network: have safe fallback in case of qubes-firewall crash/error
When qubes-firewall service is started, modify firewall to have "DROP" policy, so if something goes wrong, no data got leaked. But keep default action "ACCEPT" in case of legitimate service stop, or not starting it at all - because one may choose to not use this service at all. Achieve this by adding "DROP" rule at the end of QBS-FIREWALL chain and keep it there while qubes-firewall service is running. Fixes QubesOS/qubes-issues#3269
This commit is contained in:
parent
589c32b1e3
commit
57a3c2d67e
@ -1,6 +1,6 @@
|
||||
# Generated by ip6tables-save v1.4.14 on Tue Sep 25 16:00:20 2012
|
||||
*filter
|
||||
:INPUT DROP [1:72]
|
||||
:INPUT DROP [0:0]
|
||||
:FORWARD DROP [0:0]
|
||||
:OUTPUT ACCEPT [0:0]
|
||||
:QBS-FORWARD - [0:0]
|
||||
|
@ -1,6 +1,6 @@
|
||||
# Generated by iptables-save v1.4.5 on Mon Sep 6 08:57:46 2010
|
||||
*nat
|
||||
:PREROUTING ACCEPT [85:5912]
|
||||
:PREROUTING ACCEPT [0:0]
|
||||
:OUTPUT ACCEPT [0:0]
|
||||
:POSTROUTING ACCEPT [0:0]
|
||||
:PR-QBS - [0:0]
|
||||
@ -14,9 +14,9 @@ COMMIT
|
||||
# Completed on Mon Sep 6 08:57:46 2010
|
||||
# Generated by iptables-save v1.4.5 on Mon Sep 6 08:57:46 2010
|
||||
*filter
|
||||
:INPUT ACCEPT [168:11399]
|
||||
:FORWARD ACCEPT [0:0]
|
||||
:OUTPUT ACCEPT [128:12536]
|
||||
:INPUT DROP [0:0]
|
||||
:FORWARD DROP [0:0]
|
||||
:OUTPUT ACCEPT [0:0]
|
||||
:QBS-FORWARD - [0:0]
|
||||
-A INPUT -i vif+ -p udp -m udp --dport 68 -j DROP
|
||||
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
|
||||
|
@ -204,7 +204,7 @@ class IptablesWorker(FirewallWorker):
|
||||
|
||||
self.run_ipt(family, ['-N', chain])
|
||||
self.run_ipt(family,
|
||||
['-A', 'QBS-FORWARD', '-s', addr, '-j', chain])
|
||||
['-I', 'QBS-FORWARD', '-s', addr, '-j', chain])
|
||||
self.chains[family].add(chain)
|
||||
|
||||
def prepare_rules(self, chain, rules, family):
|
||||
@ -340,8 +340,10 @@ class IptablesWorker(FirewallWorker):
|
||||
# make sure 'QBS_FORWARD' chain exists - should be created before
|
||||
# starting qubes-firewall
|
||||
try:
|
||||
self.run_ipt(4, ['-nL', 'QBS-FORWARD'])
|
||||
self.run_ipt(6, ['-nL', 'QBS-FORWARD'])
|
||||
self.run_ipt(4, ['-F', 'QBS-FORWARD'])
|
||||
self.run_ipt(4, ['-A', 'QBS-FORWARD', '-j', 'DROP'])
|
||||
self.run_ipt(6, ['-F', 'QBS-FORWARD'])
|
||||
self.run_ipt(6, ['-A', 'QBS-FORWARD', '-j', 'DROP'])
|
||||
except subprocess.CalledProcessError:
|
||||
self.log_error('\'QBS-FORWARD\' chain not found, create it first')
|
||||
sys.exit(1)
|
||||
@ -542,6 +544,8 @@ class NftablesWorker(FirewallWorker):
|
||||
'table {family} qubes-firewall {{\n'
|
||||
' chain forward {{\n'
|
||||
' type filter hook forward priority 0;\n'
|
||||
' policy drop;\n'
|
||||
' ct state established accept\n'
|
||||
' }}\n'
|
||||
'}}\n'
|
||||
)
|
||||
|
@ -173,7 +173,7 @@ class TestIptablesWorker(TestCase):
|
||||
self.obj.create_chain(addr, chain, family)
|
||||
self.assertEqual(self.obj.called_commands[family],
|
||||
[['-N', chain],
|
||||
['-A', 'QBS-FORWARD', '-s', addr, '-j', chain]])
|
||||
['-I', 'QBS-FORWARD', '-s', addr, '-j', chain]])
|
||||
|
||||
def test_002_prepare_rules4(self):
|
||||
rules = [
|
||||
@ -244,7 +244,7 @@ class TestIptablesWorker(TestCase):
|
||||
self.assertEqual(self.obj.called_commands[4],
|
||||
[
|
||||
['-N', chain],
|
||||
['-A', 'QBS-FORWARD', '-s', '10.137.0.1', '-j', chain],
|
||||
['-I', 'QBS-FORWARD', '-s', '10.137.0.1', '-j', chain],
|
||||
['-F', chain]])
|
||||
self.assertEqual(self.obj.loaded_iptables[4],
|
||||
self.obj.prepare_rules(chain, rules, 4))
|
||||
@ -258,7 +258,7 @@ class TestIptablesWorker(TestCase):
|
||||
self.assertEqual(self.obj.called_commands[6],
|
||||
[
|
||||
['-N', chain],
|
||||
['-A', 'QBS-FORWARD', '-s', '2000::a', '-j', chain],
|
||||
['-I', 'QBS-FORWARD', '-s', '2000::a', '-j', chain],
|
||||
['-F', chain]])
|
||||
self.assertEqual(self.obj.loaded_iptables[6],
|
||||
self.obj.prepare_rules(chain, rules, 6))
|
||||
@ -268,9 +268,9 @@ class TestIptablesWorker(TestCase):
|
||||
def test_006_init(self):
|
||||
self.obj.init()
|
||||
self.assertEqual(self.obj.called_commands[4],
|
||||
[['-nL', 'QBS-FORWARD']])
|
||||
[['-F', 'QBS-FORWARD'], ['-A', 'QBS-FORWARD', '-j', 'DROP']])
|
||||
self.assertEqual(self.obj.called_commands[6],
|
||||
[['-nL', 'QBS-FORWARD']])
|
||||
[['-F', 'QBS-FORWARD'], ['-A', 'QBS-FORWARD', '-j', 'DROP']])
|
||||
|
||||
def test_007_cleanup(self):
|
||||
self.obj.init()
|
||||
@ -429,11 +429,15 @@ class TestNftablesWorker(TestCase):
|
||||
'table ip qubes-firewall {\n'
|
||||
' chain forward {\n'
|
||||
' type filter hook forward priority 0;\n'
|
||||
' policy drop;\n'
|
||||
' ct state established accept\n'
|
||||
' }\n'
|
||||
'}\n'
|
||||
'table ip6 qubes-firewall {\n'
|
||||
' chain forward {\n'
|
||||
' type filter hook forward priority 0;\n'
|
||||
' policy drop;\n'
|
||||
' ct state established accept\n'
|
||||
' }\n'
|
||||
'}\n'
|
||||
])
|
||||
|
Loading…
Reference in New Issue
Block a user