Commit Graph

12 Commits

Author SHA1 Message Date
Demi Marie Obenour
0580fe545b
Use netvm_gw_ip instead of netvm_ip
They are usually identical, but this is not guaranteed.
2020-11-22 17:52:54 -05:00
Demi Marie Obenour
9d10ecc08f
Remove commented-out code 2020-11-19 15:19:40 -05:00
Demi Marie Obenour
e4eeb2ee1b
Add NetVM-facing neighbor entry in NAT namespace
Since AppVMs will have their own NetVM-facing neighbor entries, a user
might (correctly) conclude that NetVMs do not need ARP or NDP enabled.
For this to work with NAT namespaces, they need their own neighbor
entries.
2020-11-19 12:16:15 -05:00
Demi Marie Obenour
097342bd08
Optimization: use ip -n over ip netns exec
This saves an exec call.
2020-11-19 12:10:26 -05:00
Demi Marie Obenour
6517cca2a4
NAT network namespaces need neighbor entries
If we are using a NAT network namespace, it needs its own neighbor
entries.  For consistency, give it the same MAC address as the VM it
connects to.
2020-11-19 12:08:23 -05:00
Marek Marczykowski-Górecki
bb220ce2eb
network: fix issues found by shellcheck 2017-09-30 04:43:04 +02:00
Marek Marczykowski-Górecki
24b726a3bf
network: use /32 netmask on internal IPs in NAT providing namespace
Use /32 inside network namespace too. Otherwise inter-VM traffic is
broken - as all VMs seems to be in a single /24 subnet, but in fact are
not.

QubesOS/qubes-issues#1143
2016-11-01 00:22:19 +01:00
Marek Marczykowski-Górecki
c8213ea55a
network: properly handle DNS addresses in vif-qubes-nat.sh
Core3 no longer reuse netvm own IP for primary DNS. At the same time,
disable dropping traffic to netvm itself because it breaks DNS (as one
of blocked things). This allows VM to learn real netvm IP, but:
 - this mechanism is not intended to avoid detection from already
 compromised VM, only about unintentional leaks
 - this can be prevented using vif-qubes-nat.sh on the netvm itself (so
 it will also have hidden its own IP)

QubesOS/qubes-issues#1143
2016-11-01 00:22:08 +01:00
Marek Marczykowski-Górecki
c75b6519c5
network: keep the same MAC on vif interfaces
Even when it's veth pair into network namespace doing NAT.

QubesOS/qubes-issues#1143
2016-11-01 00:13:47 +01:00
Marek Marczykowski-Górecki
938af2c7fd
network: change vif-route-qubes-nat parameters
Keep "main" IP (the one in xenstore) as the one seen by the netvm, and
pass the "fake" one (the one seen by the VM) as script parameter.

Fixes QubesOS/qubes-issues#1143
2016-10-29 22:28:57 +02:00
Marek Marczykowski-Górecki
be86c7da1f
network: reformat vif-route-qubes-nat
Use 4-space indentation, remove trailing spaces. No functional change.
2016-10-29 14:45:36 +02:00
qubesuser
2a15863ccb network: add vif-route-qubes-nat for IP address anonymization 2015-08-30 16:27:14 +02:00