Update rule priorities for anti-spoofing

2020-01-10 09:19:32 +01:00 · 2020-01-10 09:19:32 +01:00 · cd19073d50
commit cd19073d50
parent c1d8d7bce1
4 changed files with 19 additions and 13 deletions
--- a/network/ip6tables
+++ b/network/ip6tables
@ -1,8 +1,10 @@
 # Generated by ip6tables-save v1.4.14 on Tue Sep 25 16:00:20 2012
-*mangle
+*raw
 :QBS-PREROUTING - [0:0]
-:QBS-POSTROUTING - [0:0]
 -A PREROUTING -j QBS-PREROUTING
+COMMIT
+*mangle
+:QBS-POSTROUTING - [0:0
 -A POSTROUTING -j QBS-POSTROUTING
 COMMIT
 *filter
--- a/network/ip6tables-enabled
+++ b/network/ip6tables-enabled
@ -10,10 +10,12 @@
 -A POSTROUTING -o lo -j ACCEPT
 -A POSTROUTING -j MASQUERADE
 COMMIT
-*mangle
+*raw
 :QBS-PREROUTING - [0:0]
-:QBS-POSTROUTING - [0:0
 -A PREROUTING -j QBS-PREROUTING
+COMMIT
+*mangle
+:QBS-POSTROUTING - [0:0]
 -A POSTROUTING -j QBS-POSTROUTING
 COMMIT
 *filter
--- a/network/iptables
+++ b/network/iptables
@ -11,10 +11,12 @@
 -A POSTROUTING -o lo -j ACCEPT
 -A POSTROUTING -j MASQUERADE
 COMMIT
-*mangle
+*raw
 :QBS-PREROUTING - [0:0]
-:QBS-POSTROUTING - [0:0
 -A PREROUTING -j QBS-PREROUTING
+COMMIT
+*mangle
+:QBS-POSTROUTING - [0:0]
 -A POSTROUTING -j QBS-POSTROUTING
 COMMIT
 # Completed on Mon Sep  6 08:57:46 2010
--- a/qubesagent/firewall.py
+++ b/qubesagent/firewall.py
@ -411,12 +411,12 @@ class IptablesWorker(FirewallWorker):
            self.apply_rules_family(source, rules, 4)

    def update_connected_ips(self, family):
-        self.run_ipt(family, ['-t', 'mangle', '-F', 'QBS-PREROUTING'])
+        self.run_ipt(family, ['-t', 'raw', '-F', 'QBS-PREROUTING'])
        self.run_ipt(family, ['-t', 'mangle', '-F', 'QBS-POSTROUTING'])

        for ip in self.get_connected_ips(family):
            self.run_ipt(family, [
-                '-t', 'mangle', '-A', 'QBS-PREROUTING',
+                '-t', 'raw', '-A', 'QBS-PREROUTING',
                '!', '-i', 'vif+', '-s', ip, '-j', 'DROP'])
            self.run_ipt(family, [
                '-t', 'mangle', '-A', 'QBS-POSTROUTING',
@ -431,14 +431,14 @@ class IptablesWorker(FirewallWorker):
            self.run_ipt(4,
                ['-A', 'QBS-FORWARD', '!', '-i', 'vif+', '-j', 'RETURN'])
            self.run_ipt(4, ['-A', 'QBS-FORWARD', '-j', 'DROP'])
-            self.run_ipt(4, ['-t', 'mangle', '-F', 'QBS-PREROUTING'])
+            self.run_ipt(4, ['-t', 'raw', '-F', 'QBS-PREROUTING'])
            self.run_ipt(4, ['-t', 'mangle', '-F', 'QBS-POSTROUTING'])

            self.run_ipt(6, ['-F', 'QBS-FORWARD'])
            self.run_ipt(6,
                ['-A', 'QBS-FORWARD', '!', '-i', 'vif+', '-j', 'RETURN'])
            self.run_ipt(6, ['-A', 'QBS-FORWARD', '-j', 'DROP'])
-            self.run_ipt(6, ['-t', 'mangle', '-F', 'QBS-PREROUTING'])
+            self.run_ipt(6, ['-t', 'raw', '-F', 'QBS-PREROUTING'])
            self.run_ipt(6, ['-t', 'mangle', '-F', 'QBS-POSTROUTING'])
        except subprocess.CalledProcessError:
            self.log_error(
@ -451,7 +451,7 @@ class IptablesWorker(FirewallWorker):
    def cleanup(self):
        for family in (4, 6):
            self.run_ipt(family, ['-F', 'QBS-FORWARD'])
-            self.run_ipt(family, ['-t', 'mangle', '-F', 'QBS-PREROUTING'])
+            self.run_ipt(family, ['-t', 'raw', '-F', 'QBS-PREROUTING'])
            self.run_ipt(family, ['-t', 'mangle', '-F', 'QBS-POSTROUTING'])
            for chain in self.chains[family]:
                self.run_ipt(family, ['-F', chain])
@ -682,11 +682,11 @@ class NftablesWorker(FirewallWorker):
            '    meta iifname != "vif*" accept\n'
            '  }}\n'
            '  chain prerouting {{\n'
-            '    type filter hook prerouting priority 0;\n'
+            '    type filter hook prerouting priority -300;\n'
            '    policy accept;\n'
            '  }}\n'
            '  chain postrouting {{\n'
-            '    type filter hook postrouting priority 0;\n'
+            '    type filter hook postrouting priority -300;\n'
            '    policy accept;\n'
            '  }}\n'
            '}}\n'