Set up everything for rule reading from QubesDB (but don't do it yet ;-)

)
This commit is contained in:
linse 2019-05-18 02:49:30 +02:00
parent bf8f7c7fd2
commit a63fcf0dbb
3 changed files with 16 additions and 9 deletions


@ -26,10 +26,11 @@ let writev eth dst proto fillfn =
Lwt.return () Lwt.return ()
) )
class client_iface eth ~domid ~gateway_ip ~client_ip client_mac : client_link = class client_iface eth ~domid ~gateway_ip ~client_ip client_mac rules : client_link =
let log_header = Fmt.strf "dom%d:%a" domid Ipaddr.V4.pp client_ip in let log_header = Fmt.strf "dom%d:%a" domid Ipaddr.V4.pp client_ip in
object object
val queue = FrameQ.create (Ipaddr.V4.to_string client_ip) val queue = FrameQ.create (Ipaddr.V4.to_string client_ip)
val rules = rules
method my_mac = ClientEth.mac eth method my_mac = ClientEth.mac eth
method other_mac = client_mac method other_mac = client_mac
method my_ip = gateway_ip method my_ip = gateway_ip
@ -72,14 +73,14 @@ let input_ipv4 ~iface ~router packet =
) )
(** Connect to a new client's interface and listen for incoming frames. *) (** Connect to a new client's interface and listen for incoming frames. *)
let add_vif { Dao.ClientVif.domid; device_id } ~client_ip ~router ~cleanup_tasks = let add_vif { Dao.ClientVif.domid; device_id } ~client_ip ~router ~cleanup_tasks rules =
Netback.make ~domid ~device_id >>= fun backend -> Netback.make ~domid ~device_id >>= fun backend ->
Log.info (fun f -> f "Client %d (IP: %s) ready" domid (Ipaddr.V4.to_string client_ip)); Log.info (fun f -> f "Client %d (IP: %s) ready" domid (Ipaddr.V4.to_string client_ip));
ClientEth.connect backend >>= fun eth -> ClientEth.connect backend >>= fun eth ->
let client_mac = Netback.frontend_mac backend in let client_mac = Netback.frontend_mac backend in
let client_eth = router.Router.client_eth in let client_eth = router.Router.client_eth in
let gateway_ip = Client_eth.client_gw client_eth in let gateway_ip = Client_eth.client_gw client_eth in
let iface = new client_iface eth ~domid ~gateway_ip ~client_ip client_mac in let iface = new client_iface eth ~domid ~gateway_ip ~client_ip client_mac rules in
Router.add_client router iface >>= fun () -> Router.add_client router iface >>= fun () ->
Cleanup.on_cleanup cleanup_tasks (fun () -> Router.remove_client router iface); Cleanup.on_cleanup cleanup_tasks (fun () -> Router.remove_client router iface);
let fixed_arp = Client_eth.ARP.create ~net:client_eth iface in let fixed_arp = Client_eth.ARP.create ~net:client_eth iface in
@ -100,12 +101,12 @@ let add_vif { Dao.ClientVif.domid; device_id } ~client_ip ~router ~cleanup_tasks
>|= or_raise "Listen on client interface" Netback.pp_error >|= or_raise "Listen on client interface" Netback.pp_error
(** A new client VM has been found in XenStore. Find its interface and connect to it. *) (** A new client VM has been found in XenStore. Find its interface and connect to it. *)
let add_client ~router vif client_ip = let add_client ~router vif client_ip rules =
let cleanup_tasks = Cleanup.create () in let cleanup_tasks = Cleanup.create () in
Log.info (fun f -> f "add client vif %a with IP %a" Dao.ClientVif.pp vif Ipaddr.V4.pp client_ip); Log.info (fun f -> f "add client vif %a with IP %a" Dao.ClientVif.pp vif Ipaddr.V4.pp client_ip);
Lwt.async (fun () -> Lwt.async (fun () ->
Lwt.catch (fun () -> Lwt.catch (fun () ->
add_vif vif ~client_ip ~router ~cleanup_tasks add_vif vif ~client_ip ~router ~cleanup_tasks rules
) )
(fun ex -> (fun ex ->
Log.warn (fun f -> f "Error with client %a: %s" Log.warn (fun f -> f "Error with client %a: %s"
@ -127,9 +128,9 @@ let listen router =
) )
); );
(* Check for added clients *) (* Check for added clients *)
new_set |> Dao.VifMap.iter (fun key ip_addr -> new_set |> Dao.VifMap.iter (fun key (ip_addr, rules) ->
if not (Dao.VifMap.mem key !clients) then ( if not (Dao.VifMap.mem key !clients) then (
let cleanup = add_client ~router key ip_addr in let cleanup = add_client ~router key ip_addr rules in
clients := !clients |> Dao.VifMap.add key cleanup clients := !clients |> Dao.VifMap.add key cleanup
) )
) )
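Review bot: The rules captured here are a one-shot snapshot: the iteration at the end of the last hunk calls `add_client` only for keys absent from `!clients`, so a later change to an existing client's rules in `new_set` is silently ignored and the old ruleset keeps applying until the VIF disappears. Once `read_fw_rules` returns real data, either compare the stored `(ip_addr, rules)` pair and re-add the client when its rules differ, or make the field `val mutable rules = rules` with a setter the watcher invokes, so a policy tightening from dom0 takes effect immediately rather than only on reconnect. Separately, `val rules = rules` in `client_iface` has no accessor, so nothing in the router can consult it yet; if `client_link` is meant to carry rules, that class type (defined outside this diff) presumably needs a `method rules = rules`. `listen` begins before the hunk.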

6
dao.ml

@ -49,7 +49,8 @@ let vifs ~handle domid =
(fun () -> OS.Xs.read handle (Printf.sprintf "%s/%d/ip" path device_id)) (fun () -> OS.Xs.read handle (Printf.sprintf "%s/%d/ip" path device_id))
(fun client_ip -> (fun client_ip ->
let client_ip = Ipaddr.V4.of_string_exn client_ip in let client_ip = Ipaddr.V4.of_string_exn client_ip in
Lwt.return (Some (vif, client_ip)) let rules = [] in
Lwt.return (Some (vif, (client_ip, rules)))
) )
(function (function
| Xs_protocol.Enoent _ -> Lwt.return None | Xs_protocol.Enoent _ -> Lwt.return None
@ -113,4 +114,7 @@ let read_network_config qubesDB =
in in
aux (DB.bindings qubesDB) aux (DB.bindings qubesDB)
let read_fw_rules qubesDB domid =
[]
let set_iptables_error db = Qubes.DB.write db "/qubes-iptables-error" let set_iptables_error db = Qubes.DB.write db "/qubes-iptables-error"
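Review bot: `vifs` hardcodes `let rules = [] in` instead of going through the new `read_fw_rules`, and `read_fw_rules qubesDB domid` itself ignores both of its arguments and returns `[]`; under strict warning flags the unused parameters may be reported, so name them `_qubesDB` and `_domid` until the body exists. More importantly, whether `[]` means deny-all or allow-all is decided by whatever later consumes the list, and nothing in this diff pins it down; a one-line comment on the stub such as `(* TODO: read the client's rules from QubesDB; until then every client gets an empty ruleset — callers must treat this as deny *)` (or whatever default is intended) keeps the placeholder from being mistaken for a deliberate empty policy. `vifs` starts before the first hunk.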


@ -15,7 +15,7 @@ module VifMap : sig
val find : key -> 'a t -> 'a option val find : key -> 'a t -> 'a option
end end
val watch_clients : (Ipaddr.V4.t VifMap.t -> unit) -> 'a Lwt.t val watch_clients : ((Ipaddr.V4.t * Pf_qubes.Parse_qubes.rule list) VifMap.t -> unit) -> 'a Lwt.t
(** [watch_clients fn] calls [fn clients] with the list of backend clients (** [watch_clients fn] calls [fn clients] with the list of backend clients
in XenStore, and again each time XenStore updates. *) in XenStore, and again each time XenStore updates. *)
@ -30,4 +30,6 @@ val read_network_config : Qubes.DB.t -> network_config Lwt.t
(** [read_network_config db] fetches the configuration from QubesDB. (** [read_network_config db] fetches the configuration from QubesDB.
If it isn't there yet, it waits until it is. *) If it isn't there yet, it waits until it is. *)
val read_fw_rules: Qubes.DB.t -> int -> Pf_qubes.Parse_qubes.rule list
val set_iptables_error : Qubes.DB.t -> string -> unit Lwt.t val set_iptables_error : Qubes.DB.t -> string -> unit Lwt.t
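Review bot: `read_fw_rules` is declared without an `Lwt.t` result, unlike its neighbour `read_network_config : Qubes.DB.t -> network_config Lwt.t` at the top of this hunk; if the real implementation reads QubesDB it will be asynchronous like the rest of this interface, and changing the signature later means touching every caller, so declaring `val read_fw_rules : Qubes.DB.t -> int -> Pf_qubes.Parse_qubes.rule list Lwt.t` now is cheaper. It is also the only value in this hunk without a `(** ... *)` doc comment, which the rest of the interface uses consistently. Suggest `(** [read_fw_rules db domid] fetches the firewall rules for client [domid] from QubesDB. Currently a stub that returns the empty list. *)`. The `watch_clients` comment in the first hunk still describes "the list of backend clients" although each entry now carries a rule list alongside the IP; a short update there would help readers of the new type.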