Qubes/core-agent-linux
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Merge remote-tracking branch 'origin/pr/268'

Browse Source 
* origin/pr/268:
  Don’t rely on an arbitrary length limit
  Don’t assume dom0 will never have a network connection
  Add conntrack-tools dependency to qubes-core-agent-networking
  Keep shellcheck from complaining
  Stop disabling checksum offload
  Remove spurious line continuation; add quotes.
  vif-route-qubes: Check that the -e flag is set
  Purge stale connection tracking entries
This commit is contained in:
Marek Marczykowski-Górecki 2020-12-28 16:43:29 +01:00
commit cba3f59623
No known key found for this signature in database
GPG Key ID: 063938BA42CFA724
4 changed files with 35 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
archlinux/PKGBUILD
View File

@ -117,6 +117,7 @@ package_qubes-vm-networking() {
pkgdesc="Qubes OS tools allowing to use a Qubes VM as a NetVM/ProxyVM" pkgdesc="Qubes OS tools allowing to use a Qubes VM as a NetVM/ProxyVM"
depends=(qubes-vm-core qubes-vm-utils python ethtool net-tools depends=(qubes-vm-core qubes-vm-utils python ethtool net-tools
qubes-db-vm networkmanager iptables tinyproxy nftables qubes-db-vm networkmanager iptables tinyproxy nftables
conntrack-tools
) )
install=PKGBUILD-networking.install install=PKGBUILD-networking.install

1
debian/control vendored
View File

@ -124,6 +124,7 @@ Depends:
iptables, iptables,
net-tools, net-tools,
ethtool, ethtool,
conntrack,
socat, socat,
tinyproxy, tinyproxy,
iproute2, iproute2,

40
network/vif-route-qubes
View File

@ -47,6 +47,14 @@ network_hooks() {
fi fi
} }
conntrack_purge () {
local n output deleted msg
n='(0|[1-9][0-9]*)' msg='flow entries have been deleted\.$'
deleted="^conntrack v$n\\.$n\\.$n \\(conntrack-tools\\): $n $msg"
output=$(LC_ALL=C exec conntrack -D "$@" 2>&1 >/dev/null) || :
[[ "$output" =~ $deleted ]]
}
ipt_arg= ipt_arg=
if "iptables-restore" --help 2>&1 | grep -q wait=; then if "iptables-restore" --help 2>&1 | grep -q wait=; then
# 'wait' must be last on command line if secs not specified # 'wait' must be last on command line if secs not specified
@ -80,8 +88,16 @@ fi
readonly max_domid=32752 readonly max_domid=32752
# if domid is 0 something is seriously wrong, so dont check for that case # This comment used to say, “if domid is 0 something is seriously wrong, so
if ! [[ $vif =~ ^vif([1-9][0-9]{,4})\.(0|[1-9][0-9]*)$ ]]; then # dont check for that case”. Indeed, dom0 should never have an Ethernet
# connection in a production QubesOS system.
#
# However, giving dom0 an Ethernet connection can be extremely useful in
# insecure test environments, where there is simply no data worth compromising.
# In fact, some test setups, including OpenQA, actually do this. Therefore, we
# now handle this case correctly, even though it is by definition a security
# risk.
if ! [[ $vif =~ ^vif(0|[1-9][0-9]*)\.(0|[1-9][0-9]*)$ ]]; then
printf 'Bad interface name %q\n' "$vif">&2 printf 'Bad interface name %q\n' "$vif">&2
exit 1 exit 1
fi fi
@ -90,7 +106,8 @@ domid=${BASH_REMATCH[1]} sub=${BASH_REMATCH[2]}
# metric must be positive, but prefer later interface # metric must be positive, but prefer later interface
# 32752 is max XID aka domid # 32752 is max XID aka domid
if (( domid > max_domid )); then # the length check ensures there is no overflow
if (( "${#domid}" > "${#max_domid}" || domid > max_domid )); then
printf %s\\n "domid $domid too large" printf %s\\n "domid $domid too large"
exit 1 exit 1
fi fi
@ -126,6 +143,11 @@ if [ -n "$appvm_ip" ] && [ -n "$appvm_gw_ip" ] && [ "$appvm_ip" != "$netvm_ip" ]
. "$dir/vif-qubes-nat.sh" . "$dir/vif-qubes-nat.sh"
fi fi
case $- in
(*e*) :;;
(*) echo '-e not set'>&2; exit 1;;
esac
# add anti-spoofing rules before enabling the interface # add anti-spoofing rules before enabling the interface
if [ "${ip}" ]; then if [ "${ip}" ]; then
# If weve been given a list of IP addresses, then add routes from us to # If weve been given a list of IP addresses, then add routes from us to
@ -140,16 +162,20 @@ if [ "${ip}" ]; then
printf '%s\n' "*raw" \ printf '%s\n' "*raw" \
"$iptables_cmd -i ${vif} ! -s ${addr} -j DROP" \ "$iptables_cmd -i ${vif} ! -s ${addr} -j DROP" \
"$iptables_cmd ! -i vif+ -s ${addr} -j DROP" \ "$iptables_cmd ! -i vif+ -s ${addr} -j DROP" \
"COMMIT" | \ "COMMIT" |
${cmdprefix} $ipt --noflush $ipt_arg ${cmdprefix} "$ipt" --noflush $ipt_arg
if [[ "$command" = 'online' ]]; then if [[ "$command" = 'online' ]]; then
ip -- neighbour "${ipcmd}" to "${addr}" \ ip -- neighbour "${ipcmd}" to "${addr}" \
dev "${vif}" lladdr "$mac" nud permanent dev "${vif}" lladdr "$mac" nud permanent
fi fi
if ! conntrack_purge -s "$addr" || ! conntrack_purge -d "$addr"; then
printf 'Cannot purge stale conntrack entries for %q\n' "$addr">&2
exit 1
fi
done done
# if no IPv6 is assigned, block all IPv6 traffic on that interface # if no IPv6 is assigned, block all IPv6 traffic on that interface
if ! [[ "$ip" = *:* ]]; then if ! [[ "$ip" = *:* ]]; then
echo -e "*raw\\n$iptables_cmd -i ${vif} -j DROP\\nCOMMIT" | \ echo -e "*raw\\n$iptables_cmd -i ${vif} -j DROP\\nCOMMIT" |
${cmdprefix} ip6tables-restore --noflush $ipt_arg ${cmdprefix} ip6tables-restore --noflush $ipt_arg
fi fi
fi fi
@ -181,7 +207,5 @@ fi
log debug "Successful vif-route-qubes $command for $vif." log debug "Successful vif-route-qubes $command for $vif."
if [ "$command" = "online" ]; then if [ "$command" = "online" ]; then
# disable tx checksumming offload, apparently it doesn't work with our ancient qemu in stubdom
do_without_error ethtool -K "$vif" tx off
success success
fi fi

1
rpm_spec/core-agent.spec.in
View File

@ -235,6 +235,7 @@ Scripts required to handle dom0 updates.
Summary: Networking support for Qubes VM Summary: Networking support for Qubes VM
Requires: ethtool Requires: ethtool
Requires: iptables Requires: iptables
Requires: conntrack-tools
Requires: net-tools Requires: net-tools
Requires: iproute Requires: iproute
Requires: nftables Requires: nftables