Merge branch 'network-fixes'

This commit is contained in:
Marek Marczykowski-Górecki 2018-04-06 02:04:20 +02:00
commit 0ca2db894f
No known key found for this signature in database
GPG Key ID: 063938BA42CFA724
5 changed files with 35 additions and 5 deletions


@ -16,4 +16,15 @@ unmanaged_devices=mac:fe:ff:ff:ff:ff:ff
sed -r -i -e "s/^#?unmanaged-devices=.*/unmanaged-devices=$unmanaged_devices/" /etc/NetworkManager/NetworkManager.conf
sed -r -i -e "s/^#?plugins=.*/plugins=keyfile/" /etc/NetworkManager/NetworkManager.conf
# setup uplink configuration if applicable - this needs to be done before
# starting NetworkManager, otherwise it will try default DHCP configuration
# first and only after a timeout fallback to static one - introducing delay in
# network connectivity
export INTERFACE=eth0
if qubesdb-read /qubes-ip >/dev/null 2>/dev/null &&
[ -e /sys/class/net/$INTERFACE ] &&
[ ! -r /etc/NetworkManager/system-connections/qubes-uplink-$INTERFACE ]; then
/usr/lib/qubes/setup-ip
fi
exit 0
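Review bot: `$INTERFACE` is unquoted in the two added tests `[ -e /sys/class/net/$INTERFACE ]` and `[ ! -r /etc/NetworkManager/system-connections/qubes-uplink-$INTERFACE ]`; it is hard-coded to `eth0` on the line above so this is harmless today, but it is exported (presumably for `/usr/lib/qubes/setup-ip` to read) and so reads as a value expected to vary, and writing `"$INTERFACE"` keeps both tests well-formed should it ever be empty. The redirect `>/dev/null 2>/dev/null` on the `qubesdb-read` line is more idiomatically `>/dev/null 2>&1`. The `-r` test on the keyfile is the only thing that stops `setup-ip` from running again on every boot, so a one-line comment recording that intent would help, e.g. `# do not regenerate the uplink keyfile NetworkManager already has` — confirm that this is indeed why `-r` rather than `-e` was chosen. The script starts before this hunk, so the origin of `unmanaged_devices` and the NetworkManager start are not visible here.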


@ -91,6 +91,9 @@ __EOF__
fi
/sbin/ifconfig "$INTERFACE" up
/sbin/route add -host "$gateway" dev "$INTERFACE"
if [ -n "$gateway6" ] && ! echo "$gateway6" | grep -q "^fe80:"; then
/sbin/route -6 add "$gateway6/128" dev "$INTERFACE"
fi
if ! qsvc disable-default-route ; then
/sbin/route add default gw "$gateway"
if [ -n "$gateway6" ]; then
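Review bot: The link-local exclusion on the added line `! echo "$gateway6" | grep -q "^fe80:"` is case-sensitive and matches only the literal `fe80:` prefix; where `gateway6` is read is outside this hunk, so if the value can arrive upper-cased an `FE80::…` gateway would get a spurious host route. A POSIX `case "$gateway6" in fe80:*|FE80:*) ;; *) /sbin/route -6 add "$gateway6/128" dev "$INTERFACE" ;; esac` avoids the `echo | grep` pipeline and mirrors the `[[ "${back_ip6}" != "fe80:"* ]]` test that vif-route-qubes uses in the same commit. A comment on why the route is skipped would also help the next reader, e.g. `# a fe80:: gateway is on-link by definition; no host route needed`. The `if ! qsvc disable-default-route` block at the bottom of the hunk continues outside it.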


@ -40,10 +40,12 @@ if [ "${ip}" ]; then
# IPs as seen by this VM
netvm_ip="$ip4"
netvm_gw_ip=$(qubesdb-read /qubes-netvm-gateway)
netvm_gw_ip6=$(qubesdb-read /qubes-netvm-gateway6 || :)
netvm_dns1_ip=$(qubesdb-read /qubes-netvm-primary-dns)
netvm_dns2_ip=$(qubesdb-read /qubes-netvm-secondary-dns)
back_ip="$netvm_gw_ip"
back_ip6="$netvm_gw_ip6"
# IPs as seen by the VM - if other than $netvm_ip
appvm_gw_ip="$(qubesdb-read "/mapped-ip/$ip4/visible-gateway" 2>/dev/null || :)"
@ -107,6 +109,9 @@ if [ "${ip}" ] ; then
${cmdprefix} flock $lockfile ip6tables-restore --noflush
fi
${cmdprefix} ip addr "${ipcmd}" "${back_ip}/32" dev "${vif}"
if [ "${back_ip6}" ] && [[ "${back_ip6}" != "fe80:"* ]]; then
${cmdprefix} ip addr "${ipcmd}" "${back_ip6}/128" dev "${vif}"
fi
fi
log debug "Successful vif-route-qubes $command for $vif."
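Review bot: The condition on the added line `if [ "${back_ip6}" ] && [[ "${back_ip6}" != "fe80:"* ]]; then` mixes `[` and `[[` in one test while the surrounding code uses `[` (see `if [ "${ip}" ]` in the hunk header); if the script is bash, which the `[[` implies, `[[ -n "${back_ip6}" && "${back_ip6}" != fe80:* ]]` says the same thing in one construct. In the first hunk `netvm_gw_ip6=$(qubesdb-read /qubes-netvm-gateway6 || :)` silences every failure of `qubesdb-read`, not only a missing key; that matches the `appvm_gw_ip` line below it, but a comment such as `# optional key: empty when no IPv6 gateway is configured` (confirm against the qubesdb schema) would record that an empty value is expected rather than an error. The value reaches `ip addr` as one quoted argument, so malformed content is rejected by `ip` rather than interpreted by the shell; a `log debug` of the skipped link-local case would make that branch visible in the logs. The `fi` closing the second hunk belongs to the `if [ "${ip}" ]` block that starts before it.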


@ -370,8 +370,12 @@ class IptablesWorker(FirewallWorker):
# starting qubes-firewall
try:
self.run_ipt(4, ['-F', 'QBS-FORWARD'])
self.run_ipt(4,
['-A', 'QBS-FORWARD', '!', '-i', 'vif+', '-j', 'RETURN'])
self.run_ipt(4, ['-A', 'QBS-FORWARD', '-j', 'DROP'])
self.run_ipt(6, ['-F', 'QBS-FORWARD'])
self.run_ipt(6,
['-A', 'QBS-FORWARD', '!', '-i', 'vif+', '-j', 'RETURN'])
self.run_ipt(6, ['-A', 'QBS-FORWARD', '-j', 'DROP'])
except subprocess.CalledProcessError:
self.log_error('\'QBS-FORWARD\' chain not found, create it first')
@ -579,6 +583,7 @@ class NftablesWorker(FirewallWorker):
' type filter hook forward priority 0;\n'
' policy drop;\n'
' ct state established,related accept\n'
' meta iifname != "vif*" accept\n'
' }}\n'
'}}\n'
)
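Review bot: The new rule `['-A', 'QBS-FORWARD', '!', '-i', 'vif+', '-j', 'RETURN']` (its IPv6 twin, and `meta iifname != "vif*" accept` in the NftablesWorker hunk) exempts every forwarded packet that did not enter on a `vif+` interface from the per-VM chain, so the trailing `-j DROP` no longer applies to traffic arriving from the uplink side, and nothing in the commit records that this is intentional or what is expected to police such traffic instead. For iptables the `RETURN` hands the packet back to the rest of the FORWARD chain, while for nftables `accept` only ends this table's evaluation and other tables hooking `forward` still see the packet, so the two backends rely on different surrounding policy; neither is visible from these hunks, so confirm that new inbound connections from the uplink are still dropped there. A comment on the rule is warranted, e.g. `# only traffic entering from a vif is subject to per-VM rules; anything else is left to the rest of the FORWARD chain`. As a matter of style the two three-call groups differ only in the family argument and read better as a loop over `(4, 6)`; `init` starts before the hunk and the `except subprocess.CalledProcessError` handler is its visible tail.

```python
        try:
            for family in (4, 6):
                self.run_ipt(family, ['-F', 'QBS-FORWARD'])
                # only traffic entering from a vif is subject to per-VM rules;
                # anything else is left to the rest of the FORWARD chain
                self.run_ipt(family,
                    ['-A', 'QBS-FORWARD', '!', '-i', 'vif+', '-j', 'RETURN'])
                self.run_ipt(family, ['-A', 'QBS-FORWARD', '-j', 'DROP'])
        # … unchanged: except subprocess.CalledProcessError handler …
```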


@ -271,10 +271,14 @@ class TestIptablesWorker(TestCase):
def test_006_init(self):
self.obj.init()
self.assertEqual(self.obj.called_commands[4],
[['-F', 'QBS-FORWARD'], ['-A', 'QBS-FORWARD', '-j', 'DROP']])
self.assertEqual(self.obj.called_commands[6],
[['-F', 'QBS-FORWARD'], ['-A', 'QBS-FORWARD', '-j', 'DROP']])
self.assertEqual(self.obj.called_commands[4], [
['-F', 'QBS-FORWARD'],
['-A', 'QBS-FORWARD', '!', '-i', 'vif+', '-j', 'RETURN'],
['-A', 'QBS-FORWARD', '-j', 'DROP']])
self.assertEqual(self.obj.called_commands[6], [
['-F', 'QBS-FORWARD'],
['-A', 'QBS-FORWARD', '!', '-i', 'vif+', '-j', 'RETURN'],
['-A', 'QBS-FORWARD', '-j', 'DROP']])
def test_007_cleanup(self):
self.obj.init()
@ -435,6 +439,7 @@ class TestNftablesWorker(TestCase):
' type filter hook forward priority 0;\n'
' policy drop;\n'
' ct state established,related accept\n'
' meta iifname != "vif*" accept\n'
' }\n'
'}\n'
'table ip6 qubes-firewall {\n'
@ -442,6 +447,7 @@ class TestNftablesWorker(TestCase):
' type filter hook forward priority 0;\n'
' policy drop;\n'
' ct state established,related accept\n'
' meta iifname != "vif*" accept\n'
' }\n'
'}\n'
])
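Review bot: `test_006_init` now spells out the same three-rule list twice, once for `called_commands[4]` and once for `called_commands[6]`; binding it once (`expected = [...]`) and asserting both families against it, or looping over `(4, 6)`, keeps the two in step the next time a rule is added. The hunk covers only the success path of `init()`: the `subprocess.CalledProcessError` branch that logs `'QBS-FORWARD' chain not found` is not exercised here, and if no other test in this file covers it, a case in which `run_ipt` raises on the first call would pin that behaviour. The two nftables hunks pin the exact ruleset text, so any reordering of `meta iifname != "vif*" accept` relative to the `ct state` rule fails the test, which is the right sensitivity for firewall policy. `test_007_cleanup` begins at the end of the first hunk and continues outside it.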