qubes-firewall: handle only traffic originating from VMs

Ignore packets coming from non-vif interfaces early. Fixes QubesOS/qubes-issues#3644
2018-04-03 01:01:56 +02:00 · 2018-04-03 01:01:56 +02:00 · 53c9b45c76
commit 53c9b45c76
parent c281d6454f
2 changed files with 15 additions and 4 deletions
--- a/qubesagent/firewall.py
+++ b/qubesagent/firewall.py
@ -370,8 +370,12 @@ class IptablesWorker(FirewallWorker):
        # starting qubes-firewall
        try:
            self.run_ipt(4, ['-F', 'QBS-FORWARD'])
+            self.run_ipt(4,
+                ['-A', 'QBS-FORWARD', '!', '-i', 'vif+', '-j', 'RETURN'])
            self.run_ipt(4, ['-A', 'QBS-FORWARD', '-j', 'DROP'])
            self.run_ipt(6, ['-F', 'QBS-FORWARD'])
+            self.run_ipt(6,
+                ['-A', 'QBS-FORWARD', '!', '-i', 'vif+', '-j', 'RETURN'])
            self.run_ipt(6, ['-A', 'QBS-FORWARD', '-j', 'DROP'])
        except subprocess.CalledProcessError:
            self.log_error('\'QBS-FORWARD\' chain not found, create it first')
@ -579,6 +583,7 @@ class NftablesWorker(FirewallWorker):
            '    type filter hook forward priority 0;\n'
            '    policy drop;\n'
            '    ct state established,related accept\n'
+            '    meta iifname != "vif*" accept\n'
            '  }}\n'
            '}}\n'
        )
--- a/qubesagent/test_firewall.py
+++ b/qubesagent/test_firewall.py
@ -271,10 +271,14 @@ class TestIptablesWorker(TestCase):

    def test_006_init(self):
        self.obj.init()
-        self.assertEqual(self.obj.called_commands[4],
-            [['-F', 'QBS-FORWARD'], ['-A', 'QBS-FORWARD', '-j', 'DROP']])
-        self.assertEqual(self.obj.called_commands[6],
-            [['-F', 'QBS-FORWARD'], ['-A', 'QBS-FORWARD', '-j', 'DROP']])
+        self.assertEqual(self.obj.called_commands[4], [
+            ['-F', 'QBS-FORWARD'],
+            ['-A', 'QBS-FORWARD', '!', '-i', 'vif+', '-j', 'RETURN'],
+            ['-A', 'QBS-FORWARD', '-j', 'DROP']])
+        self.assertEqual(self.obj.called_commands[6], [
+            ['-F', 'QBS-FORWARD'],
+            ['-A', 'QBS-FORWARD', '!', '-i', 'vif+', '-j', 'RETURN'],
+            ['-A', 'QBS-FORWARD', '-j', 'DROP']])

    def test_007_cleanup(self):
        self.obj.init()
@ -435,6 +439,7 @@ class TestNftablesWorker(TestCase):
            '    type filter hook forward priority 0;\n'
            '    policy drop;\n'
            '    ct state established,related accept\n'
+            '    meta iifname != "vif*" accept\n'
            '  }\n'
            '}\n'
            'table ip6 qubes-firewall {\n'
@ -442,6 +447,7 @@ class TestNftablesWorker(TestCase):
            '    type filter hook forward priority 0;\n'
            '    policy drop;\n'
            '    ct state established,related accept\n'
+            '    meta iifname != "vif*" accept\n'
            '  }\n'
            '}\n'
        ])