Git-Mirrors/qubes-mirage-firewall
1
0
Fork 0
mirror of https://github.com/mirage/qubes-mirage-firewall.git synced 2024-09-30 04:36:01 +00:00
Code Issues Packages Projects Releases Wiki Activity

qualify all return with Lwt, use Lwt.return_unit where possible

Browse Source
This commit is contained in:
Hannes Mehnert 2020-01-11 15:39:20 +01:00
parent 0f476c4d7b
commit 3fc418e80c
7 changed files with 31 additions and 36 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

18
client_net.ml
View File

@ -23,7 +23,7 @@ let writev eth dst proto fillfn =
(* Usually Netback_shutdown, because the client disconnected *) (* Usually Netback_shutdown, because the client disconnected *)
Log.err (fun f -> f "uncaught exception trying to send to client: @[%s@]" Log.err (fun f -> f "uncaught exception trying to send to client: @[%s@]"
(Printexc.to_string ex)); (Printexc.to_string ex));
Lwt.return () Lwt.return_unit
) )
class client_iface eth ~domid ~gateway_ip ~client_ip client_mac : client_link = class client_iface eth ~domid ~gateway_ip ~client_ip client_mac : client_link =
@ -48,10 +48,10 @@ let input_arp ~fixed_arp ~iface request =
match Arp_packet.decode request with match Arp_packet.decode request with
| Error e -> | Error e ->
Log.warn (fun f -> f "Ignored unknown ARP message: %a" Arp_packet.pp_error e); Log.warn (fun f -> f "Ignored unknown ARP message: %a" Arp_packet.pp_error e);
Lwt.return () Lwt.return_unit
| Ok arp -> | Ok arp ->
match Client_eth.ARP.input fixed_arp arp with match Client_eth.ARP.input fixed_arp arp with
| None -> return () | None -> Lwt.return_unit
| Some response -> | Some response ->
iface#writev `ARP (fun b -> Arp_packet.encode_into response b; Arp_packet.size) iface#writev `ARP (fun b -> Arp_packet.encode_into response b; Arp_packet.size)
@ -60,8 +60,8 @@ let input_ipv4 get_ts cache ~iface ~router packet =
match Nat_packet.of_ipv4_packet cache ~now:(get_ts ()) packet with match Nat_packet.of_ipv4_packet cache ~now:(get_ts ()) packet with
| Error e -> | Error e ->
Log.warn (fun f -> f "Ignored unknown IPv4 message: %a" Nat_packet.pp_error e); Log.warn (fun f -> f "Ignored unknown IPv4 message: %a" Nat_packet.pp_error e);
Lwt.return () Lwt.return_unit
| Ok None -> Lwt.return () | Ok None -> Lwt.return_unit
| Ok (Some packet) -> | Ok (Some packet) ->
let `IPv4 (ip, _) = packet in let `IPv4 (ip, _) = packet in
let src = ip.Ipv4_packet.src in let src = ip.Ipv4_packet.src in
@ -69,7 +69,7 @@ let input_ipv4 get_ts cache ~iface ~router packet =
else ( else (
Log.warn (fun f -> f "Incorrect source IP %a in IP packet from %a (dropping)" Log.warn (fun f -> f "Incorrect source IP %a in IP packet from %a (dropping)"
Ipaddr.V4.pp src Ipaddr.V4.pp iface#other_ip); Ipaddr.V4.pp src Ipaddr.V4.pp iface#other_ip);
return () Lwt.return_unit
) )
(** Connect to a new client's interface and listen for incoming frames. *) (** Connect to a new client's interface and listen for incoming frames. *)
@ -92,12 +92,12 @@ let add_vif get_ts { Dao.ClientVif.domid; device_id } ~client_ip ~router ~cleanu
Cstruct.hexdump_pp frame Cstruct.hexdump_pp frame
); );
Lwt.return_unit Lwt.return_unit
| Error err -> Log.warn (fun f -> f "Invalid Ethernet frame: %s" err); return () | Error err -> Log.warn (fun f -> f "Invalid Ethernet frame: %s" err); Lwt.return_unit
| Ok (eth, payload) -> | Ok (eth, payload) ->
match eth.Ethernet_packet.ethertype with match eth.Ethernet_packet.ethertype with
| `ARP -> input_arp ~fixed_arp ~iface payload | `ARP -> input_arp ~fixed_arp ~iface payload
| `IPv4 -> input_ipv4 get_ts fragment_cache ~iface ~router payload | `IPv4 -> input_ipv4 get_ts fragment_cache ~iface ~router payload
| `IPv6 -> return () (* TODO: oh no! *) | `IPv6 -> Lwt.return_unit (* TODO: oh no! *)
) )
>|= or_raise "Listen on client interface" Netback.pp_error >|= or_raise "Listen on client interface" Netback.pp_error
@ -112,7 +112,7 @@ let add_client get_ts ~router vif client_ip =
(fun ex -> (fun ex ->
Log.warn (fun f -> f "Error with client %a: %s" Log.warn (fun f -> f "Error with client %a: %s"
Dao.ClientVif.pp vif (Printexc.to_string ex)); Dao.ClientVif.pp vif (Printexc.to_string ex));
return () Lwt.return_unit
) )
); );
cleanup_tasks cleanup_tasks

4
config.ml
View File

@ -30,8 +30,8 @@ let main =
package "netchannel" ~min:"1.11.0"; package "netchannel" ~min:"1.11.0";
package "mirage-net-xen"; package "mirage-net-xen";
package "ipaddr" ~min:"4.0.0"; package "ipaddr" ~min:"4.0.0";
package "mirage-qubes"; package "mirage-qubes" ~min:"0.8.0";
package "mirage-nat" ~min:"1.2.0"; package "mirage-nat" ~min:"2.0.0";
package "mirage-logs"; package "mirage-logs";
package "mirage-xen" ~min:"5.0.0"; package "mirage-xen" ~min:"5.0.0";
] ]

7
dao.ml
View File

@ -3,7 +3,6 @@
open Lwt.Infix open Lwt.Infix
open Qubes open Qubes
open Fw_utils
open Astring open Astring
let src = Logs.Src.create "dao" ~doc:"QubesDB data access" let src = Logs.Src.create "dao" ~doc:"QubesDB data access"
@ -68,13 +67,13 @@ let watch_clients fn =
begin Lwt.catch begin Lwt.catch
(fun () -> directory ~handle backend_vifs) (fun () -> directory ~handle backend_vifs)
(function (function
| Xs_protocol.Enoent _ -> return [] | Xs_protocol.Enoent _ -> Lwt.return []
| ex -> fail ex) | ex -> Lwt.fail ex)
end >>= fun items -> end >>= fun items ->
Lwt_list.map_p (vifs ~handle) items >>= fun items -> Lwt_list.map_p (vifs ~handle) items >>= fun items ->
fn (List.concat items |> VifMap.of_list); fn (List.concat items |> VifMap.of_list);
(* Wait for further updates *) (* Wait for further updates *)
fail Xs_protocol.Eagain Lwt.fail Xs_protocol.Eagain
) )
type network_config = { type network_config = {

25
firewall.ml
View File

@ -1,7 +1,6 @@
(* Copyright (C) 2015, Thomas Leonard <thomas.leonard@unikernel.com> (* Copyright (C) 2015, Thomas Leonard <thomas.leonard@unikernel.com>
See the README file for details. *) See the README file for details. *)
open Fw_utils
open Packet open Packet
open Lwt.Infix open Lwt.Infix
@ -32,7 +31,7 @@ let transmit_ipv4 packet iface =
Log.warn (fun f -> f "Failed to write packet to %a: %s" Log.warn (fun f -> f "Failed to write packet to %a: %s"
Ipaddr.V4.pp iface#other_ip Ipaddr.V4.pp iface#other_ip
(Printexc.to_string ex)); (Printexc.to_string ex));
Lwt.return () Lwt.return_unit
) )
) )
(fun ex -> (fun ex ->
@ -40,7 +39,7 @@ let transmit_ipv4 packet iface =
(Printexc.to_string ex) (Printexc.to_string ex)
Nat_packet.pp packet Nat_packet.pp packet
); );
Lwt.return () Lwt.return_unit
) )
let forward_ipv4 t packet = let forward_ipv4 t packet =
@ -127,19 +126,19 @@ let add_nat_and_forward_ipv4 t packet =
| Ok packet -> forward_ipv4 t packet | Ok packet -> forward_ipv4 t packet
| Error e -> | Error e ->
Log.warn (fun f -> f "Failed to add NAT rewrite rule: %s (%a)" e pp_header packet); Log.warn (fun f -> f "Failed to add NAT rewrite rule: %s (%a)" e pp_header packet);
Lwt.return () Lwt.return_unit
(* Add a NAT rule to redirect this conversation to [host:port] instead of us. *) (* Add a NAT rule to redirect this conversation to [host:port] instead of us. *)
let nat_to t ~host ~port packet = let nat_to t ~host ~port packet =
match Router.resolve t host with match Router.resolve t host with
| Ipaddr.V6 _ -> Log.warn (fun f -> f "Cannot NAT with IPv6"); Lwt.return () | Ipaddr.V6 _ -> Log.warn (fun f -> f "Cannot NAT with IPv6"); Lwt.return_unit
| Ipaddr.V4 target -> | Ipaddr.V4 target ->
let xl_host = t.Router.uplink#my_ip in let xl_host = t.Router.uplink#my_ip in
My_nat.add_nat_rule_and_translate t.Router.nat ~xl_host (`Redirect (target, port)) packet >>= function My_nat.add_nat_rule_and_translate t.Router.nat ~xl_host (`Redirect (target, port)) packet >>= function
| Ok packet -> forward_ipv4 t packet | Ok packet -> forward_ipv4 t packet
| Error e -> | Error e ->
Log.warn (fun f -> f "Failed to add NAT redirect rule: %s (%a)" e pp_header packet); Log.warn (fun f -> f "Failed to add NAT redirect rule: %s (%a)" e pp_header packet);
Lwt.return () Lwt.return_unit
(* Handle incoming packets *) (* Handle incoming packets *)
@ -150,12 +149,12 @@ let apply_rules t rules ~dst info =
| `Accept, (`External _ | `NetVM) -> transmit_ipv4 packet t.Router.uplink | `Accept, (`External _ | `NetVM) -> transmit_ipv4 packet t.Router.uplink
| `Accept, `Firewall -> | `Accept, `Firewall ->
Log.warn (fun f -> f "Bad rule: firewall can't accept packets %a" (pp_packet t) info); Log.warn (fun f -> f "Bad rule: firewall can't accept packets %a" (pp_packet t) info);
return () Lwt.return_unit
| `NAT, _ -> add_nat_and_forward_ipv4 t packet | `NAT, _ -> add_nat_and_forward_ipv4 t packet
| `NAT_to (host, port), _ -> nat_to t packet ~host ~port | `NAT_to (host, port), _ -> nat_to t packet ~host ~port
| `Drop reason, _ -> | `Drop reason, _ ->
Log.info (fun f -> f "Dropped packet (%s) %a" reason (pp_packet t) info); Log.info (fun f -> f "Dropped packet (%s) %a" reason (pp_packet t) info);
return () Lwt.return_unit
let handle_low_memory t = let handle_low_memory t =
match Memory_pressure.status () with match Memory_pressure.status () with
@ -167,7 +166,7 @@ let handle_low_memory t =
let ipv4_from_client t ~src packet = let ipv4_from_client t ~src packet =
handle_low_memory t >>= function handle_low_memory t >>= function
| `Memory_critical -> return () | `Memory_critical -> Lwt.return_unit
| `Ok -> | `Ok ->
(* Check for existing NAT entry for this packet *) (* Check for existing NAT entry for this packet *)
translate t packet >>= function translate t packet >>= function
@ -177,23 +176,23 @@ let ipv4_from_client t ~src packet =
let `IPv4 (ip, _transport) = packet in let `IPv4 (ip, _transport) = packet in
let dst = Router.classify t (Ipaddr.V4 ip.Ipv4_packet.dst) in let dst = Router.classify t (Ipaddr.V4 ip.Ipv4_packet.dst) in
match classify ~src:(resolve_client src) ~dst:(resolve_host dst) packet with match classify ~src:(resolve_client src) ~dst:(resolve_host dst) packet with
| None -> return () | None -> Lwt.return_unit
| Some info -> apply_rules t Rules.from_client ~dst info | Some info -> apply_rules t Rules.from_client ~dst info
let ipv4_from_netvm t packet = let ipv4_from_netvm t packet =
handle_low_memory t >>= function handle_low_memory t >>= function
| `Memory_critical -> return () | `Memory_critical -> Lwt.return_unit
| `Ok -> | `Ok ->
let `IPv4 (ip, _transport) = packet in let `IPv4 (ip, _transport) = packet in
let src = Router.classify t (Ipaddr.V4 ip.Ipv4_packet.src) in let src = Router.classify t (Ipaddr.V4 ip.Ipv4_packet.src) in
let dst = Router.classify t (Ipaddr.V4 ip.Ipv4_packet.dst) in let dst = Router.classify t (Ipaddr.V4 ip.Ipv4_packet.dst) in
match classify ~src ~dst:(resolve_host dst) packet with match classify ~src ~dst:(resolve_host dst) packet with
| None -> return () | None -> Lwt.return_unit
| Some info -> | Some info ->
match src with match src with
| `Client _ | `Firewall -> | `Client _ | `Firewall ->
Log.warn (fun f -> f "Frame from NetVM has internal source IP address! %a" (pp_packet t) info); Log.warn (fun f -> f "Frame from NetVM has internal source IP address! %a" (pp_packet t) info);
return () Lwt.return_unit
| `External _ | `NetVM as src -> | `External _ | `NetVM as src ->
translate t packet >>= function translate t packet >>= function
| Some frame -> forward_ipv4 t frame | Some frame -> forward_ipv4 t frame

3
fw_utils.ml
View File

@ -41,9 +41,6 @@ let error fmt =
let err s = Failure s in let err s = Failure s in
Printf.ksprintf err fmt Printf.ksprintf err fmt
let return = Lwt.return
let fail = Lwt.fail
let or_raise msg pp = function let or_raise msg pp = function
| Ok x -> x | Ok x -> x
| Error e -> failwith (Fmt.strf "%s: %a" msg pp e) | Error e -> failwith (Fmt.strf "%s: %a" msg pp e)

4
unikernel.ml
View File

@ -46,7 +46,7 @@ module Main (Clock : Mirage_clock_lwt.MCLOCK) = struct
(fun `Cant_happen -> assert false) (fun `Cant_happen -> assert false)
(fun ex -> (fun ex ->
Log.warn (fun f -> f "GUI thread failed: %s" (Printexc.to_string ex)); Log.warn (fun f -> f "GUI thread failed: %s" (Printexc.to_string ex));
return () Lwt.return_unit
) )
) )
@ -70,7 +70,7 @@ module Main (Clock : Mirage_clock_lwt.MCLOCK) = struct
(* Watch for shutdown requests from Qubes *) (* Watch for shutdown requests from Qubes *)
let shutdown_rq = let shutdown_rq =
OS.Lifecycle.await_shutdown_request () >>= fun (`Poweroff | `Reboot) -> OS.Lifecycle.await_shutdown_request () >>= fun (`Poweroff | `Reboot) ->
return () in Lwt.return_unit in
(* Set up networking *) (* Set up networking *)
let max_entries = Key_gen.nat_table_size () in let max_entries = Key_gen.nat_table_size () in
My_nat.create ~max_entries >>= fun nat -> My_nat.create ~max_entries >>= fun nat ->

6
uplink.ml
View File

@ -46,12 +46,12 @@ module Make(Clock : Mirage_clock_lwt.MCLOCK) = struct
Lwt.return_unit Lwt.return_unit
| Error e -> | Error e ->
Log.warn (fun f -> f "Ignored unknown IPv4 message from uplink: %a" Nat_packet.pp_error e); Log.warn (fun f -> f "Ignored unknown IPv4 message from uplink: %a" Nat_packet.pp_error e);
Lwt.return () Lwt.return_unit
| Ok None -> Lwt.return_unit | Ok None -> Lwt.return_unit
| Ok (Some packet) -> | Ok (Some packet) ->
Firewall.ipv4_from_netvm router packet Firewall.ipv4_from_netvm router packet
) )
~ipv6:(fun _ip -> return ()) ~ipv6:(fun _ip -> Lwt.return_unit)
frame frame
) >|= or_raise "Uplink listen loop" Netif.pp_error ) >|= or_raise "Uplink listen loop" Netif.pp_error
@ -70,5 +70,5 @@ module Make(Clock : Mirage_clock_lwt.MCLOCK) = struct
~my_ip:ip ~my_ip:ip
~other_ip:config.Dao.uplink_netvm_ip in ~other_ip:config.Dao.uplink_netvm_ip in
let fragments = Fragments.Cache.create (256 * 1024) in let fragments = Fragments.Cache.create (256 * 1024) in
return { net; eth; arp; interface ; fragments } Lwt.return { net; eth; arp; interface ; fragments }
end end