Commit Graph

243 Commits

Author SHA1 Message Date
jaseg
0a4b01a841
Fix ln(1) call in build instructions
The arguments were backwards. [```ln``` takes the link target first, then the link name](https://linux.die.net/man/1/ln).
2019-05-31 12:50:33 +09:00
yomimono
7d22eafa59
Merge pull request #68 from talex5/updatevm
Note that mirage-firewall cannot be used as UpdateVM
2019-05-29 17:55:25 -05:00
yomimono
0c571a0601
Merge pull request #67 from talex5/fix-typo
Fix typos in docs
2019-05-29 17:54:51 -05:00
Thomas Leonard
3ab7284a64 Note that mirage-firewall cannot be used as UpdateVM
Reported at: https://groups.google.com/forum/#!topic/qubes-users/YPFtbwyoUjc
2019-05-29 15:25:10 +01:00
Thomas Leonard
de7d05ebfa Fix typos in docs 2019-05-29 09:01:08 +01:00
yomimono
adb451e7e3
Merge pull request #66 from talex5/add-changelog
Add CHANGELOG
2019-05-28 15:25:48 -05:00
Thomas Leonard
ee97d67c84 Add CHANGELOG
Older entries are imported from the release notes. The 0.6 ones are from
the Git commits.
2019-05-28 21:09:52 +01:00
yomimono
c55819ffdf
Merge pull request #64 from talex5/combine-ips
Combine Client_gateway and Firewall_uplink
2019-05-16 18:03:59 -04:00
Thomas Leonard
672c82c43c Combine Client_gateway and Firewall_uplink
Before, we used Client_gateway for the IP address of the firewall on the
client network and Firewall_uplink for its address on the uplink
network. However, Qubes 4 uses the same IP address for both, so we can't
separate these any longer, and there doesn't seem to be any advantage to
keeping them separate anyway.
2019-05-16 19:30:51 +01:00
Thomas Leonard
a93bb954d7
Merge pull request #54 from talex5/rule-examples
Allow naming hosts and add examples to rules.ml
2019-05-07 10:03:42 +01:00
Thomas Leonard
691c4ae745 Update build hash 2019-05-06 10:37:24 +01:00
Thomas Leonard
e15fc8c219 Make example rule more restrictive
In the (commented-out) example rules, instead of allowing any client to
continue a TCP flow with any other client, just allow Untrusted to reply
to Dev. This is all that is needed to make the SSH example work.
2019-05-06 10:35:51 +01:00
Thomas Leonard
eec1e985e5 Add overview of the main components of the firewall 2019-05-06 10:35:51 +01:00
Thomas Leonard
b60d098e96 Give exact types for Packet.src
Before, the packet passed to rules.ml could have any host as its src.
Now, `from_client` knows that `src` must be a `Client`, and `from_netvm`
knows that `src` is `External` or `NetVM`.
2019-05-06 10:35:51 +01:00
Thomas Leonard
189a736368 Add some types to the rules
Before, we inferred the types from rules.ml and then the compiler
checked that it was consistent with what firewall.ml expected. If it
wasn't it reported the problem as being with firewall.ml, which could be
confusing to users.
2019-05-06 10:35:51 +01:00
Thomas Leonard
acf46b4231 Allow naming hosts and add examples to rules.ml
Previously we passed in the interface, from which it was possible (but
a little difficult) to extract the IP address and compare with some
predefined ones. Now, we allow the user to list IP addresses and named
tags for them, which can be matched on easily.

Added example rules showing how to block access to an external service
or allow SSH between AppVMs.

Requested at
https://groups.google.com/d/msg/qubes-users/BnL0nZGpJOE/61HOBg1rCgAJ.
2019-05-06 10:35:51 +01:00
Thomas Leonard
433f3e8f01
Merge pull request #61 from talex5/fix-mac
Force backend MAC to fe:ff:ff:ff:ff:ff to fix HVM clients
2019-05-06 10:32:50 +01:00
Thomas Leonard
d7b376d373 Respond to ARP requests for *.*.*.1
This is a work-around to get DHCP working with HVM domains.
See: https://github.com/QubesOS/qubes-issues/issues/5022
2019-05-06 09:57:47 +01:00
Thomas Leonard
8b4cc6f5a9 Improve logging 2019-05-06 09:56:02 +01:00
Thomas Leonard
0a4dd7413c Force backend MAC to fe:ff:ff:ff:ff:ff to fix HVM clients
Xen appears to configure the same MAC address for both the frontend
and backend in XenStore. e.g.

    [tal@dom0 ~]$ xenstore-ls /local/domain/3/backend/vif/19/0
    frontend = "/local/domain/19/device/vif/0"
    mac = "00:16:3e:5e:6c:00"
    [...]

    [tal@dom0 ~]$ xenstore-ls /local/domain/19/device/vif/0
    mac = "00:16:3e:5e:6c:00"

This works if the client uses just a simple ethernet device, but fails
if it connects via a bridge. HVM domains have an associated stub domain
running qemu, which provides an emulated network device. The stub domain
uses a bridge to connect qemu's interface with eth0, and this didn't
work.

Force the use of the fixed version of mirage-net-xen, which no longer
uses XenStore to get the backend MAC, and provides a new function to get
the frontend one.
2019-05-06 09:52:46 +01:00
yomimono
65b79208a1
Merge pull request #60 from talex5/await-net-config
Wait if dom0 is slow to set the network configuration
2019-04-30 16:18:08 -05:00
yomimono
321a93aa5d
Merge pull request #58 from talex5/advisories
Link to security advisories from README
2019-04-30 16:13:40 -05:00
Thomas Leonard
9d2723a08a Require mirage-nat >= 1.2.0 for ICMP support 2019-04-28 16:10:02 +01:00
Thomas Leonard
c7fc54af02 Wait if dom0 is slow to set the network configuration
Sometimes we boot before dom0 has put the network settings in QubesDB.
If that happens, log a message, wait until the database changes, and
retry.
2019-04-28 16:08:27 +01:00
Thomas Leonard
eb14f7e777 Link to security advisories from README
Also, link from binary installation to deployment section.
2019-04-26 12:39:34 +01:00
Thomas Leonard
5e1588f861
Merge pull request #55 from talex5/fix-icmp
Upgrade to latest mirage-nat to fix ICMP
2019-04-17 11:45:40 +01:00
Thomas Leonard
45eef49c95 Upgrade to latest mirage-nat to fix ICMP
Now ping and traceroute should work.
2019-04-16 18:21:07 +01:00
yomimono
debd34cc3a
Merge pull request #52 from talex5/repro-builds
Add patch to cmdliner for reproducible build
2019-04-13 12:15:57 -05:00
yomimono
7000d9a010
Merge pull request #51 from talex5/update-docs
Clarify how to build from source
2019-04-13 12:14:14 -05:00
Thomas Leonard
5958cfed97 Clarify how to build from source 2019-04-08 10:43:30 +01:00
Thomas Leonard
06511e076f Add patch to cmdliner for reproducible build
See https://github.com/dbuenzli/cmdliner/pull/106
2019-04-08 10:35:42 +01:00
yomimono
14461c3960
Merge pull request #49 from talex5/repro-archive
Use source date in .tar.bz2 archive
2019-04-07 18:37:46 -05:00
Thomas Leonard
74479c792e Use source date in .tar.bz2 archive
All files are now added using the date the build-with-docker script was
last changed. Since this includes the hash of the result, it should be
up-to-date. This ensures that rebuilding the archive doesn't change it
in any way.

Reported-by: Holger Levsen
2019-04-05 09:42:12 +01:00
Mindy Preston
88b55acaed
Merge pull request #48 from talex5/update-readme
Remove Qubes 3 instructions from README
2019-04-04 12:05:06 -05:00
Thomas Leonard
bd7babeda0 Remove Qubes 3 instructions from README
See https://www.qubes-os.org/news/2019/03/28/qubes-3-2-has-reached-eol/
2019-04-04 11:05:49 +01:00
Thomas Leonard
3fc9790203
Merge pull request #47 from talex5/update-deps
Update dependencies
2019-04-03 19:53:54 +01:00
Thomas Leonard
cb7078633e Update dependencies
Remove pin on mirage 3.4 - it should now be working with the latest
release.
2019-04-03 12:32:13 +01:00
Mindy Preston
7f10c24232
Merge pull request #46 from hannesm/no-14
use Ethernet_wire.sizeof_ethernet instead of a magic '14'
2019-03-25 10:43:13 -05:00
Thomas Leonard
aa405530b4
Merge pull request #45 from yomimono/just-into-cstruct
use tcpip 3.7, ethernet, arp, mirage-nat 1.1.0
2019-03-24 13:33:05 +00:00
Hannes Mehnert
3553a7aa93 use Ethernet_wire.sizeof_ethernet instead of a magic '14' 2019-03-24 14:29:21 +01:00
Thomas Leonard
7f99973a02 Update Docker build for Mirage 3.5 2019-03-24 13:21:39 +00:00
Thomas Leonard
f1a946af4e
Merge pull request #44 from xaki23/master
update ocaml version (4.05 to 4.07), pin-down mirage version (3.5 to 3.4)
2019-03-23 17:00:18 +00:00
Mindy
0852aa0f43 use tcpip 3.7, ethernet, arp, mirage-nat 1.1.0 2019-03-22 14:27:40 -05:00
Mindy
d7cd4e2961 typo fix 2019-03-17 20:16:35 -05:00
xaki23
04bea6e9ba
update ocaml version (from 4.05 to 4.07), pin-down mirage version (to 3.4, 3.5 is current) 2019-03-06 23:43:49 +01:00
Thomas Leonard
455149249f
Merge pull request #43 from mirage/update-readme
Update links from talex5 to mirage
2019-03-01 09:06:31 +00:00
Thomas Leonard
ab88d413c4
Update links from talex5 to mirage 2019-02-26 16:57:40 +00:00
Thomas Leonard
2edb088650 Update to latest Debian and opam
Reported by Honzoo.
2019-02-01 09:36:08 +00:00
Thomas Leonard
4526375a19 Note that Git versions might have different hashes 2019-01-19 10:32:27 +00:00
Ahmed Al-Sudani
ef09eb50ac Update last known build hash 2019-01-16 14:17:09 -05:00