Qubes/core-agent-linux
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

network: use own iptables service instead of repurposing existing one

Browse Source 
There were multiple problems with reusing existing one:
 - need to sync with upstream changes (configuration path etc)
 - conflicts resolution on updates
 - lack of iptables --wait, which causes firewall fail to load sometimes

QubesOS/qubes-issues#1067
This commit is contained in:
Marek Marczykowski-Górecki 2015-08-04 17:15:01 +02:00
parent c6fa6c9b19
commit 65e9e4c72c
No known key found for this signature in database
GPG Key ID: 063938BA42CFA724
7 changed files with 92 additions and 49 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
Makefile
View File

@ -79,6 +79,7 @@ install-systemd:
install -m 0644 vm-systemd/75-qubes-vm.preset $(DESTDIR)$(SYSLIBDIR)/systemd/system-preset/
install -m 0644 vm-systemd/qubes-core.conf $(DESTDIR)$(SYSLIBDIR)/modules-load.d/
install -m 0644 vm-systemd/qubes-misc.conf $(DESTDIR)$(SYSLIBDIR)/modules-load.d/
install -m 0755 network/qubes-iptables $(DESTDIR)$(LIBDIR)/qubes/init/
install-sysvinit:
install -d $(DESTDIR)/etc/init.d
@ -91,6 +92,7 @@ install-sysvinit:
install vm-init.d/qubes-updates-proxy $(DESTDIR)/etc/init.d/
install -D vm-init.d/qubes-core.modules $(DESTDIR)/etc/sysconfig/modules/qubes-core.modules
install -D vm-init.d/qubes-misc.modules $(DESTDIR)/etc/sysconfig/modules/qubes-misc.modules
install network/qubes-iptables $(DESTDIR)/etc/init.d/
install-rh: install-systemd install-systemd-dropins install-sysvinit
install -D -m 0644 misc/qubes-r3.repo $(DESTDIR)/etc/yum.repos.d/qubes-r3.repo
@ -114,9 +116,6 @@ install-rh: install-systemd install-systemd-dropins install-sysvinit
install -D -m 0644 misc/serial.conf $(DESTDIR)/usr/share/qubes/serial.conf
install -D misc/qubes-serial-login $(DESTDIR)/$(SBINDIR)/qubes-serial-login
install -m 0400 -D network/iptables $(DESTDIR)/usr/lib/qubes/init/iptables
install -m 0400 -D network/ip6tables $(DESTDIR)/usr/lib/qubes/init/ip6tables
install-common:
install -m 0644 -D misc/fstab $(DESTDIR)/etc/fstab
@ -162,6 +161,9 @@ install-common:
install -d $(DESTDIR)/etc/xdg/autostart
install -m 0755 network/show-hide-nm-applet.sh $(DESTDIR)$(LIBDIR)/qubes/show-hide-nm-applet.sh
install -m 0644 network/show-hide-nm-applet.desktop $(DESTDIR)/etc/xdg/autostart/00-qubes-show-hide-nm-applet.desktop
install -m 0400 -D network/iptables $(DESTDIR)/etc/qubes/iptables.rules
install -m 0400 -D network/ip6tables $(DESTDIR)/etc/qubes/ip6tables.rules
install -d $(DESTDIR)/$(SBINDIR)
install network/qubes-firewall $(DESTDIR)/$(SBINDIR)/
@ -213,8 +215,6 @@ install-deb: install-common install-systemd install-systemd-dropins
mkdir -p $(DESTDIR)/etc/apt/sources.list.d
sed -e "s/@DIST@/`lsb_release -cs`/" misc/qubes-r3.list.in > $(DESTDIR)/etc/apt/sources.list.d/qubes-r3.list
install -D -m 644 misc/qubes-archive-keyring.gpg $(DESTDIR)/etc/apt/trusted.gpg.d/qubes-archive-keyring.gpg
install -D -m 644 network/iptables $(DESTDIR)/etc/iptables/rules.v4
install -D -m 644 network/ip6tables $(DESTDIR)/etc/iptables/rules.v6
install -D -m 644 network/00notify-hook $(DESTDIR)/etc/apt/apt.conf.d/00notify-hook
install -d $(DESTDIR)/etc/sysctl.d
install -m 644 network/80-qubes.conf $(DESTDIR)/etc/sysctl.d/

59
network/qubes-iptables Executable file
View File

@ -0,0 +1,59 @@
#!/bin/bash
#
# qubes-iptables Start Qubes base iptables firewall
#
# chkconfig: 2345 08 92
# description: Loads iptables firewall
#
# config: /etc/qubes/iptables.rules
# config: /etc/qubes/ip6tables.rules
#
### BEGIN INIT INFO
# Provides: iptables
# Required-Start:
# Required-Stop:
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: Loads Qubes base iptables firewall
# Description: Loads Qubes base iptables firewall
### END INIT INFO
IPTABLES=iptables
IPTABLES_DATA_DIR=/etc/qubes
if [ ! -x /sbin/$IPTABLES ]; then
echo $"${IPTABLES}: /sbin/$IPTABLES does not exist."
exit 5
fi
start() {
ipt=$1
IPTABLES_DATA=$IPTABLES_DATA_DIR/${ipt}.rules
CMD=$ipt
# Do not start if there is no config file.
[ ! -f "$IPTABLES_DATA" ] && return 6
echo -n $"${CMD}: Applying firewall rules: "
$CMD-restore $IPTABLES_DATA
if [ $? -eq 0 ]; then
echo OK
else
echo FAIL; return 1
fi
return $ret
}
case "$1" in
start)
start iptables && start ip6tables
RETVAL=$?
;;
*)
echo $"Usage: ${IPTABLES} start"
RETVAL=2
;;
esac
exit $RETVAL

51
rpm_spec/core-vm.spec
View File

@ -37,7 +37,6 @@ Requires: yum-plugin-post-transaction-actions
Requires: NetworkManager >= 0.8.1-1
%if %{fedora} >= 18
# Fedora >= 18 defaults to firewalld, which isn't supported nor needed by Qubes
Requires: iptables-services
Conflicts: firewalld
%endif
Requires: /usr/bin/mimeopen
@ -120,9 +119,6 @@ usermod -L user
(cd qrexec; make install DESTDIR=$RPM_BUILD_ROOT)
make install-vm DESTDIR=$RPM_BUILD_ROOT
cp -p $RPM_BUILD_ROOT/usr/lib/qubes/init/iptables $RPM_BUILD_ROOT/etc/sysconfig/iptables.qubes
cp -p $RPM_BUILD_ROOT/usr/lib/qubes/init/ip6tables $RPM_BUILD_ROOT/etc/sysconfig/ip6tables.qubes
%triggerin -- initscripts
if [ -e /etc/init/serial.conf ]; then
cp /usr/share/qubes/serial.conf /etc/init/serial.conf
@ -131,25 +127,6 @@ fi
%triggerin -- pulseaudio-module-x11
/usr/bin/qubes-desktop-file-install --force --dir /var/lib/qubes/xdg/autostart --remove-show-in --add-not-show-in X-QUBES /etc/xdg/autostart/pulseaudio.desktop
%triggerin -- iptables
if ! grep -q IPTABLES_DATA /etc/sysconfig/iptables-config; then
cat <<EOF >>/etc/sysconfig/iptables-config
### Automatically added by Qubes:
# Override default rules location on Qubes
IPTABLES_DATA=/etc/sysconfig/iptables.qubes
EOF
fi
if ! grep -q IP6TABLES_DATA /etc/sysconfig/ip6tables-config; then
cat <<EOF >>/etc/sysconfig/ip6tables-config
### Automatically added by Qubes:
# Override default rules location on Qubes
IP6TABLES_DATA=/etc/sysconfig/ip6tables.qubes
EOF
fi
%post
# disable some Upstart services
@ -203,16 +180,6 @@ EOF
fi
fi
# Make sure that /etc/sysconfig/ip(|6)tables exists. Otherwise iptales.service
# would not start (even when configured to use another configuration file.
if [ ! -e '/etc/sysconfig/iptables' ]; then
ln -s iptables.qubes /etc/sysconfig/iptables
fi
if [ ! -e '/etc/sysconfig/ip6tables' ]; then
ln -s ip6tables.qubes /etc/sysconfig/ip6tables
fi
# ensure that hostname resolves to 127.0.0.1 resp. ::1 and that /etc/hosts is
# in the form expected by qubes-sysinit.sh
if ! grep -rq "^/etc/hostname$" "${PROTECTED_FILE_LIST}" 2>/dev/null; then
@ -357,10 +324,8 @@ rm -f %{name}-%{version}
%config(noreplace) /etc/qubes-rpc/qubes.GetImageRGBA
%config(noreplace) /etc/qubes-rpc/qubes.SetDateTime
%config(noreplace) /etc/sudoers.d/qubes
%config(noreplace) /etc/sysconfig/iptables.qubes
%config(noreplace) /etc/sysconfig/ip6tables.qubes
/usr/lib/qubes/init/iptables
/usr/lib/qubes/init/ip6tables
%config(noreplace) /etc/qubes/iptables.rules
%config(noreplace) /etc/qubes/ip6tables.rules
%config(noreplace) /etc/tinyproxy/filter-updates
%config(noreplace) /etc/tinyproxy/tinyproxy-updates.conf
%config(noreplace) /etc/udev/rules.d/50-qubes-misc.rules
@ -451,6 +416,7 @@ The Qubes core startup configuration for SysV init (or upstart).
/etc/init.d/qubes-core-netvm
/etc/init.d/qubes-firewall
/etc/init.d/qubes-netwatcher
/etc/init.d/qubes-iptables
/etc/init.d/qubes-updates-proxy
/etc/init.d/qubes-qrexec-agent
/etc/sysconfig/modules/qubes-core.modules
@ -476,8 +442,6 @@ done
chkconfig rsyslog on
chkconfig haldaemon on
chkconfig messagebus on
chkconfig iptables on
chkconfig ip6tables on
chkconfig --add qubes-core || echo "WARNING: Cannot add service qubes-core!"
chkconfig qubes-core on || echo "WARNING: Cannot enable service qubes-core!"
chkconfig --add qubes-core-netvm || echo "WARNING: Cannot add service qubes-core-netvm!"
@ -488,6 +452,8 @@ chkconfig --add qubes-firewall || echo "WARNING: Cannot add service qubes-firewa
chkconfig qubes-firewall on || echo "WARNING: Cannot enable service qubes-firewall!"
chkconfig --add qubes-netwatcher || echo "WARNING: Cannot add service qubes-netwatcher!"
chkconfig qubes-netwatcher on || echo "WARNING: Cannot enable service qubes-netwatcher!"
chkconfig --add qubes-iptables || echo "WARNING: Cannot add service qubes-iptables!"
chkconfig qubes-iptables on || echo "WARNING: Cannot enable service qubes-iptables!"
chkconfig --add qubes-updates-proxy || echo "WARNING: Cannot add service qubes-updates-proxy!"
chkconfig qubes-updates-proxy on || echo "WARNING: Cannot enable service qubes-updates-proxy!"
chkconfig --add qubes-qrexec-agent || echo "WARNING: Cannot add service qubes-qrexec-agent!"
@ -531,6 +497,7 @@ The Qubes core startup configuration for SystemD init.
/lib/systemd/system/qubes-mount-home.service
/lib/systemd/system/qubes-netwatcher.service
/lib/systemd/system/qubes-network.service
/lib/systemd/system/qubes-iptables.service
/lib/systemd/system/qubes-sysinit.service
/lib/systemd/system/qubes-update-check.service
/lib/systemd/system/qubes-update-check.timer
@ -542,6 +509,7 @@ The Qubes core startup configuration for SystemD init.
%dir /usr/lib/qubes/init
/usr/lib/qubes/init/prepare-dvm.sh
/usr/lib/qubes/init/network-proxy-setup.sh
/usr/lib/qubes/init/qubes-iptables
/usr/lib/qubes/init/misc-post.sh
/usr/lib/qubes/init/misc-post-stop.sh
/usr/lib/qubes/init/mount-home.sh
@ -565,11 +533,14 @@ if [ $1 -eq 1 ]; then
else
services="qubes-dvm qubes-misc-post qubes-firewall qubes-mount-home"
services="$services qubes-netwatcher qubes-network qubes-sysinit"
services="$services qubes-updates-proxy qubes-qrexec-agent"
services="$services qubes-iptables qubes-updates-proxy qubes-qrexec-agent"
for srv in $services; do
/bin/systemctl --no-reload preset $srv.service
done
/bin/systemctl --no-reload preset qubes-update-check.timer
# Upgrade path - now qubes-iptables is used instead
/bin/systemctl --no-reload preset iptables.service
/bin/systemctl --no-reload preset ip6tables.service
fi
# Set default "runlevel"

5
vm-systemd/75-qubes-vm.preset
View File

@ -42,6 +42,8 @@ disable fedora-storage-init.service
disable fedora-storage-init-late.service
disable hwclock-load.service
disable ipmi.service
disable iptables.service
disable ip6tables.service
disable irqbalance.service
disable mcelog.service
disable mdmonitor-takeover.service
@ -68,7 +70,6 @@ enable qubes-mount-home.service
enable qubes-firewall.service
enable qubes-netwatcher.service
enable qubes-meminfo-writer.service
enable iptables.service
enable ip6tables.service
enable qubes-iptables.service
enable haveged.service
enable chronyd.service

12
vm-systemd/qubes-iptables.service Normal file
View File

@ -0,0 +1,12 @@
[Unit]
Description=Qubes base firewall settings
[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/lib/qubes/init/qubes-iptables start
StandardOutput=syslog
StandardError=syslog
[Install]
WantedBy=basic.target

2
vm-systemd/qubes-network.service
View File

@ -2,7 +2,7 @@
Description=Qubes network forwarding setup
ConditionPathExists=/var/run/qubes-service/qubes-network
Before=network.target
After=iptables.service
After=qubes-iptables.service
[Service]
Type=oneshot

2
vm-systemd/qubes-updates-proxy.service
View File

@ -2,7 +2,7 @@
Description=Qubes updates proxy (tinyproxy)
ConditionPathExists=|/var/run/qubes-service/qubes-yum-proxy
ConditionPathExists=|/var/run/qubes-service/qubes-updates-proxy
After=iptables.service
After=qubes-iptables.service
[Service]
ExecStartPre=/usr/bin/install -d --owner tinyproxy --group tinyproxy /var/run/tinyproxy