network: properly handle DNS addresses in vif-qubes-nat.sh
Core3 no longer reuse netvm own IP for primary DNS. At the same time, disable dropping traffic to netvm itself because it breaks DNS (as one of blocked things). This allows VM to learn real netvm IP, but: - this mechanism is not intended to avoid detection from already compromised VM, only about unintentional leaks - this can be prevented using vif-qubes-nat.sh on the netvm itself (so it will also have hidden its own IP) QubesOS/qubes-issues#1143
This commit is contained in:
parent
c75b6519c5
commit
c8213ea55a
@ -2,7 +2,7 @@
|
|||||||
#set -x
|
#set -x
|
||||||
|
|
||||||
netvm_subnet=/24
|
netvm_subnet=/24
|
||||||
undetectable_netvm_ips=1
|
undetectable_netvm_ips=
|
||||||
|
|
||||||
netns="${vif}-nat"
|
netns="${vif}-nat"
|
||||||
netvm_if="${vif}"
|
netvm_if="${vif}"
|
||||||
@ -65,6 +65,7 @@ if test "$command" == online; then
|
|||||||
|
|
||||||
# same for the gateway/DNS IPs
|
# same for the gateway/DNS IPs
|
||||||
netns iptables -t raw -I PREROUTING -i "$netns_appvm_if" -d "$netvm_gw_ip" -j DROP
|
netns iptables -t raw -I PREROUTING -i "$netns_appvm_if" -d "$netvm_gw_ip" -j DROP
|
||||||
|
netns iptables -t raw -I PREROUTING -i "$netns_appvm_if" -d "$netvm_dns1_ip" -j DROP
|
||||||
netns iptables -t raw -I PREROUTING -i "$netns_appvm_if" -d "$netvm_dns2_ip" -j DROP
|
netns iptables -t raw -I PREROUTING -i "$netns_appvm_if" -d "$netvm_dns2_ip" -j DROP
|
||||||
fi
|
fi
|
||||||
|
|
||||||
@ -74,6 +75,11 @@ if test "$command" == online; then
|
|||||||
netns iptables -t nat -I PREROUTING -i "$netns_appvm_if" -d "$appvm_gw_ip" -j DNAT --to-destination "$netvm_gw_ip"
|
netns iptables -t nat -I PREROUTING -i "$netns_appvm_if" -d "$appvm_gw_ip" -j DNAT --to-destination "$netvm_gw_ip"
|
||||||
netns iptables -t nat -I POSTROUTING -o "$netns_appvm_if" -s "$netvm_gw_ip" -j SNAT --to-source "$appvm_gw_ip"
|
netns iptables -t nat -I POSTROUTING -o "$netns_appvm_if" -s "$netvm_gw_ip" -j SNAT --to-source "$appvm_gw_ip"
|
||||||
|
|
||||||
|
if test -n "$appvm_dns1_ip"; then
|
||||||
|
netns iptables -t nat -I PREROUTING -i "$netns_appvm_if" -d "$appvm_dns1_ip" -j DNAT --to-destination "$netvm_dns1_ip"
|
||||||
|
netns iptables -t nat -I POSTROUTING -o "$netns_appvm_if" -s "$netvm_dns1_ip" -j SNAT --to-source "$appvm_dns1_ip"
|
||||||
|
fi
|
||||||
|
|
||||||
if test -n "$appvm_dns2_ip"; then
|
if test -n "$appvm_dns2_ip"; then
|
||||||
netns iptables -t nat -I PREROUTING -i "$netns_appvm_if" -d "$appvm_dns2_ip" -j DNAT --to-destination "$netvm_dns2_ip"
|
netns iptables -t nat -I PREROUTING -i "$netns_appvm_if" -d "$appvm_dns2_ip" -j DNAT --to-destination "$netvm_dns2_ip"
|
||||||
netns iptables -t nat -I POSTROUTING -o "$netns_appvm_if" -s "$netvm_dns2_ip" -j SNAT --to-source "$appvm_dns2_ip"
|
netns iptables -t nat -I POSTROUTING -o "$netns_appvm_if" -s "$netvm_dns2_ip" -j SNAT --to-source "$appvm_dns2_ip"
|
||||||
|
@ -30,6 +30,7 @@ if [ "${ip}" ]; then
|
|||||||
# IPs as seen by this VM
|
# IPs as seen by this VM
|
||||||
netvm_ip="$ip"
|
netvm_ip="$ip"
|
||||||
netvm_gw_ip=`qubesdb-read /qubes-netvm-gateway`
|
netvm_gw_ip=`qubesdb-read /qubes-netvm-gateway`
|
||||||
|
netvm_dns1_ip=`qubesdb-read /qubes-netvm-primary-dns`
|
||||||
netvm_dns2_ip=`qubesdb-read /qubes-netvm-secondary-dns`
|
netvm_dns2_ip=`qubesdb-read /qubes-netvm-secondary-dns`
|
||||||
|
|
||||||
back_ip="$netvm_gw_ip"
|
back_ip="$netvm_gw_ip"
|
||||||
|
Loading…
Reference in New Issue
Block a user