Commit Graph

10 Commits

Author SHA1 Message Date
Christopher Laprise
a262574f85
Add qubes-firewall.d feature 2018-02-13 17:38:14 -05:00
Marek Marczykowski-Górecki
6b48d79d8c
tests: check if qubes-firewall-user-script is called
QubesOS/qubes-issues#3260
2018-02-05 18:17:29 +01:00
Marek Marczykowski-Górecki
6c33652ed4
qubes-firewall: call firewall-user-script at service startup
Call it just after creating base chains in iptables/nftables. This allow
the user to modify how those rules are plugged in, add custom rules at
beginning/end etc.

Fixes QubesOS/qubes-issues#3260
2018-02-05 18:17:11 +01:00
Marek Marczykowski-Górecki
c324b16252
firewall: allow also related traffic
This include ICMP error messages for allowed traffic.

Fixes QubesOS/qubes-issues#3406
2017-12-28 05:34:30 +01:00
Marek Marczykowski-Górecki
3a83623647
firewall: don't crash the whole qubes-firewall service on DNS fail
If DNS resolution fails, just block the traffic (for this VM), but don't
crash the whole service.

Fixes QubesOS/qubes-issues#3277
2017-12-28 05:15:00 +01:00
Marek Marczykowski-Górecki
4d51ea9387
Fix IPv6 support in qubes-firewall
Chain name in IPv6 cannot be longer than 29 chars, so strip IPv6 prefix
from it.
ICMP on IPv6 is a different protocol than on IPv4 - handle iptables rule
accordingly.

QubesOS/qubes-issues#718
2017-12-07 01:41:56 +01:00
Marek Marczykowski-Górecki
57a3c2d67e
network: have safe fallback in case of qubes-firewall crash/error
When qubes-firewall service is started, modify firewall to have "DROP"
policy, so if something goes wrong, no data got leaked.
But keep default action "ACCEPT" in case of legitimate service stop, or
not starting it at all - because one may choose to not use this service
at all.
Achieve this by adding "DROP" rule at the end of QBS-FIREWALL chain and
keep it there while qubes-firewall service is running.

Fixes QubesOS/qubes-issues#3269
2017-11-20 01:56:14 +01:00
Marek Marczykowski-Górecki
07be216a0d
tests: add run-tests script, plug it into travis
Also, replace subproces.call with a mockup, as notify-send is not
available on travis.
2017-05-20 13:20:08 +02:00
Marek Marczykowski-Górecki
87efe51be0
tests: make firewall tests working regardless of python version
Don't depend on set ordering...
2017-05-20 12:56:23 +02:00
Marek Marczykowski-Górecki
ee0a292b21
network: rewrite qubes-firewall daemon
This rewrite is mainly to adopt new interface for Qubes 4.x.
Main changes:
 - change language from bash to python, introduce qubesagent python package
 - support both nftables (preferred) and iptables
 - new interface (https://qubes-os.org/doc/vm-interface/)
 - IPv6 support
 - unit tests included
 - nftables version support running along with other firewall loaded

Fixes QubesOS/qubes-issues#1815
QubesOS/qubes-issues#718
2016-09-12 05:22:53 +02:00