network: setup anti-spoofing firewall rules before enabling the interface

Previously enabling the interface was the first action in the setup
steps. Linux theoretically do not forward the traffic until proper
IP address and route is added to the interface (depending on rp_filter
setting). But instead of relying on this opaque behavior better setup
anti-spoofing rules earlier. Also, add 'set -o pipefail' for more
reliable error handling.
Note the rules for actual VM traffic (qvm-firewall) are properly
enforced - until those rules are loaded, traffic from appropriate vif
interface is blocked. But this relies on proper source IP address,
anti-spoofing rules need to be setup race-free.

Reported-by: Demi M. Obenour <demiobenour@gmail.com>
This commit is contained in:
Marek Marczykowski-Górecki 2019-12-19 01:14:39 +01:00 committed by Demi Marie Obenour
parent 75ffdf6a53
commit 68b61c2c6d
No known key found for this signature in database
GPG Key ID: 28A45C93B0B5B6E0

View File

@ -24,6 +24,7 @@ dir=$(dirname "$0")
# shellcheck disable=SC1091,SC1090 # shellcheck disable=SC1091,SC1090
. "$dir/vif-common.sh" . "$dir/vif-common.sh"
set -o pipefail
#main_ip=$(dom0_ip) #main_ip=$(dom0_ip)
# Network Hooks for triggering supplementary actions on AppVM connect # Network Hooks for triggering supplementary actions on AppVM connect
@ -95,7 +96,6 @@ fi
# shellcheck disable=SC2154 # shellcheck disable=SC2154
case "$command" in case "$command" in
online) online)
ifconfig "${vif}" up
echo 1 >"/proc/sys/net/ipv4/conf/${vif}/proxy_arp" echo 1 >"/proc/sys/net/ipv4/conf/${vif}/proxy_arp"
ipcmd='add' ipcmd='add'
iptables_cmd='-I PREROUTING 1' iptables_cmd='-I PREROUTING 1'
@ -118,6 +118,30 @@ domid=${domid/.*/}
# 32752 is max XID aka domid # 32752 is max XID aka domid
metric=$(( 32752 - domid )) metric=$(( 32752 - domid ))
# add anti-spoofing rules before enabling the interface
if [ "${ip}" ]; then
# If we've been given a list of IP addresses, then add routes from dom0 to
# the guest using those addresses.
for addr in ${ip};
do
if [[ "$addr" = *:* ]]; then
ipt=ip6tables-restore
else
ipt=iptables-restore
fi
echo -e "*raw\\n$iptables_cmd -i ${vif} ! -s ${addr} -j DROP\\nCOMMIT" | \
${cmdprefix} $ipt --noflush $ipt_arg
done
# if no IPv6 is assigned, block all IPv6 traffic on that interface
if ! [[ "$ip" = *:* ]]; then
echo -e "*raw\\n$iptables_cmd -i ${vif} -j DROP\\nCOMMIT" | \
${cmdprefix} ip6tables-restore --noflush $ipt_arg
fi
fi
if [ "$command" = "online" ]; then
ifconfig "${vif}" up
fi
if [ "${ip}" ]; then if [ "${ip}" ]; then
# If we've been given a list of IP addresses, then add routes from dom0 to # If we've been given a list of IP addresses, then add routes from dom0 to
@ -129,21 +153,9 @@ if [ "${ip}" ]; then
continue continue
fi fi
${cmdprefix} ip route "${ipcmd}" "${addr}" dev "${vif}" metric "$metric" ${cmdprefix} ip route "${ipcmd}" "${addr}" dev "${vif}" metric "$metric"
if [[ "$addr" = *:* ]]; then
ipt=ip6tables-restore
else
ipt=iptables-restore
fi
echo -e "*raw\\n$iptables_cmd -i ${vif} ! -s ${addr} -j DROP\\nCOMMIT" | \
${cmdprefix} $ipt --noflush $ipt_arg
network_hooks "${command}" "${vif}" "${addr}" network_hooks "${command}" "${vif}" "${addr}"
done done
# if no IPv6 is assigned, block all IPv6 traffic on that interface
if ! [[ "$ip" = *:* ]]; then
echo -e "*raw\\n$iptables_cmd -i ${vif} -j DROP\\nCOMMIT" | \
${cmdprefix} ip6tables-restore --noflush $ipt_arg
fi
${cmdprefix} ip addr "${ipcmd}" "${back_ip}/32" dev "${vif}" ${cmdprefix} ip addr "${ipcmd}" "${back_ip}/32" dev "${vif}"
if [ "${back_ip6}" ] && [[ "${back_ip6}" != "fe80:"* ]] && [[ "$ipv6_disabled" != 1 ]]; then if [ "${back_ip6}" ] && [[ "${back_ip6}" != "fe80:"* ]] && [[ "$ipv6_disabled" != 1 ]]; then
${cmdprefix} ip addr "${ipcmd}" "${back_ip6}/128" dev "${vif}" ${cmdprefix} ip addr "${ipcmd}" "${back_ip6}/128" dev "${vif}"