qubes-mirage-firewall

mirror of https://github.com/mirage/qubes-mirage-firewall.git synced 2024-10-01 01:05:39 -04:00

Author	SHA1	Message	Date
Hannes Mehnert	f2d3faf1da	revise port management this needs mirage-nat at hannesm#fixes	2022-10-11 13:31:18 +02:00
palainp	abb508000e	remove memory management code not needed anymore	2022-10-11 13:20:07 +02:00
Hannes Mehnert	c643f97700	in rules, instead of hardcoding IPv4 addresses of name servers, use those present in QubesDB	2022-09-14 09:43:51 +02:00
palainp	a99d7f8792	update to mirage 4.0.0 & mirage-xen 7.0.0	2022-03-30 03:12:01 -04:00
Hannes Mehnert	ed0f7667e4	update to ethernet 3.0 API	2022-01-09 12:55:35 +01:00
Hannes Mehnert	d4e365a499	avoid fmt and cstruct deprecation warnings	2021-11-05 20:02:56 +01:00
linse	2d78d47591	Support firewall rules with hostnames. Co-Authored-By: Mindy Preston <yomimono@users.noreply.github.com> Co-Authored-By: Olle Jonsson <olle.jonsson@gmail.com> Co-Authored-By: hannes <hannes@mehnert.org> Co-Authored-By: cfcs <cfcs@users.noreply.github.com>	2020-05-15 16:25:46 +02:00
linse	87df5bdcc0	Read firewall rules from QubesDB. The module Rules contains a rule matcher instead of hardcoded rules now. Co-Authored-By: Mindy Preston <yomimono@users.noreply.github.com>	2020-05-15 16:25:46 +02:00
Hannes Mehnert	88fec9fa49	adapt to mirage-nat 2.1.0 API (Nat_packet returns a Fragments.Cache.t - which is now a Lru.F.t)	2020-02-08 15:58:37 +01:00
Hannes Mehnert	554e73a46d	cleanup: remove exception cases during Ethernet decode / Nat.of_ipv4_packet - they do not raise exceptions anymore	2020-02-08 15:55:32 +01:00
Hannes Mehnert	3fc418e80c	qualify all return with Lwt, use Lwt.return_unit where possible	2020-01-11 15:44:30 +01:00
Hannes Mehnert	0f476c4d7b	mirage-nat 2.0.0 and mirage-qubes 0.8.0 compatibility	2020-01-11 15:36:02 +01:00
Hannes Mehnert	c66ee54a9f	revert `bc7706cc97`, mirage-xen since 5.0.0 reverted the split of OS into Os_xen	2020-01-11 14:34:25 +01:00
xaki23	bc7706cc97	rename things for newer mirage-xen versions	2019-08-25 18:12:59 +02:00
Thomas Leonard	b60d098e96	Give exact types for Packet.src Before, the packet passed to rules.ml could have any host as its src. Now, `from_client` knows that `src` must be a `Client`, and `from_netvm` knows that `src` is `External` or `NetVM`.	2019-05-06 10:35:51 +01:00
Thomas Leonard	8b4cc6f5a9	Improve logging	2019-05-06 09:56:02 +01:00
Thomas Leonard	0a4dd7413c	Force backend MAC to fe:ff:ff:ff:ff:ff to fix HVM clients Xen appears to configure the same MAC address for both the frontend and backend in XenStore. e.g. [tal@dom0 ~]$ xenstore-ls /local/domain/3/backend/vif/19/0 frontend = "/local/domain/19/device/vif/0" mac = "00:16:3e:5e:6c:00" [...] [tal@dom0 ~]$ xenstore-ls /local/domain/19/device/vif/0 mac = "00:16:3e:5e:6c:00" This works if the client uses just a simple ethernet device, but fails if it connects via a bridge. HVM domains have an associated stub domain running qemu, which provides an emulated network device. The stub domain uses a bridge to connect qemu's interface with eth0, and this didn't work. Force the use of the fixed version of mirage-net-xen, which no longer uses XenStore to get the backend MAC, and provides a new function to get the frontend one.	2019-05-06 09:52:46 +01:00
Hannes Mehnert	3553a7aa93	use Ethernet_wire.sizeof_ethernet instead of a magic '14'	2019-03-24 14:29:21 +01:00
Mindy	0852aa0f43	use tcpip 3.7, ethernet, arp, mirage-nat 1.1.0	2019-03-22 14:27:40 -05:00
Thomas Leonard	2edb088650	Update to latest Debian and opam Reported by Honzoo.	2019-02-01 09:36:08 +00:00
Thomas Leonard	b114e569f2	Use Git master for shared-memory-ring and netchannel This adds support for HVM and disposable domains. Also, update the suggested RAM allocation slightly as 20 MB can be too small with lots of VMs.	2017-11-09 17:08:59 +00:00
Thomas Leonard	e070044fef	Add extra logging	2017-03-06 14:30:41 +00:00
Thomas Leonard	b4079ac861	Update to new mirage-nat API	2017-03-05 17:04:05 +00:00
Thomas Leonard	bb78a726e4	Mirage 3 support	2017-03-04 17:22:58 +00:00
Thomas Leonard	312627e078	Monitor set of client interfaces, not client domains Qubes does not remove the client directory itself when the domain exits. Combined with `63cbb4bed0`, this prevented clients from reconnecting. This may also make it possible to connect clients to the firewall via multiple interfaces, although this doesn't seem useful.	2016-10-01 16:11:16 +01:00
Thomas Leonard	9c33da3bfd	Handle errors writing to client mirage-net-xen would report Netback_shutdown if we tried to write to a client after it had disconnected. Now we just log this and continue.	2016-09-25 16:36:18 +01:00
Thomas Leonard	63cbb4bed0	Ensure that old client has quit before adding new one Not sure if this can happen, but it removes a TODO from the code.	2016-09-25 16:36:18 +01:00
Thomas Leonard	3409a19792	Keep track of transmit queue lengths Log if we have to wait to send a frame.	2016-01-17 11:42:40 +00:00
Thomas Leonard	e05a92da50	Update to new Logs API Note: this reintroduces mirage-qubes pin, as that uses Logs too.	2016-01-08 11:40:11 +00:00
Thomas Leonard	2002126b8b	Rationalised firewall rules syntax Added explicit NAT target, allowing NAT even within client net and making it clear that NAT is used externally. Changed Redirect_to_netvm to NAT_to, and allow specifying any target host.	2016-01-01 11:32:57 +00:00
Thomas Leonard	4032a5d776	Simplify code slightly	2016-01-01 10:56:37 +00:00
Thomas Leonard	86b31f7f4b	Process all client frames Before, we only looked at frames with our MAC address, but we may want to handle client-to-client communication too.	2015-12-31 15:56:56 +00:00
Thomas Leonard	0d864d6cde	Minor cleanup	2015-12-31 15:30:32 +00:00
Thomas Leonard	cd69ce5a86	Move NAT code to router and add DNS redirects	2015-12-30 19:34:04 +00:00
Thomas Leonard	9dc7d01896	Moved client networking to its own module Renamed the old Client_net to Client_eth, as it just handles the Ethernet layer.	2015-12-30 13:52:56 +00:00
Thomas Leonard	914b6bbbf6	Initial import	2015-12-30 11:07:17 +00:00

36 Commits