
qubes-firewall: handle only traffic originating from VMs

Ignore packets coming from non-vif interfaces early.

Fixes QubesOS/qubes-issues#3644
Marek Marczykowski-Górecki 6 年之前
父節點
當前提交
53c9b45c76
共有 2 個文件被更改,包括 15 次插入4 次删除
  1. 5 0
      qubesagent/firewall.py
  2. 10 4
      qubesagent/test_firewall.py

+ 5 - 0
qubesagent/firewall.py

@@ -370,8 +370,12 @@ class IptablesWorker(FirewallWorker):
         # starting qubes-firewall
         try:
             self.run_ipt(4, ['-F', 'QBS-FORWARD'])
+            self.run_ipt(4,
+                ['-A', 'QBS-FORWARD', '!', '-i', 'vif+', '-j', 'RETURN'])
             self.run_ipt(4, ['-A', 'QBS-FORWARD', '-j', 'DROP'])
             self.run_ipt(6, ['-F', 'QBS-FORWARD'])
+            self.run_ipt(6,
+                ['-A', 'QBS-FORWARD', '!', '-i', 'vif+', '-j', 'RETURN'])
             self.run_ipt(6, ['-A', 'QBS-FORWARD', '-j', 'DROP'])
         except subprocess.CalledProcessError:
             self.log_error('\'QBS-FORWARD\' chain not found, create it first')
@@ -579,6 +583,7 @@ class NftablesWorker(FirewallWorker):
             '    type filter hook forward priority 0;\n'
             '    policy drop;\n'
             '    ct state established,related accept\n'
+            '    meta iifname != "vif*" accept\n'
             '  }}\n'
             '}}\n'
         )
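Review bot: The nftables rule `meta iifname != "vif*" accept` and the iptables `! -i vif+ -j RETURN` are not strictly equivalent, and the gap is security-relevant: RETURN hands a non-vif packet back to the remaining FORWARD rules, while `accept` in an nft base chain ends evaluation in this chain and the packet is only really allowed if no other forward base chain (in another table, or at a later priority) drops it. That is fine as long as the baseline policy that drops unsolicited upstream-to-VM forwarding lives outside the `qubes-firewall` table, which these hunks do not show, so I would record that dependency above both new rules, e.g. `# Non-vif traffic is not ours to judge: leave it to the system FORWARD policy, which must still drop unsolicited upstream->VM traffic`. Matching on the `vif` name prefix alone also means any interface whose name starts with `vif` is treated as VM-facing; presumably only Xen backend vifs are named that way in a NetVM, but that assumption is worth a one-line comment too. The enclosing methods of both hunks begin outside the hunk.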

+ 10 - 4
qubesagent/test_firewall.py

@@ -271,10 +271,14 @@ class TestIptablesWorker(TestCase):
 
     def test_006_init(self):
         self.obj.init()
-        self.assertEqual(self.obj.called_commands[4],
-            [['-F', 'QBS-FORWARD'], ['-A', 'QBS-FORWARD', '-j', 'DROP']])
-        self.assertEqual(self.obj.called_commands[6],
-            [['-F', 'QBS-FORWARD'], ['-A', 'QBS-FORWARD', '-j', 'DROP']])
+        self.assertEqual(self.obj.called_commands[4], [
+            ['-F', 'QBS-FORWARD'],
+            ['-A', 'QBS-FORWARD', '!', '-i', 'vif+', '-j', 'RETURN'],
+            ['-A', 'QBS-FORWARD', '-j', 'DROP']])
+        self.assertEqual(self.obj.called_commands[6], [
+            ['-F', 'QBS-FORWARD'],
+            ['-A', 'QBS-FORWARD', '!', '-i', 'vif+', '-j', 'RETURN'],
+            ['-A', 'QBS-FORWARD', '-j', 'DROP']])
 
     def test_007_cleanup(self):
         self.obj.init()
@@ -435,6 +439,7 @@ class TestNftablesWorker(TestCase):
             '    type filter hook forward priority 0;\n'
             '    policy drop;\n'
             '    ct state established,related accept\n'
+            '    meta iifname != "vif*" accept\n'
             '  }\n'
             '}\n'
             'table ip6 qubes-firewall {\n'
@@ -442,6 +447,7 @@ class TestNftablesWorker(TestCase):
             '    type filter hook forward priority 0;\n'
             '    policy drop;\n'
             '    ct state established,related accept\n'
+            '    meta iifname != "vif*" accept\n'
             '  }\n'
             '}\n'
         ])