
network: properly handle DNS addresses in vif-qubes-nat.sh

Core3 no longer reuses the netvm's own IP as the primary DNS. At the same time,
disable dropping traffic to the netvm itself, because doing so breaks DNS (DNS
being one of the blocked things). This allows a VM to learn the real netvm IP, but:
 - this mechanism is not intended to avoid detection from already
 compromised VM, only about unintentional leaks
 - this can be prevented using vif-qubes-nat.sh on the netvm itself (so
 it will also have hidden its own IP)

QubesOS/qubes-issues#1143
Marek Marczykowski-Górecki 7 年之前
c8213ea55a
共有 2 个文件被更改,包括 8 次插入1 次删除
  1. 7 1
      network/vif-qubes-nat.sh
  2. 1 0
      network/vif-route-qubes

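--- a/network/vif-qubes-nat.sh
+++ b/network/vif-qubes-nat.sh
@@ -2,7 +2,7 @@
 #set -x
 
 netvm_subnet=/24
-undetectable_netvm_ips=1
+undetectable_netvm_ips=
 
 netns="${vif}-nat"
 netvm_if="${vif}"
@@ -65,6 +65,7 @@ if test "$command" == online; then
 
         # same for the gateway/DNS IPs
         netns iptables -t raw -I PREROUTING -i "$netns_appvm_if" -d "$netvm_gw_ip" -j DROP
+        netns iptables -t raw -I PREROUTING -i "$netns_appvm_if" -d "$netvm_dns1_ip" -j DROP
         netns iptables -t raw -I PREROUTING -i "$netns_appvm_if" -d "$netvm_dns2_ip" -j DROP
     fi
 
@@ -74,6 +75,11 @@ if test "$command" == online; then
     netns iptables -t nat -I PREROUTING -i "$netns_appvm_if" -d "$appvm_gw_ip" -j DNAT --to-destination "$netvm_gw_ip"
     netns iptables -t nat -I POSTROUTING -o "$netns_appvm_if" -s "$netvm_gw_ip" -j SNAT --to-source "$appvm_gw_ip"
 
+    if test -n "$appvm_dns1_ip"; then
+        netns iptables -t nat -I PREROUTING -i "$netns_appvm_if" -d "$appvm_dns1_ip" -j DNAT --to-destination "$netvm_dns1_ip"
+        netns iptables -t nat -I POSTROUTING -o "$netns_appvm_if" -s "$netvm_dns1_ip" -j SNAT --to-source "$appvm_dns1_ip"
+    fi
+
     if test -n "$appvm_dns2_ip"; then
         netns iptables -t nat -I PREROUTING -i "$netns_appvm_if" -d "$appvm_dns2_ip" -j DNAT --to-destination "$netvm_dns2_ip"
         netns iptables -t nat -I POSTROUTING -o "$netns_appvm_if" -s "$netvm_dns2_ip" -j SNAT --to-source "$appvm_dns2_ip"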
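Review bot: The guard opening the new primary-DNS NAT block tests only `$appvm_dns1_ip`, while the DNAT target and the SNAT source match inside it use `$netvm_dns1_ip`; if the netvm-side value came back empty (the backtick assignment in vif-route-qubes discards qubesdb-read's exit status), iptables is invoked with `--to-destination ""` and will almost certainly reject the rule, leaving the NAT setup half-applied. Guarding on both values keeps the condition honest about what the block actually uses: `if test -n "$appvm_dns1_ip" && test -n "$netvm_dns1_ip"; then`. The DROP rule added in the earlier hunk has the same exposure (`-d "$netvm_dns1_ip"` with no non-empty check), though it only runs when `undetectable_netvm_ips` is set, which this commit defaults to empty. Both hunks sit inside the `if test "$command" == online` block, which opens and closes outside the hunks, and the `if` enclosing the DROP rules also opens outside the hunk.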

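--- a/network/vif-route-qubes
+++ b/network/vif-route-qubes
@@ -30,6 +30,7 @@ if [ "${ip}" ]; then
     # IPs as seen by this VM
     netvm_ip="$ip"
     netvm_gw_ip=`qubesdb-read /qubes-netvm-gateway`
+    netvm_dns1_ip=`qubesdb-read /qubes-netvm-primary-dns`
     netvm_dns2_ip=`qubesdb-read /qubes-netvm-secondary-dns`
 
     back_ip="$netvm_gw_ip"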
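Review bot: The added `netvm_dns1_ip` assignment uses a backtick substitution that discards qubesdb-read's exit status and applies no sanity check to the value, which vif-qubes-nat.sh then passes straight to iptables as `-d` and `--to-destination`; a missing key silently yields an empty string, and a malformed value only surfaces later as an iptables error, unless the script runs under `set -e`, which is not visible in the hunk. Since a primary DNS presumably must exist for the NAT rules to make sense (the secondary one is treated as optional by the NAT script), I would fail loudly if aborting vif setup is acceptable here: `netvm_dns1_ip=$(qubesdb-read /qubes-netvm-primary-dns) || { echo "vif-route-qubes: cannot read /qubes-netvm-primary-dns" >&2; exit 1; }`. As far as I can tell the qubesdb values are written from dom0, so this is a robustness point rather than an untrusted-input one, and the neighbouring gateway and secondary-DNS reads share it. The `if [ "${ip}" ]` block this line belongs to opens and closes outside the hunk.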