c8213ea55a
Core3 no longer reuses the netvm's own IP for primary DNS. At the same time, disable dropping traffic to the netvm itself, because it breaks DNS (as one of the blocked things). This allows the VM to learn the real netvm IP, but: - this mechanism is not intended to avoid detection by an already compromised VM, only to prevent unintentional leaks - this can be prevented by using vif-qubes-nat.sh on the netvm itself (so it will also have its own IP hidden) QubesOS/qubes-issues#1143
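#!/bin/bash
#============================================================================
# /etc/xen/vif-route-qubes
#
# Script for configuring a vif in routed mode.
# The hotplugging system will call this script if it is specified either in
# the device configuration given to Xend, or the default Xend configuration
# in /etc/xen/xend-config.sxp. If the script is specified in neither of those
# places, then vif-bridge is the default.
#
# Usage:
# vif-route (add|remove|online|offline)
#
# Environment vars:
# vif          vif interface name (required).
# XENBUS_PATH  path to this device's details in the XenStore (required).
# command      hotplug action; only "online" and "offline" are handled below
#              (presumably set from $1 by the sourced vif-common.sh).
#
# Read from the store:
# ip           list of IP networks for the vif, space-separated (default given in
#              this script).
#
# Read from qubesdb (only when $ip is set):
# /qubes-netvm-gateway, /qubes-netvm-primary-dns, /qubes-netvm-secondary-dns
# /mapped-ip/<ip>/visible-ip, /mapped-ip/<ip>/visible-gateway — optional; when
# present and different from the real IP, vif-qubes-nat.sh is sourced.
#
# Helpers used from vif-common.sh: do_without_error, log, success.
#============================================================================

dir=$(dirname "$0")
. "$dir/vif-common.sh"

#main_ip=$(dom0_ip)
# Lock taken around iptables-restore so parallel hotplug events do not race.
lockfile=/var/run/xen-hotplug/vif-lock

if [[ -n "${ip}" ]]; then
  # IPs as seen by this VM (the netvm side)
  netvm_ip="$ip"
  netvm_gw_ip=$(qubesdb-read /qubes-netvm-gateway)
  # DNS entries are not used in this file; presumably consumed by the
  # sourced vif-qubes-nat.sh — keep them.
  netvm_dns1_ip=$(qubesdb-read /qubes-netvm-primary-dns)
  netvm_dns2_ip=$(qubesdb-read /qubes-netvm-secondary-dns)

  back_ip="$netvm_gw_ip"

  # IPs as seen by the VM - if other than $netvm_ip. A missing qubesdb key is
  # not an error: the variable stays empty and no NAT is configured below.
  appvm_gw_ip=$(qubesdb-read "/mapped-ip/$ip/visible-gateway" 2>/dev/null || :)
  appvm_ip=$(qubesdb-read "/mapped-ip/$ip/visible-ip" 2>/dev/null || :)
fi

# Apply NAT if IP visible from the VM is different than the "real" one
# See vif-qubes-nat.sh for details
if [[ -n "$appvm_ip" && -n "$appvm_gw_ip" && "$appvm_ip" != "$netvm_ip" ]]; then
  if [[ "$command" == online ]]; then
    # Let this side answer ARP for the gateway address the VM sees.
    echo 1 >"/proc/sys/net/ipv4/conf/${vif}/proxy_arp"
  fi
  . "$dir/vif-qubes-nat.sh"
fi

# Per-action settings; any other $command leaves these unset, as before.
case "$command" in
  online)
    ifconfig "${vif}" up
    ipcmd='add'
    iptables_cmd='-I PREROUTING 1'
    cmdprefix=''
    ;;
  offline)
    do_without_error ifdown "${vif}"
    ipcmd='del'
    iptables_cmd='-D PREROUTING'
    cmdprefix='do_without_error'
    ;;
esac

# Derive the domain id from the vif name, assumed to be "vif<domid>.<devid>".
domid=${vif/vif/}
domid=${domid/.*/}
# metric must be positive, but prefer later interface (higher domid -> lower metric)
# 32752 is max XID aka domid
# NOTE(review): an empty/non-numeric domid evaluates to 0 here (metric 32752)
# instead of the arithmetic error the old $[ ] form produced.
metric=$(( 32752 - domid ))

if [[ -n "${ip}" ]]; then
  # If we've been given a list of IP addresses, then add routes from dom0 to
  # the guest using those addresses.
  # shellcheck disable=SC2086 -- $ip is a space-separated list, split on
  # purpose; $cmdprefix is empty or a helper name and must stay unquoted.
  for addr in ${ip}; do
    ${cmdprefix} ip route "${ipcmd}" "${addr}" dev "${vif}" metric "$metric"
  done
  # Anti-spoofing: in the raw table, drop any packet arriving on this vif whose
  # source is not the VM's assigned address. The whole $ip string is handed to
  # one -s match, so this rule is only correct when ip holds a single address
  # (TODO confirm multi-address vifs never occur here).
  # shellcheck disable=SC2086
  printf '*raw\n%s -i %s ! -s %s -j DROP\nCOMMIT\n' \
    "$iptables_cmd" "$vif" "$ip" |
    ${cmdprefix} flock "$lockfile" iptables-restore --noflush
  # Assign the gateway address (as the VM sees it) to this vif.
  # shellcheck disable=SC2086
  ${cmdprefix} ip addr "${ipcmd}" "${back_ip}/32" dev "${vif}"
fi

log debug "Successful vif-route-qubes $command for $vif."

if [[ "$command" == online ]]; then
  # disable tx checksumming offload, apparently it doesn't work with our ancient qemu in stubdom
  do_without_error ethtool -K "$vif" tx off
  success
fi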