Qubes/core-agent-linux
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Purge stale connection tracking entries

Browse Source 
This ensures that a VM cannot use connection tracking entries created by
another VM.
This commit is contained in:
Demi Marie Obenour 2020-12-06 12:55:51 -05:00
parent 5ddc118429
commit a8588c4e9c
No known key found for this signature in database
GPG Key ID: 28A45C93B0B5B6E0
1 changed files with 12 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
network/vif-route-qubes
View File

@ -47,6 +47,14 @@ network_hooks() {
fi fi
} }
conntrack_purge () {
local 'n=(0|[1-9][0-9]*)' output deleted msg
msg='flow entries have been deleted\.$'
deleted="^conntrack v$n\\.$n\\.$n \\(conntrack-tools\\): $n $msg"
output=$(LC_ALL=C exec conntrack -D "$@" 2>&1 >/dev/null) || :
[[ "$output" =~ $deleted ]]
}
ipt_arg= ipt_arg=
if "iptables-restore" --help 2>&1 | grep -q wait=; then if "iptables-restore" --help 2>&1 | grep -q wait=; then
# 'wait' must be last on command line if secs not specified # 'wait' must be last on command line if secs not specified
@ -146,6 +154,10 @@ if [ "${ip}" ]; then
ip -- neighbour "${ipcmd}" to "${addr}" \ ip -- neighbour "${ipcmd}" to "${addr}" \
dev "${vif}" lladdr "$mac" nud permanent dev "${vif}" lladdr "$mac" nud permanent
fi fi
if ! conntrack_purge -s "$addr" || ! conntrack_purge -d "$addr"; then
printf 'Cannot purge stale conntrack entries for %q\n' "$addr">&2
exit 1
fi
done done
# if no IPv6 is assigned, block all IPv6 traffic on that interface # if no IPv6 is assigned, block all IPv6 traffic on that interface
if ! [[ "$ip" = *:* ]]; then if ! [[ "$ip" = *:* ]]; then