vif-route-qubes 6.9 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211
  1. #!/bin/bash
  2. #============================================================================
  3. # /etc/xen/vif-route-qubes
  4. #
  5. # Script for configuring a vif in routed mode.
  6. # The hotplugging system will call this script if it is specified either in
  7. # the device configuration given to Xend, or the default Xend configuration
  8. # in /etc/xen/xend-config.sxp. If the script is specified in neither of those
  9. # places, then vif-bridge is the default.
  10. #
  11. # Usage:
  12. # vif-route (add|remove|online|offline)
  13. #
  14. # Environment vars:
  15. # vif vif interface name (required).
  16. # XENBUS_PATH path to this device's details in the XenStore (required).
  17. #
  18. # Read from the store:
  19. # ip list of IP networks for the vif, space-separated (default given in
  20. # this script).
  21. #============================================================================
  22. dir=$(dirname "$0")
  23. # shellcheck disable=SC1091,SC1090
  24. . "$dir/vif-common.sh"
  25. set -o pipefail
  26. #main_ip=$(dom0_ip)
  27. # Network Hooks for triggering supplementary actions on AppVM connect
  28. network_hooks() {
  29. local command="$1"
  30. local vif="$2"
  31. local addr="$3"
  32. local vif_type
  33. vif_type="$(xenstore-read "${XENBUS_PATH}/type")"
  34. if [ -d /rw/config/network-hooks.d ]; then
  35. for hook in /rw/config/network-hooks.d/*
  36. do
  37. if [ -x "$hook" ]; then
  38. log debug "Executing network-hook $(basename "$hook")..."
  39. do_without_error "${hook}" "${command}" "${vif}" "${vif_type}" "${addr}"
  40. fi
  41. done
  42. fi
  43. }
  44. conntrack_purge () {
  45. local n output deleted msg
  46. n='(0|[1-9][0-9]*)' msg='flow entries have been deleted\.$'
  47. deleted="^conntrack v$n\\.$n\\.$n \\(conntrack-tools\\): $n $msg"
  48. output=$(LC_ALL=C exec conntrack -D "$@" 2>&1 >/dev/null) || :
  49. [[ "$output" =~ $deleted ]]
  50. }
  51. ipt_arg=
  52. if "iptables-restore" --help 2>&1 | grep -q wait=; then
  53. # 'wait' must be last on command line if secs not specified
  54. ipt_arg=--wait
  55. fi
  56. # shellcheck disable=SC2154
  57. if [ "${ip}" ]; then
  58. # get first IPv4 and first IPv6
  59. for addr in ${ip}; do
  60. if [ -z "$ip4" ] && [[ "$addr" = *.* ]]; then
  61. ip4="$addr"
  62. elif [ -z "$ip6" ] && [[ "$addr" = *:* ]]; then
  63. ip6="$addr"
  64. fi
  65. done
  66. # IPs as seen by this VM
  67. netvm_ip="$ip4"
  68. netvm_gw_ip=$(qubesdb-read /qubes-netvm-gateway)
  69. netvm_gw_ip6=$(qubesdb-read /qubes-netvm-gateway6 || :)
  70. netvm_dns1_ip=$(qubesdb-read /qubes-netvm-primary-dns)
  71. netvm_dns2_ip=$(qubesdb-read /qubes-netvm-secondary-dns)
  72. back_ip="$netvm_gw_ip"
  73. back_ip6="$netvm_gw_ip6"
  74. # IPs as seen by the VM - if other than $netvm_ip
  75. appvm_gw_ip="$(qubesdb-read "/mapped-ip/$ip4/visible-gateway" 2>/dev/null || :)"
  76. appvm_ip="$(qubesdb-read "/mapped-ip/$ip4/visible-ip" 2>/dev/null || :)"
  77. fi
  78. readonly max_domid=32752
  79. # This comment used to say, “if domid is 0 something is seriously wrong, so
  80. # don’t check for that case”. Indeed, dom0 should never have an Ethernet
  81. # connection in a production QubesOS system.
  82. #
  83. # However, giving dom0 an Ethernet connection can be extremely useful in
  84. # insecure test environments, where there is simply no data worth compromising.
  85. # In fact, some test setups, including OpenQA, actually do this. Therefore, we
  86. # now handle this case correctly, even though it is by definition a security
  87. # risk.
  88. if ! [[ $vif =~ ^vif(0|[1-9][0-9]*)\.(0|[1-9][0-9]*)$ ]]; then
  89. printf 'Bad interface name %q\n' "$vif">&2
  90. exit 1
  91. fi
  92. domid=${BASH_REMATCH[1]} sub=${BASH_REMATCH[2]}
  93. # metric must be positive, but prefer later interface
  94. # 32752 is max XID aka domid
  95. # the length check ensures there is no overflow
  96. if (( "${#domid}" > "${#max_domid}" || domid > max_domid )); then
  97. printf %s\\n "domid $domid too large"
  98. exit 1
  99. fi
  100. metric=$(( max_domid - domid ))
  101. # shellcheck disable=SC2154
  102. case "$command" in
  103. online)
  104. echo 1 >"/proc/sys/net/ipv4/conf/${vif}/proxy_arp"
  105. ipcmd='add'
  106. iptables_cmd='-I PREROUTING 1'
  107. cmdprefix=''
  108. ipv6_disabled=$(cat /proc/sys/net/ipv6/conf/"${vif}"/disable_ipv6 || echo 1)
  109. # without a MAC address we will fail later with a confusing error
  110. mac=$(xenstore-read "backend/vif/$domid/$sub/mac") || exit 1
  111. ;;
  112. offline)
  113. do_without_error ifdown "${vif}"
  114. ipcmd='del'
  115. iptables_cmd='-D PREROUTING'
  116. cmdprefix='do_without_error'
  117. # cleanup IPv6 config even if _now_ it is disabled
  118. ipv6_disabled=0
  119. ;;
  120. esac
  121. # Apply NAT if IP visible from the VM is different than the "real" one
  122. # See vif-qubes-nat.sh for details
  123. # XXX: supported only for the first IPv4 address, IPv6 is dropped if this
  124. # feature is enabled
  125. if [ -n "$appvm_ip" ] && [ -n "$appvm_gw_ip" ] && [ "$appvm_ip" != "$netvm_ip" ]; then
  126. # shellcheck source=network/vif-qubes-nat.sh
  127. . "$dir/vif-qubes-nat.sh"
  128. fi
  129. case $- in
  130. (*e*) :;;
  131. (*) echo '-e not set'>&2; exit 1;;
  132. esac
  133. # add anti-spoofing rules before enabling the interface
  134. if [ "${ip}" ]; then
  135. # If we’ve been given a list of IP addresses, then add routes from us to
  136. # the VMs we serve using those addresses.
  137. for addr in ${ip};
  138. do
  139. if [[ "$addr" = *:* ]]; then
  140. ipt=ip6tables-restore
  141. else
  142. ipt=iptables-restore
  143. fi
  144. printf '%s\n' "*raw" \
  145. "$iptables_cmd -i ${vif} ! -s ${addr} -j DROP" \
  146. "$iptables_cmd ! -i vif+ -s ${addr} -j DROP" \
  147. "COMMIT" |
  148. ${cmdprefix} "$ipt" --noflush $ipt_arg
  149. if [[ "$command" = 'online' ]]; then
  150. ip -- neighbour "${ipcmd}" to "${addr}" \
  151. dev "${vif}" lladdr "$mac" nud permanent
  152. fi
  153. if ! conntrack_purge -s "$addr" || ! conntrack_purge -d "$addr"; then
  154. printf 'Cannot purge stale conntrack entries for %q\n' "$addr">&2
  155. exit 1
  156. fi
  157. done
  158. # if no IPv6 is assigned, block all IPv6 traffic on that interface
  159. if ! [[ "$ip" = *:* ]]; then
  160. echo -e "*raw\\n$iptables_cmd -i ${vif} -j DROP\\nCOMMIT" |
  161. ${cmdprefix} ip6tables-restore --noflush $ipt_arg
  162. fi
  163. fi
  164. if [ "$command" = "online" ]; then
  165. ifconfig "${vif}" up
  166. fi
  167. if [ "${ip}" ]; then
  168. # If we've been given a list of IP addresses, then add routes from dom0 to
  169. # the guest using those addresses.
  170. for addr in ${ip};
  171. do
  172. if [[ "$addr" = *:* ]] && [[ "$ipv6_disabled" = 1 ]]; then
  173. log error "Cannot set IPv6 route to ${addr}, IPv6 disabled in the kernel"
  174. continue
  175. fi
  176. ${cmdprefix} ip route "${ipcmd}" "${addr}" dev "${vif}" metric "$metric"
  177. network_hooks "${command}" "${vif}" "${addr}"
  178. done
  179. ${cmdprefix} ip addr "${ipcmd}" "${back_ip}/32" dev "${vif}"
  180. if [ "${back_ip6}" ] && [[ "${back_ip6}" != "fe80:"* ]] && [[ "$ipv6_disabled" != 1 ]]; then
  181. ${cmdprefix} ip addr "${ipcmd}" "${back_ip6}/128" dev "${vif}"
  182. fi
  183. else
  184. network_hooks "${command}" "${vif}"
  185. fi
  186. log debug "Successful vif-route-qubes $command for $vif."
  187. if [ "$command" = "online" ]; then
  188. success
  189. fi