qvm-firewall 11 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345
  1. #!/usr/bin/python2
  2. #
  3. # The Qubes OS Project, http://www.qubes-os.org
  4. #
  5. # Copyright (C) 2012 Marek Marczykowski <marmarek@invisiblethingslab.com>
  6. #
  7. # This program is free software; you can redistribute it and/or
  8. # modify it under the terms of the GNU General Public License
  9. # as published by the Free Software Foundation; either version 2
  10. # of the License, or (at your option) any later version.
  11. #
  12. # This program is distributed in the hope that it will be useful,
  13. # but WITHOUT ANY WARRANTY; without even the implied warranty of
  14. # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  15. # GNU General Public License for more details.
  16. #
  17. # You should have received a copy of the GNU General Public License
  18. # along with this program; if not, write to the Free Software
  19. # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
  20. #
  21. #
  22. import datetime
  23. from qubes.qubes import QubesVmCollection
  24. from optparse import OptionParser;
  25. import subprocess
  26. import sys
  27. import re
  28. import os
  29. services = list()
  30. def load_services():
  31. global services
  32. services = list()
  33. pattern = re.compile("(?P<name>[a-z][a-z0-9-]+)\s+(?P<port>[0-9]+)/(?P<protocol>[a-z]+)", re.IGNORECASE)
  34. f = open('/etc/services', 'r')
  35. for line in f:
  36. match = pattern.match(line)
  37. if match is not None:
  38. service = match.groupdict()
  39. services.append( (service["name"], int(service["port"]), service["protocol"]) )
  40. f.close()
  41. def get_service_name(port):
  42. for service in services:
  43. if service[1] == port:
  44. return service[0]
  45. return str(port)
  46. def get_service_port(name):
  47. for service in services:
  48. if service[0] == name:
  49. return int(service[1])
  50. return None
  51. def parse_rule(args):
  52. if len(args) < 2:
  53. print >>sys.stderr, "ERROR: Rule must have at least address and protocol"
  54. return None
  55. address = args[0]
  56. netmask = 32
  57. proto = args[1]
  58. port = args[2] if len(args) > 2 else None
  59. port_end = None
  60. unmask = address.split("/", 1)
  61. if len(unmask) == 2:
  62. address = unmask[0]
  63. netmask = unmask[1]
  64. if netmask.isdigit():
  65. if re.match("^([0-9]{1,3}\.){3}[0-9]{1,3}$", address) is None:
  66. print >>sys.stderr, "ERROR: Only IP is allowed when specyfying netmask"
  67. return None
  68. if netmask != "":
  69. netmask = int(unmask[1])
  70. if netmask < 0 or netmask > 32:
  71. print >>sys.stderr, "ERROR: Invalid netmask"
  72. return None
  73. else:
  74. print >>sys.stderr, "ERROR: Invalid netmask"
  75. return None
  76. if address[-1:] == ".":
  77. address = address[:-1]
  78. allowed = re.compile("(?!-)[A-Z\d-]{1,63}(?<!-)$", re.IGNORECASE)
  79. if not all(allowed.match(x) for x in address.split(".")):
  80. print >>sys.stderr, "ERROR: Invalid hostname"
  81. return None
  82. proto_split = proto.split('/', 1)
  83. if len(proto_split) == 2:
  84. proto = proto_split[0]
  85. port = proto_split[1]
  86. if proto not in ['tcp', 'udp', 'any']:
  87. print >>sys.stderr, "ERROR: Protocol must be one of: 'tcp', 'udp', 'any'"
  88. return None
  89. if proto != "any" and port is None:
  90. print >>sys.stderr, "ERROR: Port required for protocol %s" % args[1]
  91. return None
  92. if port is not None:
  93. port_range = port.split('-', 1)
  94. if len(port_range) == 2:
  95. port = port_range[0]
  96. port_end = port_range[1]
  97. if get_service_port(port):
  98. port = get_service_port(port)
  99. elif not port.isdigit():
  100. print >>sys.stderr, "ERROR: Invalid port/service name '%s'" % port
  101. return None
  102. else:
  103. port = int(port)
  104. if port_end is not None and not port_end.isdigit():
  105. print >>sys.stderr, "ERROR: Invalid port '%s'" % port_end
  106. return None
  107. if port_end is not None:
  108. port_end = int(port_end)
  109. rule = {}
  110. rule['address'] = address
  111. rule['netmask'] = netmask
  112. rule['proto'] = proto
  113. rule['portBegin'] = port
  114. rule['portEnd'] = port_end
  115. return rule
  116. def list_rules(rules):
  117. fields = [ "num", "address", "proto", "port(s)" ]
  118. rules_to_display = list()
  119. counter = 1
  120. for rule in rules:
  121. parsed_rule = {
  122. 'num': "{0:>2}".format(counter),
  123. 'address': rule['address'] + ('/' + str(rule['netmask']) if rule['netmask'] < 32 else ""),
  124. 'proto': rule['proto'],
  125. 'port(s)': '',
  126. }
  127. if rule['proto'] in ['tcp', 'udp']:
  128. parsed_rule['port(s)'] = str(rule['portBegin']) + \
  129. ('-' + str(rule['portEnd']) if rule['portEnd'] is not None else '')
  130. if rule['portBegin'] is not None and rule['portEnd'] is None:
  131. parsed_rule['port(s)'] = get_service_name(rule['portBegin'])
  132. if 'expire' in rule:
  133. parsed_rule['expire'] = str(datetime.datetime.fromtimestamp(rule[
  134. 'expire']))
  135. rules_to_display.append(parsed_rule)
  136. counter += 1
  137. fields_width = {}
  138. for f in fields:
  139. fields_width[f] = len(f)
  140. for r in rules_to_display:
  141. if len(r[f]) > fields_width[f]:
  142. fields_width[f] = len(r[f])
  143. # Display the header
  144. s = ""
  145. for f in fields:
  146. fmt="{{0:-^{0}}}-+".format(fields_width[f] + 1)
  147. s += fmt.format('-')
  148. print s
  149. s = ""
  150. for f in fields:
  151. fmt=" {{0:^{0}}} |".format(fields_width[f])
  152. s += fmt.format(f)
  153. print s
  154. s = ""
  155. for f in fields:
  156. fmt="{{0:-^{0}}}-+".format(fields_width[f] + 1)
  157. s += fmt.format('-')
  158. print s
  159. # And the content
  160. for r in rules_to_display:
  161. s = ""
  162. for f in fields:
  163. fmt=" {{0:<{0}}} |".format(fields_width[f])
  164. s += fmt.format(r[f])
  165. if 'expire' in r:
  166. s += " <-- expires at %s" % r['expire']
  167. print s
  168. def display_firewall(conf):
  169. print "Firewall policy: %s" % (
  170. "ALLOW all traffic except" if conf['allow'] else "DENY all traffic except")
  171. print "ICMP: %s" % ("ALLOW" if conf['allowIcmp'] else 'DENY')
  172. print "DNS: %s" % ("ALLOW" if conf['allowDns'] else 'DENY')
  173. print "Qubes yum proxy: %s" % ("ALLOW" if conf['allowYumProxy'] else 'DENY')
  174. list_rules(conf['rules'])
  175. def add_rule(conf, args):
  176. rule = parse_rule(args)
  177. if rule is None:
  178. return False
  179. conf['rules'].append(rule)
  180. return True
  181. def del_rule(conf, args):
  182. if len(args) == 1 and args[0].isdigit():
  183. rulenum = int(args[0])
  184. if rulenum < 1 or rulenum > len(conf['rules']):
  185. print >>sys.stderr, "ERROR: Rule number out of range"
  186. return False
  187. conf['rules'].pop(rulenum-1)
  188. else:
  189. rule = parse_rule(args)
  190. #print "PARSED: %s" % str(rule)
  191. #print "ALL: %s" % str(conf['rules'])
  192. if rule is None:
  193. return False
  194. try:
  195. conf['rules'].remove(rule)
  196. except ValueError:
  197. print >>sys.stderr, "ERROR: Rule not found"
  198. return False
  199. return True
  200. def allow_deny_value(s):
  201. value = None
  202. if s == "allow":
  203. value = True
  204. elif s == "deny":
  205. value = False
  206. else:
  207. print >>sys.stderr, 'ERROR: Only "allow" or "deny" allowed'
  208. exit(1)
  209. return value
  210. def main():
  211. usage = "usage: %prog [-n] <vm-name> [action] [rule spec]\n"
  212. usage += " rule specification can be one of:\n"
  213. usage += " address|hostname[/netmask] tcp|udp port[-port]\n"
  214. usage += " address|hostname[/netmask] tcp|udp service_name\n"
  215. usage += " address|hostname[/netmask] any\n"
  216. parser = OptionParser (usage)
  217. parser.add_option ("-l", "--list", dest="do_list", action="store_true", default=True,
  218. help="List firewall settings (default action)")
  219. parser.add_option ("-a", "--add", dest="do_add", action="store_true", default=False,
  220. help="Add rule")
  221. parser.add_option ("-d", "--del", dest="do_del", action="store_true", default=False,
  222. help="Remove rule (given by number or by rule spec)")
  223. parser.add_option ("-P", "--policy", dest="set_policy", action="store", default=None,
  224. help="Set firewall policy (allow/deny)")
  225. parser.add_option ("-i", "--icmp", dest="set_icmp", action="store", default=None,
  226. help="Set ICMP access (allow/deny)")
  227. parser.add_option ("-D", "--dns", dest="set_dns", action="store", default=None,
  228. help="Set DNS access (allow/deny)")
  229. parser.add_option ("-Y", "--yum-proxy", dest="set_yum_proxy", action="store", default=None,
  230. help="Set access to Qubes yum proxy (allow/deny)")
  231. parser.add_option ("-r", "--reload", dest="reload", action="store_true",
  232. default=False, help="Reload firewall (implied by any "
  233. "change action")
  234. parser.add_option ("-n", "--numeric", dest="numeric", action="store_true", default=False,
  235. help="Display port numbers instead of services (makes sense only with --list)")
  236. parser.add_option ("--force-root", action="store_true", dest="force_root", default=False,
  237. help="Force to run, even with root privileges")
  238. (options, args) = parser.parse_args ()
  239. if (len (args) < 1):
  240. parser.error ("You must specify VM name!")
  241. vmname = args[0]
  242. args = args[1:]
  243. if os.geteuid() == 0:
  244. if not options.force_root:
  245. print >> sys.stderr, "*** Running this tool as root is strongly discouraged, this will lead you in permissions problems."
  246. print >> sys.stderr, "Retry as unprivileged user."
  247. print >> sys.stderr, "... or use --force-root to continue anyway."
  248. exit(1)
  249. if options.do_add or options.do_del or options.set_policy or \
  250. options.set_icmp or options.set_dns or options.set_yum_proxy:
  251. options.do_list = False
  252. qvm_collection = QubesVmCollection()
  253. if options.do_list:
  254. qvm_collection.lock_db_for_reading()
  255. qvm_collection.load()
  256. qvm_collection.unlock_db()
  257. else:
  258. qvm_collection.lock_db_for_writing()
  259. qvm_collection.load()
  260. vm = qvm_collection.get_vm_by_name(vmname)
  261. if vm is None:
  262. print >> sys.stderr, "A VM with the name '{0}' does not exist in the system.".format(vmname)
  263. exit(1)
  264. changed = False
  265. conf = vm.get_firewall_conf()
  266. if options.set_policy:
  267. conf['allow'] = allow_deny_value(options.set_policy)
  268. changed = True
  269. if options.set_icmp:
  270. conf['allowIcmp'] = allow_deny_value(options.set_icmp)
  271. changed = True
  272. if options.set_dns:
  273. conf['allowDns'] = allow_deny_value(options.set_dns)
  274. changed = True
  275. if options.set_yum_proxy:
  276. conf['allowYumProxy'] = allow_deny_value(options.set_yum_proxy)
  277. changed = True
  278. if options.do_add:
  279. load_services()
  280. changed = add_rule(conf, args)
  281. elif options.do_del:
  282. load_services()
  283. changed = del_rule(conf, args)
  284. elif options.do_list and not options.reload:
  285. if not options.numeric:
  286. load_services()
  287. if not vm.has_firewall():
  288. print "INFO: This VM has no firewall rules set, below defaults are listed"
  289. display_firewall(conf)
  290. if changed:
  291. vm.write_firewall_conf(conf)
  292. if changed or options.reload:
  293. if vm.is_running():
  294. if vm.netvm is not None and vm.netvm.is_proxyvm():
  295. vm.netvm.write_iptables_xenstore_entry()
  296. qvm_collection.save()
  297. if not options.do_list:
  298. qvm_collection.unlock_db()
  299. main()