Qubes/core-admin
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Merge branch 'master' of git.qubes-os.org:/var/lib/qubes/git/marmarek/core

Browse Source
This commit is contained in:
Joanna Rutkowska 2012-03-08 21:40:30 +01:00
commit bd88525f3c
3 changed files with 31 additions and 13 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

28
dom0/qvm-core/qubes.py
View File

@ -1406,6 +1406,18 @@ class QubesVm(object):
subprocess.call (['/usr/sbin/xl', 'destroy', self.name]) subprocess.call (['/usr/sbin/xl', 'destroy', self.name])
#xc.domain_destroy(self.get_xid()) #xc.domain_destroy(self.get_xid())
def pause(self):
if dry_run:
return
xc.domain_pause(self.get_xid())
def unpause(self):
if dry_run:
return
xc.domain_unpause(self.get_xid())
def remove_from_disk(self): def remove_from_disk(self):
if dry_run: if dry_run:
return return
@ -1869,12 +1881,12 @@ class QubesProxyVm(QubesNetVm):
if xid < 0: # VM not active ATM if xid < 0: # VM not active ATM
continue continue
vif = vm.vif ip = vm.ip
if vif is None: if ip is None:
continue continue
iptables += "# '{0}' VM:\n".format(vm.name) iptables += "# '{0}' VM:\n".format(vm.name)
iptables += "-A FORWARD ! -s {0}/32 -i {1} -j DROP\n".format(vm.ip, vif) # Anti-spoof rules are added by vif-script (vif-route-qubes), here we trust IP address
accept_action = "ACCEPT" accept_action = "ACCEPT"
reject_action = "REJECT --reject-with icmp-host-prohibited" reject_action = "REJECT --reject-with icmp-host-prohibited"
@ -1887,7 +1899,7 @@ class QubesProxyVm(QubesNetVm):
rules_action = accept_action rules_action = accept_action
for rule in conf["rules"]: for rule in conf["rules"]:
iptables += "-A FORWARD -i {0} -d {1}".format(vif, rule["address"]) iptables += "-A FORWARD -s {0} -d {1}".format(ip, rule["address"])
if rule["netmask"] != 32: if rule["netmask"] != 32:
iptables += "/{0}".format(rule["netmask"]) iptables += "/{0}".format(rule["netmask"])
@ -1902,12 +1914,12 @@ class QubesProxyVm(QubesNetVm):
if conf["allowDns"]: if conf["allowDns"]:
# PREROUTING does DNAT to NetVM DNSes, so we need self.netvm. properties # PREROUTING does DNAT to NetVM DNSes, so we need self.netvm. properties
iptables += "-A FORWARD -i {0} -p udp -d {1} --dport 53 -j ACCEPT\n".format(vif,self.netvm.gateway) iptables += "-A FORWARD -s {0} -p udp -d {1} --dport 53 -j ACCEPT\n".format(ip,self.netvm.gateway)
iptables += "-A FORWARD -i {0} -p udp -d {1} --dport 53 -j ACCEPT\n".format(vif,self.netvm.secondary_dns) iptables += "-A FORWARD -s {0} -p udp -d {1} --dport 53 -j ACCEPT\n".format(ip,self.netvm.secondary_dns)
if conf["allowIcmp"]: if conf["allowIcmp"]:
iptables += "-A FORWARD -i {0} -p icmp -j ACCEPT\n".format(vif) iptables += "-A FORWARD -s {0} -p icmp -j ACCEPT\n".format(ip)
iptables += "-A FORWARD -i {0} -j {1}\n".format(vif, default_action) iptables += "-A FORWARD -s {0} -j {1}\n".format(ip, default_action)
iptables += "COMMIT\n" iptables += "COMMIT\n"
xs.write('', "/local/domain/"+str(self.get_xid())+"/qubes_iptables_domainrules/"+str(xid), iptables) xs.write('', "/local/domain/"+str(self.get_xid())+"/qubes_iptables_domainrules/"+str(xid), iptables)
# no need for ending -A FORWARD -j DROP, cause default action is DROP # no need for ending -A FORWARD -j DROP, cause default action is DROP

4
dom0/qvm-tools/qvm-run
View File

@ -63,13 +63,13 @@ def vm_run_cmd(vm, cmd, options):
if options.pause: if options.pause:
if options.verbose: if options.verbose:
print >> sys.stderr, "Pausing VM: '{0}'...".format(vm.name) print >> sys.stderr, "Pausing VM: '{0}'...".format(vm.name)
subprocess.call (["/usr/sbin/xl", "pause", vm.name]) vm.pause()
return return
if options.unpause: if options.unpause:
if options.verbose: if options.verbose:
print >> sys.stderr, "UnPausing VM: '{0}'...".format(vm.name) print >> sys.stderr, "UnPausing VM: '{0}'...".format(vm.name)
subprocess.call (["/usr/sbin/xl", "unpause", vm.name]) vm.unpause()
return return
if options.verbose: if options.verbose:

12
network/vif-route-qubes
View File

@ -29,7 +29,7 @@ case "$command" in
online) online)
ifconfig ${vif} up ifconfig ${vif} up
echo 1 >/proc/sys/net/ipv4/conf/${vif}/proxy_arp echo 1 >/proc/sys/net/ipv4/conf/${vif}/proxy_arp
ipcmd='replace' ipcmd='add'
iptables_cmd='-I PREROUTING 1' iptables_cmd='-I PREROUTING 1'
cmdprefix='' cmdprefix=''
;; ;;
@ -41,14 +41,20 @@ case "$command" in
;; ;;
esac esac
domid=${vif/vif/}
domid=${domid/.*/}
# metric must be possitive, but prefer later interface
# 32752 is max XID aka domid
metric=$[ 32752 - $domid ]
if [ "${ip}" ] ; then if [ "${ip}" ] ; then
# If we've been given a list of IP addresses, then add routes from dom0 to # If we've been given a list of IP addresses, then add routes from dom0 to
# the guest using those addresses. # the guest using those addresses.
for addr in ${ip} ; do for addr in ${ip} ; do
${cmdprefix} ip route ${ipcmd} ${addr} dev ${vif} || true ${cmdprefix} ip route ${ipcmd} ${addr} dev ${vif} metric $metric
done done
echo ${cmdprefix} iptables -t raw $iptables_cmd -i ${vif} \! -s ${ip} -j DROP echo ${cmdprefix} iptables -t raw $iptables_cmd -i ${vif} \! -s ${ip} -j DROP
${cmdprefix} iptables $iptables_cmd -i ${vif} \! -s ${ip} -j DROP ${cmdprefix} iptables -t raw $iptables_cmd -i ${vif} \! -s ${ip} -j DROP
fi fi
log debug "Successful vif-route-qubes $command for $vif." log debug "Successful vif-route-qubes $command for $vif."