Example:
/rw/config/network-hooks.d/test.sh
\#!/bin/bash
command="$1"
vif="$2"
ip="$3"
if [ "$ip" == '10.137.0.100' ]; then
case "$command" in
online)
ip route add 192.168.0.100 via 10.137.0.100
;;
offline)
ip route del 192.168.0.100
;;
esac
fi
In rare cases when vif-route-qubes is called simultaneously with some
other iptables-restore instance, it fails because of missing --wait (and
recent iptables-restore defaults to aborting instead of waiting
for lock). That other call may be from qubes-firewall or user script.
Related to QubesOS/qubes-issues#3665
If IPv6 gateway address provided by dom0 isn't a link local address, add
a /128 route to it. Also, add this address on backend interfaces (vif*).
This is to allow proper ICMP host unreachable packets forwarding - if
gateway (address on vif* interface) have only fe80: address, it will be
used as a source for ICMP reply. It will be properly delivered to the VM
directly connected there (for example from sys-net to sys-firewall), but
because of being link-local address, it will not be forwarded any
further.
This results timeouts if host doesn't have IPv6 connectivity.
NetworkManager reports a bunch of events, reloading DNS at each of them
doesn't make sense and is harmful - systemd have ratelimit on service
restart.
FixesQubesOS/qubes-issues#3135
If IPv6 is configured in the VM, and it is providing network to others,
apply IPv6 firewall similar to the IPv4 one (including NAT for outgoing
traffix), instead of blocking everything. Also, enable IP forwarding for
IPv6 in such a case.
FixesQubesOS/qubes-issues#718
If dom0 expose IPv6 address settings, configure it on the interface.
Both backend and frontend side. If no IPv6 configuration is provided,
block IPv6 as it was before.
FixesQubesOS/qubes-issues#718
When qubes-firewall service is started, modify firewall to have "DROP"
policy, so if something goes wrong, no data got leaked.
But keep default action "ACCEPT" in case of legitimate service stop, or
not starting it at all - because one may choose to not use this service
at all.
Achieve this by adding "DROP" rule at the end of QBS-FIREWALL chain and
keep it there while qubes-firewall service is running.
FixesQubesOS/qubes-issues#3269
New udev have `DRIVERS` matcher, instead of `ENV{ID_NET_DRIVER}`. Add
appropriate rule to the file. Without it, network was working
incidentally, because there is a fallback in qubes-misc-post.service,
but dynamic network change was broken.
This applies at least to Debian stretch.
FixesQubesOS/qubes-issues#3192
Explicitly block something like "curl http://127.0.0.1:8082" and
return error page in this case. This error page is used in Whonix to
detect if the proxy is torrified. If not blocked, it may happen that
empty response is returned instead of error. See linked ticket for
details.
This was previously done for 10.137.255.254, but since migration to
qrexec-based connection, 127.0.0.1 is used instead.
FixesQubesOS/qubes-issues#1482
Configure package manager to use 127.0.0.1:8082 as proxy instead of
"magic" IP intercepted later. The listen on this port and whenever
new connection arrives, spawn qubes.UpdatesProxy service call (to
default target domain - subject to configuration in dom0) and connect
its stdin/out to the local TCP connection. This part use systemd.socket
unit in case of systemd, and ncat --exec otherwise.
On the other end - in target domain - simply pass stdin/out to updates
proxy (tinyproxy) running locally.
It's important to _not_ configure the same VM to both be updates proxy and
use it. In practice such configuration makes little sense - if VM can
access network (which is required to run updates proxy), package manager
can use it directly. Even if this network access is through some
VPN/Tor. If a single VM would be configured as both proxy provider and
proxy user, connection would loop back to itself. Because of this, proxy
connection redirection (to qrexec service) is disabled when the same VM
also run updates proxy.
FixesQubesOS/qubes-issues#1854
Qubes-specific options must be added in NetworkManager.conf, even if
those lines are commented out by default. The problem is solved by using
extended regular expressions.
Use /32 inside network namespace too. Otherwise inter-VM traffic is
broken - as all VMs seems to be in a single /24 subnet, but in fact are
not.
QubesOS/qubes-issues#1143
Core3 no longer reuse netvm own IP for primary DNS. At the same time,
disable dropping traffic to netvm itself because it breaks DNS (as one
of blocked things). This allows VM to learn real netvm IP, but:
- this mechanism is not intended to avoid detection from already
compromised VM, only about unintentional leaks
- this can be prevented using vif-qubes-nat.sh on the netvm itself (so
it will also have hidden its own IP)
QubesOS/qubes-issues#1143
Since 'script' xenstore entry no longer allows passing arguments
(actually this always was a side effect, not intended behaviour), we
need to pass additional parameters some other way. Natural choice for
Qubes-specific script is to use QubesDB.
And since those parameters are passed some other way, it is no longer
necessary to keep it as separate script.
FixesQubesOS/qubes-issues#1143
Keep "main" IP (the one in xenstore) as the one seen by the netvm, and
pass the "fake" one (the one seen by the VM) as script parameter.
FixesQubesOS/qubes-issues#1143
Do not use a symlink there, as it will be left after NetworkManager
shutdown - as a broken link then
FixesQubesOS/qubes-issues#2320
Reported by Achim Patzner <noses@noses.com>
This rewrite is mainly to adopt new interface for Qubes 4.x.
Main changes:
- change language from bash to python, introduce qubesagent python package
- support both nftables (preferred) and iptables
- new interface (https://qubes-os.org/doc/vm-interface/)
- IPv6 support
- unit tests included
- nftables version support running along with other firewall loaded
FixesQubesOS/qubes-issues#1815QubesOS/qubes-issues#718
* origin/pr/77:
archlinux: fix update-proxy-configs to use pacman.d drop-ins
archlinux: ensure repositories are the last pacman.d files included
archlinux: Setup default package repository
archlinux: switch to usage of pacman.d drop-ins
