Commit Graph

296 Commits

Author SHA1 Message Date
palainp
764e95e5be WIP:
- merge router+uplink+client_net+firewall into a single dispatcher file
- watch qubesDB for netvm update
- dynamic netvm should work
- without netvm (but command line options) forward packets to a client, and warn the user if the "netvm" is not connected
- apply ocamlformat
2023-07-10 17:02:41 +02:00
palainp
e055f810c7 update hashsum 2023-07-01 17:26:34 +02:00
palainp
95812a7458 fix default DNS addresses 2023-07-01 16:49:07 +02:00
palainp
ee2409dc61 fallback to the command line specified uplink interface if no netvm interface 2023-07-01 11:56:14 +02:00
palainp
7f5729a12d prevent usage of both command line options and netvm property 2023-07-01 10:46:55 +02:00
palainp
e99e80b150 only set clients when we have a correct netvm IP address 2023-06-30 17:57:08 +02:00
palainp
e5349c22a7 do not stop the unikernel if netvm is None 2023-06-30 17:13:56 +02:00
palainp
fe99021dc0 add minimal README information about using mirage-firewall without netvm 2023-06-30 17:06:17 +02:00
palainp
55b2f19196 add optional uplink interface 2023-06-30 16:58:08 +02:00
palainp
de9a1dbd1c add the network_config to the router 2023-06-30 15:36:15 +02:00
palainp
5a0711bb2d in Qubes doc client_our_ip is always netvm_our_ip 2023-06-30 15:31:30 +02:00
palainp
9cabe7e303 allow having no netvm defined (will fail on uplink.connect) 2023-06-30 13:59:03 +02:00
Hannes Mehnert
609f5295c7 changes for 0.8.4 2022-12-07 20:44:00 +01:00
Hannes Mehnert
09740b7e12
Merge pull request #167 from hannesm/update
Update of opam-repository commit to retrieve solo5 0.7.5
2022-12-07 20:40:52 +01:00
Hannes Mehnert
916813b6ea update hash of build product 2022-12-07 20:00:55 +01:00
Hannes Mehnert
0c3959af04 update opam repository commit to get solo5 0.7.5 2022-12-07 19:15:44 +01:00
Hannes Mehnert
54dfd05ab5
Merge pull request #164 from hannesm/action
Reproducible build systems: use build-with-docker.sh in the GitHub action
2022-11-17 12:39:37 +01:00
Hannes Mehnert
9239aa5277 github action: check checksum before uploading 2022-11-13 16:15:15 +01:00
Hannes Mehnert
ba6629f4ca Reproducible build systems: use build-with-docker.sh in the GitHub action
Also upload the artifact to the GitHub action, and in addition use the same setup
(ubuntu 20.04 image) and build directories as on builds.robur.coop.

Also use `strip` on the resulting binary to reduce its size (since the debug
sections aren't mapped into the running unikernel, there's nothing we get from
them -- they are also preserved (as a .debug file) and uploaded to
https://builds.robur.coop if one needs them).

This entails binary reproducibility between the different systems:
- a developer using ./build-with-docker.sh
- GitHub action (run on every PR)
- builds.robur.coop with the ubuntu-20.04 worker
2022-11-13 15:20:59 +01:00
Hannes Mehnert
ee45c7ba3d
Merge pull request #163 from hannesm/next
Next release: 0.8.3
2022-11-11 16:43:26 +01:00
Hannes Mehnert
b414230735 Dockerfile: install ocaml-solo5 earlier to help caching more 2022-11-11 16:10:28 +01:00
Hannes Mehnert
2023cc4655 changes for 0.8.3, and checksum updates 2022-11-11 15:50:50 +01:00
Hannes Mehnert
20ce084a49 set netchannel + mirage-nat lower bounds 2022-11-11 15:44:58 +01:00
Hannes Mehnert
e8e03fe6a6 My_nat.free_udp_port: avoid looping forever, use last_resort_port earlier 2022-11-11 15:44:58 +01:00
Hannes Mehnert
d094b20950 use a fresh client for requesting vif and ip
in the callback to "Xs_client.wait", all operations are tracked and new watches
are installed (that are never removed, since xenstore's xs_handle
"accessed_path" never removes any element of the "accessed_paths" (a mutable
StringSet)). So, whatever is done in the callback of wait needs to take care
(if returning EAGAIN and thus forcing xenstore to continue waiting/watching)
that accesses are tracked.

Our way out is to create a fresh client and read the IP address with that new
client -> the watcher isn't extended -> no dangling (leaking) watches, and no
leaking only-expanding StringSet.
2022-11-11 15:44:58 +01:00
Hannes Mehnert
0e0917f4fe DNS: start task reading Lwt_mvar and distributing DNS replies to clients
Before, a DNS request was sent and the first thing appearing in the Lwt_mvar
was taken as the reply. The issue with this was two-fold:
- it could be a reply for a different request
- there could be DNS replies being sent to the uplink stack leading to
  Lwt_mvar.put being called, which blocks if there is already a value in the
  mvar.

Now, the separate task is a loop reading the mvar, using a Lwt_condition to
signal the receipt of that ID (potentially discarding if there's no client
waiting). The DNS query registers itself (using the ID) in the map with a
Lwt_condition, and waits to be notified (or a timeout occurs).
2022-11-11 15:44:58 +01:00
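The reader-task pattern described in the commit above, as an added example that is not code from qubes-mirage-firewall: a single dispatcher drains the reply channel and hands each DNS reply to the waiter registered under its transaction ID, discarding replies nobody is waiting for and letting each query time out independently. Python's asyncio stands in for Lwt here (an asyncio.Queue for the Lwt_mvar, a Future per waiter for the Lwt_condition); the upstream resolver, its delays and the reply packets are constructed inline.

```python
"""Added example (not the project's code): dispatch DNS replies by transaction ID."""
import asyncio
import struct
from typing import Awaitable, Callable, Dict, Optional


def dns_txid(packet: bytes) -> int:
    """Transaction ID is the first big-endian 16-bit word of a DNS message."""
    if len(packet) < 12:
        raise ValueError("shorter than a DNS header")
    return struct.unpack_from("!H", packet, 0)[0]


def make_reply(txid: int) -> bytes:
    # Constructed reply: header only (QR|RD|RA flags, no records).
    return struct.pack("!HHHHHH", txid, 0x8180, 0, 0, 0, 0)


class ReplyDispatcher:
    def __init__(self, replies: "asyncio.Queue[bytes]"):
        self._replies = replies                        # stands in for the Lwt_mvar
        self._waiters: Dict[int, asyncio.Future] = {}  # txid -> waiting query
        self.discarded = 0                             # replies with no matching waiter
        self._task: Optional[asyncio.Task] = None

    def start(self) -> None:
        self._task = asyncio.create_task(self._loop())

    async def stop(self) -> None:
        self._task.cancel()
        try:
            await self._task
        except asyncio.CancelledError:
            pass

    async def _loop(self) -> None:
        # The only consumer of the channel: it never blocks a producer for long
        # and never hands a reply to a query with a different ID.
        while True:
            pkt = await self._replies.get()
            try:
                txid = dns_txid(pkt)
            except ValueError:
                self.discarded += 1
                continue
            fut = self._waiters.pop(txid, None)
            if fut is None or fut.done():   # nobody waiting, or waiter already timed out
                self.discarded += 1
                continue
            fut.set_result(pkt)

    async def query(self, txid: int, send: Callable[[int], Awaitable[None]],
                    timeout: float) -> Optional[bytes]:
        if txid in self._waiters:
            raise ValueError("transaction ID already in flight")
        fut = asyncio.get_running_loop().create_future()
        self._waiters[txid] = fut          # register before sending, so no reply is lost
        await send(txid)
        try:
            return await asyncio.wait_for(fut, timeout)
        except asyncio.TimeoutError:
            self._waiters.pop(txid, None)  # leave no dangling waiter behind
            return None


async def _demo() -> dict:
    replies: "asyncio.Queue[bytes]" = asyncio.Queue()
    disp = ReplyDispatcher(replies)
    disp.start()
    delays = {1: 0.02, 2: 0.01}   # constructed upstream: out-of-order answers, txid 3 never answered

    async def send(txid: int) -> None:
        if txid in delays:
            async def deliver() -> None:
                await asyncio.sleep(delays[txid])
                await replies.put(make_reply(txid))
            asyncio.create_task(deliver())

    await replies.put(make_reply(0x0999))   # stray reply no query asked for
    r1, r2, r3 = await asyncio.gather(
        disp.query(1, send, 0.5), disp.query(2, send, 0.5), disp.query(3, send, 0.05))
    await disp.stop()
    return {"r1": dns_txid(r1), "r2": dns_txid(r2), "r3": r3, "discarded": disp.discarded}


def run_demo() -> dict:
    """Run the scenario and return which reply reached which query."""
    return asyncio.run(_demo())


if __name__ == "__main__":
    print(run_demo())
```

Each query owns its registration, so a late reply for a query that already timed out is counted as discarded rather than being delivered to whichever query happens to be next in line.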
Hannes Mehnert
ddfb17c0b2 remove unused integer module, intset, intmap 2022-11-11 15:44:58 +01:00
Hannes Mehnert
33c7c24dfd code cleanups (removed profile release from dune-workspace to find some warnings) 2022-11-11 15:44:58 +01:00
Hannes Mehnert
ecc5cbc409 fix github action 2022-11-11 15:36:42 +01:00
Hannes Mehnert
af60225671 github action: something sets OPAMCLI to 2.0, so no --confirm-level=yes available 2022-11-11 13:58:46 +01:00
Hannes Mehnert
7370ba85f6 github action should be in .github/workflows 2022-11-11 13:46:29 +01:00
Hannes Mehnert
bed0aa5cc4 add github action to compile the firewall 2022-11-11 13:40:04 +01:00
Hannes Mehnert
b09acdeec2
Merge pull request #154 from hannesm/dns-6.4.0
update to dns 6.4.0
2022-10-27 15:05:39 +02:00
Hannes Mehnert
2afa24536d update to dns 6.4.0 2022-10-27 11:48:52 +02:00
Hannes Mehnert
07da67c8cf changes for 0.8.2 2022-10-12 09:09:03 +02:00
Hannes Mehnert
065c8bb69a
Merge pull request #152 from hannesm/next-release
Next release
2022-10-12 09:05:55 +02:00
Hannes Mehnert
b958c10690 build-with-docker: update sha 2022-10-11 13:55:36 +02:00
Hannes Mehnert
c66d6a8727 raise lower bound of mirage-nat to 3.0.0, bump opam-repo commit 2022-10-11 13:34:55 +02:00
Hannes Mehnert
93b92c041b Adapt to mirage-nat changes:
allow pick_free_port to fail
reserve a special udp port for dns (as last resort)
2022-10-11 13:31:30 +02:00
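The port-allocation change in this commit and in "My_nat.free_udp_port: avoid looping forever, use last_resort_port earlier" above, as an added example that is not the project's My_nat code: a bounded random search over the ephemeral range, a reserved port kept out of that range as the last resort, and an explicit failure result when even that is taken. The range, the attempt count and the reserved port number are assumptions for illustration.

```python
"""Added example (not the project's code): bounded free-port search with a reserved fallback."""
import random
from typing import Optional, Set

EPHEMERAL_LOW, EPHEMERAL_HIGH = 49152, 65535  # assumed pool: IANA dynamic range
LAST_RESORT_PORT = 49151                      # assumed: outside the pool, reserved for DNS
MAX_ATTEMPTS = 10                             # assumed: bound on random probing


class UdpPortTable:
    def __init__(self, rng: random.Random):
        self._rng = rng
        self.in_use: Set[int] = set()

    def free_udp_port(self) -> Optional[int]:
        # Bounded probing: with a nearly full table random picks keep colliding,
        # so give up after MAX_ATTEMPTS instead of spinning on the event loop.
        for _ in range(MAX_ATTEMPTS):
            port = self._rng.randint(EPHEMERAL_LOW, EPHEMERAL_HIGH)
            if port not in self.in_use:
                self.in_use.add(port)
                return port
        # Last resort: a port the loop above can never hand out, so it is only
        # busy if an earlier fallback still holds it.
        if LAST_RESORT_PORT not in self.in_use:
            self.in_use.add(LAST_RESORT_PORT)
            return LAST_RESORT_PORT
        return None  # allocation failed; the caller must drop or report, not retry forever

    def release(self, port: int) -> None:
        self.in_use.discard(port)


def exhausted_table_demo(seed: int = 1) -> dict:
    """Fill the pool completely, then allocate twice: fallback, then failure."""
    table = UdpPortTable(random.Random(seed))
    table.in_use = set(range(EPHEMERAL_LOW, EPHEMERAL_HIGH + 1))
    first = table.free_udp_port()
    second = table.free_udp_port()
    table.release(LAST_RESORT_PORT)
    third = table.free_udp_port()
    return {"first": first, "second": second, "third": third}


if __name__ == "__main__":
    print(exhausted_table_demo())
```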
Hannes Mehnert
f2d3faf1da revise port management
this needs mirage-nat at hannesm#fixes
2022-10-11 13:31:18 +02:00
Hannes Mehnert
8187096bfa updates to recent mirage-nat changes 2022-10-11 13:30:45 +02:00
palainp
06b9a88331 remove unneeded logs: be silent if the GC is enough 2022-10-11 13:20:23 +02:00
palainp
eb4d0fc371 update documentation 2022-10-11 13:20:07 +02:00
palainp
abb508000e remove memory management code not needed anymore 2022-10-11 13:20:07 +02:00
Hannes Mehnert
721f552a3c CHANGES for 0.8.1 2022-09-14 11:10:23 +02:00
Hannes Mehnert
47562749b2
Merge pull request #149 from hannesm/next
Next release
2022-09-14 10:57:49 +02:00
Hannes Mehnert
6521b1474c update sha256 2022-09-14 10:18:11 +02:00
palainp
9b1b30aa2b trigger the GC earlier (at < 50% free space)
print memory usage every 10 minutes
2022-09-14 09:45:44 +02:00
Hannes Mehnert
c643f97700 in rules, instead of hardcoding IPv4 addresses of name servers, use those present in QubesDB 2022-09-14 09:43:51 +02:00
Hannes Mehnert
5fdcaae7e8 firewall rule: remove DNS rule (was only needed in Qubes 3) 2022-09-14 09:43:48 +02:00