* origin/pr/303:
firewall: prefer - over _ for QubesDB path
firewall: put DNS resolving into its own function
firewall: start watches before initial load
tests/firewall: added test for /dns/[ip]/[domain] info
tests/firewall: some code refactoring
add some checks for QubesDB /qubes-firewall_handled/[ip]
firewall: adjust tests to the new tuple returned by prepare_rules()
firewall: mark an IP as handled in /qubes-firewall_handled/[ip] after each handling iteration
mock qubesdb.rm()
firewall: refactor to remove side effects from prepare_rules()
Export DNS information obtained during firewall setup to QubesDB
I've run into an issue with incorrectly generated rules for IPv6. I
added some debugging code printing the generated rules and the
resulting error (see below). Turns out "reject with" expects icmpv6
rather than icmp6.
--- generated rule ---
flush chain ip6 qubes-firewall qbs-fd09-24ef-4179--a89-15
table ip6 qubes-firewall {
chain qbs-fd09-24ef-4179--a89-15 {
ip6 daddr fc00::/8 reject with icmp6 type admin-prohibited
ip6 daddr fd00::/8 reject with icmp6 type admin-prohibited
ip6 daddr fe80::/10 reject with icmp6 type admin-prohibited
accept
reject with icmp6 type admin-prohibited
}
}
--- output ---
/dev/stdin:4:36-40: Error: syntax error, unexpected string, expecting icmp or icmpv6 or tcp or icmpx
^^^^^
/dev/stdin:5:36-40: Error: syntax error, unexpected string, expecting icmp or icmpv6 or tcp or icmpx
^^^^^
/dev/stdin:6:37-41: Error: syntax error, unexpected string, expecting icmp or icmpv6 or tcp or icmpx
^^^^^
/dev/stdin:8:17-21: Error: syntax error, unexpected string, expecting icmp or icmpv6 or tcp or icmpx
^^^^^
qubes-firewall service is meant as mistakes mitigation, not a
high-volume external network filter. Providing feedback (ICMP
admin-prohibited error packet) to the VM reduces timeouts and give
immediate connection failure. This is especially useful when some
website tries to load unwanted (not whitelisted) 3rd party elements -
providing error response avoids long site loading time.
FixesQubesOS/qubes-issues#3607
Chain name in IPv6 cannot be longer than 29 chars, so strip IPv6 prefix
from it.
ICMP on IPv6 is a different protocol than on IPv4 - handle iptables rule
accordingly.
QubesOS/qubes-issues#718
When qubes-firewall service is started, modify firewall to have "DROP"
policy, so if something goes wrong, no data got leaked.
But keep default action "ACCEPT" in case of legitimate service stop, or
not starting it at all - because one may choose to not use this service
at all.
Achieve this by adding "DROP" rule at the end of QBS-FIREWALL chain and
keep it there while qubes-firewall service is running.
FixesQubesOS/qubes-issues#3269
This rewrite is mainly to adopt new interface for Qubes 4.x.
Main changes:
- change language from bash to python, introduce qubesagent python package
- support both nftables (preferred) and iptables
- new interface (https://qubes-os.org/doc/vm-interface/)
- IPv6 support
- unit tests included
- nftables version support running along with other firewall loaded
FixesQubesOS/qubes-issues#1815QubesOS/qubes-issues#718
