Merge branch 'qubes-iptables'

Conflicts:
	debian/control
	rpm_spec/core-vm.spec

QubesOS/qubes-issues#1067
This commit is contained in:
Marek Marczykowski-Górecki 2015-10-05 01:47:01 +02:00
commit 8e497bffc0
No known key found for this signature in database
GPG Key ID: 063938BA42CFA724
9 changed files with 97 additions and 50 deletions

View File

@ -67,6 +67,9 @@ ifeq ($(shell lsb_release -is), Debian)
# Wheezy Dropins # Wheezy Dropins
# Disable sysinit 'network-manager.service' since systemd 'NetworkManager.service' is already installed # Disable sysinit 'network-manager.service' since systemd 'NetworkManager.service' is already installed
DROPINS += $(strip $(if $(filter wheezy, $(shell lsb_release -cs)), network-manager.service,)) DROPINS += $(strip $(if $(filter wheezy, $(shell lsb_release -cs)), network-manager.service,))
# handled by qubes-iptables service now
DROPINS += netfilter-persistent.service
endif endif
install-systemd-dropins: install-systemd-dropins:
@ -83,6 +86,7 @@ install-systemd:
install -m 0644 vm-systemd/75-qubes-vm.preset $(DESTDIR)$(SYSLIBDIR)/systemd/system-preset/ install -m 0644 vm-systemd/75-qubes-vm.preset $(DESTDIR)$(SYSLIBDIR)/systemd/system-preset/
install -m 0644 vm-systemd/qubes-core.conf $(DESTDIR)$(SYSLIBDIR)/modules-load.d/ install -m 0644 vm-systemd/qubes-core.conf $(DESTDIR)$(SYSLIBDIR)/modules-load.d/
install -m 0644 vm-systemd/qubes-misc.conf $(DESTDIR)$(SYSLIBDIR)/modules-load.d/ install -m 0644 vm-systemd/qubes-misc.conf $(DESTDIR)$(SYSLIBDIR)/modules-load.d/
install -m 0755 network/qubes-iptables $(DESTDIR)$(LIBDIR)/qubes/init/
install-sysvinit: install-sysvinit:
install -d $(DESTDIR)/etc/init.d install -d $(DESTDIR)/etc/init.d
@ -95,6 +99,7 @@ install-sysvinit:
install vm-init.d/qubes-updates-proxy $(DESTDIR)/etc/init.d/ install vm-init.d/qubes-updates-proxy $(DESTDIR)/etc/init.d/
install -D vm-init.d/qubes-core.modules $(DESTDIR)/etc/sysconfig/modules/qubes-core.modules install -D vm-init.d/qubes-core.modules $(DESTDIR)/etc/sysconfig/modules/qubes-core.modules
install -D vm-init.d/qubes-misc.modules $(DESTDIR)/etc/sysconfig/modules/qubes-misc.modules install -D vm-init.d/qubes-misc.modules $(DESTDIR)/etc/sysconfig/modules/qubes-misc.modules
install network/qubes-iptables $(DESTDIR)/etc/init.d/
install-rh: install-systemd install-systemd-dropins install-sysvinit install-rh: install-systemd install-systemd-dropins install-sysvinit
install -D -m 0644 misc/qubes-r3.repo $(DESTDIR)/etc/yum.repos.d/qubes-r3.repo install -D -m 0644 misc/qubes-r3.repo $(DESTDIR)/etc/yum.repos.d/qubes-r3.repo
@ -117,9 +122,6 @@ install-rh: install-systemd install-systemd-dropins install-sysvinit
install -D -m 0644 misc/serial.conf $(DESTDIR)/usr/share/qubes/serial.conf install -D -m 0644 misc/serial.conf $(DESTDIR)/usr/share/qubes/serial.conf
install -D misc/qubes-serial-login $(DESTDIR)/$(SBINDIR)/qubes-serial-login install -D misc/qubes-serial-login $(DESTDIR)/$(SBINDIR)/qubes-serial-login
install -m 0400 -D network/iptables $(DESTDIR)/usr/lib/qubes/init/iptables
install -m 0400 -D network/ip6tables $(DESTDIR)/usr/lib/qubes/init/ip6tables
install-common: install-common:
$(MAKE) -C autostart-dropins install $(MAKE) -C autostart-dropins install
install -m 0644 -D misc/fstab $(DESTDIR)/etc/fstab install -m 0644 -D misc/fstab $(DESTDIR)/etc/fstab
@ -167,6 +169,9 @@ install-common:
install -d $(DESTDIR)/etc/xdg/autostart install -d $(DESTDIR)/etc/xdg/autostart
install -m 0755 network/show-hide-nm-applet.sh $(DESTDIR)$(LIBDIR)/qubes/show-hide-nm-applet.sh install -m 0755 network/show-hide-nm-applet.sh $(DESTDIR)$(LIBDIR)/qubes/show-hide-nm-applet.sh
install -m 0644 network/show-hide-nm-applet.desktop $(DESTDIR)/etc/xdg/autostart/00-qubes-show-hide-nm-applet.desktop install -m 0644 network/show-hide-nm-applet.desktop $(DESTDIR)/etc/xdg/autostart/00-qubes-show-hide-nm-applet.desktop
install -m 0400 -D network/iptables $(DESTDIR)/etc/qubes/iptables.rules
install -m 0400 -D network/ip6tables $(DESTDIR)/etc/qubes/ip6tables.rules
install -d $(DESTDIR)/$(SBINDIR) install -d $(DESTDIR)/$(SBINDIR)
install network/qubes-firewall $(DESTDIR)/$(SBINDIR)/ install network/qubes-firewall $(DESTDIR)/$(SBINDIR)/
@ -226,8 +231,6 @@ install-deb: install-common install-systemd install-systemd-dropins
mkdir -p $(DESTDIR)/etc/apt/sources.list.d mkdir -p $(DESTDIR)/etc/apt/sources.list.d
sed -e "s/@DIST@/`lsb_release -cs`/" misc/qubes-r3.list.in > $(DESTDIR)/etc/apt/sources.list.d/qubes-r3.list sed -e "s/@DIST@/`lsb_release -cs`/" misc/qubes-r3.list.in > $(DESTDIR)/etc/apt/sources.list.d/qubes-r3.list
install -D -m 644 misc/qubes-archive-keyring.gpg $(DESTDIR)/etc/apt/trusted.gpg.d/qubes-archive-keyring.gpg install -D -m 644 misc/qubes-archive-keyring.gpg $(DESTDIR)/etc/apt/trusted.gpg.d/qubes-archive-keyring.gpg
install -D -m 644 network/iptables $(DESTDIR)/etc/iptables/rules.v4
install -D -m 644 network/ip6tables $(DESTDIR)/etc/iptables/rules.v6
install -D -m 644 network/00notify-hook $(DESTDIR)/etc/apt/apt.conf.d/00notify-hook install -D -m 644 network/00notify-hook $(DESTDIR)/etc/apt/apt.conf.d/00notify-hook
install -d $(DESTDIR)/etc/sysctl.d install -d $(DESTDIR)/etc/sysctl.d
install -m 644 network/80-qubes.conf $(DESTDIR)/etc/sysctl.d/ install -m 644 network/80-qubes.conf $(DESTDIR)/etc/sysctl.d/

1
debian/control vendored
View File

@ -18,7 +18,6 @@ Depends:
init-system-helpers, init-system-helpers,
initscripts, initscripts,
iptables, iptables,
iptables-persistent,
librsvg2-bin, librsvg2-bin,
libvchan-xen, libvchan-xen,
locales, locales,

59
network/qubes-iptables Executable file
View File

@ -0,0 +1,59 @@
#!/bin/bash
#
# qubes-iptables Start Qubes base iptables firewall
#
# chkconfig: 2345 08 92
# description: Loads iptables firewall
#
# config: /etc/qubes/iptables.rules
# config: /etc/qubes/ip6tables.rules
#
### BEGIN INIT INFO
# Provides: iptables
# Required-Start:
# Required-Stop:
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: Loads Qubes base iptables firewall
# Description: Loads Qubes base iptables firewall
### END INIT INFO
IPTABLES=iptables
IPTABLES_DATA_DIR=/etc/qubes
if [ ! -x /sbin/$IPTABLES ]; then
echo $"${IPTABLES}: /sbin/$IPTABLES does not exist."
exit 5
fi
start() {
ipt=$1
IPTABLES_DATA=$IPTABLES_DATA_DIR/${ipt}.rules
CMD=$ipt
# Do not start if there is no config file.
[ ! -f "$IPTABLES_DATA" ] && return 6
echo -n $"${CMD}: Applying firewall rules: "
$CMD-restore $IPTABLES_DATA
if [ $? -eq 0 ]; then
echo OK
else
echo FAIL; return 1
fi
return $ret
}
case "$1" in
start)
start iptables && start ip6tables
RETVAL=$?
;;
*)
echo $"Usage: ${IPTABLES} start"
RETVAL=2
;;
esac
exit $RETVAL

View File

@ -37,7 +37,6 @@ Requires: yum-plugin-post-transaction-actions
Requires: NetworkManager >= 0.8.1-1 Requires: NetworkManager >= 0.8.1-1
%if %{fedora} >= 18 %if %{fedora} >= 18
# Fedora >= 18 defaults to firewalld, which isn't supported nor needed by Qubes # Fedora >= 18 defaults to firewalld, which isn't supported nor needed by Qubes
Requires: iptables-services
Conflicts: firewalld Conflicts: firewalld
%endif %endif
Requires: /usr/bin/mimeopen Requires: /usr/bin/mimeopen
@ -122,33 +121,11 @@ usermod -L user
(cd qrexec; make install DESTDIR=$RPM_BUILD_ROOT) (cd qrexec; make install DESTDIR=$RPM_BUILD_ROOT)
make install-vm DESTDIR=$RPM_BUILD_ROOT make install-vm DESTDIR=$RPM_BUILD_ROOT
cp -p $RPM_BUILD_ROOT/usr/lib/qubes/init/iptables $RPM_BUILD_ROOT/etc/sysconfig/iptables.qubes
cp -p $RPM_BUILD_ROOT/usr/lib/qubes/init/ip6tables $RPM_BUILD_ROOT/etc/sysconfig/ip6tables.qubes
%triggerin -- initscripts %triggerin -- initscripts
if [ -e /etc/init/serial.conf ]; then if [ -e /etc/init/serial.conf ]; then
cp /usr/share/qubes/serial.conf /etc/init/serial.conf cp /usr/share/qubes/serial.conf /etc/init/serial.conf
fi fi
%triggerin -- iptables
if ! grep -q IPTABLES_DATA /etc/sysconfig/iptables-config; then
cat <<EOF >>/etc/sysconfig/iptables-config
### Automatically added by Qubes:
# Override default rules location on Qubes
IPTABLES_DATA=/etc/sysconfig/iptables.qubes
EOF
fi
if ! grep -q IP6TABLES_DATA /etc/sysconfig/ip6tables-config; then
cat <<EOF >>/etc/sysconfig/ip6tables-config
### Automatically added by Qubes:
# Override default rules location on Qubes
IP6TABLES_DATA=/etc/sysconfig/ip6tables.qubes
EOF
fi
%post %post
# disable some Upstart services # disable some Upstart services
@ -198,16 +175,6 @@ EOF
fi fi
fi fi
# Make sure that /etc/sysconfig/ip(|6)tables exists. Otherwise iptales.service
# would not start (even when configured to use another configuration file.
if [ ! -e '/etc/sysconfig/iptables' ]; then
ln -s iptables.qubes /etc/sysconfig/iptables
fi
if [ ! -e '/etc/sysconfig/ip6tables' ]; then
ln -s ip6tables.qubes /etc/sysconfig/ip6tables
fi
# ensure that hostname resolves to 127.0.0.1 resp. ::1 and that /etc/hosts is # ensure that hostname resolves to 127.0.0.1 resp. ::1 and that /etc/hosts is
# in the form expected by qubes-sysinit.sh # in the form expected by qubes-sysinit.sh
if ! grep -rq "^/etc/hostname$" "${PROTECTED_FILE_LIST}" 2>/dev/null; then if ! grep -rq "^/etc/hostname$" "${PROTECTED_FILE_LIST}" 2>/dev/null; then
@ -356,10 +323,8 @@ rm -f %{name}-%{version}
%config /etc/qubes/autostart/*.desktop.d/30_qubes.conf %config /etc/qubes/autostart/*.desktop.d/30_qubes.conf
%config(noreplace) /etc/sudoers.d/qubes %config(noreplace) /etc/sudoers.d/qubes
%config(noreplace) /etc/sudoers.d/qt_x11_no_mitshm %config(noreplace) /etc/sudoers.d/qt_x11_no_mitshm
%config(noreplace) /etc/sysconfig/iptables.qubes %config(noreplace) /etc/qubes/iptables.rules
%config(noreplace) /etc/sysconfig/ip6tables.qubes %config(noreplace) /etc/qubes/ip6tables.rules
/usr/lib/qubes/init/iptables
/usr/lib/qubes/init/ip6tables
%config(noreplace) /etc/tinyproxy/filter-updates %config(noreplace) /etc/tinyproxy/filter-updates
%config(noreplace) /etc/tinyproxy/tinyproxy-updates.conf %config(noreplace) /etc/tinyproxy/tinyproxy-updates.conf
%config(noreplace) /etc/udev/rules.d/50-qubes-misc.rules %config(noreplace) /etc/udev/rules.d/50-qubes-misc.rules
@ -450,6 +415,7 @@ The Qubes core startup configuration for SysV init (or upstart).
/etc/init.d/qubes-core-netvm /etc/init.d/qubes-core-netvm
/etc/init.d/qubes-firewall /etc/init.d/qubes-firewall
/etc/init.d/qubes-netwatcher /etc/init.d/qubes-netwatcher
/etc/init.d/qubes-iptables
/etc/init.d/qubes-updates-proxy /etc/init.d/qubes-updates-proxy
/etc/init.d/qubes-qrexec-agent /etc/init.d/qubes-qrexec-agent
/etc/sysconfig/modules/qubes-core.modules /etc/sysconfig/modules/qubes-core.modules
@ -475,8 +441,6 @@ done
chkconfig rsyslog on chkconfig rsyslog on
chkconfig haldaemon on chkconfig haldaemon on
chkconfig messagebus on chkconfig messagebus on
chkconfig iptables on
chkconfig ip6tables on
chkconfig --add qubes-core || echo "WARNING: Cannot add service qubes-core!" chkconfig --add qubes-core || echo "WARNING: Cannot add service qubes-core!"
chkconfig qubes-core on || echo "WARNING: Cannot enable service qubes-core!" chkconfig qubes-core on || echo "WARNING: Cannot enable service qubes-core!"
chkconfig --add qubes-core-netvm || echo "WARNING: Cannot add service qubes-core-netvm!" chkconfig --add qubes-core-netvm || echo "WARNING: Cannot add service qubes-core-netvm!"
@ -487,6 +451,8 @@ chkconfig --add qubes-firewall || echo "WARNING: Cannot add service qubes-firewa
chkconfig qubes-firewall on || echo "WARNING: Cannot enable service qubes-firewall!" chkconfig qubes-firewall on || echo "WARNING: Cannot enable service qubes-firewall!"
chkconfig --add qubes-netwatcher || echo "WARNING: Cannot add service qubes-netwatcher!" chkconfig --add qubes-netwatcher || echo "WARNING: Cannot add service qubes-netwatcher!"
chkconfig qubes-netwatcher on || echo "WARNING: Cannot enable service qubes-netwatcher!" chkconfig qubes-netwatcher on || echo "WARNING: Cannot enable service qubes-netwatcher!"
chkconfig --add qubes-iptables || echo "WARNING: Cannot add service qubes-iptables!"
chkconfig qubes-iptables on || echo "WARNING: Cannot enable service qubes-iptables!"
chkconfig --add qubes-updates-proxy || echo "WARNING: Cannot add service qubes-updates-proxy!" chkconfig --add qubes-updates-proxy || echo "WARNING: Cannot add service qubes-updates-proxy!"
chkconfig qubes-updates-proxy on || echo "WARNING: Cannot enable service qubes-updates-proxy!" chkconfig qubes-updates-proxy on || echo "WARNING: Cannot enable service qubes-updates-proxy!"
chkconfig --add qubes-qrexec-agent || echo "WARNING: Cannot add service qubes-qrexec-agent!" chkconfig --add qubes-qrexec-agent || echo "WARNING: Cannot add service qubes-qrexec-agent!"
@ -530,6 +496,7 @@ The Qubes core startup configuration for SystemD init.
/lib/systemd/system/qubes-mount-home.service /lib/systemd/system/qubes-mount-home.service
/lib/systemd/system/qubes-netwatcher.service /lib/systemd/system/qubes-netwatcher.service
/lib/systemd/system/qubes-network.service /lib/systemd/system/qubes-network.service
/lib/systemd/system/qubes-iptables.service
/lib/systemd/system/qubes-sysinit.service /lib/systemd/system/qubes-sysinit.service
/lib/systemd/system/qubes-update-check.service /lib/systemd/system/qubes-update-check.service
/lib/systemd/system/qubes-update-check.timer /lib/systemd/system/qubes-update-check.timer
@ -541,6 +508,7 @@ The Qubes core startup configuration for SystemD init.
%dir /usr/lib/qubes/init %dir /usr/lib/qubes/init
/usr/lib/qubes/init/prepare-dvm.sh /usr/lib/qubes/init/prepare-dvm.sh
/usr/lib/qubes/init/network-proxy-setup.sh /usr/lib/qubes/init/network-proxy-setup.sh
/usr/lib/qubes/init/qubes-iptables
/usr/lib/qubes/init/misc-post.sh /usr/lib/qubes/init/misc-post.sh
/usr/lib/qubes/init/misc-post-stop.sh /usr/lib/qubes/init/misc-post-stop.sh
/usr/lib/qubes/init/mount-home.sh /usr/lib/qubes/init/mount-home.sh
@ -565,11 +533,14 @@ if [ $1 -eq 1 ]; then
else else
services="qubes-dvm qubes-misc-post qubes-firewall qubes-mount-home" services="qubes-dvm qubes-misc-post qubes-firewall qubes-mount-home"
services="$services qubes-netwatcher qubes-network qubes-sysinit" services="$services qubes-netwatcher qubes-network qubes-sysinit"
services="$services qubes-updates-proxy qubes-qrexec-agent" services="$services qubes-iptables qubes-updates-proxy qubes-qrexec-agent"
for srv in $services; do for srv in $services; do
/bin/systemctl --no-reload preset $srv.service /bin/systemctl --no-reload preset $srv.service
done done
/bin/systemctl --no-reload preset qubes-update-check.timer /bin/systemctl --no-reload preset qubes-update-check.timer
# Upgrade path - now qubes-iptables is used instead
/bin/systemctl --no-reload preset iptables.service
/bin/systemctl --no-reload preset ip6tables.service
fi fi
# Set default "runlevel" # Set default "runlevel"

View File

@ -42,6 +42,8 @@ disable fedora-storage-init.service
disable fedora-storage-init-late.service disable fedora-storage-init-late.service
disable hwclock-load.service disable hwclock-load.service
disable ipmi.service disable ipmi.service
disable iptables.service
disable ip6tables.service
disable irqbalance.service disable irqbalance.service
disable mcelog.service disable mcelog.service
disable mdmonitor-takeover.service disable mdmonitor-takeover.service
@ -68,7 +70,6 @@ enable qubes-mount-home.service
enable qubes-firewall.service enable qubes-firewall.service
enable qubes-netwatcher.service enable qubes-netwatcher.service
enable qubes-meminfo-writer.service enable qubes-meminfo-writer.service
enable iptables.service enable qubes-iptables.service
enable ip6tables.service
enable haveged.service enable haveged.service
enable chronyd.service enable chronyd.service

View File

@ -0,0 +1,2 @@
[Unit]
ConditionPathExists=/var/run/qubes-service/netfilter-persistent

View File

@ -0,0 +1,12 @@
[Unit]
Description=Qubes base firewall settings
[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/lib/qubes/init/qubes-iptables start
StandardOutput=syslog
StandardError=syslog
[Install]
WantedBy=basic.target

View File

@ -2,7 +2,7 @@
Description=Qubes network forwarding setup Description=Qubes network forwarding setup
ConditionPathExists=/var/run/qubes-service/qubes-network ConditionPathExists=/var/run/qubes-service/qubes-network
Before=network.target Before=network.target
After=iptables.service After=qubes-iptables.service
[Service] [Service]
Type=oneshot Type=oneshot

View File

@ -2,7 +2,7 @@
Description=Qubes updates proxy (tinyproxy) Description=Qubes updates proxy (tinyproxy)
ConditionPathExists=|/var/run/qubes-service/qubes-yum-proxy ConditionPathExists=|/var/run/qubes-service/qubes-yum-proxy
ConditionPathExists=|/var/run/qubes-service/qubes-updates-proxy ConditionPathExists=|/var/run/qubes-service/qubes-updates-proxy
After=iptables.service After=qubes-iptables.service
[Service] [Service]
ExecStartPre=/usr/bin/install -d --owner tinyproxy --group tinyproxy /var/run/tinyproxy ExecStartPre=/usr/bin/install -d --owner tinyproxy --group tinyproxy /var/run/tinyproxy