".format(ip,self.netvm.gateway)
+ iptables += "-A FORWARD -s {0} -p udp -d {1} --dport 53 -j ACCEPT\n".format(ip,self.netvm.secondary_dns)
 if conf["allowIcmp"]:
- iptables += "-A FORWARD -i {0} -p icmp -j ACCEPT\n".format(vif)
+ iptables += "-A FORWARD -s {0} -p icmp -j ACCEPT\n".format(ip)
 
- iptables += "-A FORWARD -i {0} -j {1}\n".format(vif, default_action)
+ iptables += "-A FORWARD -s {0} -j {1}\n".format(ip, default_action)
 iptables += "COMMIT\n"
 xs.write('', "/local/domain/"+str(self.get_xid())+"/qubes_iptables_domainrules/"+str(xid), iptables)
 # no need for ending -A FORWARD -j DROP, cause default action is DROP
diff --git a/dom0/qvm-tools/qvm-run b/dom0/qvm-tools/qvm-run
index 73f929d0..db5ad720 100755
--- a/dom0/qvm-tools/qvm-run
+++ b/dom0/qvm-tools/qvm-run
@@ -63,13 +63,13 @@ def vm_run_cmd(vm, cmd, options):
 if options.pause:
 if options.verbose:
 print >> sys.stderr, "Pausing VM: '{0}'...".format(vm.name)
- subprocess.call (["/usr/sbin/xl", "pause", vm.name])
+ vm.pause()
 return
 
 if options.unpause:
 if options.verbose:
 print >> sys.stderr, "UnPausing VM: '{0}'...".format(vm.name)
- subprocess.call (["/usr/sbin/xl", "unpause", vm.name])
+ vm.unpause()
 return
 
 if options.verbose:
diff --git a/network/vif-route-qubes b/network/vif-route-qubes
index 385b6656..c8070177 100755
--- a/network/vif-route-qubes
+++ b/network/vif-route-qubes
@@ -29,7 +29,7 @@ case "$command" in
 online)
 ifconfig ${vif} up
 echo 1 >/proc/sys/net/ipv4/conf/${vif}/proxy_arp
- ipcmd='replace'
+ ipcmd='add'
 iptables_cmd='-I PREROUTING 1'
 cmdprefix=''
 ;;
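Review bot: `vm.pause()` and `vm.unpause()` can raise where the replaced subprocess.call never did — the new methods in the qubes.py hunk pass get_xid() to libxc unchecked, so running this against a VM that is not active would end in a traceback instead of the xl error message users saw before. Since the verbose branch already prints a status line, I would guard each call the same way (assuming vm is a QubesVm as the qubes.py hunk suggests): `if vm.get_xid() < 0:` / `print >> sys.stderr, "VM '{0}' is not running".format(vm.name)` / `sys.exit(1)`, or catch the libxc exception around the call and report it. vm_run_cmd starts before the hunk and continues after it.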
@@ -41,14 +41,20 @@ case "$command" in
 ;;
 esac
 
+domid=${vif/vif/}
+domid=${domid/.*/}
+# metric must be possitive, but prefer later interface
+# 32752 is max XID aka domid
+metric=$[ 32752 - $domid ]
+
 if [ "${ip}" ] ; then
 # If we've been given a list of IP addresses, then add routes from dom0 to
 # the guest using those addresses.
 for addr in ${ip} ; do
- ${cmdprefix} ip route ${ipcmd} ${addr} dev ${vif} || true
+ ${cmdprefix} ip route ${ipcmd} ${addr} dev ${vif} metric $metric
 done
 echo ${cmdprefix} iptables -t raw $iptables_cmd -i ${vif} \! -s ${ip} -j DROP
- ${cmdprefix} iptables $iptables_cmd -i ${vif} \! -s ${ip} -j DROP
+ ${cmdprefix} iptables -t raw $iptables_cmd -i ${vif} \! -s ${ip} -j DROP
 fi
 
 log debug "Successful vif-route-qubes $command for $vif."
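Review bot: The raw-table anti-spoof rule at the end of the hunk is now load-bearing for the whole firewall (the qubes.py hunks match FORWARD on `-s ip` alone and say so), yet its exit status is still ignored, and `${ip}` is expanded unquoted into a single `! -s` — the comment above the loop says it may be a list of addresses, in which case iptables would reject the command and the vif would come up with no anti-spoof rule at all. At minimum abort the hotplug when the insert fails, `${cmdprefix} iptables -t raw $iptables_cmd -i ${vif} \! -s ${ip} -j DROP || exit 1`, and either document that exactly one address is expected or build one rule per address in a dedicated chain. Two smaller points: `$[ ... ]` is the deprecated arithmetic form, `metric=$(( 32752 - domid ))` is the portable one, and nothing checks that the `domid` extracted from `${vif}` is numeric, so an unexpected vif name would silently yield metric 32752. The added comment has a typo and would read `# metric must be positive, but prefer later interface`. With `|| true` gone from the `ip route` line, whether a failed `add` now stops the script depends on whether the file sets -e, which is outside this hunk.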