Commit Graph

41 Commits

Author SHA1 Message Date
palainp
764e95e5be WIP:
- merge router+uplink+client_net+firewall into a single dispatcher file
- watch qubesDB for netvm update
- dynamic netvm should work
- without netvm (but command line options) forward packets to a client, and warn the user if the "netvm" is not connected
- apply ocamlformat
2023-07-10 17:02:41 +02:00
palainp
7f5729a12d prevent usage of both command line options and netvm property 2023-07-01 10:46:55 +02:00
palainp
e99e80b150 only set clients when we have a correct netvm IP address 2023-06-30 17:57:08 +02:00
palainp
e5349c22a7 do not stop the unikernel if netvm is None 2023-06-30 17:13:56 +02:00
palainp
55b2f19196 add optional uplink interface 2023-06-30 16:58:08 +02:00
palainp
de9a1dbd1c add the network_config to the router 2023-06-30 15:36:15 +02:00
palainp
9cabe7e303 allow having no netvm defined (will fail on uplink.connect) 2023-06-30 13:59:03 +02:00
Hannes Mehnert
8187096bfa updates to recent mirage-nat changes 2022-10-11 13:30:45 +02:00
Hannes Mehnert
c643f97700 in rules, instead of hardcoding IPv4 addresses of name servers, use those present in QubesDB 2022-09-14 09:43:51 +02:00
palainp
050c4706e3 remove gui code, not needed anymore in Qubes 4.1 2022-09-14 09:43:20 +02:00
palainp
a99d7f8792 update to mirage 4.0.0 & mirage-xen 7.0.0 2022-03-30 03:12:01 -04:00
Hannes Mehnert
c4f9142376 DNS: address code review comments, use qubes-primary-dns from QubesDB 2021-11-10 15:30:55 +01:00
Hannes Mehnert
7e3303a8d6 read DNS resolver IP addresses from QubesDB
as specified in https://www.qubes-os.org/doc/vm-interface/
2021-11-05 20:02:52 +01:00
linse
2d78d47591 Support firewall rules with hostnames.
Co-Authored-By: Mindy Preston <yomimono@users.noreply.github.com>
Co-Authored-By: Olle Jonsson <olle.jonsson@gmail.com>
Co-Authored-By: hannes <hannes@mehnert.org>
Co-Authored-By: cfcs <cfcs@users.noreply.github.com>
2020-05-15 16:25:46 +02:00
linse
87df5bdcc0 Read firewall rules from QubesDB. The module Rules contains a rule matcher instead of hardcoded rules now.
Co-Authored-By: Mindy Preston <yomimono@users.noreply.github.com>
2020-05-15 16:25:46 +02:00
Thomas Leonard
ab3508a936 Remove unused Clock argument to Uplink 2020-01-13 09:54:09 +00:00
Hannes Mehnert
28bda78d20 fix deprecation warnings (Mirage_clock_lwt -> Mirage_clock) 2020-01-11 15:46:02 +01:00
Hannes Mehnert
3fc418e80c qualify all return with Lwt, use Lwt.return_unit where possible 2020-01-11 15:44:30 +01:00
Hannes Mehnert
0f476c4d7b mirage-nat 2.0.0 and mirage-qubes 0.8.0 compatibility 2020-01-11 15:36:02 +01:00
Thomas Leonard
c7fc54af02 Wait if dom0 is slow to set the network configuration
Sometimes we boot before dom0 has put the network settings in QubesDB.
If that happens, log a message, wait until the database changes, and
retry.
2019-04-28 16:08:27 +01:00
Thomas Leonard
d849a09a25 Don't wait for GUI before attaching client VMs
If the firewall is restarted while AppVMs are connected, qubesd tries to
reconnect them before starting the GUI agent. However, the firewall was
waiting for the GUI agent to connect before handling the connections.

This led to a 10s delay on restart for each client VM.

Reported by xaki23.
2019-01-10 12:55:48 +00:00
Thomas Leonard
75dd8503c5 Use LRU cache to prevent out-of-memory errors 2017-03-18 09:56:07 +00:00
Thomas Leonard
0ef60ae767 Update to new mirage-nat API 2017-03-12 15:14:06 +00:00
Thomas Leonard
6f8d83f828 Use new Nat.reset function to clear the table 2017-03-07 16:06:18 +00:00
Thomas Leonard
bb78a726e4 Mirage 3 support 2017-03-04 17:22:58 +00:00
Thomas Leonard
79092e1463 Avoid using Lwt.join on listening threads
Lwt.join only reports an error if *both* threads fail.
2016-10-01 10:47:19 +01:00
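The semantics behind this commit matter for a firewall: `Lwt.join` resolves only after every promise in the list has resolved, so when one listener fails while the other keeps running, the failure never surfaces and the unikernel keeps running with half of its data path dead. The following is an added example, not code from qubes-mirage-firewall; it depends only on the lwt library, and both "listeners" are promises constructed here to model the situation rather than anything read from a network device.

```ocaml
(* Added example; not code from qubes-mirage-firewall. Needs only lwt,
   e.g. `ocamlfind ocamlopt -package lwt -linkpkg demo.ml`. *)

(* A healthy listener never returns: model it as a promise that is never
   resolved. *)
let healthy_listener () : unit Lwt.t = fst (Lwt.wait ())

(* A broken listener whose device went away: model it as a promise that is
   already rejected. Constructed for the demo; no real device involved. *)
let broken_listener () : unit Lwt.t =
  let p, w = Lwt.wait () in
  Lwt.wakeup_later_exn w (Failure "listener died");
  p

(* What the old code did: wait for *all* listeners. The rejection of one
   is only reported once every other listener has also resolved, which for
   a listener that runs forever means never. *)
let supervise_with_join () =
  Lwt.join [ healthy_listener (); broken_listener () ]

(* What the fix amounts to: resolve as soon as *any* listener resolves, so a
   single failure propagates and the unikernel can fail loudly instead of
   silently forwarding on one side only. *)
let supervise_with_pick () =
  Lwt.pick [ healthy_listener (); broken_listener () ]

let describe name (p : unit Lwt.t) =
  match Lwt.state p with
  | Lwt.Sleep -> Printf.printf "%s: still pending, failure never reported\n" name
  | Lwt.Fail e -> Printf.printf "%s: failed with %s\n" name (Printexc.to_string e)
  | Lwt.Return () -> Printf.printf "%s: returned normally\n" name

let () =
  describe "Lwt.join" (supervise_with_join ());
  describe "Lwt.pick" (supervise_with_pick ())
```

The `Lwt.join` promise stays in the `Sleep` state indefinitely, while the `Lwt.pick` promise is rejected immediately with the listener's exception; in a unikernel that rejection is what lets the main thread exit (and the VM be restarted) rather than keep accepting frames it can no longer forward.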
Thomas Leonard
a7001a70d2 Allow clients to have any IP address
We previously assumed that Qubes would always give clients IP addresses
on a particular network. However, it is not required to do this and in
fact uses a different network for disposable VMs.

With this change:

- We no longer reject clients with unknown IP addresses
- The `Unknown_client` classification is gone; we have no way to tell
  the difference between a client that isn't connected and an external
  address.
- We now consider every client to be on a point-to-point link and do not
  answer ARP requests on behalf of other clients. Clients should assume
  their netmask is 255.255.255.255 (and ignore /qubes-netmask).

This is a partial fix for #9. It allows disposable VMs to connect to the
firewall but for some reason they don't process any frames we send them
(we get their ARP requests but they don't get our replies). Taking eth0
down in the disp VM, then bringing it back up (and re-adding the routes)
allows it to work.
2016-09-25 16:34:22 +01:00
Thomas Leonard
0230cfaf1e Updates for mirage 2.9.0
- Unpin bootvar and use `register ~argv:no_argv` instead.
- Use new name for uplink device ("0", not "tap0").
- Don't configure logging - mirage does that for us now.
2016-05-14 10:44:57 +01:00
Thomas Leonard
221c797241 Survive death of GUId connection
We don't need the GUI anyway. Error was:

    Fatal error: exception Failure("End-of-file from GUId in dom0")
    Raised at file "pervasives.ml", line 30, characters 22-33
    Called from file "src/core/lwt.ml", line 754, characters 44-47
    Mirage exiting with status 2
    Do_exit called!
2016-01-17 13:19:40 +00:00
Thomas Leonard
6fd7b01c65 Remove XenStore debug code
Was causing a Not_found error when used with the released version of
XenStore, which doesn't provide a log.

Reported by Cyril Levis.
2016-01-16 20:12:58 +00:00
Thomas Leonard
987834f6a6 Use mirage-logs library for log reporter
Also, configure Xen debug messages to go to the log ring buffer but not
the console (they will be shown only if an error occurs).
2016-01-11 16:40:26 +00:00
Thomas Leonard
e05a92da50 Update to new Logs API
Note: this reintroduces mirage-qubes pin, as that uses Logs too.
2016-01-08 11:40:11 +00:00
Thomas Leonard
f1ed6ffdd8 Report current memory use to XenStore 2016-01-02 16:14:02 +00:00
Thomas Leonard
aee124338a Minor cleanup 2016-01-01 13:03:18 +00:00
Thomas Leonard
d0f4189df8 Turn off XenStore debug logging 2016-01-01 12:37:39 +00:00
Thomas Leonard
2002126b8b Rationalised firewall rules syntax
Added explicit NAT target, allowing NAT even within client net and
making it clear that NAT is used externally.

Changed Redirect_to_netvm to NAT_to, and allow specifying any target
host.
2016-01-01 11:32:57 +00:00
Thomas Leonard
4032a5d776 Simplify code slightly 2016-01-01 10:56:37 +00:00
Thomas Leonard
cd69ce5a86 Move NAT code to router and add DNS redirects 2015-12-30 19:34:04 +00:00
Thomas Leonard
11e18c0b83 Moved uplink code to its own module 2015-12-30 14:22:46 +00:00
Thomas Leonard
f3332ed4da Split database access into its own module 2015-12-30 12:07:29 +00:00
Thomas Leonard
914b6bbbf6 Initial import 2015-12-30 11:07:17 +00:00