
Merge branch 'network-fixes'

Marek Marczykowski-Górecki 6 years ago
parent
commit
0ca2db894f

+ 11 - 0
network/network-manager-prepare-conf-dir

@@ -16,4 +16,15 @@ unmanaged_devices=mac:fe:ff:ff:ff:ff:ff
 sed -r -i -e "s/^#?unmanaged-devices=.*/unmanaged-devices=$unmanaged_devices/" /etc/NetworkManager/NetworkManager.conf
 sed -r -i -e "s/^#?plugins=.*/plugins=keyfile/" /etc/NetworkManager/NetworkManager.conf
 
+# setup uplink configuration if applicable - this needs to be done before
+# starting NetworkManager, otherwise it will try default DHCP configuration
+# first and only after a timeout fallback to static one - introducing delay in
+# network connectivity
+export INTERFACE=eth0
+if qubesdb-read /qubes-ip >/dev/null 2>/dev/null &&
+        [ -e /sys/class/net/$INTERFACE ] &&
+        [ ! -r /etc/NetworkManager/system-connections/qubes-uplink-$INTERFACE ]; then
+    /usr/lib/qubes/setup-ip
+fi
+
 exit 0
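Review bot: The new `export INTERFACE=eth0` hard-codes the uplink NIC without saying why the name is fixed or who consumes the variable; the setup-ip hunk in this same commit reads `"$INTERFACE"`, so the export appears to be setup-ip's input contract, but that coupling is only inferred here. A one-line comment would make it explicit, e.g. `# INTERFACE is read by /usr/lib/qubes/setup-ip; the uplink NIC is always eth0 in this VM`. The guard `[ ! -r .../qubes-uplink-$INTERFACE ]` reads as "skip when a profile is already present"; `! -e` would state that intent more directly than a readability test, since the script is evidently run as root and `-r` adds nothing there.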

+ 3 - 0
network/setup-ip

@@ -91,6 +91,9 @@ __EOF__
         fi
         /sbin/ifconfig "$INTERFACE" up
         /sbin/route add -host "$gateway" dev "$INTERFACE"
+        if [ -n "$gateway6" ] && ! echo "$gateway6" | grep -q "^fe80:"; then
+            /sbin/route -6 add "$gateway6/128" dev "$INTERFACE"
+        fi
         if ! qsvc disable-default-route ; then
             /sbin/route add default gw "$gateway"
             if [ -n "$gateway6" ]; then
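Review bot: The link-local exclusion `grep -q "^fe80:"` on the added line is case-sensitive, so a gateway published as `FE80:...` would still get a `/128` host route added; the same prefix test recurs as `[[ "${back_ip6}" != "fe80:"* ]]` in network/vif-route-qubes and has the same gap. Suggest `if [ -n "$gateway6" ] && ! echo "$gateway6" | grep -qi "^fe80:"; then` here and normalising the value once where it is read, rather than repeating the test per script. Strictly link-local is fe80::/10, but matching the `fe80:` prefix presumably covers what qubesdb publishes — worth confirming. The enclosing `if` block starts and ends outside the hunk.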

+ 6 - 1
network/vif-route-qubes

@@ -40,10 +40,12 @@ if [ "${ip}" ]; then
     # IPs as seen by this VM
     netvm_ip="$ip4"
     netvm_gw_ip=$(qubesdb-read /qubes-netvm-gateway)
+    netvm_gw_ip6=$(qubesdb-read /qubes-netvm-gateway6 || :)
     netvm_dns1_ip=$(qubesdb-read /qubes-netvm-primary-dns)
     netvm_dns2_ip=$(qubesdb-read /qubes-netvm-secondary-dns)
 
     back_ip="$netvm_gw_ip"
+    back_ip6="$netvm_gw_ip6"
 
     # IPs as seen by the VM - if other than $netvm_ip
     appvm_gw_ip="$(qubesdb-read "/mapped-ip/$ip4/visible-gateway" 2>/dev/null || :)"
@@ -106,7 +108,10 @@ if [ "${ip}" ] ; then
         echo -e "*raw\n$iptables_cmd -i ${vif} -j DROP\nCOMMIT" | \
             ${cmdprefix} flock $lockfile ip6tables-restore --noflush
     fi
-	${cmdprefix} ip addr "${ipcmd}" "${back_ip}/32" dev "${vif}"
+    ${cmdprefix} ip addr "${ipcmd}" "${back_ip}/32" dev "${vif}"
+    if [ "${back_ip6}" ] && [[ "${back_ip6}" != "fe80:"* ]]; then
+        ${cmdprefix} ip addr "${ipcmd}" "${back_ip6}/128" dev "${vif}"
+    fi
 fi
 
 log debug "Successful vif-route-qubes $command for $vif."
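Review bot: `netvm_gw_ip6=$(qubesdb-read /qubes-netvm-gateway6 || :)` in the first hunk tolerates a missing key via `|| :` but, unlike the `/mapped-ip/...` read a few lines below it, does not redirect stderr, so every VM without an IPv6 gateway will emit a qubesdb-read error on each vif setup. Suggest `netvm_gw_ip6=$(qubesdb-read /qubes-netvm-gateway6 2>/dev/null || :)`. In the second hunk the `[[ "${back_ip6}" != "fe80:"* ]]` test is bash-only and case-sensitive; that is acceptable if the script already runs under bash (the `echo -e` lines suggest it does), but a short comment such as `# link-local gateways need no host address on the vif` would explain the skip. Both hunks sit inside an `if [ "${ip}" ]` block that begins outside them.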

+ 5 - 0
qubesagent/firewall.py

@@ -370,8 +370,12 @@ class IptablesWorker(FirewallWorker):
         # starting qubes-firewall
         try:
             self.run_ipt(4, ['-F', 'QBS-FORWARD'])
+            self.run_ipt(4,
+                ['-A', 'QBS-FORWARD', '!', '-i', 'vif+', '-j', 'RETURN'])
             self.run_ipt(4, ['-A', 'QBS-FORWARD', '-j', 'DROP'])
             self.run_ipt(6, ['-F', 'QBS-FORWARD'])
+            self.run_ipt(6,
+                ['-A', 'QBS-FORWARD', '!', '-i', 'vif+', '-j', 'RETURN'])
             self.run_ipt(6, ['-A', 'QBS-FORWARD', '-j', 'DROP'])
         except subprocess.CalledProcessError:
             self.log_error('\'QBS-FORWARD\' chain not found, create it first')
@@ -579,6 +583,7 @@ class NftablesWorker(FirewallWorker):
             '    type filter hook forward priority 0;\n'
             '    policy drop;\n'
             '    ct state established,related accept\n'
+            '    meta iifname != "vif*" accept\n'
             '  }}\n'
             '}}\n'
         )
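Review bot: The iptables and nftables halves of this change do not have the same effect: the new `'!', '-i', 'vif+', '-j', 'RETURN'` rules hand non-vif forwarded traffic back to the calling chain (presumably FORWARD, whose later rules and policy still apply — that chain is outside the hunk), whereas `meta iifname != "vif*" accept` in the nftables template is a terminal verdict inside a `policy drop` base chain, so packets not arriving on a vif are accepted by this table regardless of any rule placed after it. If the intent is only to scope QBS-FORWARD / the qubes-firewall forward chain to traffic from downstream VMs, say so beside both rules, e.g. `# only filter traffic entering on vif*; other forwarded traffic is left to the parent chain` above the iptables calls and a matching note next to the nft string, and state whether accepting (rather than deferring) on the nftables side is deliberate. The new tests pin these exact strings, so whichever semantics is chosen should be documented at the rule, not only in the test. Both hunks lie inside methods whose definitions begin outside them.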

+ 10 - 4
qubesagent/test_firewall.py

@@ -271,10 +271,14 @@ class TestIptablesWorker(TestCase):
 
     def test_006_init(self):
         self.obj.init()
-        self.assertEqual(self.obj.called_commands[4],
-            [['-F', 'QBS-FORWARD'], ['-A', 'QBS-FORWARD', '-j', 'DROP']])
-        self.assertEqual(self.obj.called_commands[6],
-            [['-F', 'QBS-FORWARD'], ['-A', 'QBS-FORWARD', '-j', 'DROP']])
+        self.assertEqual(self.obj.called_commands[4], [
+            ['-F', 'QBS-FORWARD'],
+            ['-A', 'QBS-FORWARD', '!', '-i', 'vif+', '-j', 'RETURN'],
+            ['-A', 'QBS-FORWARD', '-j', 'DROP']])
+        self.assertEqual(self.obj.called_commands[6], [
+            ['-F', 'QBS-FORWARD'],
+            ['-A', 'QBS-FORWARD', '!', '-i', 'vif+', '-j', 'RETURN'],
+            ['-A', 'QBS-FORWARD', '-j', 'DROP']])
 
     def test_007_cleanup(self):
         self.obj.init()
@@ -435,6 +439,7 @@ class TestNftablesWorker(TestCase):
             '    type filter hook forward priority 0;\n'
             '    policy drop;\n'
             '    ct state established,related accept\n'
+            '    meta iifname != "vif*" accept\n'
             '  }\n'
             '}\n'
             'table ip6 qubes-firewall {\n'
@@ -442,6 +447,7 @@ class TestNftablesWorker(TestCase):
             '    type filter hook forward priority 0;\n'
             '    policy drop;\n'
             '    ct state established,related accept\n'
+            '    meta iifname != "vif*" accept\n'
             '  }\n'
             '}\n'
         ])