Qubes/core-agent-linux
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity
1,160 Commits 1 Branch 0 Tags 34 MiB
53b0d8ab17
Commit Graph

46 Commits

Author SHA1 Message Date
Marek Marczykowski-Górecki
53b0d8ab17 network: fix IP address of backend network interface 
Get it from settings provided by dom0, do not calculate itself. This
makes a difference for DispVMs.
 2014-08-13 09:23:51 +02:00
Marek Marczykowski-Górecki
a288939156 Revert "network: use the same gateway IP generation method as backend" 
This reverts commit 4ef785a016.
Actually this change was wrong - the frontend IP was correct, the
problem was with backend IP.
 2014-08-13 08:58:10 +02:00
Marek Marczykowski-Górecki
4ef785a016 network: use the same gateway IP generation method as backend 
Backend domain generates its IP address based on frontend IP, not
settings given from dom0. So change frontend method to the same (for
DispVM it makes a difference). Now "qubes-gateway" xenstore entry is
basically primary DNS address only.
 2014-08-13 08:12:37 +02:00
Marek Marczykowski-Górecki
4d300ff137 Fix bashism 
Debian has dash as default shell.
 2014-07-26 03:58:21 +02:00
Davíð Steinn Geirsson
e5fa610b0d Use xenstore.h instead of xs.h when xen >= 4.2 2014-07-23 05:13:06 +02:00
Davíð Steinn Geirsson
2ddea415b2 Check for xenstore-read in /usr/sbin as well (default on debian) 2014-07-23 05:11:31 +02:00
Marek Marczykowski-Górecki
510edfb071 network: setup NM connection when its active in the ProxyVM 2014-05-22 01:36:15 +02:00
Marek Marczykowski-Górecki
486b148a08 Configure only installed programs 2014-05-22 01:31:43 +02:00
Marek Marczykowski-Górecki
e88b6e38be network: suppress NetworkManager from touching inter-vm interfaces (#774) 
Those interfaces are configured by qubes scripts (based on xenstore data
filled by qubes core).
 2014-03-28 02:57:12 +01:00
Marek Marczykowski-Górecki
4c3d5a46c2 firewall: replace deprecated "state" iptables module with "conntrack" 2014-03-28 02:56:43 +01:00
Marek Marczykowski-Górecki
f2ff044539 yum-proxy: fix iptables rules order 
Add the rules at the beginning of chain, so before final REJECT rule.
 2014-03-26 00:02:10 +01:00
Marek Marczykowski-Górecki
a19ef6d0db qubes-firewall: log errors to stderr -> syslog 
Not only display as notifications (which may be easily missed).
 2014-02-22 01:23:27 +01:00
Marek Marczykowski-Górecki
18ed540158 yum-proxy: fix stop command - iptables-restore do not accept -D 
iptables-restore format accept only "-A" command, so remove the rules
with direct call to iptables
 2014-02-21 13:28:49 +01:00
Marek Marczykowski-Górecki
d660f260b8 Hide nm-applet when NetworkManager is disabled (retry) 
It isn't done automatically by nm-applet itself since nm-applet 0.9.9.0
(fc19+), this one commit:
https://git.gnome.org/browse/network-manager-applet/commit?id=276a702000ee9e509321891f5ffa9789acfb053c
At the same time they've introduced option to manually hide the icon:
https://git.gnome.org/browse/network-manager-applet/commit?id=e7331a3f33ab422ea6c1bbc015ad44d8d9c83bc3
 2014-02-07 02:16:39 +01:00
Marek Marczykowski
8c9433fc00 yum-proxy: use iptables-restore to set firewall rules 
Simple iptables sometimes returns EBUSY.
 2013-08-05 02:08:52 +02:00
Marek Marczykowski
30ca124784 The Underscores Revolution: xenstore paths 2013-03-14 04:29:15 +01:00
Marek Marczykowski
ecc812f350 The Underscores Revolution: filenames 
Get rid of underscores in filenames, use dashes instead.
This is first part of cleanup in filenames.
"qubes_rpc" still untouched - will be in separate commit.
 2013-03-14 01:07:49 +01:00
Marek Marczykowski
c8e6ec3a7f Remove obsolete files. 2013-03-12 18:02:54 +01:00
Marek Marczykowski
ff47b0a8b8 vm/network: create NetworkManager config link only once 2013-01-11 05:05:39 +01:00
Marek Marczykowski
965846532a vm/network: disable tx-checksumming offload (#700) 
It doesn't work on xen-netfront.
 2013-01-08 03:03:44 +01:00
Marek Marczykowski
7131bb7dcd vm/network: do not fail service on failed xenstore-read 2012-10-13 11:47:32 +02:00
Marek Marczykowski
f33d2e4f42 vm/iptables: block IPv6 traffic 
This isn't properly handled by Qubes VMs yet, so block it in all the VMs.
Also restrict access to firewall config.
 2012-09-25 16:14:06 +02:00
Marek Marczykowski
6b50f834e5 vm/yum-proxy: one more regexp fix 2012-09-25 15:08:06 +02:00
Marek Marczykowski
299a233078 vm/yum-proxy: filter regexp: add missing ^$ marks, remove unneded .* at the beginning 
Reported-by: Igor Bukanov <igor@mir2.org>
 2012-09-25 13:37:59 +02:00
Marek Marczykowski
2d67d70d44 vm/yum-proxy: allow pkgtags repodata 2012-09-19 12:55:45 +02:00
Marek Marczykowski
f33fca9d95 vm/updates-proxy: fix regexp (#643) 2012-08-06 14:59:10 +02:00
Marek Marczykowski
7e55f001f5 vm/qubes-update-proxy: update URL whitelist 2012-07-05 01:43:32 +02:00
Marek Marczykowski
0430e5186b vm: qubes-yum-proxy service (#568) 
Introduce proxy service, which allow only http(s) traffic to yum repos. The
filter rules are based on URL regexp, so it isn't full-featured content
inspection and can be easy bypassed, but should be enough to prevent some
erroneus user actions (like clicking on invalid link).

It is set up to intercept connections to 10.137.255.254:8082, so VM can connect
to this IP regardless of VM in which proxy is running. By default it is
started in every NetVM, but this can be changed using qvm-service or
qubes-manager (as always).
 2012-05-31 03:11:43 +02:00
Marek Marczykowski
4b98106732 dom0+vm/iptables: add PR-QBS-SERVICES chain in PREROUTING nat table 
Additional chain for some qubes-related redirections. BTW PR-QBS should be
renamed now to PR-QBS-DNS...
 2012-05-31 03:11:43 +02:00
Marek Marczykowski
c18cb08f8c dom0+vm/vif-script: setup IP address of net backend interface 
This is needed to connect to ProxyVM/NetVM, not only pass traffic ahead. Still
firewall rules applies.
 2012-05-31 03:11:43 +02:00
Marek Marczykowski
f290b2e939 vm+dom0/vif-script: indent fix 2012-05-31 03:11:43 +02:00
Marek Marczykowski
703c74397f vm/netwatcher: fix watch 2012-03-09 01:54:16 +01:00
Marek Marczykowski
9de77d7fe4 vm/qvm-firewall: force firewall reload on service start (#478) 
This makes firewall reload triggered by qubes-netwatcher working again.
 2012-03-09 01:50:51 +01:00
Marek Marczykowski
aa0d767e8a vm/netwatcher: watch also for netvm change (#478) 2012-03-09 01:01:30 +01:00
Joanna Rutkowska
531449b16f vm/qubes_netwatcher: correct type in service name (#465) 
This prevented netwatcher being started in the firewallvm.
 2012-03-09 00:21:54 +01:00
Marek Marczykowski
2b3939ab64 vm/network: use metric to allow multiple routes to same VM 
This is required when VM has multiple interfaces (eg HVM: PV and stubdom).
Prefer the later one.
 2012-03-08 14:57:10 +01:00
Marek Marczykowski
8a7906a016 vm/network: really place anti-spoof rules in 'raw' table 
This fixes commit:
4d68998 vm/network: place anti-spoof rules in 'raw' table
 2012-03-08 14:56:39 +01:00
Marek Marczykowski
23e1e1db1f vm/network: place anti-spoof rules in 'raw' table 2012-03-03 01:30:04 +01:00
Marek Marczykowski
6610b22f97 vm/network: replace route in more elegant way 2012-03-03 01:26:06 +01:00
Marek Marczykowski
41a0366719 vm/network: do not fail when route already exists - override it 2012-02-24 17:10:16 +01:00
Marek Marczykowski
1b92fc877e vm/firewall: do not fail when one VMs rules failed 2012-02-13 15:47:34 +01:00
Marek Marczykowski
85e6704037 vm/network: symlink NetworkManager system-connection to /rw (#425) 
In FC15, NetworkManager by default uses global connections ("Available to all users"). Save them in /rw instead of /etc, to preserve them across reboots.
 2012-01-30 14:20:02 +01:00
Marek Marczykowski
18f32efe90 vm/network: ignore IPv6 DNS entries in /etc/resolv.conf 2012-01-30 13:41:41 +01:00
Marek Marczykowski
cc36c3ad7b vm/netwatcher: ignore error when no external IP present 
This can be set later - when network in NetVM is connected.
 2012-01-18 19:34:09 +01:00
Marek Marczykowski
b5fff2564f vm/iptables: do not MASQUERADE packets on lo (#416) 
Masquerading packets on lo actually drops them when there is no default route.
This causes problems with commutication between ntpd processes (ntp main
daemon and resolver). And perhaps many more...
 2012-01-13 20:42:31 +01:00
Marek Marczykowski
240d35259f vm(+dom0): major rearrage VM files in repo; merge core-*vm packages 2012-01-06 21:31:12 +01:00