qubes-mirage-firewall/router.ml

(* Copyright (C) 2015, Thomas Leonard <thomas.leonard@unikernel.com>
   See the README file for details. *)

open Fw_utils

(* The routing table *)
let src = Logs.Src.create "router" ~doc:"Packet router"
module Log = (val Logs.src_log src : Logs.LOG)

type t = {
  config : Dao.network_config;
  clients : Client_eth.t;
  nat : My_nat.t;
  uplink : interface option;
}

let create ~config ~clients ~nat ?uplink =
  { config; clients; nat; uplink }

let target t buf =
  let dst_ip = buf.Ipv4_packet.dst in
  match Client_eth.lookup t.clients dst_ip with
  | Some client_link -> Some (client_link :> interface)
  | None -> begin match t.uplink with
    | None -> (
      match Client_eth.lookup t.clients t.config.netvm_ip with
      | Some uplink -> Some (uplink :> interface)
      | None -> None
    )
    | uplink -> uplink
  end

let add_client t = Client_eth.add_client t.clients
let remove_client t = Client_eth.remove_client t.clients

let classify t ip =
  if ip = Ipaddr.V4 t.config.our_ip then `Firewall
  else if ip = Ipaddr.V4 t.config.netvm_ip then `NetVM
  else (Client_eth.classify t.clients ip :> Packet.host)

let resolve t = function
  | `Firewall -> Ipaddr.V4 t.config.our_ip
  | `NetVM -> Ipaddr.V4 t.config.netvm_ip
  | #Client_eth.host as host -> Client_eth.resolve t.clients host
Initial import 2015-12-30 09:52:24 +00:00			`(* Copyright (C) 2015, Thomas Leonard <thomas.leonard@unikernel.com>`
			`See the README file for details. *)`

Mirage 3 support 2017-03-02 14:52:55 +00:00			`open Fw_utils`
Initial import 2015-12-30 09:52:24 +00:00
Move NAT code to router and add DNS redirects 2015-12-30 16:07:16 +00:00			`(* The routing table *)`
fallback to the command line specified uplink interface if no netvm interface 2023-07-01 11:56:14 +02:00			`let src = Logs.Src.create "router" ~doc:"Packet router"`
			`module Log = (val Logs.src_log src : Logs.LOG)`
Move NAT code to router and add DNS redirects 2015-12-30 16:07:16 +00:00
Initial import 2015-12-30 09:52:24 +00:00			`type t = {`
add the network_config to the router 2023-06-30 15:33:41 +02:00			`config : Dao.network_config;`
allow to have no netvm defined (will fail on uplink.connect) 2023-06-30 13:59:03 +02:00			`clients : Client_eth.t;`
Mirage 3 support 2017-03-02 14:52:55 +00:00			`nat : My_nat.t;`
add optional uplink interface 2023-06-30 16:58:08 +02:00			`uplink : interface option;`
Initial import 2015-12-30 09:52:24 +00:00			`}`

add optional uplink interface 2023-06-30 16:58:08 +02:00			`let create ~config ~clients ~nat ?uplink =`
add the network_config to the router 2023-06-30 15:33:41 +02:00			`{ config; clients; nat; uplink }`
Initial import 2015-12-30 09:52:24 +00:00
			`let target t buf =`
Mirage 3 support 2017-03-02 14:52:55 +00:00			`let dst_ip = buf.Ipv4_packet.dst in`
allow to have no netvm defined (will fail on uplink.connect) 2023-06-30 13:59:03 +02:00			`match Client_eth.lookup t.clients dst_ip with`
Allow clients to have any IP address We previously assumed that Qubes would always give clients IP addresses on a particular network. However, it is not required to do this and in fact uses a different network for disposable VMs. With this change: - We no longer reject clients with unknown IP addresses - The `Unknown_client` classification is gone; we have no way to tell the difference between a client that isn't connected and an external address. - We now consider every client to be on a point-to-point link and do not answer ARP requests on behalf of other clients. Clients should assume their netmask is 255.255.255.255 (and ignore /qubes-netmask). This is a partial fix for #9. It allows disposable VMs to connect to the firewall but for some reason they don't process any frames we send them (we get their ARP requests but they don't get our replies). Taking eth0 down in the disp VM, then bringing it back up (and re-adding the routes) allows it to work. 2016-09-25 14:38:17 +01:00			`\| Some client_link -> Some (client_link :> interface)`
fallback to the command line specified uplink interface if no netvm interface 2023-07-01 11:56:14 +02:00			`\| None -> begin match t.uplink with`
			`\| None -> (`
			`match Client_eth.lookup t.clients t.config.netvm_ip with`
			`\| Some uplink -> Some (uplink :> interface)`
			`\| None -> None`
			`)`
			`\| uplink -> uplink`
			`end`
Initial import 2015-12-30 09:52:24 +00:00
allow to have no netvm defined (will fail on uplink.connect) 2023-06-30 13:59:03 +02:00			`let add_client t = Client_eth.add_client t.clients`
			`let remove_client t = Client_eth.remove_client t.clients`
Moved client networking to its own module Renamed the old Client_net to Client_eth, as it just handles the Ethernet layer. 2015-12-30 13:48:13 +00:00
Move NAT code to router and add DNS redirects 2015-12-30 16:07:16 +00:00			`let classify t ip =`
add the network_config to the router 2023-06-30 15:33:41 +02:00			if ip = Ipaddr.V4 t.config.our_ip then `Firewall
			else if ip = Ipaddr.V4 t.config.netvm_ip then `NetVM
allow to have no netvm defined (will fail on uplink.connect) 2023-06-30 13:59:03 +02:00			`else (Client_eth.classify t.clients ip :> Packet.host)`
Rationalised firewall rules syntax Added explicit NAT target, allowing NAT even within client net and making it clear that NAT is used externally. Changed Redirect_to_netvm to NAT_to, and allow specifying any target host. 2016-01-01 11:32:57 +00:00
			`let resolve t = function`
add the network_config to the router 2023-06-30 15:33:41 +02:00			\| `Firewall -> Ipaddr.V4 t.config.our_ip
			\| `NetVM -> Ipaddr.V4 t.config.netvm_ip
allow to have no netvm defined (will fail on uplink.connect) 2023-06-30 13:59:03 +02:00			`\| #Client_eth.host as host -> Client_eth.resolve t.clients host`