Hannes Mehnert
f2d3faf1da
revise port management
...
this needs mirage-nat at hannesm#fixes
2022-10-11 13:31:18 +02:00
palainp
abb508000e
remove memory management code not needed anymore
2022-10-11 13:20:07 +02:00
Hannes Mehnert
c643f97700
in rules, instead of hardcoding IPv4 addresses of name servers, use those present in QubesDB
2022-09-14 09:43:51 +02:00
palainp
a99d7f8792
update to mirage 4.0.0 & mirage-xen 7.0.0
2022-03-30 03:12:01 -04:00
Hannes Mehnert
ed0f7667e4
update to ethernet 3.0 API
2022-01-09 12:55:35 +01:00
Hannes Mehnert
d4e365a499
avoid fmt and cstruct deprecation warnings
2021-11-05 20:02:56 +01:00
linse
2d78d47591
Support firewall rules with hostnames.
...
Co-Authored-By: Mindy Preston <yomimono@users.noreply.github.com>
Co-Authored-By: Olle Jonsson <olle.jonsson@gmail.com>
Co-Authored-By: hannes <hannes@mehnert.org>
Co-Authored-By: cfcs <cfcs@users.noreply.github.com>
2020-05-15 16:25:46 +02:00
linse
87df5bdcc0
Read firewall rules from QubesDB. The module Rules contains a rule matcher instead of hardcoded rules now.
...
Co-Authored-By: Mindy Preston <yomimono@users.noreply.github.com>
2020-05-15 16:25:46 +02:00
Hannes Mehnert
88fec9fa49
adapt to mirage-nat 2.1.0 API (Nat_packet returns a Fragments.Cache.t - which is now a Lru.F.t)
2020-02-08 15:58:37 +01:00
Hannes Mehnert
554e73a46d
cleanup: remove exception cases during Ethernet decode / Nat.of_ipv4_packet - they do not raise exceptions anymore
2020-02-08 15:55:32 +01:00
Hannes Mehnert
3fc418e80c
qualify all return with Lwt, use Lwt.return_unit where possible
2020-01-11 15:44:30 +01:00
Hannes Mehnert
0f476c4d7b
mirage-nat 2.0.0 and mirage-qubes 0.8.0 compatibility
2020-01-11 15:36:02 +01:00
Hannes Mehnert
c66ee54a9f
revert bc7706cc97
, mirage-xen since 5.0.0 reverted the split of OS into Os_xen
2020-01-11 14:34:25 +01:00
xaki23
bc7706cc97
rename things for newer mirage-xen versions
2019-08-25 18:12:59 +02:00
Thomas Leonard
b60d098e96
Give exact types for Packet.src
...
Before, the packet passed to rules.ml could have any host as its src.
Now, `from_client` knows that `src` must be a `Client`, and `from_netvm`
knows that `src` is `External` or `NetVM`.
2019-05-06 10:35:51 +01:00
Thomas Leonard
8b4cc6f5a9
Improve logging
2019-05-06 09:56:02 +01:00
Thomas Leonard
0a4dd7413c
Force backend MAC to fe:ff:ff:ff:ff:ff to fix HVM clients
...
Xen appears to configure the same MAC address for both the frontend
and backend in XenStore. e.g.
[tal@dom0 ~]$ xenstore-ls /local/domain/3/backend/vif/19/0
frontend = "/local/domain/19/device/vif/0"
mac = "00:16:3e:5e:6c:00"
[...]
[tal@dom0 ~]$ xenstore-ls /local/domain/19/device/vif/0
mac = "00:16:3e:5e:6c:00"
This works if the client uses just a simple ethernet device, but fails
if it connects via a bridge. HVM domains have an associated stub domain
running qemu, which provides an emulated network device. The stub domain
uses a bridge to connect qemu's interface with eth0, and this didn't
work.
Force the use of the fixed version of mirage-net-xen, which no longer
uses XenStore to get the backend MAC, and provides a new function to get
the frontend one.
2019-05-06 09:52:46 +01:00
Hannes Mehnert
3553a7aa93
use Ethernet_wire.sizeof_ethernet instead of a magic '14'
2019-03-24 14:29:21 +01:00
Mindy
0852aa0f43
use tcpip 3.7, ethernet, arp, mirage-nat 1.1.0
2019-03-22 14:27:40 -05:00
Thomas Leonard
2edb088650
Update to latest Debian and opam
...
Reported by Honzoo.
2019-02-01 09:36:08 +00:00
Thomas Leonard
b114e569f2
Use Git master for shared-memory-ring and netchannel
...
This adds support for HVM and disposable domains.
Also, update the suggested RAM allocation slightly as 20 MB can be too
small with lots of VMs.
2017-11-09 17:08:59 +00:00
Thomas Leonard
e070044fef
Add extra logging
2017-03-06 14:30:41 +00:00
Thomas Leonard
b4079ac861
Update to new mirage-nat API
2017-03-05 17:04:05 +00:00
Thomas Leonard
bb78a726e4
Mirage 3 support
2017-03-04 17:22:58 +00:00
Thomas Leonard
312627e078
Monitor set of client interfaces, not client domains
...
Qubes does not remove the client directory itself when the domain exits.
Combined with 63cbb4bed0
, this prevented clients from reconnecting.
This may also make it possible to connect clients to the firewall via
multiple interfaces, although this doesn't seem useful.
2016-10-01 16:11:16 +01:00
Thomas Leonard
9c33da3bfd
Handle errors writing to client
...
mirage-net-xen would report Netback_shutdown if we tried to write to a
client after it had disconnected. Now we just log this and continue.
2016-09-25 16:36:18 +01:00
Thomas Leonard
63cbb4bed0
Ensure that old client has quit before adding new one
...
Not sure if this can happen, but it removes a TODO from the code.
2016-09-25 16:36:18 +01:00
Thomas Leonard
3409a19792
Keep track of transmit queue lengths
...
Log if we have to wait to send a frame.
2016-01-17 11:42:40 +00:00
Thomas Leonard
e05a92da50
Update to new Logs API
...
Note: this reintroduces mirage-qubes pin, as that uses Logs too.
2016-01-08 11:40:11 +00:00
Thomas Leonard
2002126b8b
Rationalised firewall rules syntax
...
Added explicit NAT target, allowing NAT even within client net and
making it clear that NAT is used externally.
Changed Redirect_to_netvm to NAT_to, and allow specifying any target
host.
2016-01-01 11:32:57 +00:00
Thomas Leonard
4032a5d776
Simplify code slightly
2016-01-01 10:56:37 +00:00
Thomas Leonard
86b31f7f4b
Process all client frames
...
Before, we only looked at frames with our MAC address, but we may want
to handle client-to-client communication too.
2015-12-31 15:56:56 +00:00
Thomas Leonard
0d864d6cde
Minor cleanup
2015-12-31 15:30:32 +00:00
Thomas Leonard
cd69ce5a86
Move NAT code to router and add DNS redirects
2015-12-30 19:34:04 +00:00
Thomas Leonard
9dc7d01896
Moved client networking to its own module
...
Renamed the old Client_net to Client_eth, as it just handles the
Ethernet layer.
2015-12-30 13:52:56 +00:00
Thomas Leonard
914b6bbbf6
Initial import
2015-12-30 11:07:17 +00:00