qubes-mirage-firewall/router.ml

(* Copyright (C) 2015, Thomas Leonard <thomas.leonard@unikernel.com>
   See the README file for details. *)

open Utils

let src = Logs.Src.create "router" ~doc:"Router"
module Log = (val Logs.src_log src : Logs.LOG)

(* The routing table *)

type t = {
  client_eth : Client_eth.t;
  mutable nat : Nat_lookup.t;
  uplink : interface;
}

let create ~client_eth ~uplink =
  let nat = Nat_lookup.empty () in
  { client_eth; nat; uplink }

let target t buf =
  let open Wire_structs.Ipv4_wire in
  let dst_ip = get_ipv4_dst buf |> Ipaddr.V4.of_int32 in
  match Client_eth.lookup t.client_eth dst_ip with
  | Some client_link -> Some (client_link :> interface)
  | None -> Some t.uplink

let add_client t = Client_eth.add_client t.client_eth
let remove_client t = Client_eth.remove_client t.client_eth

let classify t ip =
  if ip = Ipaddr.V4 t.uplink#my_ip then `Firewall_uplink
  else if ip = Ipaddr.V4 t.uplink#other_ip then `NetVM
  else (Client_eth.classify t.client_eth ip :> Packet.host)

let resolve t = function
  | `Firewall_uplink -> Ipaddr.V4 t.uplink#my_ip
  | `NetVM -> Ipaddr.V4 t.uplink#other_ip
  | #Client_eth.host as host -> Client_eth.resolve t.client_eth host

(* To avoid needing to allocate a new NAT table when we've run out of
   memory, pre-allocate the new one ahead of time. *)
let next_nat = ref (Nat_lookup.empty ())
let reset t =
  t.nat <- !next_nat;
  (* (at this point, the big old NAT table can be GC'd, so allocating
     a new one should be OK) *)
  next_nat := Nat_lookup.empty ()
Initial import 2015-12-30 09:52:24 +00:00			`(* Copyright (C) 2015, Thomas Leonard <thomas.leonard@unikernel.com>`
			`See the README file for details. *)`

			`open Utils`

			`let src = Logs.Src.create "router" ~doc:"Router"`
			`module Log = (val Logs.src_log src : Logs.LOG)`

Move NAT code to router and add DNS redirects 2015-12-30 16:07:16 +00:00			`(* The routing table *)`

Initial import 2015-12-30 09:52:24 +00:00			`type t = {`
Moved client networking to its own module Renamed the old Client_net to Client_eth, as it just handles the Ethernet layer. 2015-12-30 13:48:13 +00:00			`client_eth : Client_eth.t;`
Reset NAT table if memory gets low 2016-01-02 15:50:05 +00:00			`mutable nat : Nat_lookup.t;`
Rationalised firewall rules syntax Added explicit NAT target, allowing NAT even within client net and making it clear that NAT is used externally. Changed Redirect_to_netvm to NAT_to, and allow specifying any target host. 2016-01-01 11:32:57 +00:00			`uplink : interface;`
Initial import 2015-12-30 09:52:24 +00:00			`}`

Rationalised firewall rules syntax Added explicit NAT target, allowing NAT even within client net and making it clear that NAT is used externally. Changed Redirect_to_netvm to NAT_to, and allow specifying any target host. 2016-01-01 11:32:57 +00:00			`let create ~client_eth ~uplink =`
Move NAT code to router and add DNS redirects 2015-12-30 16:07:16 +00:00			`let nat = Nat_lookup.empty () in`
Rationalised firewall rules syntax Added explicit NAT target, allowing NAT even within client net and making it clear that NAT is used externally. Changed Redirect_to_netvm to NAT_to, and allow specifying any target host. 2016-01-01 11:32:57 +00:00			`{ client_eth; nat; uplink }`
Initial import 2015-12-30 09:52:24 +00:00
			`let target t buf =`
			`let open Wire_structs.Ipv4_wire in`
			`let dst_ip = get_ipv4_dst buf \|> Ipaddr.V4.of_int32 in`
Allow clients to have any IP address We previously assumed that Qubes would always give clients IP addresses on a particular network. However, it is not required to do this and in fact uses a different network for disposable VMs. With this change: - We no longer reject clients with unknown IP addresses - The `Unknown_client` classification is gone; we have no way to tell the difference between a client that isn't connected and an external address. - We now consider every client to be on a point-to-point link and do not answer ARP requests on behalf of other clients. Clients should assume their netmask is 255.255.255.255 (and ignore /qubes-netmask). This is a partial fix for #9. It allows disposable VMs to connect to the firewall but for some reason they don't process any frames we send them (we get their ARP requests but they don't get our replies). Taking eth0 down in the disp VM, then bringing it back up (and re-adding the routes) allows it to work. 2016-09-25 13:38:17 +00:00			`match Client_eth.lookup t.client_eth dst_ip with`
			`\| Some client_link -> Some (client_link :> interface)`
			`\| None -> Some t.uplink`
Initial import 2015-12-30 09:52:24 +00:00
Moved client networking to its own module Renamed the old Client_net to Client_eth, as it just handles the Ethernet layer. 2015-12-30 13:48:13 +00:00			`let add_client t = Client_eth.add_client t.client_eth`
			`let remove_client t = Client_eth.remove_client t.client_eth`

Move NAT code to router and add DNS redirects 2015-12-30 16:07:16 +00:00			`let classify t ip =`
Rationalised firewall rules syntax Added explicit NAT target, allowing NAT even within client net and making it clear that NAT is used externally. Changed Redirect_to_netvm to NAT_to, and allow specifying any target host. 2016-01-01 11:32:57 +00:00			if ip = Ipaddr.V4 t.uplink#my_ip then `Firewall_uplink
			else if ip = Ipaddr.V4 t.uplink#other_ip then `NetVM
Move NAT code to router and add DNS redirects 2015-12-30 16:07:16 +00:00			`else (Client_eth.classify t.client_eth ip :> Packet.host)`
Rationalised firewall rules syntax Added explicit NAT target, allowing NAT even within client net and making it clear that NAT is used externally. Changed Redirect_to_netvm to NAT_to, and allow specifying any target host. 2016-01-01 11:32:57 +00:00
			`let resolve t = function`
			\| `Firewall_uplink -> Ipaddr.V4 t.uplink#my_ip
			\| `NetVM -> Ipaddr.V4 t.uplink#other_ip
			`\| #Client_eth.host as host -> Client_eth.resolve t.client_eth host`
Reset NAT table if memory gets low 2016-01-02 15:50:05 +00:00
Try to avoid running out of memory on NAT reset Before, when resetting the NAT table to handle an out-of-memory condition we tried to allocate the new table while still holding the reference to the old one. It should be more reliable to drop the old reference first. Log showed: 2016-01-31 19:33.47: INF [firewall] added NAT redirect 10.137.3.12:32860 -> 53:firewall:52517 -> 53:net-vm 2016-01-31 19:33.52: WRN [firewall] Out_of_memory adding NAT rule. Dropping NAT table... --- End dump --- Fatal error: exception Out of memory Raised by primitive operation at file "hashtbl.ml", line 63, characters 52-70 Called from file "router.ml", line 47, characters 11-30 Called from file "src/core/lwt.ml", line 907, characters 20-24 Mirage exiting with status 2 Do_exit called! 2016-01-31 21:01:52 +00:00			`(* To avoid needing to allocate a new NAT table when we've run out of`
			`memory, pre-allocate the new one ahead of time. *)`
			`let next_nat = ref (Nat_lookup.empty ())`
Reset NAT table if memory gets low 2016-01-02 15:50:05 +00:00			`let reset t =`
Try to avoid running out of memory on NAT reset Before, when resetting the NAT table to handle an out-of-memory condition we tried to allocate the new table while still holding the reference to the old one. It should be more reliable to drop the old reference first. Log showed: 2016-01-31 19:33.47: INF [firewall] added NAT redirect 10.137.3.12:32860 -> 53:firewall:52517 -> 53:net-vm 2016-01-31 19:33.52: WRN [firewall] Out_of_memory adding NAT rule. Dropping NAT table... --- End dump --- Fatal error: exception Out of memory Raised by primitive operation at file "hashtbl.ml", line 63, characters 52-70 Called from file "router.ml", line 47, characters 11-30 Called from file "src/core/lwt.ml", line 907, characters 20-24 Mirage exiting with status 2 Do_exit called! 2016-01-31 21:01:52 +00:00			`t.nat <- !next_nat;`
			`(* (at this point, the big old NAT table can be GC'd, so allocating`
			`a new one should be OK) *)`
			`next_nat := Nat_lookup.empty ()`