firewall.py 27 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750
  1. # vim: fileencoding=utf-8
  2. #
  3. # The Qubes OS Project, https://www.qubes-os.org/
  4. #
  5. # Copyright (C) 2016
  6. # Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>
  7. #
  8. # This program is free software; you can redistribute it and/or modify
  9. # it under the terms of the GNU General Public License as published by
  10. # the Free Software Foundation; either version 2 of the License, or
  11. # (at your option) any later version.
  12. #
  13. # This program is distributed in the hope that it will be useful,
  14. # but WITHOUT ANY WARRANTY; without even the implied warranty of
  15. # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  16. # GNU General Public License for more details.
  17. #
  18. # You should have received a copy of the GNU General Public License along
  19. # with this program; if not, write to the Free Software Foundation, Inc.,
  20. # 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
  21. #
  22. import logging
  23. import os
  24. import socket
  25. import subprocess
  26. import shutil
  27. import daemon
  28. import qubesdb
  29. import sys
  30. import signal
  31. class RuleParseError(Exception):
  32. pass
  33. class RuleApplyError(Exception):
  34. pass
  35. class FirewallWorker(object):
  36. def __init__(self):
  37. self.terminate_requested = False
  38. self.qdb = qubesdb.QubesDB()
  39. self.log = logging.getLogger('qubes.firewall')
  40. self.log.addHandler(logging.StreamHandler(sys.stderr))
  41. def init(self):
  42. """Create appropriate chains/tables"""
  43. raise NotImplementedError
  44. def sd_notify(self, state):
  45. """Send notification to systemd, if available"""
  46. # based on sdnotify python module
  47. if 'NOTIFY_SOCKET' not in os.environ:
  48. return
  49. addr = os.environ['NOTIFY_SOCKET']
  50. if addr[0] == '@':
  51. addr = '\0' + addr[1:]
  52. try:
  53. sock = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
  54. sock.connect(addr)
  55. sock.sendall(state.encode())
  56. except:
  57. # generally ignore error on systemd notification
  58. pass
  59. def cleanup(self):
  60. """Remove tables/chains - reverse work done by init"""
  61. raise NotImplementedError
  62. def apply_rules(self, source_addr, rules):
  63. """Apply rules in given source address"""
  64. raise NotImplementedError
  65. def update_connected_ips(self, family):
  66. raise NotImplementedError
  67. def get_connected_ips(self, family):
  68. ips = self.qdb.read('/connected-ips6' if family == 6 else '/connected-ips')
  69. if ips is None:
  70. return []
  71. return ips.decode().split()
  72. def run_firewall_dir(self):
  73. """Run scripts dir contents, before user script"""
  74. script_dir_paths = ['/etc/qubes/qubes-firewall.d',
  75. '/rw/config/qubes-firewall.d']
  76. for script_dir_path in script_dir_paths:
  77. if not os.path.isdir(script_dir_path):
  78. continue
  79. for d_script in sorted(os.listdir(script_dir_path)):
  80. d_script_path = os.path.join(script_dir_path, d_script)
  81. if os.path.isfile(d_script_path) and \
  82. os.access(d_script_path, os.X_OK):
  83. subprocess.call([d_script_path])
  84. def run_user_script(self):
  85. """Run user script in /rw/config"""
  86. user_script_path = '/rw/config/qubes-firewall-user-script'
  87. if os.path.isfile(user_script_path) and \
  88. os.access(user_script_path, os.X_OK):
  89. subprocess.call([user_script_path])
  90. def read_rules(self, target):
  91. """Read rules from QubesDB and return them as a list of dicts"""
  92. entries = self.qdb.multiread('/qubes-firewall/{}/'.format(target))
  93. assert isinstance(entries, dict)
  94. # drop full path
  95. entries = dict(((k.split('/')[3], v.decode())
  96. for k, v in entries.items()))
  97. if 'policy' not in entries:
  98. raise RuleParseError('No \'policy\' defined')
  99. policy = entries.pop('policy')
  100. rules = []
  101. for ruleno, rule in sorted(entries.items()):
  102. if len(ruleno) != 4 or not ruleno.isdigit():
  103. raise RuleParseError(
  104. 'Unexpected non-rule found: {}={}'.format(ruleno, rule))
  105. rule_dict = dict(elem.split('=') for elem in rule.split(' '))
  106. if 'action' not in rule_dict:
  107. raise RuleParseError('Rule \'{}\' lack action'.format(rule))
  108. rules.append(rule_dict)
  109. rules.append({'action': policy})
  110. return rules
  111. def list_targets(self):
  112. return set(t.split('/')[2] for t in self.qdb.list('/qubes-firewall/'))
  113. @staticmethod
  114. def is_ip6(addr):
  115. return addr.count(':') > 0
  116. def log_error(self, msg):
  117. self.log.error(msg)
  118. subprocess.call(
  119. ['notify-send', '-t', '3000', msg],
  120. env=os.environ.copy().update({'DISPLAY': ':0'})
  121. )
  122. def handle_addr(self, addr):
  123. try:
  124. rules = self.read_rules(addr)
  125. self.apply_rules(addr, rules)
  126. except RuleParseError as e:
  127. self.log_error(
  128. 'Failed to parse rules for {} ({}), blocking traffic'.format(
  129. addr, str(e)
  130. ))
  131. self.apply_rules(addr, [{'action': 'drop'}])
  132. except RuleApplyError as e:
  133. self.log_error(
  134. 'Failed to apply rules for {} ({}), blocking traffic'.format(
  135. addr, str(e))
  136. )
  137. # retry with fallback rules
  138. try:
  139. self.apply_rules(addr, [{'action': 'drop'}])
  140. except RuleApplyError:
  141. self.log_error(
  142. 'Failed to block traffic for {}'.format(addr))
  143. @staticmethod
  144. def dns_addresses(family=None):
  145. with open('/etc/resolv.conf') as resolv:
  146. for line in resolv.readlines():
  147. line = line.strip()
  148. if line.startswith('nameserver'):
  149. if line.count('.') == 3 and (family or 4) == 4:
  150. yield line.split(' ')[1]
  151. elif line.count(':') and (family or 6) == 6:
  152. yield line.split(' ')[1]
  153. def main(self):
  154. self.terminate_requested = False
  155. self.init()
  156. self.run_firewall_dir()
  157. self.run_user_script()
  158. self.sd_notify('READY=1')
  159. # initial load
  160. for source_addr in self.list_targets():
  161. self.handle_addr(source_addr)
  162. self.update_connected_ips(4)
  163. self.update_connected_ips(6)
  164. self.qdb.watch('/qubes-firewall/')
  165. self.qdb.watch('/connected-ips')
  166. self.qdb.watch('/connected-ips6')
  167. try:
  168. for watch_path in iter(self.qdb.read_watch, None):
  169. if watch_path == '/connected-ips':
  170. self.update_connected_ips(4)
  171. if watch_path == '/connected-ips6':
  172. self.update_connected_ips(6)
  173. # ignore writing rules itself - wait for final write at
  174. # source_addr level empty write (/qubes-firewall/SOURCE_ADDR)
  175. if watch_path.startswith('/qubes-firewall/') and watch_path.count('/') == 2:
  176. source_addr = watch_path.split('/')[2]
  177. self.handle_addr(source_addr)
  178. except OSError: # EINTR
  179. # signal received, don't continue the loop
  180. pass
  181. self.cleanup()
  182. def terminate(self):
  183. self.terminate_requested = True
  184. class IptablesWorker(FirewallWorker):
  185. supported_rule_opts = ['action', 'proto', 'dst4', 'dst6', 'dsthost',
  186. 'dstports', 'specialtarget', 'icmptype']
  187. def __init__(self):
  188. super(IptablesWorker, self).__init__()
  189. self.chains = {
  190. 4: set(),
  191. 6: set(),
  192. }
  193. @staticmethod
  194. def chain_for_addr(addr):
  195. """Generate iptables chain name for given source address address"""
  196. return 'qbs-' + addr.replace('.', '-').replace(':', '-')[-20:]
  197. def run_ipt(self, family, args, **kwargs):
  198. # pylint: disable=no-self-use
  199. if family == 6:
  200. subprocess.check_call(['ip6tables'] + args, **kwargs)
  201. else:
  202. subprocess.check_call(['iptables'] + args, **kwargs)
  203. def run_ipt_restore(self, family, args):
  204. # pylint: disable=no-self-use
  205. if family == 6:
  206. return subprocess.Popen(['ip6tables-restore'] + args,
  207. stdin=subprocess.PIPE,
  208. stdout=subprocess.PIPE,
  209. stderr=subprocess.STDOUT)
  210. else:
  211. return subprocess.Popen(['iptables-restore'] + args,
  212. stdin=subprocess.PIPE,
  213. stdout=subprocess.PIPE,
  214. stderr=subprocess.STDOUT)
  215. def create_chain(self, addr, chain, family):
  216. """
  217. Create iptables chain and hook traffic coming from `addr` to it.
  218. :param addr: source IP from which traffic should be handled by the
  219. chain
  220. :param chain: name of the chain to create
  221. :param family: address family (4 or 6)
  222. :return: None
  223. """
  224. self.run_ipt(family, ['-N', chain])
  225. self.run_ipt(family,
  226. ['-I', 'QBS-FORWARD', '-s', addr, '-j', chain])
  227. self.chains[family].add(chain)
  228. def prepare_rules(self, chain, rules, family):
  229. """
  230. Helper function to translate rules list into input for iptables-restore
  231. :param chain: name of the chain to put rules into
  232. :param rules: list of rules
  233. :param family: address family (4 or 6)
  234. :return: input for iptables-restore
  235. :rtype: str
  236. """
  237. iptables = "*filter\n"
  238. fullmask = '/128' if family == 6 else '/32'
  239. dns = list(addr + fullmask for addr in self.dns_addresses(family))
  240. for rule in rules:
  241. unsupported_opts = set(rule.keys()).difference(
  242. set(self.supported_rule_opts))
  243. if unsupported_opts:
  244. raise RuleParseError(
  245. 'Unsupported rule option(s): {!s}'.format(unsupported_opts))
  246. if 'dst4' in rule and family == 6:
  247. raise RuleParseError('IPv4 rule found for IPv6 address')
  248. if 'dst6' in rule and family == 4:
  249. raise RuleParseError('dst6 rule found for IPv4 address')
  250. if 'proto' in rule:
  251. if rule['proto'] == 'icmp' and family == 6:
  252. protos = ['icmpv6']
  253. else:
  254. protos = [rule['proto']]
  255. else:
  256. protos = None
  257. if 'dst4' in rule:
  258. dsthosts = [rule['dst4']]
  259. elif 'dst6' in rule:
  260. dsthosts = [rule['dst6']]
  261. elif 'dsthost' in rule:
  262. try:
  263. addrinfo = socket.getaddrinfo(rule['dsthost'], None,
  264. (socket.AF_INET6 if family == 6 else socket.AF_INET))
  265. except socket.gaierror as e:
  266. raise RuleParseError('Failed to resolve {}: {}'.format(
  267. rule['dsthost'], str(e)))
  268. dsthosts = set(item[4][0] + fullmask for item in addrinfo)
  269. else:
  270. dsthosts = None
  271. if 'dstports' in rule:
  272. dstports = rule['dstports'].replace('-', ':')
  273. else:
  274. dstports = None
  275. if rule.get('specialtarget', None) == 'dns':
  276. if dstports not in ('53:53', None):
  277. continue
  278. else:
  279. dstports = '53:53'
  280. if not dns:
  281. continue
  282. if protos is not None:
  283. protos = {'tcp', 'udp'}.intersection(protos)
  284. else:
  285. protos = {'tcp', 'udp'}
  286. if dsthosts is not None:
  287. dsthosts = set(dns).intersection(dsthosts)
  288. else:
  289. dsthosts = dns
  290. if 'icmptype' in rule:
  291. icmptype = rule['icmptype']
  292. else:
  293. icmptype = None
  294. # make them iterable
  295. if protos is None:
  296. protos = [None]
  297. if dsthosts is None:
  298. dsthosts = [None]
  299. if rule['action'] == 'accept':
  300. action = 'ACCEPT'
  301. elif rule['action'] == 'drop':
  302. action = 'REJECT --reject-with {}'.format(
  303. 'icmp6-adm-prohibited' if family == 6 else
  304. 'icmp-admin-prohibited')
  305. else:
  306. raise RuleParseError(
  307. 'Invalid rule action {}'.format(rule['action']))
  308. # sorting here is only to ease writing tests
  309. for proto in sorted(protos):
  310. for dsthost in sorted(dsthosts):
  311. ipt_rule = '-A {}'.format(chain)
  312. if dsthost is not None:
  313. ipt_rule += ' -d {}'.format(dsthost)
  314. if proto is not None:
  315. ipt_rule += ' -p {}'.format(proto)
  316. if dstports is not None:
  317. ipt_rule += ' --dport {}'.format(dstports)
  318. if icmptype is not None:
  319. ipt_rule += ' --icmp-type {}'.format(icmptype)
  320. ipt_rule += ' -j {}\n'.format(action)
  321. iptables += ipt_rule
  322. iptables += 'COMMIT\n'
  323. return iptables
  324. def apply_rules_family(self, source, rules, family):
  325. """
  326. Apply rules for given source address.
  327. Handle only rules for given address family (IPv4 or IPv6).
  328. :param source: source address
  329. :param rules: rules list
  330. :param family: address family, either 4 or 6
  331. :return: None
  332. """
  333. chain = self.chain_for_addr(source)
  334. if chain not in self.chains[family]:
  335. self.create_chain(source, chain, family)
  336. iptables = self.prepare_rules(chain, rules, family)
  337. try:
  338. self.run_ipt(family, ['-F', chain])
  339. p = self.run_ipt_restore(family, ['-n'])
  340. (output, _) = p.communicate(iptables.encode())
  341. if p.returncode != 0:
  342. raise RuleApplyError(
  343. 'iptables-restore failed: {}'.format(output))
  344. except subprocess.CalledProcessError as e:
  345. raise RuleApplyError('\'iptables -F {}\' failed: {}'.format(
  346. chain, e.output))
  347. def apply_rules(self, source, rules):
  348. if self.is_ip6(source):
  349. self.apply_rules_family(source, rules, 6)
  350. else:
  351. self.apply_rules_family(source, rules, 4)
  352. def update_connected_ips(self, family):
  353. ips = self.get_connected_ips(family)
  354. if not ips:
  355. # Just flush.
  356. self.run_ipt(family, ['-t', 'raw', '-F', 'QBS-PREROUTING'])
  357. self.run_ipt(family, ['-t', 'mangle', '-F', 'QBS-POSTROUTING'])
  358. return
  359. # Temporarily set policy to DROP while updating the rules.
  360. self.run_ipt(family, ['-t', 'raw', '-P', 'PREROUTING', 'DROP'])
  361. self.run_ipt(family, ['-t', 'mangle', '-P', 'POSTROUTING', 'DROP'])
  362. self.run_ipt(family, ['-t', 'raw', '-F', 'QBS-PREROUTING'])
  363. self.run_ipt(family, ['-t', 'mangle', '-F', 'QBS-POSTROUTING'])
  364. for ip in ips:
  365. self.run_ipt(family, [
  366. '-t', 'raw', '-A', 'QBS-PREROUTING',
  367. '!', '-i', 'vif+', '-s', ip, '-j', 'DROP'])
  368. self.run_ipt(family, [
  369. '-t', 'mangle', '-A', 'QBS-POSTROUTING',
  370. '!', '-o', 'vif+', '-d', ip, '-j', 'DROP'])
  371. self.run_ipt(family, ['-t', 'raw', '-P', 'PREROUTING', 'ACCEPT'])
  372. self.run_ipt(family, ['-t', 'mangle', '-P', 'POSTROUTING', 'ACCEPT'])
  373. def init(self):
  374. # Chains QBS-FORWARD, QBS-PREROUTING, QBS-POSTROUTING
  375. # need to be created before running this.
  376. try:
  377. self.run_ipt(4, ['-F', 'QBS-FORWARD'])
  378. self.run_ipt(4,
  379. ['-A', 'QBS-FORWARD', '!', '-i', 'vif+', '-j', 'RETURN'])
  380. self.run_ipt(4, ['-A', 'QBS-FORWARD', '-j', 'DROP'])
  381. self.run_ipt(4, ['-t', 'raw', '-F', 'QBS-PREROUTING'])
  382. self.run_ipt(4, ['-t', 'mangle', '-F', 'QBS-POSTROUTING'])
  383. self.run_ipt(6, ['-F', 'QBS-FORWARD'])
  384. self.run_ipt(6,
  385. ['-A', 'QBS-FORWARD', '!', '-i', 'vif+', '-j', 'RETURN'])
  386. self.run_ipt(6, ['-A', 'QBS-FORWARD', '-j', 'DROP'])
  387. self.run_ipt(6, ['-t', 'raw', '-F', 'QBS-PREROUTING'])
  388. self.run_ipt(6, ['-t', 'mangle', '-F', 'QBS-POSTROUTING'])
  389. except subprocess.CalledProcessError:
  390. self.log_error(
  391. 'Error initializing iptables. '
  392. 'You probably need to create QBS-FORWARD, QBS-PREROUTING and '
  393. 'QBS-POSTROUTING chains first.'
  394. )
  395. sys.exit(1)
  396. def cleanup(self):
  397. for family in (4, 6):
  398. self.run_ipt(family, ['-F', 'QBS-FORWARD'])
  399. self.run_ipt(family, ['-t', 'raw', '-F', 'QBS-PREROUTING'])
  400. self.run_ipt(family, ['-t', 'mangle', '-F', 'QBS-POSTROUTING'])
  401. for chain in self.chains[family]:
  402. self.run_ipt(family, ['-F', chain])
  403. self.run_ipt(family, ['-X', chain])
  404. class NftablesWorker(FirewallWorker):
  405. supported_rule_opts = ['action', 'proto', 'dst4', 'dst6', 'dsthost',
  406. 'dstports', 'specialtarget', 'icmptype']
  407. def __init__(self):
  408. super(NftablesWorker, self).__init__()
  409. self.chains = {
  410. 4: set(),
  411. 6: set(),
  412. }
  413. @staticmethod
  414. def chain_for_addr(addr):
  415. """Generate iptables chain name for given source address address"""
  416. return 'qbs-' + addr.replace('.', '-').replace(':', '-')
  417. def run_nft(self, nft_input):
  418. # pylint: disable=no-self-use
  419. p = subprocess.Popen(['nft', '-f', '/dev/stdin'],
  420. stdin=subprocess.PIPE,
  421. stdout=subprocess.PIPE,
  422. stderr=subprocess.STDOUT)
  423. stdout, _ = p.communicate(nft_input.encode())
  424. if p.returncode != 0:
  425. raise RuleApplyError('nft failed: {}'.format(stdout))
  426. def create_chain(self, addr, chain, family):
  427. """
  428. Create iptables chain and hook traffic coming from `addr` to it.
  429. :param addr: source IP from which traffic should be handled by the
  430. chain
  431. :param chain: name of the chain to create
  432. :param family: address family (4 or 6)
  433. :return: None
  434. """
  435. nft_input = (
  436. 'table {family} {table} {{\n'
  437. ' chain {chain} {{\n'
  438. ' }}\n'
  439. ' chain forward {{\n'
  440. ' {family} saddr {ip} jump {chain}\n'
  441. ' }}\n'
  442. '}}\n'.format(
  443. family=("ip6" if family == 6 else "ip"),
  444. table='qubes-firewall',
  445. chain=chain,
  446. ip=addr,
  447. )
  448. )
  449. self.run_nft(nft_input)
  450. self.chains[family].add(chain)
  451. def update_connected_ips(self, family):
  452. family_name = ('ip6' if family == 6 else 'ip')
  453. table = 'qubes-firewall'
  454. nft_input = (
  455. 'flush chain {family_name} {table} prerouting\n'
  456. 'flush chain {family_name} {table} postrouting\n'
  457. ).format(family_name=family_name, table=table)
  458. ips = self.get_connected_ips(family)
  459. if ips:
  460. addr = '{' + ', '.join(ips) + '}'
  461. irule = 'iifname != "vif*" {family_name} saddr {addr} drop\n'.format(
  462. family_name=family_name, addr=addr)
  463. orule = 'oifname != "vif*" {family_name} daddr {addr} drop\n'.format(
  464. family_name=family_name, addr=addr)
  465. nft_input += (
  466. 'table {family_name} {table} {{\n'
  467. ' chain prerouting {{\n'
  468. ' {irule}'
  469. ' }}\n'
  470. ' chain postrouting {{\n'
  471. ' {orule}'
  472. ' }}\n'
  473. '}}\n'
  474. ).format(
  475. family_name=family_name,
  476. table=table,
  477. irule=irule,
  478. orule=orule,
  479. )
  480. self.run_nft(nft_input)
  481. def prepare_rules(self, chain, rules, family):
  482. """
  483. Helper function to translate rules list into input for iptables-restore
  484. :param chain: name of the chain to put rules into
  485. :param rules: list of rules
  486. :param family: address family (4 or 6)
  487. :return: input for iptables-restore
  488. :rtype: str
  489. """
  490. assert family in (4, 6)
  491. nft_rules = []
  492. ip_match = 'ip6' if family == 6 else 'ip'
  493. fullmask = '/128' if family == 6 else '/32'
  494. dns = list(addr + fullmask for addr in self.dns_addresses(family))
  495. for rule in rules:
  496. unsupported_opts = set(rule.keys()).difference(
  497. set(self.supported_rule_opts))
  498. if unsupported_opts:
  499. raise RuleParseError(
  500. 'Unsupported rule option(s): {!s}'.format(unsupported_opts))
  501. if 'dst4' in rule and family == 6:
  502. raise RuleParseError('IPv4 rule found for IPv6 address')
  503. if 'dst6' in rule and family == 4:
  504. raise RuleParseError('dst6 rule found for IPv4 address')
  505. nft_rule = ""
  506. if rule['action'] == 'accept':
  507. action = 'accept'
  508. elif rule['action'] == 'drop':
  509. action = 'reject with icmp{} type admin-prohibited'.format(
  510. 'v6' if family == 6 else '')
  511. else:
  512. raise RuleParseError(
  513. 'Invalid rule action {}'.format(rule['action']))
  514. if 'proto' in rule:
  515. if family == 4:
  516. nft_rule += ' ip protocol {}'.format(rule['proto'])
  517. elif family == 6:
  518. proto = 'icmpv6' if rule['proto'] == 'icmp' \
  519. else rule['proto']
  520. nft_rule += ' ip6 nexthdr {}'.format(proto)
  521. if 'dst4' in rule:
  522. nft_rule += ' ip daddr {}'.format(rule['dst4'])
  523. elif 'dst6' in rule:
  524. nft_rule += ' ip6 daddr {}'.format(rule['dst6'])
  525. elif 'dsthost' in rule:
  526. try:
  527. addrinfo = socket.getaddrinfo(rule['dsthost'], None,
  528. (socket.AF_INET6 if family == 6 else socket.AF_INET))
  529. except socket.gaierror as e:
  530. raise RuleParseError('Failed to resolve {}: {}'.format(
  531. rule['dsthost'], str(e)))
  532. nft_rule += ' {} daddr {{ {} }}'.format(ip_match,
  533. ', '.join(set(item[4][0] + fullmask for item in addrinfo)))
  534. if 'dstports' in rule:
  535. dstports = rule['dstports']
  536. if len(set(dstports.split('-'))) == 1:
  537. dstports = dstports.split('-')[0]
  538. else:
  539. dstports = None
  540. if rule.get('specialtarget', None) == 'dns':
  541. if dstports not in ('53', None):
  542. continue
  543. else:
  544. dstports = '53'
  545. if not dns:
  546. continue
  547. nft_rule += ' {} daddr {{ {} }}'.format(ip_match, ', '.join(
  548. dns))
  549. if 'icmptype' in rule:
  550. if family == 4:
  551. nft_rule += ' icmp type {}'.format(rule['icmptype'])
  552. elif family == 6:
  553. nft_rule += ' icmpv6 type {}'.format(rule['icmptype'])
  554. # now duplicate rules for tcp/udp if needed
  555. # it isn't possible to specify "tcp dport xx || udp dport xx" in
  556. # one rule
  557. if dstports is not None:
  558. if 'proto' not in rule:
  559. nft_rules.append(
  560. nft_rule + ' tcp dport {} {}'.format(
  561. dstports, action))
  562. nft_rules.append(
  563. nft_rule + ' udp dport {} {}'.format(
  564. dstports, action))
  565. else:
  566. nft_rules.append(
  567. nft_rule + ' {} dport {} {}'.format(
  568. rule['proto'], dstports, action))
  569. else:
  570. nft_rules.append(nft_rule + ' ' + action)
  571. return (
  572. 'flush chain {family} {table} {chain}\n'
  573. 'table {family} {table} {{\n'
  574. ' chain {chain} {{\n'
  575. ' {rules}\n'
  576. ' }}\n'
  577. '}}\n'.format(
  578. family=('ip6' if family == 6 else 'ip'),
  579. table='qubes-firewall',
  580. chain=chain,
  581. rules='\n '.join(nft_rules)
  582. ))
  583. def apply_rules_family(self, source, rules, family):
  584. """
  585. Apply rules for given source address.
  586. Handle only rules for given address family (IPv4 or IPv6).
  587. :param source: source address
  588. :param rules: rules list
  589. :param family: address family, either 4 or 6
  590. :return: None
  591. """
  592. chain = self.chain_for_addr(source)
  593. if chain not in self.chains[family]:
  594. self.create_chain(source, chain, family)
  595. self.run_nft(self.prepare_rules(chain, rules, family))
  596. def apply_rules(self, source, rules):
  597. if self.is_ip6(source):
  598. self.apply_rules_family(source, rules, 6)
  599. else:
  600. self.apply_rules_family(source, rules, 4)
  601. def init(self):
  602. nft_init = (
  603. 'table {family} qubes-firewall {{\n'
  604. ' chain forward {{\n'
  605. ' type filter hook forward priority 0;\n'
  606. ' policy drop;\n'
  607. ' ct state established,related accept\n'
  608. ' meta iifname != "vif*" accept\n'
  609. ' }}\n'
  610. ' chain prerouting {{\n'
  611. ' type filter hook prerouting priority -300;\n'
  612. ' policy accept;\n'
  613. ' }}\n'
  614. ' chain postrouting {{\n'
  615. ' type filter hook postrouting priority -300;\n'
  616. ' policy accept;\n'
  617. ' }}\n'
  618. '}}\n'
  619. )
  620. nft_init = ''.join(
  621. nft_init.format(family=family) for family in ('ip', 'ip6'))
  622. self.run_nft(nft_init)
  623. def cleanup(self):
  624. nft_cleanup = (
  625. 'delete table ip qubes-firewall\n'
  626. 'delete table ip6 qubes-firewall\n'
  627. )
  628. self.run_nft(nft_cleanup)
  629. def main():
  630. if shutil.which('nft'):
  631. worker = NftablesWorker()
  632. else:
  633. worker = IptablesWorker()
  634. context = daemon.DaemonContext()
  635. context.stderr = sys.stderr
  636. context.detach_process = False
  637. context.files_preserve = [worker.qdb.watch_fd()]
  638. context.signal_map = {
  639. signal.SIGTERM: lambda _signal, _stack: worker.terminate(),
  640. }
  641. with context:
  642. worker.main()
  643. if __name__ == '__main__':
  644. main()