Git-Mirrors/qubes-mirage-firewall
1
0
Fork 0
mirror of https://github.com/mirage/qubes-mirage-firewall.git synced 2024-10-01 01:05:39 -04:00
Code Issues Packages Projects Releases Wiki Activity
d4e365a499
qubes-mirage-firewall/router.ml

38 lines
1.1 KiB
OCaml
Raw Normal View History

Initial import
2015-12-30 04:52:24 -05:00
(* Copyright (C) 2015, Thomas Leonard <thomas.leonard@unikernel.com>
See the README file for details. *)
Mirage 3 support
2017-03-02 09:52:55 -05:00
open Fw_utils
Initial import
2015-12-30 04:52:24 -05:00
Move NAT code to router and add DNS redirects
2015-12-30 11:07:16 -05:00
(* The routing table *)
Initial import
2015-12-30 04:52:24 -05:00
type t = {
Moved client networking to its own module Renamed the old Client_net to Client_eth, as it just handles the Ethernet layer.
2015-12-30 08:48:13 -05:00
client_eth : Client_eth.t;
Mirage 3 support
2017-03-02 09:52:55 -05:00
nat : My_nat.t;
Rationalised firewall rules syntax Added explicit NAT target, allowing NAT even within client net and making it clear that NAT is used externally. Changed Redirect_to_netvm to NAT_to, and allow specifying any target host.
2016-01-01 06:32:57 -05:00
uplink : interface;
Support firewall rules with hostnames. Co-Authored-By: Mindy Preston <yomimono@users.noreply.github.com> Co-Authored-By: Olle Jonsson <olle.jonsson@gmail.com> Co-Authored-By: hannes <hannes@mehnert.org> Co-Authored-By: cfcs <cfcs@users.noreply.github.com>
2020-04-29 10:06:48 -04:00
(* NOTE: do not try to make this pure, it relies on mvars / side effects *)
ports : My_nat.ports;
Initial import
2015-12-30 04:52:24 -05:00
}
Mirage 3 support
2017-03-02 09:52:55 -05:00
let create ~client_eth ~uplink ~nat =
Support firewall rules with hostnames. Co-Authored-By: Mindy Preston <yomimono@users.noreply.github.com> Co-Authored-By: Olle Jonsson <olle.jonsson@gmail.com> Co-Authored-By: hannes <hannes@mehnert.org> Co-Authored-By: cfcs <cfcs@users.noreply.github.com>
2020-04-29 10:06:48 -04:00
let ports = My_nat.empty_ports () in
{ client_eth; nat; uplink; ports }
Initial import
2015-12-30 04:52:24 -05:00
let target t buf =
Mirage 3 support
2017-03-02 09:52:55 -05:00
let dst_ip = buf.Ipv4_packet.dst in
Allow clients to have any IP address We previously assumed that Qubes would always give clients IP addresses on a particular network. However, it is not required to do this and in fact uses a different network for disposable VMs. With this change: - We no longer reject clients with unknown IP addresses - The `Unknown_client` classification is gone; we have no way to tell the difference between a client that isn't connected and an external address. - We now consider every client to be on a point-to-point link and do not answer ARP requests on behalf of other clients. Clients should assume their netmask is 255.255.255.255 (and ignore /qubes-netmask). This is a partial fix for #9. It allows disposable VMs to connect to the firewall but for some reason they don't process any frames we send them (we get their ARP requests but they don't get our replies). Taking eth0 down in the disp VM, then bringing it back up (and re-adding the routes) allows it to work.
2016-09-25 09:38:17 -04:00
match Client_eth.lookup t.client_eth dst_ip with
| Some client_link -> Some (client_link :> interface)
| None -> Some t.uplink
Initial import
2015-12-30 04:52:24 -05:00
Moved client networking to its own module Renamed the old Client_net to Client_eth, as it just handles the Ethernet layer.
2015-12-30 08:48:13 -05:00
let add_client t = Client_eth.add_client t.client_eth
let remove_client t = Client_eth.remove_client t.client_eth
Move NAT code to router and add DNS redirects
2015-12-30 11:07:16 -05:00
let classify t ip =
Combine Client_gateway and Firewall_uplink Before, we used Client_gateway for the IP address of the firewall on the client network and Firewall_uplink for its address on the uplink network. However, Qubes 4 uses the same IP address for both, so we can't separate these any longer, and there doesn't seem to be any advantage to keeping them separate anyway.
2019-05-16 14:18:31 -04:00
if ip = Ipaddr.V4 t.uplink#my_ip then `Firewall
Rationalised firewall rules syntax Added explicit NAT target, allowing NAT even within client net and making it clear that NAT is used externally. Changed Redirect_to_netvm to NAT_to, and allow specifying any target host.
2016-01-01 06:32:57 -05:00
else if ip = Ipaddr.V4 t.uplink#other_ip then `NetVM
Move NAT code to router and add DNS redirects
2015-12-30 11:07:16 -05:00
else (Client_eth.classify t.client_eth ip :> Packet.host)
Rationalised firewall rules syntax Added explicit NAT target, allowing NAT even within client net and making it clear that NAT is used externally. Changed Redirect_to_netvm to NAT_to, and allow specifying any target host.
2016-01-01 06:32:57 -05:00
let resolve t = function
Combine Client_gateway and Firewall_uplink Before, we used Client_gateway for the IP address of the firewall on the client network and Firewall_uplink for its address on the uplink network. However, Qubes 4 uses the same IP address for both, so we can't separate these any longer, and there doesn't seem to be any advantage to keeping them separate anyway.
2019-05-16 14:18:31 -04:00
| `Firewall -> Ipaddr.V4 t.uplink#my_ip
Rationalised firewall rules syntax Added explicit NAT target, allowing NAT even within client net and making it clear that NAT is used externally. Changed Redirect_to_netvm to NAT_to, and allow specifying any target host.
2016-01-01 06:32:57 -05:00
| `NetVM -> Ipaddr.V4 t.uplink#other_ip
| #Client_eth.host as host -> Client_eth.resolve t.client_eth host
Reference in New Issue Copy Permalink