Before, we used Client_gateway for the IP address of the firewall on the
client network and Firewall_uplink for its address on the uplink
network. However, Qubes 4 uses the same IP address for both, so we can't
separate these any longer, and there doesn't seem to be any advantage to
keeping them separate anyway.
We previously assumed that Qubes would always give clients IP addresses
on a particular network. However, it is not required to do this and in
fact uses a different network for disposable VMs.
With this change:
- We no longer reject clients with unknown IP addresses
- The `Unknown_client` classification is gone; we have no way to tell
the difference between a client that isn't connected and an external
address.
- We now consider every client to be on a point-to-point link and do not
answer ARP requests on behalf of other clients. Clients should assume
their netmask is 255.255.255.255 (and ignore /qubes-netmask).
This is a partial fix for #9. It allows disposable VMs to connect to the
firewall but for some reason they don't process any frames we send them
(we get their ARP requests but they don't get our replies). Taking eth0
down in the disp VM, then bringing it back up (and re-adding the routes)
allows it to work.
Before, when resetting the NAT table to handle an out-of-memory
condition we tried to allocate the new table while still holding
the reference to the old one. It should be more reliable to drop
the old reference first.
Log showed:
2016-01-31 19:33.47: INF [firewall] added NAT redirect 10.137.3.12:32860 -> 53:firewall:52517 -> 53:net-vm
2016-01-31 19:33.52: WRN [firewall] Out_of_memory adding NAT rule. Dropping NAT table...
--- End dump ---
Fatal error: exception Out of memory
Raised by primitive operation at file "hashtbl.ml", line 63, characters 52-70
Called from file "router.ml", line 47, characters 11-30
Called from file "src/core/lwt.ml", line 907, characters 20-24
Mirage exiting with status 2
Do_exit called!
Added explicit NAT target, allowing NAT even within client net and
making it clear that NAT is used externally.
Changed Redirect_to_netvm to NAT_to, and allow specifying any target
host.
