
Update rule priorities for anti-spoofing

Pawel Marczewski 4 years ago
parent
commit
cd19073d50
4 changed files with 19 additions and 13 deletions
  1. 4 2
      network/ip6tables
  2. 4 2
      network/ip6tables-enabled
  3. 4 2
      network/iptables
  4. 7 7
      qubesagent/firewall.py

+ 4 - 2
network/ip6tables

@@ -1,8 +1,10 @@
 # Generated by ip6tables-save v1.4.14 on Tue Sep 25 16:00:20 2012
-*mangle
+*raw
 :QBS-PREROUTING - [0:0]
-:QBS-POSTROUTING - [0:0]
 -A PREROUTING -j QBS-PREROUTING
+COMMIT
+*mangle
+:QBS-POSTROUTING - [0:0
 -A POSTROUTING -j QBS-POSTROUTING
 COMMIT
 *filter
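Review bot: The added chain declaration `:QBS-POSTROUTING - [0:0` is missing its closing bracket, whereas the equivalent added lines in network/ip6tables-enabled and network/iptables read `[0:0]`; if that is the file's content rather than a rendering artifact, ip6tables-restore may reject the mangle table. Change it to `:QBS-POSTROUTING - [0:0]`. The removed lines in the other two files show the same truncated form, so it may be a pre-existing copy that was never exercised, but it is worth checking with `ip6tables-restore --test` before shipping.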

+ 4 - 2
network/ip6tables-enabled

@@ -10,10 +10,12 @@
 -A POSTROUTING -o lo -j ACCEPT
 -A POSTROUTING -j MASQUERADE
 COMMIT
-*mangle
+*raw
 :QBS-PREROUTING - [0:0]
-:QBS-POSTROUTING - [0:0
 -A PREROUTING -j QBS-PREROUTING
+COMMIT
+*mangle
+:QBS-POSTROUTING - [0:0]
 -A POSTROUTING -j QBS-POSTROUTING
 COMMIT
 *filter
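Review bot: Nothing in the file records why QBS-PREROUTING now lives in the raw table while QBS-POSTROUTING stays in mangle; the same applies to the hunk in network/iptables. iptables-save format ignores `#` lines, so a one-line comment above `*raw` such as `# QBS-PREROUTING is in raw so anti-spoofing DROPs run before conntrack (nft priority -300); QBS-POSTROUTING stays in mangle` would keep the three files and qubesagent/firewall.py in step. Note also that declaring `*raw` here means a plain iptables-restore of this file flushes any other raw-table rules present on the host, as it already does for mangle — presumably acceptable, but worth stating.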

+ 4 - 2
network/iptables

@@ -11,10 +11,12 @@
 -A POSTROUTING -o lo -j ACCEPT
 -A POSTROUTING -j MASQUERADE
 COMMIT
-*mangle
+*raw
 :QBS-PREROUTING - [0:0]
-:QBS-POSTROUTING - [0:0
 -A PREROUTING -j QBS-PREROUTING
+COMMIT
+*mangle
+:QBS-POSTROUTING - [0:0]
 -A POSTROUTING -j QBS-POSTROUTING
 COMMIT
 # Completed on Mon Sep  6 08:57:46 2010

+ 7 - 7
qubesagent/firewall.py

@@ -411,12 +411,12 @@ class IptablesWorker(FirewallWorker):
             self.apply_rules_family(source, rules, 4)
 
     def update_connected_ips(self, family):
-        self.run_ipt(family, ['-t', 'mangle', '-F', 'QBS-PREROUTING'])
+        self.run_ipt(family, ['-t', 'raw', '-F', 'QBS-PREROUTING'])
         self.run_ipt(family, ['-t', 'mangle', '-F', 'QBS-POSTROUTING'])
 
         for ip in self.get_connected_ips(family):
             self.run_ipt(family, [
-                '-t', 'mangle', '-A', 'QBS-PREROUTING',
+                '-t', 'raw', '-A', 'QBS-PREROUTING',
                 '!', '-i', 'vif+', '-s', ip, '-j', 'DROP'])
             self.run_ipt(family, [
                 '-t', 'mangle', '-A', 'QBS-POSTROUTING',
@@ -431,14 +431,14 @@ class IptablesWorker(FirewallWorker):
             self.run_ipt(4,
                 ['-A', 'QBS-FORWARD', '!', '-i', 'vif+', '-j', 'RETURN'])
             self.run_ipt(4, ['-A', 'QBS-FORWARD', '-j', 'DROP'])
-            self.run_ipt(4, ['-t', 'mangle', '-F', 'QBS-PREROUTING'])
+            self.run_ipt(4, ['-t', 'raw', '-F', 'QBS-PREROUTING'])
             self.run_ipt(4, ['-t', 'mangle', '-F', 'QBS-POSTROUTING'])
 
             self.run_ipt(6, ['-F', 'QBS-FORWARD'])
             self.run_ipt(6,
                 ['-A', 'QBS-FORWARD', '!', '-i', 'vif+', '-j', 'RETURN'])
             self.run_ipt(6, ['-A', 'QBS-FORWARD', '-j', 'DROP'])
-            self.run_ipt(6, ['-t', 'mangle', '-F', 'QBS-PREROUTING'])
+            self.run_ipt(6, ['-t', 'raw', '-F', 'QBS-PREROUTING'])
             self.run_ipt(6, ['-t', 'mangle', '-F', 'QBS-POSTROUTING'])
         except subprocess.CalledProcessError:
             self.log_error(
@@ -451,7 +451,7 @@ class IptablesWorker(FirewallWorker):
     def cleanup(self):
         for family in (4, 6):
             self.run_ipt(family, ['-F', 'QBS-FORWARD'])
-            self.run_ipt(family, ['-t', 'mangle', '-F', 'QBS-PREROUTING'])
+            self.run_ipt(family, ['-t', 'raw', '-F', 'QBS-PREROUTING'])
             self.run_ipt(family, ['-t', 'mangle', '-F', 'QBS-POSTROUTING'])
             for chain in self.chains[family]:
                 self.run_ipt(family, ['-F', chain])
@@ -682,11 +682,11 @@ class NftablesWorker(FirewallWorker):
             '    meta iifname != "vif*" accept\n'
             '  }}\n'
             '  chain prerouting {{\n'
-            '    type filter hook prerouting priority 0;\n'
+            '    type filter hook prerouting priority -300;\n'
             '    policy accept;\n'
             '  }}\n'
             '  chain postrouting {{\n'
-            '    type filter hook postrouting priority 0;\n'
+            '    type filter hook postrouting priority -300;\n'
             '    policy accept;\n'
             '  }}\n'
             '}}\n'
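Review bot: The NftablesWorker template now moves both the prerouting and postrouting chains to priority -300, whereas the IptablesWorker side of this commit moves only QBS-PREROUTING to raw and leaves QBS-POSTROUTING in mangle (priority -150); unless the difference is intended, the two backends no longer evaluate the postrouting anti-spoofing rules at the same point in the packet path. The magic number also deserves a comment where it is introduced, e.g. `# -300 == NF_IP_PRI_RAW: evaluate before conntrack (-200) so spoofed packets never create an entry` above the `'    type filter hook prerouting priority -300;\n'` line, or a named constant shared by both priority strings. In the iptables hunks the table name `'raw'` is now repeated five times across update_connected_ips, the try block that re-creates the chains and cleanup; a class-level constant would keep them from drifting apart. The enclosing template string starts and ends outside the hunk.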