Commit Graph

13 Commits

Author SHA1 Message Date
Hannes Mehnert
7e3303a8d6 read DNS resolver IP addresses from QubesDB
as specified in https://www.qubes-os.org/doc/vm-interface/
2021-11-05 20:02:52 +01:00
linse
b5ec221e2a Handle other IP formats from xenstore.
Example: "10.137.0.18 fd09:24ef:3178::a19:11"
reported via https://twitter.com/t_grote/status/1262747002334408704
2020-05-19 17:47:40 +02:00
linse
87df5bdcc0 Read firewall rules from QubesDB. The module Rules contains a rule matcher instead of hardcoded rules now.
Co-Authored-By: Mindy Preston <yomimono@users.noreply.github.com>
2020-05-15 16:25:46 +02:00
Hannes Mehnert
3fc418e80c qualify all return with Lwt, use Lwt.return_unit where possible 2020-01-11 15:44:30 +01:00
Hannes Mehnert
c66ee54a9f revert bc7706cc97, mirage-xen since 5.0.0 reverted the split of OS into Os_xen 2020-01-11 14:34:25 +01:00
xaki23
bc7706cc97
rename things for newer mirage-xen versions 2019-08-25 18:12:59 +02:00
Thomas Leonard
c7fc54af02 Wait if dom0 is slow to set the network configuration
Sometimes we boot before dom0 has put the network settings in QubesDB.
If that happens, log a message, wait until the database changes, and
retry.
2019-04-28 16:08:27 +01:00
Thomas Leonard
bb78a726e4 Mirage 3 support 2017-03-04 17:22:58 +00:00
Thomas Leonard
312627e078 Monitor set of client interfaces, not client domains
Qubes does not remove the client directory itself when the domain exits.
Combined with 63cbb4bed0, this prevented clients from reconnecting.

This may also make it possible to connect clients to the firewall via
multiple interfaces, although this doesn't seem useful.
2016-10-01 16:11:16 +01:00
Thomas Leonard
a7001a70d2 Allow clients to have any IP address
We previously assumed that Qubes would always give clients IP addresses
on a particular network. However, it is not required to do this and in
fact uses a different network for disposable VMs.

With this change:

- We no longer reject clients with unknown IP addresses
- The `Unknown_client` classification is gone; we have no way to tell
  the difference between a client that isn't connected and an external
  address.
- We now consider every client to be on a point-to-point link and do not
  answer ARP requests on behalf of other clients. Clients should assume
  their netmask is 255.255.255.255 (and ignore /qubes-netmask).

This is a partial fix for #9. It allows disposable VMs to connect to the
firewall but for some reason they don't process any frames we send them
(we get their ARP requests but they don't get our replies). Taking eth0
down in the disp VM, then bringing it back up (and re-adding the routes)
allows it to work.
2016-09-25 16:34:22 +01:00
Thomas Leonard
ac0444f1c1 Log packet details when dropping 2015-12-31 09:56:58 +00:00
Thomas Leonard
5a2f6f7ce8 Minor cleanups 2015-12-30 14:32:59 +00:00
Thomas Leonard
f3332ed4da Split database access into its own module 2015-12-30 12:07:29 +00:00