Commit Graph

206 Commits

Author SHA1 Message Date
Demi Marie Obenour
ae48c7e04d
Merge commit '66b3e628f2bf0ec8f23b0b42484d014e5cad23bf' into conntrack-purge 2020-12-08 14:47:56 -05:00
Demi Marie Obenour
44b3c12d94
Keep shellcheck from complaining
The code was correct, but shellcheck didn’t recognize that ‘n’ had been
assigned as a local variable.
2020-12-07 14:57:03 -05:00
Demi Marie Obenour
d960f7af85
Stop disabling checksum offload
We now have a newer qemu in the stubdomain, so checksum offloading
should work.
2020-12-07 14:12:01 -05:00
Demi Marie Obenour
70253edeab
Remove spurious line continuation; add quotes.
Pipelines can extend over multiple lines without needing line
continuation.
2020-12-07 14:11:12 -05:00
Demi Marie Obenour
9840953f5f
vif-route-qubes: Check that the -e flag is set 2020-12-07 14:08:32 -05:00
Demi Marie Obenour
a8588c4e9c
Purge stale connection tracking entries
This ensures that a VM cannot use connection tracking entries created by
another VM.
2020-12-06 12:55:51 -05:00
Marek Marczykowski-Górecki
6aa2b89fba
Cleanup setup-ip script a bit
There is no longer a case where $INTERFACE is not set.
2020-12-04 03:24:02 +01:00
Marek Marczykowski-Górecki
dd8de797e3
Move network uplink setup to a separate service
Previously, network uplink (eth0) was configured in two places:
 - udev (asynchronously)
 - qubes-misc-post.service - at the very end of the boot process

This caused multiple issues:
1. Depending on udev event processing (non-deterministic), network
   uplink could be enabled too early, for example before setting up
   firewall.
2. Again depending on udev processing, it can be enabled quite late in
   the boot process, after network.target is up and services assume
   network already configured. This for example causes qubes-firewall to
   fail DNS queries.
3. If udev happens to try to enable networking even earlier, it may
   happen before qubesdb-daemon is started, in which case network setup
   will fail. For this case, there was network re-setup in
   qubes-misc-post service - much later in the boot.

Fix the above by placing network uplink setup in a dedicated
qubes-network-uplink@${INTERFACE}.service unit ordered after
network-pre.target and pulled in by udev based on vif device existence,
to handle also dynamic network attach/detach.
Then, create qubes-network-uplink.service unit waiting for appropriate
interface-specific unit (if one is expected!) and order it before
network.target.

QubesOS/qubes-issues#5576
2020-12-04 03:24:02 +01:00
Marek Marczykowski-Górecki
f66a494cc2
Allow DHCPv6 replies on uplink interface, if ipv6 is enabled
Fixes QubesOS/qubes-issues#5886
2020-12-03 20:52:51 +01:00
Demi Marie Obenour
0580fe545b
Use netvm_gw_ip instead of netvm_ip
They are usually identical, but this is not guaranteed.
2020-11-22 17:52:54 -05:00
Demi Marie Obenour
9d10ecc08f
Remove commented-out code 2020-11-19 15:19:40 -05:00
Demi Marie Obenour
e4eeb2ee1b
Add NetVM-facing neighbor entry in NAT namespace
Since AppVMs will have their own NetVM-facing neighbor entries, a user
might (correctly) conclude that NetVMs do not need ARP or NDP enabled.
For this to work with NAT namespaces, they need their own neighbor
entries.
2020-11-19 12:16:15 -05:00
Demi Marie Obenour
097342bd08
Optimization: use ip -n over ip netns exec
This saves an exec call.
2020-11-19 12:10:26 -05:00
Demi Marie Obenour
6517cca2a4
NAT network namespaces need neighbor entries
If we are using a NAT network namespace, it needs its own neighbor
entries.  For consistency, give it the same MAC address as the VM it
connects to.
2020-11-19 12:08:23 -05:00
Demi Marie Obenour
791b08c2ec
vif-route-qubes: better input validation
The input is trusted, but this will help debugging if something goes
wrong.
2020-11-13 13:15:24 -05:00
Demi Marie Obenour
9646acb18e
Don’t use onlink flag for nexthop
This is rejected by the kernel.
2020-11-13 12:51:15 -05:00
Demi Marie Obenour
3e7552856f
Fix running under -euo pipefail
Some qubesdb-read commands are expected to fail.  I ultimately did not
wind up including -e, but this version should be ready for it.
2020-11-11 14:07:55 -05:00
Demi Marie Obenour
377add43d1
Don’t hardcode MAC addresses 2020-11-10 22:31:18 -05:00
Demi Marie Obenour
0a322958e4
Add gateway IP+MAC, not VM’s own 2020-11-10 22:09:54 -05:00
Demi Marie Obenour
aa71677cbd
Add permanent neighbor entries
This allows network traffic to flow even if ARP and NDP do not work or
have explicitly been disabled.
2020-11-10 16:28:53 -05:00
Marek Marczykowski-Górecki
74f5fb5ac7
network: prevent IP spoofing on upstream (eth0) interface
Currently there is just one anti-spoofing firewall rule ensuring packets
coming through vif+ interfaces have the right source address. Add
another rule ensuring that addresses that belong to VMs behind those
vif+ interfaces do not appear on other interfaces (specifically eth0, but
also physical ones).

Normally it wouldn't be an issue because of rp_filter (doing the same
based on the route table), the default DROP in the FORWARD chain and also
conntrack (the need to guess exact port numbers and sequence numbers). But
it appears all three mechanisms are ineffective in some cases:
 - rp_filter in many distributions (including Fedora and Debian) was
   switched to Loose Mode, which doesn't verify the exact interface
 - there is a rule in the FORWARD table allowing established connections
   and conntrack does not keep track of input/output interfaces
 - CVE-2019-14899 allows guessing all the data needed to inject packets

Reported-by: Demi M. Obenour <demiobenour@gmail.com>
2020-11-10 15:47:25 -05:00
Marek Marczykowski-Górecki
68b61c2c6d
network: setup anti-spoofing firewall rules before enabling the interface
Previously enabling the interface was the first action in the setup
steps. Linux theoretically does not forward the traffic until a proper
IP address and route are added to the interface (depending on the
rp_filter setting). But instead of relying on this opaque behavior, it is
better to set up anti-spoofing rules earlier. Also, add 'set -o pipefail'
for more reliable error handling.
Note the rules for actual VM traffic (qvm-firewall) are properly
enforced - until those rules are loaded, traffic from the appropriate vif
interface is blocked. But since this relies on a proper source IP address,
anti-spoofing rules need to be set up race-free.

Reported-by: Demi M. Obenour <demiobenour@gmail.com>
2020-11-10 15:46:22 -05:00
ejose19
e09675c2b9
archlinux: improve pacman proxy implementation 2020-10-29 00:11:06 -03:00
Frédéric Pierret (fepitre)
60ed2c0a1b
Workaround for gpg not resolving key servers used behind a proxy
See QubesOS/qubes-issues#6013
2020-08-22 22:55:33 +02:00
Marek Marczykowski-Górecki
cb4f06d464
Merge remote-tracking branch 'origin/pr/239'
* origin/pr/239:
  xendriverdomain: remove placeholder for sbinpath
  Fix regex in qubes-fix-nm-conf.sh
  Update travis
  xendriverdomain: remove Requires and After proc-xen.mount
  Drop legacy xen entry in fstab
2020-08-06 05:32:45 +02:00
Frédéric Pierret (fepitre)
239ea3d04b
tinyproxy: support rsync for Gentoo 2020-08-04 12:24:09 +02:00
Frédéric Pierret (fepitre)
91bce584a2
Fix regex in qubes-fix-nm-conf.sh 2020-07-28 16:02:34 +02:00
Frédéric Pierret (fepitre)
a6c5e6094c
update-proxy-configs: handle Portage(Gentoo) 2020-07-14 11:41:37 +02:00
Frédéric Pierret (fepitre)
fef261499b
setup-ip: fallback to legacy if nmcli is not present 2020-04-17 15:29:40 +02:00
Amadeusz Piotr Żołnowski
4de377bc3b
Split items in misc directory by topic 2020-02-04 23:59:09 +00:00
Pawel Marczewski
63d8065e4f
firewall: drop INVALID state TCP packets
Packets detected as INVALID are ignored by NAT, so if they are not
dropped, packets with internal source IPs can leak to the outside
network.

See:

https://bugzilla.netfilter.org/show_bug.cgi?id=693
http://www.smythies.com/~doug/network/iptables_notes/

Fixes QubesOS/qubes-issues#5596.
2020-01-24 19:01:00 +01:00
Pawel Marczewski
cd19073d50
Update rule priorities for anti-spoofing 2020-01-10 09:19:32 +01:00
Pawel Marczewski
bfe31cfec8
qubes-firewall: add anti-spoofing rules for connected machines
qubes-firewall will now blacklist IP addresses from all connected
machines on non-vif* interfaces. This prevents spoofing the source or
target address on packets going over an upstream link, even if
the VM in question is powered off at the moment.

Depends on QubesOS/qubes-core-admin#303 which makes admin maintain
the list of IPs in qubesdb.

Fixes QubesOS/qubes-issues#5540.
2020-01-09 18:25:08 +01:00
Jonas DOREL
281d1a5776
Mention Update Proxy in configuration
This makes it easier to understand why this configuration is present.
2019-12-01 13:41:54 +01:00
Otto Sabart
b9d3e87438
archlinux: fix proxy setting in XferCommand
Starting from pacman v5.2.0 there is a problem with updating/installing
new packages:

$ pacman -Sy
...
debug: running command: ALL_PROXY=http://127.0.0.1:8082/ /usr/bin/curl -C - -f https://gluttony.sin.cvut.cz/arch/core/os/x86_64/core.db > /var/lib/pacman/sync/core.db.part
warning: running XferCommand: fork failed!
...

The problem is caused by a change in pacman: "run XferCommand via exec" [0].


Refs.:
- [0] https://git.archlinux.org/pacman.git/commit/?id=808a4f15ce82d2ed7eeb06de73d0f313620558ee
- [1] https://github.com/QubesOS/qubes-issues/issues/5443
2019-11-04 10:18:20 +01:00
Marek Marczykowski-Górecki
34921cd9c0
network: don't fail the whole vif setup if IPv6 is disabled
Detect if IPv6 is disabled in the kernel (like it is in Whonix Gateway)
and skip setting IPv6 in that case. Otherwise the 'ip' call would fail,
and since the script runs with 'set -e', it would interrupt setting IPv4
too. Log an error message in that case anyway.

Fixes QubesOS/qubes-issues#5110
2019-10-06 06:19:16 +02:00
unman
3f11775899
NetworkManager config - Add dns=default 2019-08-16 14:21:13 +00:00
Frédéric Pierret (fepitre)
dba1020b4c
Handle errors for non-present ip gateways 2019-06-22 17:40:25 +02:00
Frédéric Pierret (fepitre)
cf03ae3e2a
Better use '-z' and '-n' for readability 2019-06-20 16:32:08 +02:00
Frédéric Pierret (fepitre)
aa7ab25a78
configure_network: use classical function parsing 2019-06-19 21:10:00 +02:00
Frédéric Pierret (fepitre)
1c54101663
Handle legacy non-present /qubes-mac qubesdb entry 2019-06-19 19:21:38 +02:00
Frédéric Pierret (fepitre)
325eff2b13
Refactor and handle new network qubesdb configuration 2019-06-18 18:49:42 +02:00
Frédéric Pierret (fepitre)
e2a33e69e3
Handle empty ip and vif_type 2019-05-30 15:31:57 +02:00
Frédéric Pierret (fepitre)
73ed5e85fc
Handle network hooks located in /rw/config/network-hooks.d
Example:
/rw/config/network-hooks.d/test.sh
#!/bin/bash

command="$1"
vif="$2"
ip="$3"

if [ "$ip" == '10.137.0.100' ]; then
    case "$command" in
        online)
            ip route add 192.168.0.100 via 10.137.0.100
            ;;
        offline)
            ip route del 192.168.0.100
            ;;
    esac
fi
2019-05-30 11:40:40 +02:00
Frédéric Pierret (fepitre)
27fddadc22
setup-ip: handle default conf if /qubes-mac returns empty value 2019-05-21 17:32:09 +02:00
Frédéric Pierret (fepitre)
f7dd41206d
setup-ip: only assign IP configuration of Qubes managed iface 2019-05-21 17:21:51 +02:00
Frédéric Pierret (fepitre)
b18efe3257
Make ShellCheck happy 2019-05-21 17:21:51 +02:00
Frédéric Pierret (fepitre)
0ce79d4895
Handle non-default 'eth0' Qubes managed interface 2019-05-16 17:32:50 +02:00
Marek Marczykowski-Górecki
e3db225aab
vif-route-qubes: \n -> \\n
Make shellcheck happy.
2018-10-15 06:20:32 +02:00
Marek Marczykowski-Górecki
336754426b
Fix iptables-restore race condition in vif-route-qubes
In rare cases when vif-route-qubes is called simultaneously with some
other iptables-restore instance, it fails because of missing --wait (and
recent iptables-restore defaults to aborting instead of waiting
for the lock). That other call may be from qubes-firewall or a user script.

Related to QubesOS/qubes-issues#3665
2018-10-15 06:20:25 +02:00