update_connected_ips: reload nftables using one command

Get rid of race condition between flushing the chains
and adding new rules.
This commit is contained in:
Pawel Marczewski 2020-01-14 10:46:51 +01:00
parent 4aace50313
commit a12e72b89c
No known key found for this signature in database
GPG Key ID: DE42EE9B14F96465
2 changed files with 24 additions and 26 deletions


@ -515,36 +515,35 @@ class NftablesWorker(FirewallWorker):
family_name = ('ip6' if family == 6 else 'ip') family_name = ('ip6' if family == 6 else 'ip')
table = 'qubes-firewall' table = 'qubes-firewall'
self.run_nft(( nft_input = (
'flush chain {family_name} {table} prerouting\n' 'flush chain {family_name} {table} prerouting\n'
'flush chain {family_name} {table} postrouting\n' 'flush chain {family_name} {table} postrouting\n'
).format(family_name=family_name, table=table)) ).format(family_name=family_name, table=table)
ips = self.get_connected_ips(family) ips = self.get_connected_ips(family)
if not ips: if ips:
return addr = '{' + ', '.join(ips) + '}'
irule = 'iifname != "vif*" {family_name} saddr {addr} drop\n'.format(
family_name=family_name, addr=addr)
orule = 'oifname != "vif*" {family_name} daddr {addr} drop\n'.format(
family_name=family_name, addr=addr)
addr = '{' + ', '.join(ips) + '}' nft_input += (
irule = 'iifname != "vif*" {family_name} saddr {addr} drop\n'.format( 'table {family_name} {table} {{\n'
family_name=family_name, addr=addr) ' chain prerouting {{\n'
orule = 'oifname != "vif*" {family_name} daddr {addr} drop\n'.format( ' {irule}'
family_name=family_name, addr=addr) ' }}\n'
' chain postrouting {{\n'
' {orule}'
' }}\n'
'}}\n'
).format(
family_name=family_name,
table=table,
irule=irule,
orule=orule,
)
nft_input = (
'table {family_name} {table} {{\n'
' chain prerouting {{\n'
' {irule}'
' }}\n'
' chain postrouting {{\n'
' {orule}'
' }}\n'
'}}\n'
).format(
family_name=family_name,
table=table,
irule=irule,
orule=orule,
)
self.run_nft(nft_input) self.run_nft(nft_input)
def prepare_rules(self, chain, rules, family): def prepare_rules(self, chain, rules, family):
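Review bot: The atomicity this change aims for depends on `run_nft` handing the whole of `nft_input` to a single nft invocation, which is not visible in this hunk, so that assumption should be recorded above `nft_input = (` with a comment such as `# Flush and re-add in ONE nft run so there is no window with the chains empty; relies on run_nft feeding the entire input to a single nft process.` The `table ... {` block added under `if ips:` also relies on the prerouting/postrouting chains still existing with their hook definitions, which holds only because the lines above flush them rather than delete them — worth a one-line comment next to the two `flush chain` lines. When `ips` is empty the method now runs the flush alone and leaves the chains empty, which reads as intended but is undocumented. update_connected_ips starts above the hunk.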


@ -553,8 +553,7 @@ class TestNftablesWorker(TestCase):
self.assertEqual(self.obj.loaded_rules, [ self.assertEqual(self.obj.loaded_rules, [
'flush chain ip qubes-firewall prerouting\n' 'flush chain ip qubes-firewall prerouting\n'
'flush chain ip qubes-firewall postrouting\n', 'flush chain ip qubes-firewall postrouting\n'
'table ip qubes-firewall {\n' 'table ip qubes-firewall {\n'
' chain prerouting {\n' ' chain prerouting {\n'
' iifname != "vif*" ip saddr {10.137.0.1, 10.137.0.2} drop\n' ' iifname != "vif*" ip saddr {10.137.0.1, 10.137.0.2} drop\n'