network: have safe fallback in case of qubes-firewall crash/error
When the qubes-firewall service is started, modify the firewall to have a "DROP" policy, so if something goes wrong, no data gets leaked. But keep the default action "ACCEPT" in case of a legitimate service stop, or if the service is not started at all - because one may choose not to use this service at all. Achieve this by adding a "DROP" rule at the end of the QBS-FIREWALL chain and keeping it there while the qubes-firewall service is running. Fixes QubesOS/qubes-issues#3269
This commit is contained in:
parent
589c32b1e3
commit
57a3c2d67e
@ -1,6 +1,6 @@
|
|||||||
# Generated by ip6tables-save v1.4.14 on Tue Sep 25 16:00:20 2012
|
# Generated by ip6tables-save v1.4.14 on Tue Sep 25 16:00:20 2012
|
||||||
*filter
|
*filter
|
||||||
:INPUT DROP [1:72]
|
:INPUT DROP [0:0]
|
||||||
:FORWARD DROP [0:0]
|
:FORWARD DROP [0:0]
|
||||||
:OUTPUT ACCEPT [0:0]
|
:OUTPUT ACCEPT [0:0]
|
||||||
:QBS-FORWARD - [0:0]
|
:QBS-FORWARD - [0:0]
|
||||||
|
@ -1,6 +1,6 @@
|
|||||||
# Generated by iptables-save v1.4.5 on Mon Sep 6 08:57:46 2010
|
# Generated by iptables-save v1.4.5 on Mon Sep 6 08:57:46 2010
|
||||||
*nat
|
*nat
|
||||||
:PREROUTING ACCEPT [85:5912]
|
:PREROUTING ACCEPT [0:0]
|
||||||
:OUTPUT ACCEPT [0:0]
|
:OUTPUT ACCEPT [0:0]
|
||||||
:POSTROUTING ACCEPT [0:0]
|
:POSTROUTING ACCEPT [0:0]
|
||||||
:PR-QBS - [0:0]
|
:PR-QBS - [0:0]
|
||||||
@ -14,9 +14,9 @@ COMMIT
|
|||||||
# Completed on Mon Sep 6 08:57:46 2010
|
# Completed on Mon Sep 6 08:57:46 2010
|
||||||
# Generated by iptables-save v1.4.5 on Mon Sep 6 08:57:46 2010
|
# Generated by iptables-save v1.4.5 on Mon Sep 6 08:57:46 2010
|
||||||
*filter
|
*filter
|
||||||
:INPUT ACCEPT [168:11399]
|
:INPUT DROP [0:0]
|
||||||
:FORWARD ACCEPT [0:0]
|
:FORWARD DROP [0:0]
|
||||||
:OUTPUT ACCEPT [128:12536]
|
:OUTPUT ACCEPT [0:0]
|
||||||
:QBS-FORWARD - [0:0]
|
:QBS-FORWARD - [0:0]
|
||||||
-A INPUT -i vif+ -p udp -m udp --dport 68 -j DROP
|
-A INPUT -i vif+ -p udp -m udp --dport 68 -j DROP
|
||||||
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
|
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
|
||||||
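Review bot: The saved ruleset flips the INPUT and FORWARD policies from ACCEPT to DROP on the new side of this hunk, yet the commit description promises that the default action stays ACCEPT when qubes-firewall is stopped or never started; with a DROP policy that promise only holds if the FORWARD chain carries explicit ACCEPT rules for vif traffic after the QBS-FORWARD jump, and those lines are outside this hunk. Worth confirming they exist, and that return traffic is accepted before the jump the way INPUT does with `-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT`, otherwise a stopped service fails closed rather than open as described. The ip6tables file in the first hunk already has DROP policies on both sides, so only the packet counters change there.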
|
@ -204,7 +204,7 @@ class IptablesWorker(FirewallWorker):
|
|||||||
|
|
||||||
self.run_ipt(family, ['-N', chain])
|
self.run_ipt(family, ['-N', chain])
|
||||||
self.run_ipt(family,
|
self.run_ipt(family,
|
||||||
['-A', 'QBS-FORWARD', '-s', addr, '-j', chain])
|
['-I', 'QBS-FORWARD', '-s', addr, '-j', chain])
|
||||||
self.chains[family].add(chain)
|
self.chains[family].add(chain)
|
||||||
|
|
||||||
def prepare_rules(self, chain, rules, family):
|
def prepare_rules(self, chain, rules, family):
|
||||||
@ -340,8 +340,10 @@ class IptablesWorker(FirewallWorker):
|
|||||||
# make sure 'QBS_FORWARD' chain exists - should be created before
|
# make sure 'QBS_FORWARD' chain exists - should be created before
|
||||||
# starting qubes-firewall
|
# starting qubes-firewall
|
||||||
try:
|
try:
|
||||||
self.run_ipt(4, ['-nL', 'QBS-FORWARD'])
|
self.run_ipt(4, ['-F', 'QBS-FORWARD'])
|
||||||
self.run_ipt(6, ['-nL', 'QBS-FORWARD'])
|
self.run_ipt(4, ['-A', 'QBS-FORWARD', '-j', 'DROP'])
|
||||||
|
self.run_ipt(6, ['-F', 'QBS-FORWARD'])
|
||||||
|
self.run_ipt(6, ['-A', 'QBS-FORWARD', '-j', 'DROP'])
|
||||||
except subprocess.CalledProcessError:
|
except subprocess.CalledProcessError:
|
||||||
self.log_error('\'QBS-FORWARD\' chain not found, create it first')
|
self.log_error('\'QBS-FORWARD\' chain not found, create it first')
|
||||||
sys.exit(1)
|
sys.exit(1)
|
||||||
@ -542,6 +544,8 @@ class NftablesWorker(FirewallWorker):
|
|||||||
'table {family} qubes-firewall {{\n'
|
'table {family} qubes-firewall {{\n'
|
||||||
' chain forward {{\n'
|
' chain forward {{\n'
|
||||||
' type filter hook forward priority 0;\n'
|
' type filter hook forward priority 0;\n'
|
||||||
|
' policy drop;\n'
|
||||||
|
' ct state established accept\n'
|
||||||
' }}\n'
|
' }}\n'
|
||||||
'}}\n'
|
'}}\n'
|
||||||
)
|
)
|
||||||
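Review bot: The nftables forward chain added in the last hunk accepts only `ct state established`, so related traffic (ICMP errors such as fragmentation-needed for a forwarded connection, or helper-tracked secondary connections) now hits `policy drop`, while the iptables INPUT rule in this same commit accepts `RELATED,ESTABLISHED`. Unless dropping related flows is intended, use `' ct state established,related accept\n'` here and in the matching expected strings of the nftables test. The enclosing method's signature is outside the hunk. Separately, the context comment `# make sure 'QBS_FORWARD' chain exists - should be created before` in the init hunk is stale now that the try block flushes the chain and appends a DROP rule, and the `'QBS-FORWARD' chain not found` error is also raised when the flush or append fails on an existing chain; a comment such as `# reset QBS-FORWARD to a fail-closed state (flush, then a trailing DROP); the chain itself must exist before qubes-firewall starts` and an error message covering both failures would describe the new behavior.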
|
@ -173,7 +173,7 @@ class TestIptablesWorker(TestCase):
|
|||||||
self.obj.create_chain(addr, chain, family)
|
self.obj.create_chain(addr, chain, family)
|
||||||
self.assertEqual(self.obj.called_commands[family],
|
self.assertEqual(self.obj.called_commands[family],
|
||||||
[['-N', chain],
|
[['-N', chain],
|
||||||
['-A', 'QBS-FORWARD', '-s', addr, '-j', chain]])
|
['-I', 'QBS-FORWARD', '-s', addr, '-j', chain]])
|
||||||
|
|
||||||
def test_002_prepare_rules4(self):
|
def test_002_prepare_rules4(self):
|
||||||
rules = [
|
rules = [
|
||||||
@ -244,7 +244,7 @@ class TestIptablesWorker(TestCase):
|
|||||||
self.assertEqual(self.obj.called_commands[4],
|
self.assertEqual(self.obj.called_commands[4],
|
||||||
[
|
[
|
||||||
['-N', chain],
|
['-N', chain],
|
||||||
['-A', 'QBS-FORWARD', '-s', '10.137.0.1', '-j', chain],
|
['-I', 'QBS-FORWARD', '-s', '10.137.0.1', '-j', chain],
|
||||||
['-F', chain]])
|
['-F', chain]])
|
||||||
self.assertEqual(self.obj.loaded_iptables[4],
|
self.assertEqual(self.obj.loaded_iptables[4],
|
||||||
self.obj.prepare_rules(chain, rules, 4))
|
self.obj.prepare_rules(chain, rules, 4))
|
||||||
@ -258,7 +258,7 @@ class TestIptablesWorker(TestCase):
|
|||||||
self.assertEqual(self.obj.called_commands[6],
|
self.assertEqual(self.obj.called_commands[6],
|
||||||
[
|
[
|
||||||
['-N', chain],
|
['-N', chain],
|
||||||
['-A', 'QBS-FORWARD', '-s', '2000::a', '-j', chain],
|
['-I', 'QBS-FORWARD', '-s', '2000::a', '-j', chain],
|
||||||
['-F', chain]])
|
['-F', chain]])
|
||||||
self.assertEqual(self.obj.loaded_iptables[6],
|
self.assertEqual(self.obj.loaded_iptables[6],
|
||||||
self.obj.prepare_rules(chain, rules, 6))
|
self.obj.prepare_rules(chain, rules, 6))
|
||||||
@ -268,9 +268,9 @@ class TestIptablesWorker(TestCase):
|
|||||||
def test_006_init(self):
|
def test_006_init(self):
|
||||||
self.obj.init()
|
self.obj.init()
|
||||||
self.assertEqual(self.obj.called_commands[4],
|
self.assertEqual(self.obj.called_commands[4],
|
||||||
[['-nL', 'QBS-FORWARD']])
|
[['-F', 'QBS-FORWARD'], ['-A', 'QBS-FORWARD', '-j', 'DROP']])
|
||||||
self.assertEqual(self.obj.called_commands[6],
|
self.assertEqual(self.obj.called_commands[6],
|
||||||
[['-nL', 'QBS-FORWARD']])
|
[['-F', 'QBS-FORWARD'], ['-A', 'QBS-FORWARD', '-j', 'DROP']])
|
||||||
|
|
||||||
def test_007_cleanup(self):
|
def test_007_cleanup(self):
|
||||||
self.obj.init()
|
self.obj.init()
|
||||||
@ -429,11 +429,15 @@ class TestNftablesWorker(TestCase):
|
|||||||
'table ip qubes-firewall {\n'
|
'table ip qubes-firewall {\n'
|
||||||
' chain forward {\n'
|
' chain forward {\n'
|
||||||
' type filter hook forward priority 0;\n'
|
' type filter hook forward priority 0;\n'
|
||||||
|
' policy drop;\n'
|
||||||
|
' ct state established accept\n'
|
||||||
' }\n'
|
' }\n'
|
||||||
'}\n'
|
'}\n'
|
||||||
'table ip6 qubes-firewall {\n'
|
'table ip6 qubes-firewall {\n'
|
||||||
' chain forward {\n'
|
' chain forward {\n'
|
||||||
' type filter hook forward priority 0;\n'
|
' type filter hook forward priority 0;\n'
|
||||||
|
' policy drop;\n'
|
||||||
|
' ct state established accept\n'
|
||||||
' }\n'
|
' }\n'
|
||||||
'}\n'
|
'}\n'
|
||||||
])
|
])
|
||||||
|