update_connected_ips: set iptables policy to drop while updating

This commit is contained in:
Pawel Marczewski 2020-01-14 11:22:16 +01:00
parent a12e72b89c
commit e6eee9f4e0
No known key found for this signature in database
GPG Key ID: DE42EE9B14F96465
2 changed files with 20 additions and 2 deletions


@ -411,10 +411,22 @@ class IptablesWorker(FirewallWorker):
self.apply_rules_family(source, rules, 4) self.apply_rules_family(source, rules, 4)
def update_connected_ips(self, family): def update_connected_ips(self, family):
ips = self.get_connected_ips(family)
if not ips:
# Just flush.
self.run_ipt(family, ['-t', 'raw', '-F', 'QBS-PREROUTING'])
self.run_ipt(family, ['-t', 'mangle', '-F', 'QBS-POSTROUTING'])
return
# Temporarily set policy to DROP while updating the rules.
self.run_ipt(family, ['-t', 'raw', '-P', 'PREROUTING', 'DROP'])
self.run_ipt(family, ['-t', 'mangle', '-P', 'POSTROUTING', 'DROP'])
self.run_ipt(family, ['-t', 'raw', '-F', 'QBS-PREROUTING']) self.run_ipt(family, ['-t', 'raw', '-F', 'QBS-PREROUTING'])
self.run_ipt(family, ['-t', 'mangle', '-F', 'QBS-POSTROUTING']) self.run_ipt(family, ['-t', 'mangle', '-F', 'QBS-POSTROUTING'])
for ip in self.get_connected_ips(family): for ip in ips:
self.run_ipt(family, [ self.run_ipt(family, [
'-t', 'raw', '-A', 'QBS-PREROUTING', '-t', 'raw', '-A', 'QBS-PREROUTING',
'!', '-i', 'vif+', '-s', ip, '-j', 'DROP']) '!', '-i', 'vif+', '-s', ip, '-j', 'DROP'])
@ -422,6 +434,8 @@ class IptablesWorker(FirewallWorker):
'-t', 'mangle', '-A', 'QBS-POSTROUTING', '-t', 'mangle', '-A', 'QBS-POSTROUTING',
'!', '-o', 'vif+', '-d', ip, '-j', 'DROP']) '!', '-o', 'vif+', '-d', ip, '-j', 'DROP'])
self.run_ipt(family, ['-t', 'raw', '-P', 'PREROUTING', 'ACCEPT'])
self.run_ipt(family, ['-t', 'mangle', '-P', 'POSTROUTING', 'ACCEPT'])
def init(self): def init(self):
# Chains QBS-FORWARD, QBS-PREROUTING, QBS-POSTROUTING # Chains QBS-FORWARD, QBS-PREROUTING, QBS-POSTROUTING
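Review bot: The two `-P ... ACCEPT` calls at the end of update_connected_ips are not protected by a `finally`, so if any run_ipt call between the DROP and ACCEPT policy changes raises (a failed `-F` or `-A`), both built-in chains are left at policy DROP and all traffic for that family stays blocked until something else resets the policy. Failing closed during the update is clearly the intent, but staying closed after an error presumably is not; wrapping the flush-and-rebuild in `try:`/`finally:` bounds the DROP window to the update itself while still letting the exception propagate to the caller. The method spans both hunks of this section (the loop body continues into the second hunk). The rewritten lines are below.
```python
        # Temporarily set policy to DROP while updating the rules.
        self.run_ipt(family, ['-t', 'raw', '-P', 'PREROUTING', 'DROP'])
        self.run_ipt(family, ['-t', 'mangle', '-P', 'POSTROUTING', 'DROP'])
        try:
            self.run_ipt(family, ['-t', 'raw', '-F', 'QBS-PREROUTING'])
            self.run_ipt(family, ['-t', 'mangle', '-F', 'QBS-POSTROUTING'])
            for ip in ips:
                # … unchanged: the two -A rules appended for ip …
        finally:
            # Restore ACCEPT even if a rule failed to apply; an error must not
            # leave the chains dropping everything after the update is over.
            self.run_ipt(family, ['-t', 'raw', '-P', 'PREROUTING', 'ACCEPT'])
            self.run_ipt(family, ['-t', 'mangle', '-P', 'POSTROUTING', 'ACCEPT'])
```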


@ -337,6 +337,8 @@ class TestIptablesWorker(TestCase):
self.obj.update_connected_ips(4) self.obj.update_connected_ips(4)
self.assertEqual(self.obj.called_commands[4], [ self.assertEqual(self.obj.called_commands[4], [
['-t', 'raw', '-P', 'PREROUTING', 'DROP'],
['-t', 'mangle', '-P', 'POSTROUTING', 'DROP'],
['-t', 'raw', '-F', 'QBS-PREROUTING'], ['-t', 'raw', '-F', 'QBS-PREROUTING'],
['-t', 'mangle', '-F', 'QBS-POSTROUTING'], ['-t', 'mangle', '-F', 'QBS-POSTROUTING'],
['-t', 'raw', '-A', 'QBS-PREROUTING', ['-t', 'raw', '-A', 'QBS-PREROUTING',
@ -346,7 +348,9 @@ class TestIptablesWorker(TestCase):
['-t', 'raw', '-A', 'QBS-PREROUTING', ['-t', 'raw', '-A', 'QBS-PREROUTING',
'!', '-i', 'vif+', '-s', '10.137.0.2', '-j', 'DROP'], '!', '-i', 'vif+', '-s', '10.137.0.2', '-j', 'DROP'],
['-t', 'mangle', '-A', 'QBS-POSTROUTING', ['-t', 'mangle', '-A', 'QBS-POSTROUTING',
'!', '-o', 'vif+', '-d', '10.137.0.2', '-j', 'DROP'] '!', '-o', 'vif+', '-d', '10.137.0.2', '-j', 'DROP'],
['-t', 'raw', '-P', 'PREROUTING', 'ACCEPT'],
['-t', 'mangle', '-P', 'POSTROUTING', 'ACCEPT'],
]) ])
def test_009_update_connected_ips_empty(self): def test_009_update_connected_ips_empty(self):
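Review bot: The updated expectation pins only the success path: called_commands[4] must start with the two DROP policy calls and end with the two ACCEPT calls. Nothing exercises the case where a run_ipt call in between fails, which is exactly when a lingering DROP policy would matter; a test that makes run_ipt raise on one of the `-A` calls and then checks whether the ACCEPT calls are still recorded would pin the intended behaviour one way or the other. The test method whose body this hunk changes starts outside the hunk.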