diff --git a/.dockerignore b/.dockerignore index 85fe546..72eb1df 100644 --- a/.dockerignore +++ b/.dockerignore @@ -2,3 +2,6 @@ _build *.xen *.bz2 +*.tar.bz2 +*.tgz +mirage-firewall-bin* diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml new file mode 100644 index 0000000..a5720ca --- /dev/null +++ b/.github/workflows/docker.yml @@ -0,0 +1,32 @@ +name: Main workflow + +on: + pull_request: + push: + schedule: + # Prime the caches every Monday + - cron: 0 1 * * MON + +jobs: + build: + strategy: + fail-fast: false + matrix: + os: + - ubuntu-latest + + runs-on: ${{ matrix.os }} + + steps: + - name: Checkout code + uses: actions/checkout@v4 + + - run: ./build-with.sh docker + + - run: sh -exc 'if [ "$(sha256sum dist/qubes-firewall.xen)" = "$(cat qubes-firewall.sha256)" ]; then echo "SHA256 MATCHES"; else exit 42; fi' + + - name: Upload Artifact + uses: actions/upload-artifact@v4 + with: + name: qubes-firewall.xen + path: qubes-firewall.xen diff --git a/.github/workflows/format.yml b/.github/workflows/format.yml new file mode 100644 index 0000000..7970630 --- /dev/null +++ b/.github/workflows/format.yml @@ -0,0 +1,42 @@ +name: ocamlformat + +on: [push] + +jobs: + format: + name: ocamlformat + + strategy: + fail-fast: false + matrix: + ocaml-version: ["4.14.2"] + operating-system: [ubuntu-latest] + + runs-on: ${{ matrix.operating-system }} + + steps: + - name: Checkout code + uses: actions/checkout@v4 + + - name: Use OCaml ${{ matrix.ocaml-version }} + uses: ocaml/setup-ocaml@v3 + with: + ocaml-compiler: ${{ matrix.ocaml-version }} + + - name: Install ocamlformat + run: grep ^version .ocamlformat | cut -d '=' -f 2 | xargs -I V opam install ocamlformat=V + + - name: Format code + run: git ls-files '*.ml' '*.mli' | xargs opam exec -- ocamlformat --inplace + + - name: Check for modified files + id: git-check + run: echo "modified=$(if git diff-index --quiet HEAD --; then echo "false"; else echo "true"; fi)" >> $GITHUB_OUTPUT + + - name: Commit and push changes + if: steps.git-check.outputs.modified == 'true' + run: | + git config --global user.name "Automated ocamlformat GitHub action, developed by robur.coop" + git config --global user.email "autoformat@robur.coop" + git commit -m "formatted code" . + git push diff --git a/.github/workflows/podman.yml b/.github/workflows/podman.yml new file mode 100644 index 0000000..21f2bd2 --- /dev/null +++ b/.github/workflows/podman.yml @@ -0,0 +1,32 @@ +name: Main workflow + +on: + pull_request: + push: + schedule: + # Prime the caches every Monday + - cron: 0 1 * * MON + +jobs: + build: + strategy: + fail-fast: false + matrix: + os: + - ubuntu-latest + + runs-on: ${{ matrix.os }} + + steps: + - name: Checkout code + uses: actions/checkout@v4 + + - run: ./build-with.sh podman + + - run: sh -exc 'if [ "$(sha256sum dist/qubes-firewall.xen)" = "$(cat qubes-firewall.sha256)" ]; then echo "SHA256 MATCHES"; else exit 42; fi' + + - name: Upload Artifact + uses: actions/upload-artifact@v4 + with: + name: qubes-firewall.xen + path: qubes-firewall.xen diff --git a/.gitignore b/.gitignore index bd2f111..280a547 100644 --- a/.gitignore +++ b/.gitignore @@ -7,3 +7,4 @@ main.native mir-qubes-test qubes-firewall.xl.in qubes-firewall_libvirt.xml +.merlin diff --git a/.merlin b/.merlin deleted file mode 100644 index 2b4d411..0000000 --- a/.merlin +++ /dev/null @@ -1,3 +0,0 @@ -S . -B _build -PKG vchan.xen lwt mirage mirage-net-xen tcpip mirage-nat diff --git a/.ocamlformat b/.ocamlformat new file mode 100644 index 0000000..d6d9647 --- /dev/null +++ b/.ocamlformat @@ -0,0 +1,3 @@ +version = 0.27.0 +profile = conventional +parse-docstrings = true diff --git a/.travis.yml b/.travis.yml deleted file mode 100644 index fb11f9a..0000000 --- a/.travis.yml +++ /dev/null @@ -1,8 +0,0 @@ -language: c -script: - - echo 'ADD . /home/opam/qubes-mirage-firewall' >> Dockerfile - - echo 'RUN sudo chown -R opam /home/opam/qubes-mirage-firewall' >> Dockerfile - - docker build -t qubes-mirage-firewall . - - docker run --rm -i qubes-mirage-firewall -sudo: required -dist: trusty diff --git a/CHANGES.md b/CHANGES.md index 7fde759..41d0026 100644 --- a/CHANGES.md +++ b/CHANGES.md @@ -1,3 +1,169 @@ +### 0.9.4 (2025-02-10) + +- Fix an issue when qubes-mirage-firewall is used a a mullvad AppVM client. If + our netvm does not reply to our ARP requests we can not construct the ethernet + header. However in Linux VMs, Qubes adds a default netvm address associated to + `fe:ff:ff:ff:ff:ff`, so if ARP fails, we fall back on that address. + (#213, @palainp, reported in the Qubes forum #212, reviewed by @hannesm) + +### 0.9.3 (2025-01-04) + +- Fix an issue when qubes-mirage-firewall is used along with *BSD sys-net + (#209, @palainp, reported in the Qubes forum #208, reviewed by @dinosaure) + +### 0.9.2 (2024-10-16) + +- Code refactoring and improvements (#197, @dinosaure) +- Build tooling updates: opam 2.2.1, solo5 0.9, mirage 4.8.1 (#199, #201, #202, + #203, @hannesm) + +### 0.9.1 (2024-05-10) + +- Drop astring dependency, update mirage-net-xen, and OCaml 4.14.2 -- the + latest LTS release (#193, @hannesm) +- Allow the firewall to use domains requests in rules (#193, @palainp, + reported in the Qubes forum, fix confirmed by @neoniobium) + +### 0.9.0 (2024-04-24) + +- Fix an incorrect free memory estimation (fix in mirage/ocaml-solo5#135 + @palainp) +- Update to mirage 4.5.0, allowing openBSD to be used as netvm (#146 reported + by @Szewcson), and recover from a netvm change (#156 reported by @xaki-23) + (#178 @palainp) + +### 0.8.6 (2023-11-08) + +- Fix Docker build issue with newest SELinux policies (#183 @palainp, reported + by @Szewcson) +- Update build script (change to debian repositories, update debian image, update + opam-repository commit, set commit for opam-overlay and mirage-overlay) (#184 + @palainp, reported by @ben-grande) +- Update disk usage value during local compilation (#186 @palainp, reported by + @ben-grande) + +### 0.8.5 (2023-07-05) + +- Remove memreport to Xen to avoid Qubes trying to get back some memory + (#176 @palainp) +- Use bookworm and snapshot.notset.fr debian packages for reproducibility + (#175 @palainp) + +### 0.8.4 (2022-12-07) + +- Fix remote denial of service due to excessive console output (#166 @burghardt, + fix in solo5/solo5#538 by @palainp) +- Use Ubuntu container for build, now GitHub action, ./build-with-docker.sh and + builds.robur.coop are synchronized (and result in the same artifact) + (#164 @hannesm) + +### 0.8.3 (2022-11-11) + +- Fix "DNS issues", a firewall ruleset with a domain name lead to 100% CPU usage + (reported by fiftyfourthparallel on + https://forum.qubes-os.org/t/mirage-firewall-0-8-2-broken-new-users-should-install-0-8-1/14566, + re-reported by @palainp in #158, fixed by @hannesm in mirage/mirage-nat#48 + (release 3.0.1)) - underlying issue was a wrong definition of `is_port_free` + (since 3.0.0, used since mirage-qubes-firewall 0.8.2). +- Fix "crash on downstream vm start", after more than 64 client VMs have been + connected and disconnected with the qubes-mirage-firewall (reported by @xaki23 + in #155, fixed by @hannesm in #161) - underlying issue was a leak of xenstore + watchers and a hard limit in xen on the amount of watchers +- Fix "detach netvm fails" (reported by @rootnoob in #157, fixed by @palainp + in mirage/mirage-net-xen#105 (release 2.1.2)) - underlying issue was that the + network interface state was never set to closed, but directly removed +- Fix potential DoS in handling DNS replies (#162 @hannesm) +- Avoid potential forever loop in My_nat.free_udp_port (#159 @hannesm) +- Assorted code removals (#161 @hannesm) +- Update to dns 6.4.0 changes (#154, @hannesm) + +### 0.8.2 (2022-10-12) + +- Advise to use 32 MB memory, which is sufficient (#150, @palainp) +- Improve documentation (#150, @palainp) +- Remove unneeded memory management code and log messages (#150, @palainp) +- Use mirage-nat 3.0.0, remove global mutable state (#151, @hannesm) + +### 0.8.1 (2022-09-14) + +- support qrexec protocol version 3 (@reynir @palainp in mirage-qubes 0.9.3) +- remove special DNS rule (which used to be required for Qubes 3, issue #63, fix #142, @hannesm) +- use DNS servers from QubesDB instead of hardcoded ones for evaluation of the DNS rule (#142 @hannesm) +- remove the GUI code (not needed in Qubes 4.1 anymore, issue #62, fix #144, @palainp) +- trigger GC slightly earlier (at < 50% free space, issue #143, fix #147, @palainp) + +### 0.8.0 + +The major change is to use PVH instead of PV. The effort was in solo5 (https://github.com/solo5/solo5) which since 0.6.6 supports Xen and PVH (developed by @mato, with some fixes (multiboot, mem size computed uniformly, not skipping first token of command line arguments) by @marmarek, @xaki23, @palainp, and @hannesm). + +Another user-visible change is that the DNS resolver is read from QubesDB /qubes-primary-dns instead of using a hardcoded IP address (@palainp and @hannesm). + +Also, the qrexec version negotiation has been implemented (in mirage-qubes by @reynir). + +Thanks to @palainp and @winux138 keeping track of memory allocation has been improved, and also memory can be freed now. + +This release uses the latest mirage release (4.2.1). It can be built with a Fedora 35 container. It uses OCaml 4.14.0. + +Thanks to @talex5 for lots of code cleanups, reviews, and merges. Also thanks to @xaki23 for early and detailed feedback. Testing was done by @Tommytran732 and @Szewcson. Thanks to @burghardt for documentation improvements. + +### 0.7.1 + +Bugfixes: + +- More robust parsing of IP address in Xenstore, which may contain both IPv4 and IPv6 addresses (@linse, #103, reported by @grote) + +- Avoid stack overflow with many connections in the NAT table (@linse and @hannesm, reported by @talex5 in #105, fixed by mirage-nat 2.2.2 release) + +### 0.7 + +This version adapts qubes-mirage-firewall with +- dynamic rulesets via QubesDB (as defined in Qubes 4.0), and +- adds support for DNS hostnames in rules, using the pf-qubes library for parsing. + +The DNS client is provided by DNS (>= 4.2.0) which uses a cache for name lookups. Not every packet will lead to a DNS lookup if DNS rules are in place. + +A test unikernel is available in the test subdirectory. + +This project was done by @linse and @yomimono in summer 2019, see PR #96. + +Additional changes and bugfixes: + +- Support Mirage 3.7 and mirage-nat 2.0.0 (@hannesm, #89). + The main improvement is fragmentation and reassembly support. + +- Use the smaller OCurrent images as the base for building the Docker images (@talex5, #80). + - Before: 1 GB (ocaml/opam2:debian-10-ocaml-4.08) + - Now: 309 MB (ocurrent/opam:alpine-3.10-ocaml-4.08) + +- Removed unreachable `Lwt.catch` (@hannesm, #90). + +Documentation: + +- Add note that AppVM used to build from source may need a private image larger than the default 2048MB (@marmot1791, #83). + +- README: create the symlink-redirected docker dir (@xaki23, #75). Otherwise, installing the docker package removes the dangling symlink. + +- Note that mirage-firewall cannot be used as UpdateVM (@talex5, #68). + +- Fix ln(1) call in build instructions (@jaseg, #69). The arguments were backwards. + +Keeping up with upstream changes: + +- Support mirage-3.7 via qubes-builder (@xaki23, #91). + +- Remove unused `Clock` argument to `Uplink` (@talex5, #90). + +- Rename things for newer mirage-xen versions (@xaki23, #80). + +- Adjust to ipaddr-4.0.0 renaming `_bytes` to `_octets` (@xaki23, #75). + +- Use OCaml 4.08.0 for qubes-builder builds (was 4.07.1) (@xaki23, #75). + +- Remove netchannel pin as 1.11.0 is now released (@talex5, #72). + +- Remove cmdliner pin as 1.0.4 is now released (@talex5, #71). + + ### 0.6 Changes to rules language: @@ -19,7 +185,7 @@ Changes to rules language: Now, `from_client` knows that `src` must be a `Client`, and `from_netvm` knows that `src` is `External` or `NetVM`. -- Combine `Client_gateway` and `Firewall_uplink` (@talex5, #65). +- Combine `Client_gateway` and `Firewall_uplink` (@talex5, #64). Before, we used `Client_gateway` for the IP address of the firewall on the client network and `Firewall_uplink` for its address on the uplink network. However, Qubes 4 uses the same IP address for both, so we can't separate these any longer, diff --git a/Dockerfile b/Dockerfile index 1cbe558..bd6e343 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,20 +1,35 @@ # Pin the base image to a specific hash for maximum reproducibility. -# It will probably still work on newer images, though, unless Debian +# It will probably still work on newer images, though, unless an update # changes some compiler optimisations (unlikely). -#FROM ocaml/opam2:debian-9-ocaml-4.07 -FROM ocaml/opam2@sha256:f7125924dd6632099ff98b2505536fe5f5c36bf0beb24779431bb62be5748562 +# bookworm-slim taken from https://hub.docker.com/_/debian/tags?page=1&name=bookworm-slim +FROM debian@sha256:3d5df92588469a4c503adbead0e4129ef3f88e223954011c2169073897547cac +# install remove default packages repository +RUN rm /etc/apt/sources.list.d/debian.sources +# and set the package source to a specific release too +# taken from https://snapshot.debian.org/archive/debian +RUN printf "deb [check-valid-until=no] http://snapshot.debian.org/archive/debian/20240419T024211Z bookworm main\n" > /etc/apt/sources.list +# taken from https://snapshot.debian.org/archive/debian-security/ +RUN printf "deb [check-valid-until=no] http://snapshot.debian.org/archive/debian-security/20240419T111010Z bookworm-security main\n" >> /etc/apt/sources.list +RUN apt update && apt install --no-install-recommends --no-install-suggests -y wget ca-certificates git patch unzip bzip2 make gcc g++ libc-dev +RUN wget -O /usr/bin/opam https://github.com/ocaml/opam/releases/download/2.3.0/opam-2.3.0-i686-linux && chmod 755 /usr/bin/opam +# taken from https://raw.githubusercontent.com/ocaml/opam/master/shell/install.sh +RUN test `sha512sum /usr/bin/opam | cut -d' ' -f1` = \ +"4c0e8771889a36bad4d5f964e2e662d5b611e6f112777d3d4eea3eea919d109cd17826beba38e6cfa1ad9553a0a989d9268f911ea5485968da04b1e08efc7de2" || exit + +ENV OPAMROOT=/tmp +ENV OPAMCONFIRMLEVEL=unsafe-yes # Pin last known-good version for reproducible builds. # Remove this line (and the base image pin above) if you want to test with the # latest versions. -RUN git fetch origin && git reset --hard d1b2a1cbc28d43926b37e61f46fc403b48ab9c23 && opam update - -RUN sudo apt-get install -y m4 libxen-dev pkg-config -RUN opam pin add -yn cmdliner 'https://github.com/talex5/cmdliner.git#repro-builds' -RUN opam install -y vchan mirage-xen-ocaml mirage-xen-minios io-page mirage-xen mirage mirage-nat mirage-qubes -RUN mkdir /home/opam/qubes-mirage-firewall -ADD config.ml /home/opam/qubes-mirage-firewall/config.ml -WORKDIR /home/opam/qubes-mirage-firewall -RUN opam config exec -- mirage configure -t xen && make depend -CMD opam config exec -- mirage configure -t xen && \ - opam config exec -- make tar +# taken from https://github.com/ocaml/opam-repository +RUN opam init --disable-sandboxing -a --bare https://github.com/ocaml/opam-repository.git#8f63148a9025a7b775a069a6c0b0385c22ad51d3 +RUN opam switch create myswitch 4.14.2 +RUN opam exec -- opam install -y mirage opam-monorepo ocaml-solo5 +RUN mkdir /tmp/orb-build +ADD config.ml /tmp/orb-build/config.ml +WORKDIR /tmp/orb-build +CMD opam exec -- sh -exc 'mirage configure -t xen --extra-repos=\ +opam-overlays:https://github.com/dune-universe/opam-overlays.git#f2bec38beca4aea9e481f2fd3ee319c519124649,\ +mirage-overlays:https://github.com/dune-universe/mirage-opam-overlays.git#797cb363df3ff763c43c8fbec5cd44de2878757e \ +&& make depend && make unikernel' diff --git a/LICENSE.md b/LICENSE.md new file mode 100644 index 0000000..23ec3d0 --- /dev/null +++ b/LICENSE.md @@ -0,0 +1,23 @@ +Copyright (X) 2015-2024, the Qubes Mirage Firewall authors +All rights reserved. + +Redistribution and use in source and binary forms, with or without modification, +are permitted provided that the following conditions are met: + +* Redistributions of source code must retain the above copyright notice, this + list of conditions and the following disclaimer. + +* Redistributions in binary form must reproduce the above copyright notice, this + list of conditions and the following disclaimer in the documentation and/or + other materials provided with the distribution. + +THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND +ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED +WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE +DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR +ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES +(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; +LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON +ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT +(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS +SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. \ No newline at end of file diff --git a/Makefile.builder b/Makefile.builder index 098463d..53b860d 100644 --- a/Makefile.builder +++ b/Makefile.builder @@ -1,2 +1,7 @@ -MIRAGE_KERNEL_NAME = qubes_firewall.xen -OCAML_VERSION ?= 4.07.1 +MIRAGE_KERNEL_NAME = dist/qubes-firewall.xen +OCAML_VERSION ?= 4.14.2 +SOURCE_BUILD_DEP := firewall-build-dep + +firewall-build-dep: + opam install -y mirage + diff --git a/Makefile.user b/Makefile.user index da810cd..7188982 100644 --- a/Makefile.user +++ b/Makefile.user @@ -1,7 +1,10 @@ -tar: build - rm -rf _build/mirage-firewall - mkdir _build/mirage-firewall - cp qubes_firewall.xen _build/mirage-firewall/vmlinuz - touch _build/mirage-firewall/modules.img - cat /dev/null | gzip -n > _build/mirage-firewall/initramfs - tar cjf mirage-firewall.tar.bz2 -C _build --mtime=./build-with-docker.sh mirage-firewall +unikernel: build + cp dist/qubes-firewall.xen dist/qubes-firewall.xen.debug + strip dist/qubes-firewall.xen + cp dist/qubes-firewall.xen . + sha256sum qubes-firewall.xen + +fetchmotron: qubes_firewall.xen + test-mirage qubes_firewall.xen mirage-fw-test & + sleep 1 + boot-mirage fetchmotron diff --git a/README.md b/README.md index 960e568..ce64ba6 100644 --- a/README.md +++ b/README.md @@ -3,8 +3,6 @@ A unikernel that can run as a QubesOS ProxyVM, replacing `sys-firewall`. It uses the [mirage-qubes][] library to implement the Qubes protocols. -Note: This firewall *ignores the rules set in the Qubes GUI*. See `rules.ml` for the actual policy. - See [A Unikernel Firewall for QubesOS][] for more details. @@ -15,62 +13,86 @@ See the [Deploy](#deploy) section below for installation instructions. ## Build from source -Create a new Fedora-29 AppVM (or reuse an existing one). Open a terminal. -Clone this Git repository and run the `build-with-docker.sh` script: +Note: The most reliable way to build is using Docker or Podman. +Fedora 38 works well for this, Debian 12 also works, but you'll need to follow the instructions at [docker.com][debian-docker] to get Docker +(don't use Debian's version). - sudo ln -s /var/lib/docker /home/user/docker +Create a new Fedora-38 AppVM (or reuse an existing one). In the Qube's Settings (Basic / Disk storage), increase the private storage max size from the default 2048 MiB to 8192 MiB. Open a terminal. + +Clone this Git repository and run the `build-with.sh` script with either `docker` or `podman` as argument (Note: The `chcon` call is mandatory on Fedora with new SELinux policies which do not allow to standardly keep the docker images in homedir): + + mkdir /home/user/docker + sudo ln -s /home/user/docker /var/lib/docker + sudo chcon -Rt container_file_t /home/user/docker sudo dnf install docker sudo systemctl start docker git clone https://github.com/mirage/qubes-mirage-firewall.git cd qubes-mirage-firewall - sudo ./build-with-docker.sh + sudo ./build-with.sh docker -This took about 10 minutes on my laptop (it will be much quicker if you run it again). -The symlink step at the start isn't needed if your build VM is standalone. -It gives Docker more disk space and avoids losing the Docker image cache when you reboot the Qube. +Or + + sudo systemctl start podman + git clone https://github.com/mirage/qubes-mirage-firewall.git + cd qubes-mirage-firewall + ./build-with.sh podman + +This took about 15 minutes on my laptop (it will be much quicker if you run it again). +The symlink step at the start isn't needed if your build VM is standalone. It gives Docker more disk space and avoids losing the Docker image cache when you reboot the Qube. +It's not needed with Podman as the containers lives in your home directory by default. Note: the object files are stored in the `_build` directory to speed up incremental builds. If you change the dependencies, you will need to delete this directory before rebuilding. -If you want to build on Debian, follow the instructions at [docker.com][debian-docker] to get Docker and then run `sudo ./build-with-docker.sh` as above. - -It's OK to install the Docker package in a template VM if you want it to remain +It's OK to install the Docker or Podman package in a template VM if you want it to remain after a reboot, but the build of the firewall itself should be done in a regular AppVM. -You can also build without Docker, as for any normal Mirage unikernel; -see [the Mirage installation instructions](https://mirage.io/wiki/install) for details. +You can also build without that script, as for any normal Mirage unikernel; +see [the Mirage installation instructions](https://mirageos.org/wiki/install) for details. -The Docker build fixes the versions of the libraries it uses, ensuring that you will get -exactly the same binary that is in the release. If you build without Docker, it will build +The build script fixes the versions of the libraries it uses, ensuring that you will get +exactly the same binary that is in the release. If you build without it, it will build against the latest versions instead (and the hash will therefore probably not match). However, it should still work fine. ## Deploy -If you want to deploy manually, unpack `mirage-firewall.tar.bz2` in dom0, inside `/var/lib/qubes/vm-kernels/`. e.g. (if `dev` is the AppVM where you built it): +### Manual deployment +If you want to deploy manually, you just need to download `qubes-firewall.xen` and +`qubes-firewall.sha256` in domU and check that the `.xen` file has a corresponding +hashsum. `qubes-firewall.xen` is the unikernel itself and should be copied to +`vmlinuz` in the `/var/lib/qubes/vm-kernels/mirage-firewall` directory in dom0, e.g. +(if `dev` is the AppVM where you built it): - [tal@dom0 ~]$ cd /var/lib/qubes/vm-kernels/ - [tal@dom0 vm-kernels]$ qvm-run -p dev 'cat qubes-mirage-firewall/mirage-firewall.tar.bz2' | tar xjf - + [tal@dom0 ~]$ mkdir -p /var/lib/qubes/vm-kernels/mirage-firewall/ + [tal@dom0 ~]$ cd /var/lib/qubes/vm-kernels/mirage-firewall/ + [tal@dom0 mirage-firewall]$ qvm-run -p dev 'cat mirage-firewall/qubes-firewall.xen' > vmlinuz -The tarball contains `vmlinuz`, which is the unikernel itself, plus a couple of dummy files that Qubes requires. - -Run this command in dom0 to create a `mirage-firewall` VM using the `mirage-firewall` kernel you added above: +Run this command in dom0 to create a `mirage-firewall` VM using the `mirage-firewall` kernel you added above ``` qvm-create \ --property kernel=mirage-firewall \ - --property kernelopts=None \ + --property kernelopts='' \ --property memory=32 \ --property maxmem=32 \ --property netvm=sys-net \ --property provides_network=True \ --property vcpus=1 \ - --property virt_mode=pv \ + --property virt_mode=pvh \ --label=green \ --class StandaloneVM \ mirage-firewall + +qvm-features mirage-firewall qubes-firewall 1 +qvm-features mirage-firewall no-default-kernelopts 1 ``` +### Deployment using saltstack +If you're familiar how to run salt states in Qubes, you can also use the script `SaltScriptToDownloadAndInstallMirageFirewallInQubes.sls` to automatically deploy the latest version of mirage firewall in your Qubes OS. An introduction can be found [here](https://forum.qubes-os.org/t/qubes-salt-beginners-guide/20126) and [here](https://www.qubes-os.org/doc/salt/). Following the instructions from the former link, you can run the script in dom0 with the command `sudo qubesctl --show-output state.apply SaltScriptToDownloadAndInstallMirageFirewallInQubes saltenv=user`. The script checks the checksum from the integration server and compares with the latest version provided in the github releases. It might be necessary to adjust the VM templates in the script which are used for downloading of the mirage unikernel, if your default templates do not have the tools `curl` and `tar` installed by default. Also don't forget to change the VMs in which the uni kernel should be used or adjust the "Qubes Global Settings". + +## Upgrading + To upgrade from an earlier release, just overwrite `/var/lib/qubes/vm-kernels/mirage-firewall/vmlinuz` with the new version and restart the firewall VM. ### Configure AppVMs to use it @@ -86,6 +108,25 @@ qvm-prefs --set my-app-vm netvm mirage-firewall Alternatively, you can configure `mirage-firewall` to be your default firewall VM. +Note that by default dom0 uses sys-firewall as its "UpdateVM" (a proxy for downloading updates). +mirage-firewall cannot be used for this, but any Linux VM should be fine. +https://www.qubes-os.org/doc/software-update-dom0/ says: + +> The role of UpdateVM can be assigned to any VM in the Qubes VM Manager, and +> there are no significant security implications in this choice. By default, +> this role is assigned to the firewallvm. + +### Configure firewall with OpenBSD-like netvm + +OpenBSD is currently unable to be used as netvm, so if you want to use a BSD as your sys-net VM, you'll need to set its netvm to qubes-mirage-firewall (see https://github.com/mirage/qubes-mirage-firewall/issues/146 for more information). +That means you'll have `AppVMs -> qubes-mirage-firewall <- OpenBSD` with the arrow standing for the netvm property setting. + +In that case you'll have to tell qubes-mirage-firewall which AppVM client should be used as uplink: +``` +qvm-prefs --set mirage-firewall -- kernelopts '--ipv4=X.X.X.X --ipv4-gw=Y.Y.Y.Y' +``` +with `X.X.X.X` the IP address for mirage-firewall and `Y.Y.Y.Y` the IP address of your OpenBSD HVM. + ### Components This diagram show the main components (each box corresponds to a source `.ml` file with the same name): @@ -95,7 +136,7 @@ This diagram show the main components (each box corresponds to a source `.ml` fi

Ethernet frames arrives from client qubes (such as `work` or `personal`) or from `sys-net`. -Internet (IP) packets are sent to `firewall`, which consults `rules` to decide what to do with the packet. +Internet (IP) packets are sent to `firewall`, which consults the NAT table and the rules from QubesDB to decide what to do with the packet. If it should be sent on, it uses `router` to send it to the chosen destination. `client_net` watches the XenStore database provided by dom0 to find out when clients need to be added or removed. @@ -111,48 +152,54 @@ The boot process: ### Easy deployment for developers -For development, use the [test-mirage][] scripts to deploy the unikernel (`qubes_firewall.xen`) from your development AppVM. +For development, use the [test-mirage][] scripts to deploy the unikernel (`qubes-firewall.xen`) from your development AppVM. This takes a little more setting up the first time, but will be much quicker after that. e.g. - $ test-mirage qubes_firewall.xen mirage-firewall + [user@dev ~]$ test-mirage dist/qubes-firewall.xen mirage-firewall Waiting for 'Ready'... OK - Uploading 'qubes_firewall.xen' (5901080 bytes) to "mirage-firewall" + Uploading 'dist/qubes-firewall.xen' (7454880 bytes) to "mirage-test" Waiting for 'Booting'... OK - --> Loading the VM (type = ProxyVM)... - --> Starting Qubes DB... - --> Setting Qubes DB info for the VM... - --> Updating firewall rules... - --> Starting the VM... - --> Starting the qrexec daemon... - Waiting for VM's qrexec agent.connected - --> Starting Qubes GUId... - Connecting to VM's GUI agent: .connected - --> Sending monitor layout... - --> Waiting for qubes-session... - Connecting to mirage-firewall console... - MirageOS booting... - Initialising timer interface - Initialising console ... done. - gnttab_stubs.c: initialised mini-os gntmap - 2017-03-18 11:32:37 -00:00: INF [qubes.rexec] waiting for client... - 2017-03-18 11:32:37 -00:00: INF [qubes.gui] waiting for client... - 2017-03-18 11:32:37 -00:00: INF [qubes.db] connecting to server... - 2017-03-18 11:32:37 -00:00: INF [qubes.db] connected - 2017-03-18 11:32:37 -00:00: INF [qubes.rexec] client connected, using protocol version 2 - 2017-03-18 11:32:37 -00:00: INF [qubes.db] got update: "/qubes-keyboard" = "xkb_keymap {\n\txkb_keycodes { include \"evdev+aliases(qwerty)\"\t};\n\txkb_types { include \"complete\"\t};\n\txkb_compat { include \"complete\"\t};\n\txkb_symbols { include \"pc+gb+inet(evdev)\"\t};\n\txkb_geometry { include \"pc(pc105)\"\t};\n};" - 2017-03-18 11:32:37 -00:00: INF [qubes.gui] client connected (screen size: 6720x2160) - 2017-03-18 11:32:37 -00:00: INF [unikernel] Qubes agents connected in 0.095 s (CPU time used since boot: 0.008 s) - 2017-03-18 11:32:37 -00:00: INF [net-xen:frontend] connect 0 - 2017-03-18 11:32:37 -00:00: INF [memory_pressure] Writing meminfo: free 6584 / 17504 kB (37.61 %) - Note: cannot write Xen 'control' directory - 2017-03-18 11:32:37 -00:00: INF [net-xen:frontend] create: id=0 domid=1 - 2017-03-18 11:32:37 -00:00: INF [net-xen:frontend] sg:true gso_tcpv4:true rx_copy:true rx_flip:false smart_poll:false - 2017-03-18 11:32:37 -00:00: INF [net-xen:frontend] MAC: 00:16:3e:5e:6c:11 - 2017-03-18 11:32:37 -00:00: WRN [command] << Unknown command "QUBESRPC qubes.SetMonitorLayout dom0" - 2017-03-18 11:32:38 -00:00: INF [ethif] Connected Ethernet interface 00:16:3e:5e:6c:11 - 2017-03-18 11:32:38 -00:00: INF [arpv4] Connected arpv4 device on 00:16:3e:5e:6c:11 - 2017-03-18 11:32:38 -00:00: INF [dao] Watching backend/vif - 2017-03-18 11:32:38 -00:00: INF [qubes.db] got update: "/qubes-netvm-domid" = "1" + Connecting to mirage-test console... + Solo5: Xen console: port 0x2, ring @0x00000000FEFFF000 + | ___| + __| _ \ | _ \ __ \ + \__ \ ( | | ( | ) | + ____/\___/ _|\___/____/ + Solo5: Bindings version v0.7.3 + Solo5: Memory map: 32 MB addressable: + Solo5: reserved @ (0x0 - 0xfffff) + Solo5: text @ (0x100000 - 0x319fff) + Solo5: rodata @ (0x31a000 - 0x384fff) + Solo5: data @ (0x385000 - 0x53ffff) + Solo5: heap >= 0x540000 < stack < 0x2000000 + 2022-08-13 14:55:38 -00:00: INF [qubes.rexec] waiting for client... + 2022-08-13 14:55:38 -00:00: INF [qubes.db] connecting to server... + 2022-08-13 14:55:38 -00:00: INF [qubes.db] connected + 2022-08-13 14:55:38 -00:00: INF [qubes.db] got update: "/mapped-ip/10.137.0.20/visible-ip" = "10.137.0.20" + 2022-08-13 14:55:38 -00:00: INF [qubes.db] got update: "/mapped-ip/10.137.0.20/visible-gateway" = "10.137.0.23" + 2022-08-13 14:55:38 -00:00: INF [qubes.rexec] client connected, using protocol version 3 + 2022-08-13 14:55:38 -00:00: INF [unikernel] QubesDB and qrexec agents connected in 0.041 s + 2022-08-13 14:55:38 -00:00: INF [dao] Got network configuration from QubesDB: + NetVM IP on uplink network: 10.137.0.4 + Our IP on uplink network: 10.137.0.23 + Our IP on client networks: 10.137.0.23 + DNS resolver: 10.139.1.1 + DNS secondary resolver: 10.139.1.2 + 2022-08-13 14:55:38 -00:00: INF [net-xen frontend] connect 0 + 2022-08-13 14:55:38 -00:00: INF [net-xen frontend] create: id=0 domid=1 + 2022-08-13 14:55:38 -00:00: INF [net-xen frontend] sg:true gso_tcpv4:true rx_copy:true rx_flip:false smart_poll:false + 2022-08-13 14:55:38 -00:00: INF [net-xen frontend] MAC: 00:16:3e:5e:6c:00 + 2022-08-13 14:55:38 -00:00: INF [ethernet] Connected Ethernet interface 00:16:3e:5e:6c:00 + 2022-08-13 14:55:38 -00:00: INF [ARP] Sending gratuitous ARP for 10.137.0.23 (00:16:3e:5e:6c:00) + 2022-08-13 14:55:38 -00:00: INF [ARP] Sending gratuitous ARP for 10.137.0.23 (00:16:3e:5e:6c:00) + 2022-08-13 14:55:38 -00:00: INF [udp] UDP layer connected on 10.137.0.23 + 2022-08-13 14:55:38 -00:00: INF [dao] Watching backend/vif + 2022-08-13 14:55:38 -00:00: INF [memory_pressure] Writing meminfo: free 20MiB / 27MiB (72.68 %) + +# Testing if the firewall works + +A unikernel which tests the firewall is available in the `test/` subdirectory. +To use it, run `test.sh` and follow the instructions to set up the test environment. # Security advisories @@ -160,17 +207,7 @@ See [issues tagged "security"](https://github.com/mirage/qubes-mirage-firewall/i # LICENSE -Copyright (c) 2019, Thomas Leonard -All rights reserved. - -Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: - -1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. - -2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. - -THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. -gg +See [LICENSE.md](https://github.com/mirage/qubes-mirage-firewall/blob/main/LICENSE.md) [test-mirage]: https://github.com/talex5/qubes-test-mirage [mirage-qubes]: https://github.com/mirage/mirage-qubes diff --git a/SaltScriptToDownloadAndInstallMirageFirewallInQubes.sls b/SaltScriptToDownloadAndInstallMirageFirewallInQubes.sls new file mode 100644 index 0000000..f9886b9 --- /dev/null +++ b/SaltScriptToDownloadAndInstallMirageFirewallInQubes.sls @@ -0,0 +1,104 @@ +# How to install the superlight mirage-firewall for Qubes OS by using saltstack +# Tested on Qubes v4.1 and mirage v0.8.5 +# After the install, you have to switch your AppVMs to use the mirage firewall vm created by this script e.g. by using "Qubes Global Settings" +# inspired by: https://github.com/one7two99/my-qubes/tree/master/mirage-firewall + +# default template + dispvm template are used. Possible optimization is to use min-dvms +{% set DownloadVMTemplate = salt['cmd.shell']("qubes-prefs default_template") %} +{% set DispVM = salt['cmd.shell']("qubes-prefs default_dispvm") %} + +{% set DownloadVM = "DownloadVmMirage" %} +{% set MirageFW = "sys-mirage-fw" %} +{% set GithubUrl = "https://github.com/mirage/qubes-mirage-firewall" %} +{% set Kernel = "qubes-firewall.xen" %} +{% set Shasum = "qubes-firewall-release.sha256" %} +{% set MirageInstallDir = "/var/lib/qubes/vm-kernels/mirage-firewall" %} + +#download and install the latest version +{% set Release = salt['cmd.shell']("qvm-run --dispvm " ~ DispVM ~ " --pass-io \"curl --silent --location -o /dev/null -w %{url_effective} " ~ GithubUrl ~ "/releases/latest | rev | cut -d \"/\" -f 1 | rev\"") %} + +{% if Release != salt['cmd.shell']("test -e " ~ MirageInstallDir ~ "/version.txt" ~ " || mkdir " ~ MirageInstallDir ~ " ; touch " ~ MirageInstallDir ~ "/version.txt" ~ " ; cat " ~ MirageInstallDir ~ "/version.txt") %} + +create-downloader-VM: + qvm.vm: + - name: {{ DownloadVM }} + - present: + - template: {{ DownloadVMTemplate }} + - label: red + - prefs: + - template: {{ DownloadVMTemplate }} + - include-in-backups: false + +{% set DownloadBinary = GithubUrl ~ "/releases/download/" ~ Release ~ "/" ~ Kernel %} +{% set DownloadShasum = GithubUrl ~ "/releases/download/" ~ Release ~ "/" ~ Shasum %} + +download-and-unpack-in-DownloadVM4mirage: + cmd.run: + - names: + - qvm-run --pass-io {{ DownloadVM }} {{ "curl -L -O " ~ DownloadBinary }} + - qvm-run --pass-io {{ DownloadVM }} {{ "curl -L -O " ~ DownloadShasum }} + - require: + - create-downloader-VM + + +check-checksum-in-DownloadVM: + cmd.run: + - names: + - qvm-run --pass-io {{ DownloadVM }} {{ "\"echo \\\"Checksum of release on github:\\\";cat " ~ Shasum ~ " | cut -d\' \' -f1\"" }} + - qvm-run --pass-io {{ DownloadVM }} {{ "\"echo \\\"Checksum of downloaded local file:\\\";sha256sum " ~ Kernel ~ " | cut -d\' \' -f1\"" }} + - qvm-run --pass-io {{ DownloadVM }} {{ "\"diff <(cat " ~ Shasum ~ " | cut -d\' \' -f1) <(sha256sum " ~ Kernel ~ " | cut -d\' \' -f1) && echo \\\"Checksums DO match.\\\" || (echo \\\"Checksums do NOT match.\\\";exit 101)\"" }} + - require: + - download-and-unpack-in-DownloadVM4mirage + +copy-mirage-kernel-to-dom0: + cmd.run: + - name: mkdir -p {{ MirageInstallDir }}; qvm-run --pass-io --no-gui {{ DownloadVM }} {{ "cat " ~ Kernel }} > {{ MirageInstallDir ~ "/vmlinuz" }} + - require: + - download-and-unpack-in-DownloadVM4mirage + - check-checksum-in-DownloadVM + +update-version: + cmd.run: + - names: + - echo {{ Release }} > {{ MirageInstallDir ~ "/version.txt" }} + - require: + - copy-mirage-kernel-to-dom0 + +create-sys-mirage-fw: + qvm.vm: + - name: {{ MirageFW }} + - present: + - class: StandaloneVM + - label: black + - prefs: + - kernel: mirage-firewall + - kernelopts: + - include-in-backups: False + - memory: 32 + - maxmem: 32 + - netvm: sys-net + - provides-network: True + - vcpus: 1 + - virt-mode: pvh + - features: + - enable: + - qubes-firewall + - no-default-kernelopts + - require: + - copy-mirage-kernel-to-dom0 + + +cleanup-in-DownloadVM: + cmd.run: + - names: + - qvm-run -a --pass-io --no-gui {{ DownloadVM }} "{{ "rm " ~ Kernel ~ " " ~ Shasum }}" + - require: + - update-version + +remove-DownloadVM4mirage: + qvm.absent: + - name: {{ DownloadVM }} + - require: + - cleanup-in-DownloadVM + +{% endif %} diff --git a/_tags b/_tags deleted file mode 100644 index 7441bd2..0000000 --- a/_tags +++ /dev/null @@ -1,2 +0,0 @@ -not : warn(A-4), strict_sequence -: package(cstruct.syntax) diff --git a/build-with-docker.sh b/build-with-docker.sh deleted file mode 100755 index 701c686..0000000 --- a/build-with-docker.sh +++ /dev/null @@ -1,9 +0,0 @@ -#!/bin/sh -set -eu -echo Building Docker image with dependencies.. -docker build -t qubes-mirage-firewall . -echo Building Firewall... -docker run --rm -i -v `pwd`:/home/opam/qubes-mirage-firewall qubes-mirage-firewall -echo "SHA2 of build: $(sha256sum qubes_firewall.xen)" -echo "SHA2 last known: 5ee982b12fb3964e7d9e32ca74ce377ec068b3bbef2b6c86c131f8bb422a3134" -echo "(hashes should match for released versions)" diff --git a/build-with.sh b/build-with.sh new file mode 100755 index 0000000..728ab1f --- /dev/null +++ b/build-with.sh @@ -0,0 +1,25 @@ +#!/bin/sh +set -eu + +if [[ $# -ne 1 ]] ; then + echo "Usage: build-with.sh { docker | podman }" + exit 1 +fi + +builder=$1 +case $builder in + docker|podman) + ;; + *) + echo "You should use either docker or podman for building" + exit 2 +esac + +echo Building $builder image with dependencies.. +$builder build -t qubes-mirage-firewall . +echo Building Firewall... +$builder run --rm -i -v `pwd`:/tmp/orb-build:Z qubes-mirage-firewall +echo "SHA2 of build: $(sha256sum ./dist/qubes-firewall.xen | cut -d' ' -f1)" +echo "SHA2 current head: $(cat qubes-firewall.sha256 | cut -d' ' -f1)" +echo "SHA2 last release: $(cat qubes-firewall-release.sha256 | cut -d' ' -f1)" +echo "(hashes should match for head versions)" diff --git a/cleanup.ml b/cleanup.ml index cbe9ebc..ecd3c78 100644 --- a/cleanup.ml +++ b/cleanup.ml @@ -4,9 +4,7 @@ type t = (unit -> unit) list ref let create () = ref [] - -let on_cleanup t fn = - t := fn :: !t +let on_cleanup t fn = t := fn :: !t let cleanup t = let tasks = !t in diff --git a/cleanup.mli b/cleanup.mli index d43661b..1358c07 100644 --- a/cleanup.mli +++ b/cleanup.mli @@ -1,8 +1,8 @@ (* Copyright (C) 2015, Thomas Leonard See the README file for details. *) -(** Register actions to take when a resource is finished. - Like [Lwt_switch], but synchronous. *) +(** Register actions to take when a resource is finished. Like [Lwt_switch], but + synchronous. *) type t diff --git a/client_eth.ml b/client_eth.ml index 3aa3a8a..bd9d931 100644 --- a/client_eth.ml +++ b/client_eth.ml @@ -4,109 +4,117 @@ open Fw_utils open Lwt.Infix -let src = Logs.Src.create "client_eth" ~doc:"Ethernet networks for NetVM clients" +let src = + Logs.Src.create "client_eth" ~doc:"Ethernet networks for NetVM clients" + module Log = (val Logs.src_log src : Logs.LOG) type t = { - mutable iface_of_ip : client_link IpMap.t; - changed : unit Lwt_condition.t; (* Fires when [iface_of_ip] changes. *) - client_gw : Ipaddr.V4.t; (* The IP that clients are given as their default gateway. *) + mutable iface_of_ip : client_link Ipaddr.V4.Map.t; + changed : unit Lwt_condition.t; (* Fires when [iface_of_ip] changes. *) + my_ip : Ipaddr.V4.t; + (* The IP that clients are given as their default gateway. *) } -type host = - [ `Client of client_link - | `Firewall - | `External of Ipaddr.t ] +type host = [ `Client of client_link | `Firewall | `External of Ipaddr.t ] -let create ~client_gw = +let create config = let changed = Lwt_condition.create () in - { iface_of_ip = IpMap.empty; client_gw; changed } + let my_ip = config.Dao.our_ip in + Lwt.return { iface_of_ip = Ipaddr.V4.Map.empty; my_ip; changed } -let client_gw t = t.client_gw +let client_gw t = t.my_ip let add_client t iface = let ip = iface#other_ip in let rec aux () = - match IpMap.find ip t.iface_of_ip with + match Ipaddr.V4.Map.find_opt ip t.iface_of_ip with | Some old -> - (* Wait for old client to disappear before adding one with the same IP address. + (* Wait for old client to disappear before adding one with the same IP address. Otherwise, its [remove_client] call will remove the new client instead. *) - Log.info (fun f -> f ~header:iface#log_header "Waiting for old client %s to go away before accepting new one" old#log_header); - Lwt_condition.wait t.changed >>= aux + Log.info (fun f -> + f ~header:iface#log_header + "Waiting for old client %s to go away before accepting new one" + old#log_header); + Lwt_condition.wait t.changed >>= aux | None -> - t.iface_of_ip <- t.iface_of_ip |> IpMap.add ip iface; - Lwt_condition.broadcast t.changed (); - Lwt.return_unit + t.iface_of_ip <- t.iface_of_ip |> Ipaddr.V4.Map.add ip iface; + Lwt_condition.broadcast t.changed (); + Lwt.return_unit in aux () let remove_client t iface = let ip = iface#other_ip in - assert (IpMap.mem ip t.iface_of_ip); - t.iface_of_ip <- t.iface_of_ip |> IpMap.remove ip; + assert (Ipaddr.V4.Map.mem ip t.iface_of_ip); + t.iface_of_ip <- t.iface_of_ip |> Ipaddr.V4.Map.remove ip; Lwt_condition.broadcast t.changed () -let lookup t ip = IpMap.find ip t.iface_of_ip +let lookup t ip = Ipaddr.V4.Map.find_opt ip t.iface_of_ip let classify t ip = match ip with | Ipaddr.V6 _ -> `External ip - | Ipaddr.V4 ip4 -> - if ip4 = t.client_gw then `Firewall - else match lookup t ip4 with - | Some client_link -> `Client client_link - | None -> `External ip + | Ipaddr.V4 ip4 -> ( + if ip4 = t.my_ip then `Firewall + else + match lookup t ip4 with + | Some client_link -> `Client client_link + | None -> `External ip) let resolve t : host -> Ipaddr.t = function | `Client client_link -> Ipaddr.V4 client_link#other_ip - | `Firewall -> Ipaddr.V4 t.client_gw + | `Firewall -> Ipaddr.V4 t.my_ip | `External addr -> addr module ARP = struct - type arp = { - net : t; - client_link : client_link; - } + type arp = { net : t; client_link : client_link } let lookup t ip = - if ip = t.net.client_gw then Some t.client_link#my_mac - else if (Ipaddr.V4.to_bytes ip).[3] = '\x01' then ( - Log.info (fun f -> f ~header:t.client_link#log_header - "Request for %a is invalid, but pretending it's me (see Qubes issue #5022)" Ipaddr.V4.pp ip); - Some t.client_link#my_mac - ) else None + if ip = t.net.my_ip then Some t.client_link#my_mac + else if (Ipaddr.V4.to_octets ip).[3] = '\x01' then ( + Log.info (fun f -> + f ~header:t.client_link#log_header + "Request for %a is invalid, but pretending it's me (see Qubes \ + issue #5022)" + Ipaddr.V4.pp ip); + Some t.client_link#my_mac) + else None (* We're now treating client networks as point-to-point links, so we no longer respond on behalf of other clients. *) - (* - else match IpMap.find ip t.net.iface_of_ip with + (* + else match Ipaddr.V4.Map.find_opt ip t.net.iface_of_ip with | Some client_iface -> Some client_iface#other_mac | None -> None *) - let create ~net client_link = {net; client_link} + let create ~net client_link = { net; client_link } let input_query t arp = let req_ipv4 = arp.Arp_packet.target_ip in let pf (f : ?header:string -> ?tags:_ -> _) fmt = - f ~header:t.client_link#log_header ("who-has %a? " ^^ fmt) Ipaddr.V4.pp req_ipv4 + f ~header:t.client_link#log_header ("who-has %a? " ^^ fmt) Ipaddr.V4.pp + req_ipv4 in if req_ipv4 = t.client_link#other_ip then ( Log.info (fun f -> pf f "ignoring request for client's own IP"); - None - ) else match lookup t req_ipv4 with + None) + else + match lookup t req_ipv4 with | None -> - Log.info (fun f -> pf f "unknown address; not responding"); - None + Log.info (fun f -> pf f "unknown address; not responding"); + None | Some req_mac -> - Log.info (fun f -> pf f "responding with %a" Macaddr.pp req_mac); - Some { Arp_packet. - operation = Arp_packet.Reply; - (* The Target Hardware Address and IP are copied from the request *) - target_ip = arp.Arp_packet.source_ip; - target_mac = arp.Arp_packet.source_mac; - source_ip = req_ipv4; - source_mac = req_mac; - } + Log.info (fun f -> pf f "responding with %a" Macaddr.pp req_mac); + Some + { + Arp_packet.operation = Arp_packet.Reply; + (* The Target Hardware Address and IP are copied from the request *) + target_ip = arp.Arp_packet.source_ip; + target_mac = arp.Arp_packet.source_mac; + source_ip = req_ipv4; + source_mac = req_mac; + } let input_gratuitous t arp = let source_ip = arp.Arp_packet.source_ip in @@ -114,18 +122,28 @@ module ARP = struct let header = t.client_link#log_header in match lookup t source_ip with | Some real_mac when Macaddr.compare source_mac real_mac = 0 -> - Log.info (fun f -> f ~header "client suggests updating %s -> %s (as expected)" - (Ipaddr.V4.to_string source_ip) (Macaddr.to_string source_mac)); + Log.info (fun f -> + f ~header "client suggests updating %s -> %s (as expected)" + (Ipaddr.V4.to_string source_ip) + (Macaddr.to_string source_mac)) | Some other_mac -> - Log.warn (fun f -> f ~header "client suggests incorrect update %s -> %s (should be %s)" - (Ipaddr.V4.to_string source_ip) (Macaddr.to_string source_mac) (Macaddr.to_string other_mac)); + Log.warn (fun f -> + f ~header "client suggests incorrect update %s -> %s (should be %s)" + (Ipaddr.V4.to_string source_ip) + (Macaddr.to_string source_mac) + (Macaddr.to_string other_mac)) | None -> - Log.warn (fun f -> f ~header "client suggests incorrect update %s -> %s (unexpected IP)" - (Ipaddr.V4.to_string source_ip) (Macaddr.to_string source_mac)) + Log.warn (fun f -> + f ~header + "client suggests incorrect update %s -> %s (unexpected IP)" + (Ipaddr.V4.to_string source_ip) + (Macaddr.to_string source_mac)) let input t arp = let op = arp.Arp_packet.operation in match op with | Arp_packet.Request -> input_query t arp - | Arp_packet.Reply -> input_gratuitous t arp; None + | Arp_packet.Reply -> + input_gratuitous t arp; + None end diff --git a/client_eth.mli b/client_eth.mli index 2bbb672..d7ecb55 100644 --- a/client_eth.mli +++ b/client_eth.mli @@ -1,34 +1,32 @@ (* Copyright (C) 2016, Thomas Leonard See the README file for details. *) -(** The ethernet networks connecting us to our client AppVMs. - Note: each AppVM is on a point-to-point link, each link being considered to be a separate Ethernet network. *) +(** The ethernet networks connecting us to our client AppVMs. Note: each AppVM + is on a point-to-point link, each link being considered to be a separate + Ethernet network. *) open Fw_utils type t (** A collection of clients. *) -type host = - [ `Client of client_link - | `Firewall - | `External of Ipaddr.t ] +type host = [ `Client of client_link | `Firewall | `External of Ipaddr.t ] (* Note: Qubes does not allow us to distinguish between an external address and a disconnected client. See: https://github.com/talex5/qubes-mirage-firewall/issues/9#issuecomment-246956850 *) -val create : client_gw:Ipaddr.V4.t -> t -(** [create ~client_gw] is a network of client machines. - Qubes will have configured the client machines to use [client_gw] as their default gateway. *) +val create : Dao.network_config -> t Lwt.t +(** [create ~client_gw] is a network of client machines. Qubes will have + configured the client machines to use [client_gw] as their default gateway. +*) val add_client : t -> client_link -> unit Lwt.t -(** [add_client t client] registers a new client. If a client with this IP address is already registered, - it waits for [remove_client] to be called on that before adding the new client and returning. *) +(** [add_client t client] registers a new client. If a client with this IP + address is already registered, it waits for [remove_client] to be called on + that before adding the new client and returning. *) val remove_client : t -> client_link -> unit - val client_gw : t -> Ipaddr.V4.t - val classify : t -> Ipaddr.t -> host val resolve : t -> host -> Ipaddr.t @@ -36,18 +34,18 @@ val lookup : t -> Ipaddr.V4.t -> client_link option (** [lookup t addr] is the client with IP address [addr], if connected. *) module ARP : sig - (** We already know the correct mapping of IP addresses to MAC addresses, so we never - allow clients to update it. We log a warning if a client attempts to set incorrect - information. *) + (** We already know the correct mapping of IP addresses to MAC addresses, so + we never allow clients to update it. We log a warning if a client attempts + to set incorrect information. *) type arp (** An ARP-responder for one client. *) val create : net:t -> client_link -> arp - (** [create ~net client_link] is an ARP responder for [client_link]. - It answers only for the client's gateway address. *) + (** [create ~net client_link] is an ARP responder for [client_link]. It + answers only for the client's gateway address. *) val input : arp -> Arp_packet.t -> Arp_packet.t option - (** Process one ethernet frame containing an ARP message. - Returns a response frame, if one is needed. *) + (** Process one ethernet frame containing an ARP message. Returns a response + frame, if one is needed. *) end diff --git a/client_net.ml b/client_net.ml deleted file mode 100644 index 68fe6d3..0000000 --- a/client_net.ml +++ /dev/null @@ -1,136 +0,0 @@ -(* Copyright (C) 2015, Thomas Leonard - See the README file for details. *) - -open Lwt.Infix -open Fw_utils - -module Netback = Netchannel.Backend.Make(Netchannel.Xenstore.Make(OS.Xs)) -module ClientEth = Ethernet.Make(Netback) - -let src = Logs.Src.create "client_net" ~doc:"Client networking" -module Log = (val Logs.src_log src : Logs.LOG) - -let writev eth dst proto fillfn = - Lwt.catch - (fun () -> - ClientEth.write eth dst proto fillfn >|= function - | Ok () -> () - | Error e -> - Log.err (fun f -> f "error trying to send to client: @[%a@]" - ClientEth.pp_error e); - ) - (fun ex -> - (* Usually Netback_shutdown, because the client disconnected *) - Log.err (fun f -> f "uncaught exception trying to send to client: @[%s@]" - (Printexc.to_string ex)); - Lwt.return () - ) - -class client_iface eth ~domid ~gateway_ip ~client_ip client_mac : client_link = - let log_header = Fmt.strf "dom%d:%a" domid Ipaddr.V4.pp client_ip in - object - val queue = FrameQ.create (Ipaddr.V4.to_string client_ip) - method my_mac = ClientEth.mac eth - method other_mac = client_mac - method my_ip = gateway_ip - method other_ip = client_ip - method writev proto fillfn = - FrameQ.send queue (fun () -> - writev eth client_mac proto fillfn - ) - method log_header = log_header - end - -let clients : Cleanup.t Dao.VifMap.t ref = ref Dao.VifMap.empty - -(** Handle an ARP message from the client. *) -let input_arp ~fixed_arp ~iface request = - match Arp_packet.decode request with - | Error e -> - Log.warn (fun f -> f "Ignored unknown ARP message: %a" Arp_packet.pp_error e); - Lwt.return () - | Ok arp -> - match Client_eth.ARP.input fixed_arp arp with - | None -> return () - | Some response -> - iface#writev `ARP (fun b -> Arp_packet.encode_into response b; Arp_packet.size) - -(** Handle an IPv4 packet from the client. *) -let input_ipv4 ~iface ~router packet = - match Nat_packet.of_ipv4_packet packet with - | Error e -> - Log.warn (fun f -> f "Ignored unknown IPv4 message: %a" Nat_packet.pp_error e); - Lwt.return () - | Ok packet -> - let `IPv4 (ip, _) = packet in - let src = ip.Ipv4_packet.src in - if src = iface#other_ip then Firewall.ipv4_from_client router ~src:iface packet - else ( - Log.warn (fun f -> f "Incorrect source IP %a in IP packet from %a (dropping)" - Ipaddr.V4.pp src Ipaddr.V4.pp iface#other_ip); - return () - ) - -(** Connect to a new client's interface and listen for incoming frames. *) -let add_vif { Dao.ClientVif.domid; device_id } ~client_ip ~router ~cleanup_tasks = - Netback.make ~domid ~device_id >>= fun backend -> - Log.info (fun f -> f "Client %d (IP: %s) ready" domid (Ipaddr.V4.to_string client_ip)); - ClientEth.connect backend >>= fun eth -> - let client_mac = Netback.frontend_mac backend in - let client_eth = router.Router.client_eth in - let gateway_ip = Client_eth.client_gw client_eth in - let iface = new client_iface eth ~domid ~gateway_ip ~client_ip client_mac in - Router.add_client router iface >>= fun () -> - Cleanup.on_cleanup cleanup_tasks (fun () -> Router.remove_client router iface); - let fixed_arp = Client_eth.ARP.create ~net:client_eth iface in - Netback.listen backend ~header_size:Ethernet_wire.sizeof_ethernet (fun frame -> - match Ethernet_packet.Unmarshal.of_cstruct frame with - | exception ex -> - Log.err (fun f -> f "Error unmarshalling ethernet frame from client: %s@.%a" (Printexc.to_string ex) - Cstruct.hexdump_pp frame - ); - Lwt.return_unit - | Error err -> Log.warn (fun f -> f "Invalid Ethernet frame: %s" err); return () - | Ok (eth, payload) -> - match eth.Ethernet_packet.ethertype with - | `ARP -> input_arp ~fixed_arp ~iface payload - | `IPv4 -> input_ipv4 ~iface ~router payload - | `IPv6 -> return () (* TODO: oh no! *) - ) - >|= or_raise "Listen on client interface" Netback.pp_error - -(** A new client VM has been found in XenStore. Find its interface and connect to it. *) -let add_client ~router vif client_ip = - let cleanup_tasks = Cleanup.create () in - Log.info (fun f -> f "add client vif %a with IP %a" Dao.ClientVif.pp vif Ipaddr.V4.pp client_ip); - Lwt.async (fun () -> - Lwt.catch (fun () -> - add_vif vif ~client_ip ~router ~cleanup_tasks - ) - (fun ex -> - Log.warn (fun f -> f "Error with client %a: %s" - Dao.ClientVif.pp vif (Printexc.to_string ex)); - return () - ) - ); - cleanup_tasks - -(** Watch XenStore for notifications of new clients. *) -let listen router = - Dao.watch_clients (fun new_set -> - (* Check for removed clients *) - !clients |> Dao.VifMap.iter (fun key cleanup -> - if not (Dao.VifMap.mem key new_set) then ( - clients := !clients |> Dao.VifMap.remove key; - Log.info (fun f -> f "client %a has gone" Dao.ClientVif.pp key); - Cleanup.cleanup cleanup - ) - ); - (* Check for added clients *) - new_set |> Dao.VifMap.iter (fun key ip_addr -> - if not (Dao.VifMap.mem key !clients) then ( - let cleanup = add_client ~router key ip_addr in - clients := !clients |> Dao.VifMap.add key cleanup - ) - ) - ) diff --git a/client_net.mli b/client_net.mli deleted file mode 100644 index 7bc2660..0000000 --- a/client_net.mli +++ /dev/null @@ -1,10 +0,0 @@ -(* Copyright (C) 2015, Thomas Leonard - See the README file for details. *) - -(** Handling client VMs. *) - -val listen : Router.t -> 'a Lwt.t -(** [listen router] is a thread that watches for clients being added to and - removed from XenStore. Clients are connected to the client network and - packets are sent via [router]. We ensure the source IP address is correct - before routing a packet. *) diff --git a/command.ml b/command.ml index da70727..0661bfc 100644 --- a/command.ml +++ b/command.ml @@ -4,24 +4,30 @@ (** Commands we provide via qvm-run. *) open Lwt - module Flow = Qubes.RExec.Flow let src = Logs.Src.create "command" ~doc:"qrexec command handler" + module Log = (val Logs.src_log src : Logs.LOG) let set_date_time flow = Flow.read_line flow >|= function - | `Eof -> Log.warn (fun f -> f "EOF reading time from dom0"); 1 - | `Ok line -> Log.info (fun f -> f "TODO: set time to %S" line); 0 + | `Eof -> + Log.warn (fun f -> f "EOF reading time from dom0"); + 1 + | `Ok line -> + Log.info (fun f -> f "TODO: set time to %S" line); + 0 let handler ~user:_ cmd flow = (* Write a message to the client and return an exit status of 1. *) let error fmt = - fmt |> Printf.ksprintf @@ fun s -> - Log.warn (fun f -> f "<< %s" s); - Flow.ewritef flow "%s [while processing %S]" s cmd >|= fun () -> 1 in + fmt + |> Printf.ksprintf @@ fun s -> + Log.warn (fun f -> f "<< %s" s); + Flow.ewritef flow "%s [while processing %S]" s cmd >|= fun () -> 1 + in match cmd with | "QUBESRPC qubes.SetDateTime dom0" -> set_date_time flow - | "QUBESRPC qubes.WaitForSession none" -> return 0 (* Always ready! *) + | "QUBESRPC qubes.WaitForSession none" -> return 0 (* Always ready! *) | cmd -> error "Unknown command %S" cmd diff --git a/config.ml b/config.ml index 4171927..b663813 100644 --- a/config.ml +++ b/config.ml @@ -1,3 +1,4 @@ +(* mirage >= 4.9.0 & < 4.10.0 *) (* Copyright (C) 2017, Thomas Leonard See the README file for details. *) @@ -5,37 +6,25 @@ open Mirage -let table_size = - let open Functoria_key in - let info = Arg.info - ~doc:"The number of NAT entries to allocate." - ~docv:"ENTRIES" ["nat-table-size"] - in - let key = Arg.opt ~stage:`Both Arg.int 5_000 info in - create "nat_table_size" key - let main = - foreign - ~keys:[Functoria_key.abstract table_size] - ~packages:[ - package "vchan" ~min:"4.0.2"; - package "cstruct"; - package "astring"; - package "tcpip" ~min:"3.7.0"; - package "arp"; - package "arp-mirage"; - package "ethernet"; - package "mirage-protocols"; - package "shared-memory-ring" ~min:"3.0.0"; - package "netchannel" ~min:"1.11.0" ~pin:"git+https://github.com/mirage/mirage-net-xen.git"; - package "mirage-net-xen"; - package "ipaddr" ~min:"3.0.0"; - package "mirage-qubes"; - package "mirage-nat" ~min:"1.2.0"; - package "mirage-logs"; - ] - "Unikernel.Main" (mclock @-> job) + main + ~packages: + [ + package "vchan" ~min:"4.0.2"; + package "cstruct"; + package "tcpip" ~min:"3.7.0"; + package ~min:"2.3.0" ~sublibs:[ "mirage" ] "arp"; + package ~min:"3.0.0" "ethernet"; + package "shared-memory-ring" ~min:"3.0.0"; + package "mirage-net-xen" ~min:"2.1.4"; + package "ipaddr" ~min:"5.2.0"; + package "mirage-qubes" ~min:"0.9.1"; + package ~min:"3.0.1" "mirage-nat"; + package "mirage-logs"; + package "mirage-xen" ~min:"8.0.0"; + package ~min:"6.4.0" "dns-client"; + package "pf-qubes"; + ] + "Unikernel" job -let () = - register "qubes-firewall" [main $ default_monotonic_clock] - ~argv:no_argv +let () = register "qubes-firewall" [ main ] diff --git a/dao.ml b/dao.ml index a68cc64..9219fa6 100644 --- a/dao.ml +++ b/dao.ml @@ -3,114 +3,179 @@ open Lwt.Infix open Qubes -open Fw_utils -open Astring let src = Logs.Src.create "dao" ~doc:"QubesDB data access" + module Log = (val Logs.src_log src : Logs.LOG) module ClientVif = struct - type t = { - domid : int; - device_id : int; - } + type t = { domid : int; device_id : int } - let pp f { domid; device_id } = Fmt.pf f "{domid=%d;device_id=%d}" domid device_id + let pp f { domid; device_id } = + Fmt.pf f "{domid=%d;device_id=%d}" domid device_id let compare = compare end + module VifMap = struct - include Map.Make(ClientVif) + include Map.Make (ClientVif) + let rec of_list = function | [] -> empty | (k, v) :: rest -> add k v (of_list rest) - let find key t = - try Some (find key t) - with Not_found -> None + + let find key t = try Some (find key t) with Not_found -> None end let directory ~handle dir = - OS.Xs.directory handle dir >|= function - | [""] -> [] (* XenStore client bug *) + Xen_os.Xs.directory handle dir >|= function + | [ "" ] -> [] (* XenStore client bug *) | items -> items -let vifs ~handle domid = - match String.to_int domid with - | None -> Log.err (fun f -> f "Invalid domid %S" domid); Lwt.return [] +let db_root client_ip = "/qubes-firewall/" ^ Ipaddr.V4.to_string client_ip + +let read_rules rules client_ip = + let root = db_root client_ip in + let rec get_rule n l : (Pf_qubes.Parse_qubes.rule list, string) result = + let pattern = root ^ "/" ^ Printf.sprintf "%04d" n in + Log.debug (fun f -> f "reading %s" pattern); + match Qubes.DB.KeyMap.find_opt pattern rules with + | None -> + Log.debug (fun f -> f "rule %d does not exist; won't look for more" n); + Ok (List.rev l) + | Some rule -> ( + Log.debug (fun f -> f "rule %d: %s" n rule); + match Pf_qubes.Parse_qubes.parse_qubes ~number:n rule with + | Error e -> + Log.warn (fun f -> f "Error parsing rule %d: %s" n e); + Error e + | Ok rule -> + Log.debug (fun f -> + f "parsed rule: %a" Pf_qubes.Parse_qubes.pp_rule rule); + get_rule (n + 1) (rule :: l)) + in + match get_rule 0 [] with + | Ok l -> l + | Error e -> + Log.warn (fun f -> + f "Defaulting to deny-all because of rule parse failure (%s)" e); + [ + Pf_qubes.Parse_qubes. + { + action = Drop; + proto = None; + specialtarget = None; + dst = `any; + dstports = None; + icmp_type = None; + number = 0; + }; + ] + +let vifs client domid = + let open Lwt.Syntax in + match int_of_string_opt domid with + | None -> + Log.err (fun f -> f "Invalid domid %S" domid); + Lwt.return [] | Some domid -> - let path = Printf.sprintf "backend/vif/%d" domid in - directory ~handle path >>= - Lwt_list.filter_map_p (fun device_id -> - match String.to_int device_id with - | None -> Log.err (fun f -> f "Invalid device ID %S for domid %d" device_id domid); Lwt.return_none - | Some device_id -> - let vif = { ClientVif.domid; device_id } in - Lwt.try_bind - (fun () -> OS.Xs.read handle (Printf.sprintf "%s/%d/ip" path device_id)) - (fun client_ip -> - let client_ip = Ipaddr.V4.of_string_exn client_ip in - Lwt.return (Some (vif, client_ip)) - ) - (function - | Xs_protocol.Enoent _ -> Lwt.return None - | ex -> - Log.err (fun f -> f "Error getting IP address of %a: %s" - ClientVif.pp vif (Printexc.to_string ex)); - Lwt.return None - ) - ) + let path = Fmt.str "backend/vif/%d" domid in + let vifs_of_domain handle = + let* devices = directory ~handle path in + let ip_of_vif device_id = + match int_of_string_opt device_id with + | None -> + Log.err (fun f -> + f "Invalid device ID %S for domid %d" device_id domid); + Lwt.return_none + | Some device_id -> ( + let vif = { ClientVif.domid; device_id } in + let get_client_ip () = + let* str = + Xen_os.Xs.read handle (Fmt.str "%s/%d/ip" path device_id) + in + let client_ip = List.hd (String.split_on_char ' ' str) in + (* NOTE(dinosaure): it's safe to use [List.hd] here, + [String.split_on_char] can not return an empty list. *) + Lwt.return_some (vif, Ipaddr.V4.of_string_exn client_ip) + in + Lwt.catch get_client_ip @@ function + | Xs_protocol.Enoent _ -> Lwt.return_none + | Ipaddr.Parse_error (msg, client_ip) -> + Log.err (fun f -> + f "Error parsing IP address of %a from %s: %s" + ClientVif.pp vif client_ip msg); + Lwt.return_none + | exn -> + Log.err (fun f -> + f "Error getting IP address of %a: %s" ClientVif.pp vif + (Printexc.to_string exn)); + Lwt.return_none) + in + Lwt_list.filter_map_p ip_of_vif devices + in + Xen_os.Xs.immediate client vifs_of_domain let watch_clients fn = - OS.Xs.make () >>= fun xs -> + Xen_os.Xs.make () >>= fun xs -> let backend_vifs = "backend/vif" in Log.info (fun f -> f "Watching %s" backend_vifs); - OS.Xs.wait xs (fun handle -> - begin Lwt.catch - (fun () -> directory ~handle backend_vifs) - (function - | Xs_protocol.Enoent _ -> return [] - | ex -> fail ex) - end >>= fun items -> - Lwt_list.map_p (vifs ~handle) items >>= fun items -> - fn (List.concat items |> VifMap.of_list); - (* Wait for further updates *) - fail Xs_protocol.Eagain - ) + Xen_os.Xs.wait xs (fun handle -> + Lwt.catch + (fun () -> directory ~handle backend_vifs) + (function Xs_protocol.Enoent _ -> Lwt.return [] | ex -> Lwt.fail ex) + >>= fun items -> + Xen_os.Xs.make () >>= fun xs -> + Lwt_list.map_p (vifs xs) items >>= fun items -> + fn (List.concat items |> VifMap.of_list) >>= fun () -> + (* Wait for further updates *) + Lwt.fail Xs_protocol.Eagain) type network_config = { - uplink_netvm_ip : Ipaddr.V4.t; (* The IP address of NetVM (our gateway) *) - uplink_our_ip : Ipaddr.V4.t; (* The IP address of our interface to NetVM *) - - clients_our_ip : Ipaddr.V4.t; (* The IP address of our interface to our client VMs (their gateway) *) + from_cmdline : bool; + (* Specify if we have network configuration from command line or from qubesDB*) + netvm_ip : Ipaddr.V4.t; (* The IP address of NetVM (our gateway) *) + our_ip : Ipaddr.V4.t; (* The IP address of our interface to NetVM *) + dns : Ipaddr.V4.t; + dns2 : Ipaddr.V4.t; } exception Missing_key of string -(* TODO: /qubes-secondary-dns *) let try_read_network_config db = let get name = match DB.KeyMap.find_opt name db with | None -> raise (Missing_key name) - | Some value -> value in - let uplink_our_ip = get "/qubes-ip" |> Ipaddr.V4.of_string_exn in - let uplink_netvm_ip = get "/qubes-gateway" |> Ipaddr.V4.of_string_exn in - let clients_our_ip = get "/qubes-netvm-gateway" |> Ipaddr.V4.of_string_exn in - Log.info (fun f -> f "@[Got network configuration from QubesDB:@,\ - NetVM IP on uplink network: %a@,\ - Our IP on uplink network: %a@,\ - Our IP on client networks: %a@]" - Ipaddr.V4.pp uplink_netvm_ip - Ipaddr.V4.pp uplink_our_ip - Ipaddr.V4.pp clients_our_ip); - { uplink_netvm_ip; uplink_our_ip; clients_our_ip } + | Some value -> Ipaddr.V4.of_string_exn value + in + let our_ip = get "/qubes-ip" in + (* - IP address for this VM (only when VM has netvm set) *) + let netvm_ip = get "/qubes-gateway" in + (* - default gateway IP (only when VM has netvm set); VM should add host route to this address directly via eth0 (or whatever default interface name is) *) + let dns = get "/qubes-primary-dns" in + let dns2 = get "/qubes-secondary-dns" in + { from_cmdline = false; netvm_ip; our_ip; dns; dns2 } let read_network_config qubesDB = let rec aux bindings = try Lwt.return (try_read_network_config bindings) with Missing_key key -> - Log.warn (fun f -> f "QubesDB key %S not (yet) present; waiting for QubesDB to change..." key); + Log.warn (fun f -> + f "QubesDB key %S not (yet) present; waiting for QubesDB to change..." + key); DB.after qubesDB bindings >>= aux in aux (DB.bindings qubesDB) +let print_network_config config = + Log.info (fun f -> + f + "@[Current network configuration (QubesDB or command line):@,\ + NetVM IP on uplink network: %a@,\ + Our IP on client networks: %a@,\ + DNS primary resolver: %a@,\ + DNS secondary resolver: %a@]" + Ipaddr.V4.pp config.netvm_ip Ipaddr.V4.pp config.our_ip Ipaddr.V4.pp + config.dns Ipaddr.V4.pp config.dns2) + let set_iptables_error db = Qubes.DB.write db "/qubes-iptables-error" diff --git a/dao.mli b/dao.mli index b1f56b6..85f8912 100644 --- a/dao.mli +++ b/dao.mli @@ -4,30 +4,43 @@ (** Wrapper for XenStore and QubesDB databases. *) module ClientVif : sig - type t = { - domid : int; - device_id : int; - } + type t = { domid : int; device_id : int } + val pp : t Fmt.t end + module VifMap : sig include Map.S with type key = ClientVif.t + val find : key -> 'a t -> 'a option end -val watch_clients : (Ipaddr.V4.t VifMap.t -> unit) -> 'a Lwt.t -(** [watch_clients fn] calls [fn clients] with the list of backend clients - in XenStore, and again each time XenStore updates. *) +val watch_clients : (Ipaddr.V4.t VifMap.t -> unit Lwt.t) -> 'a Lwt.t +(** [watch_clients fn] calls [fn clients] with the list of backend clients in + XenStore, and again each time XenStore updates. *) type network_config = { - uplink_netvm_ip : Ipaddr.V4.t; (* The IP address of NetVM (our gateway) *) - uplink_our_ip : Ipaddr.V4.t; (* The IP address of our interface to NetVM *) - - clients_our_ip : Ipaddr.V4.t; (* The IP address of our interface to our client VMs (their gateway) *) + from_cmdline : bool; + (* Specify if we have network configuration from command line or from qubesDB*) + netvm_ip : Ipaddr.V4.t; (* The IP address of NetVM (our gateway) *) + our_ip : Ipaddr.V4.t; (* The IP address of our interface to NetVM *) + dns : Ipaddr.V4.t; + dns2 : Ipaddr.V4.t; } val read_network_config : Qubes.DB.t -> network_config Lwt.t -(** [read_network_config db] fetches the configuration from QubesDB. - If it isn't there yet, it waits until it is. *) +(** [read_network_config db] fetches the configuration from QubesDB. If it isn't + there yet, it waits until it is. *) +val db_root : Ipaddr.V4.t -> string +(** Returns the root path of the firewall rules in the QubesDB for a given IP + address. *) + +val read_rules : + string Qubes.DB.KeyMap.t -> Ipaddr.V4.t -> Pf_qubes.Parse_qubes.rule list +(** [read_rules bindings ip] extracts firewall rule information for [ip] from + [bindings]. If any rules fail to parse, it will return only one rule denying + all traffic. *) + +val print_network_config : network_config -> unit val set_iptables_error : Qubes.DB.t -> string -> unit Lwt.t diff --git a/diagrams/components.svg b/diagrams/components.svg index 1e996b1..2d69f9d 100644 --- a/diagrams/components.svg +++ b/diagrams/components.svg @@ -1,149 +1,199 @@ - + - - - - - - - - - - - - - - - - + + + + + + + - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + - - + + - - - + + + + + - - - - - - - -l -y -s -t -k -r -u -l -n -_ -r -i -e -l -o -n -k -n -o -o -e -e -e -l -s -t -( -f -p -i -i -o -w -t -u -n -- -a -o -X -S -r -m -u -c -r -] -e -r -i -n -s -t -e -k -s -w -e -. -n -e -l -r -s -e -s -r + + + + + + + + + +r +e +n +k +e +t +t +w +o +w +e +c +n +n +o +S +( +n +t +0 +] +n +m +. +B +k +t l -[ -. -p -n -t -o -o -c -h -. -c -t -m +k +i +e +r +c +s +b +i +d +e +n +t +h +b +l +k +- +f +a +e +n +s +i +s +r +. +e +o +o +u +n +c +a +l +o +) +- +i +l +r +e +m +i +s +r +e +l +D +c +[ +n +s +o +f +- +- +l +o +r +t +c +_ +i +m +u +Q +t +e +a +h +. +t +p +l +n +r +e +p +s +n +n +y +X +e +u +s +e +t +h +o +u +a +t +r +r a -e -r -d -0 -) +o +t +- +e +f diff --git a/diagrams/components.txt b/diagrams/components.txt index 62e4f9e..8b7efbf 100644 --- a/diagrams/components.txt +++ b/diagrams/components.txt @@ -1,6 +1,12 @@ - +----------+ - | rules | - +----------+ + +--------------------+ + | rules from QubesDB | + +--------------------+ + ^ + if-not-in-nat | then check + | + +-----------+ + | nat-table | + +-----------+ ^ |checks | diff --git a/dispatcher.ml b/dispatcher.ml new file mode 100644 index 0000000..9d67f88 --- /dev/null +++ b/dispatcher.ml @@ -0,0 +1,635 @@ +open Lwt.Infix +open Fw_utils +module Netback = Backend.Make (Xenstore.Make (Xen_os.Xs)) +module ClientEth = Ethernet.Make (Netback) +module UplinkEth = Ethernet.Make (Netif) + +let src = Logs.Src.create "dispatcher" ~doc:"Networking dispatch" + +module Log = (val Logs.src_log src : Logs.LOG) +module Arp = Arp.Make (UplinkEth) +module I = Static_ipv4.Make (UplinkEth) (Arp) +module U = Udp.Make (I) + +class client_iface eth ~domid ~gateway_ip ~client_ip client_mac : client_link = + let log_header = Fmt.str "dom%d:%a" domid Ipaddr.V4.pp client_ip in + object + val mutable rules = [] + method get_rules = rules + method set_rules new_db = rules <- Dao.read_rules new_db client_ip + method my_mac = ClientEth.mac eth + method other_mac = client_mac + method my_ip = gateway_ip + method other_ip = client_ip + + method writev proto fillfn = + Lwt.catch + (fun () -> + ClientEth.write eth client_mac proto fillfn >|= function + | Ok () -> () + | Error e -> + Log.err (fun f -> + f "error trying to send to client: @[%a@]" ClientEth.pp_error + e)) + (fun ex -> + (* Usually Netback_shutdown, because the client disconnected *) + Log.err (fun f -> + f "uncaught exception trying to send to client: @[%s@]" + (Printexc.to_string ex)); + Lwt.return_unit) + + method log_header = log_header + end + +class netvm_iface eth mac ~my_ip ~other_ip : interface = + object + method my_mac = UplinkEth.mac eth + method my_ip = my_ip + method other_ip = other_ip + + method writev ethertype fillfn = + Lwt.catch + (fun () -> + mac >>= fun dst -> + UplinkEth.write eth dst ethertype fillfn + >|= or_raise "Write to uplink" UplinkEth.pp_error) + (fun ex -> + Log.err (fun f -> + f "uncaught exception trying to send to uplink: @[%s@]" + (Printexc.to_string ex)); + Lwt.return_unit) + end + +type uplink = { + net : Netif.t; + eth : UplinkEth.t; + arp : Arp.t; + interface : interface; + mutable fragments : Fragments.Cache.t; + ip : I.t; + udp : U.t; +} + +type t = { + uplink_connected : unit Lwt_condition.t; + uplink_disconnect : unit Lwt_condition.t; + uplink_disconnected : unit Lwt_condition.t; + mutable config : Dao.network_config; + clients : Client_eth.t; + nat : My_nat.t; + mutable uplink : uplink option; +} + +let create ~config ~clients ~nat ~uplink = + { + uplink_connected = Lwt_condition.create (); + uplink_disconnect = Lwt_condition.create (); + uplink_disconnected = Lwt_condition.create (); + config; + clients; + nat; + uplink; + } + +let update t ~config ~uplink = + t.config <- config; + t.uplink <- uplink; + Lwt.return_unit + +let target t buf = + let dst_ip = buf.Ipv4_packet.dst in + match Client_eth.lookup t.clients dst_ip with + | Some client_link -> Some (client_link :> interface) + | None -> ( + (* if dest is not a client, transfer it to our uplink *) + match t.uplink with + | None -> ( + match Client_eth.lookup t.clients t.config.netvm_ip with + | Some uplink -> Some (uplink :> interface) + | None -> + Log.err (fun f -> + f + "We have a command line configuration %a but it's \ + currently not connected to us (please check its netvm \ + property)...%!" + Ipaddr.V4.pp t.config.netvm_ip); + None) + | Some uplink -> Some uplink.interface) + +let add_client t = Client_eth.add_client t.clients +let remove_client t = Client_eth.remove_client t.clients + +let classify t ip = + if ip = Ipaddr.V4 t.config.our_ip then `Firewall + else if ip = Ipaddr.V4 t.config.netvm_ip then `NetVM + else (Client_eth.classify t.clients ip :> Packet.host) + +let resolve t = function + | `Firewall -> Ipaddr.V4 t.config.our_ip + | `NetVM -> Ipaddr.V4 t.config.netvm_ip + | #Client_eth.host as host -> Client_eth.resolve t.clients host + +(* Transmission *) + +let transmit_ipv4 packet iface = + Lwt.catch + (fun () -> + let fragments = ref [] in + iface#writev `IPv4 (fun b -> + match Nat_packet.into_cstruct packet b with + | Error e -> + Log.warn (fun f -> + f "Failed to write packet to %a: %a" Ipaddr.V4.pp + iface#other_ip Nat_packet.pp_error e); + 0 + | Ok (n, frags) -> + fragments := frags; + n) + >>= fun () -> + Lwt_list.iter_s + (fun f -> + let size = Cstruct.length f in + iface#writev `IPv4 (fun b -> + Cstruct.blit f 0 b 0 size; + size)) + !fragments) + (fun ex -> + Log.warn (fun f -> + f "Failed to write packet to %a: %s" Ipaddr.V4.pp iface#other_ip + (Printexc.to_string ex)); + Lwt.return_unit) + +let forward_ipv4 t packet = + let (`IPv4 (ip, _)) = packet in + Lwt.catch + (fun () -> + match target t ip with + | Some iface -> transmit_ipv4 packet iface + | None -> Lwt.return_unit) + (fun ex -> + let dst_ip = ip.Ipv4_packet.dst in + Log.warn (fun f -> + f "Failed to lookup for target %a: %s" Ipaddr.V4.pp dst_ip + (Printexc.to_string ex)); + Lwt.return_unit) + +(* NAT *) + +let translate t packet = My_nat.translate t.nat packet + +(* Add a NAT rule for the endpoints in this frame, via a random port on the firewall. *) +let add_nat_and_forward_ipv4 t packet = + let xl_host = t.config.our_ip in + match My_nat.add_nat_rule_and_translate t.nat ~xl_host `NAT packet with + | Ok packet -> forward_ipv4 t packet + | Error e -> + Log.warn (fun f -> + f "Failed to add NAT rewrite rule: %s (%a)" e Nat_packet.pp packet); + Lwt.return_unit + +(* Add a NAT rule to redirect this conversation to [host:port] instead of us. *) +let nat_to t ~host ~port packet = + match resolve t host with + | Ipaddr.V6 _ -> + Log.warn (fun f -> f "Cannot NAT with IPv6"); + Lwt.return_unit + | Ipaddr.V4 target -> ( + let xl_host = t.config.our_ip in + match + My_nat.add_nat_rule_and_translate t.nat ~xl_host + (`Redirect (target, port)) + packet + with + | Ok packet -> forward_ipv4 t packet + | Error e -> + Log.warn (fun f -> + f "Failed to add NAT redirect rule: %s (%a)" e Nat_packet.pp + packet); + Lwt.return_unit) + +let apply_rules t (rules : ('a, 'b) Packet.t -> Packet.action Lwt.t) ~dst + (annotated_packet : ('a, 'b) Packet.t) : unit Lwt.t = + let packet = Packet.to_mirage_nat_packet annotated_packet in + rules annotated_packet >>= fun action -> + match (action, dst) with + | `Accept, `Client client_link -> transmit_ipv4 packet client_link + | `Accept, (`External _ | `NetVM) -> ( + match t.uplink with + | Some uplink -> transmit_ipv4 packet uplink.interface + | None -> ( + match Client_eth.lookup t.clients t.config.netvm_ip with + | Some iface -> transmit_ipv4 packet iface + | None -> + Log.warn (fun f -> + f "No output interface for %a : drop" Nat_packet.pp packet); + Lwt.return_unit)) + | `Accept, `Firewall -> + Log.warn (fun f -> + f "Bad rule: firewall can't accept packets %a" Nat_packet.pp packet); + Lwt.return_unit + | `NAT, _ -> + Log.debug (fun f -> f "adding NAT rule for %a" Nat_packet.pp packet); + add_nat_and_forward_ipv4 t packet + | `NAT_to (host, port), _ -> nat_to t packet ~host ~port + | `Drop reason, _ -> + Log.debug (fun f -> + f "Dropped packet (%s) %a" reason Nat_packet.pp packet); + Lwt.return_unit + +let ipv4_from_netvm t packet = + match Memory_pressure.status () with + | `Memory_critical -> Lwt.return_unit + | `Ok -> ( + let (`IPv4 (ip, _transport)) = packet in + let src = classify t (Ipaddr.V4 ip.Ipv4_packet.src) in + let dst = classify t (Ipaddr.V4 ip.Ipv4_packet.dst) in + match Packet.of_mirage_nat_packet ~src ~dst packet with + | None -> Lwt.return_unit + | Some _ -> ( + match src with + | `Client _ | `Firewall -> + Log.warn (fun f -> + f "Frame from NetVM has internal source IP address! %a" + Nat_packet.pp packet); + Lwt.return_unit + | (`External _ | `NetVM) as src -> ( + match translate t packet with + | Some frame -> forward_ipv4 t frame + | None -> ( + match Packet.of_mirage_nat_packet ~src ~dst packet with + | None -> Lwt.return_unit + | Some packet -> apply_rules t Rules.from_netvm ~dst packet))) + ) + +let ipv4_from_client resolver dns_servers t ~src packet = + match Memory_pressure.status () with + | `Memory_critical -> Lwt.return_unit + | `Ok -> ( + (* Check for existing NAT entry for this packet *) + match translate t packet with + | Some frame -> + forward_ipv4 t frame (* Some existing connection or redirect *) + | None -> ( + (* No existing NAT entry. Check the firewall rules. *) + let (`IPv4 (ip, _transport)) = packet in + match classify t (Ipaddr.V4 ip.Ipv4_packet.src) with + | `Client _ | `Firewall -> ( + let dst = classify t (Ipaddr.V4 ip.Ipv4_packet.dst) in + match + Packet.of_mirage_nat_packet ~src:(`Client src) ~dst packet + with + | None -> Lwt.return_unit + | Some firewall_packet -> + apply_rules t + (Rules.from_client resolver dns_servers) + ~dst firewall_packet) + | `NetVM -> ipv4_from_netvm t packet + | `External _ -> + Log.warn (fun f -> + f "Frame from Inside has external source IP address! %a" + Nat_packet.pp packet); + Lwt.return_unit)) + +(** Handle an ARP message from the client. *) +let client_handle_arp ~fixed_arp ~iface request = + match Arp_packet.decode request with + | Error e -> + Log.warn (fun f -> + f "Ignored unknown ARP message: %a" Arp_packet.pp_error e); + Lwt.return_unit + | Ok arp -> ( + match Client_eth.ARP.input fixed_arp arp with + | None -> Lwt.return_unit + | Some response -> + Lwt.catch + (fun () -> + iface#writev `ARP (fun b -> + Arp_packet.encode_into response b; + Arp_packet.size)) + (fun ex -> + Log.warn (fun f -> + f "Failed to write APR to %a: %s" Ipaddr.V4.pp iface#other_ip + (Printexc.to_string ex)); + Lwt.return_unit)) + +(** Handle an IPv4 packet from the client. *) +let client_handle_ipv4 get_ts cache ~iface ~router dns_client dns_servers packet + = + let cache', r = Nat_packet.of_ipv4_packet !cache ~now:(get_ts ()) packet in + cache := cache'; + match r with + | Error e -> + Log.warn (fun f -> + f "Ignored unknown IPv4 message: %a" Nat_packet.pp_error e); + Lwt.return_unit + | Ok None -> Lwt.return_unit + | Ok (Some packet) -> + let (`IPv4 (ip, _)) = packet in + let src = ip.Ipv4_packet.src in + if src = iface#other_ip then + ipv4_from_client dns_client dns_servers router ~src:iface packet + else if iface#other_ip = router.config.netvm_ip then + (* This can occurs when used with *BSD as netvm (and a gateway is set) *) + ipv4_from_netvm router packet + else ( + Log.warn (fun f -> + f "Incorrect source IP %a in IP packet from %a (dropping)" + Ipaddr.V4.pp src Ipaddr.V4.pp iface#other_ip); + Lwt.return_unit) + +(** Connect to a new client's interface and listen for incoming frames and + firewall rule changes. *) +let conf_vif get_ts vif backend client_eth dns_client dns_servers ~client_ip + ~iface ~router ~cleanup_tasks qubesDB () = + let { Dao.ClientVif.domid; device_id } = vif in + Log.info (fun f -> + f "Client %d:%d (IP: %s) ready" domid device_id + (Ipaddr.V4.to_string client_ip)); + + (* update the rules whenever QubesDB notices a change for this IP *) + let qubesdb_updater = + Lwt.catch + (fun () -> + let rec update current_db current_rules = + Qubes.DB.got_new_commit qubesDB (Dao.db_root client_ip) current_db + >>= fun new_db -> + iface#set_rules new_db; + let new_rules = iface#get_rules in + if current_rules = new_rules then + Log.info (fun m -> + m "Rules did not change for %s" (Ipaddr.V4.to_string client_ip)) + else ( + Log.info (fun m -> + m "New firewall rules for %s@.%a" + (Ipaddr.V4.to_string client_ip) + Fmt.(list ~sep:(any "@.") Pf_qubes.Parse_qubes.pp_rule) + new_rules); + (* empty NAT table if rules are updated: they might deny old connections *) + My_nat.remove_connections router.nat client_ip); + update new_db new_rules + in + update Qubes.DB.KeyMap.empty []) + (function Lwt.Canceled -> Lwt.return_unit | e -> Lwt.fail e) + in + Cleanup.on_cleanup cleanup_tasks (fun () -> Lwt.cancel qubesdb_updater); + + let fixed_arp = Client_eth.ARP.create ~net:client_eth iface in + let fragment_cache = ref (Fragments.Cache.empty (256 * 1024)) in + let listener = + Lwt.catch + (fun () -> + Netback.listen backend ~header_size:Ethernet.Packet.sizeof_ethernet + (fun frame -> + match Ethernet.Packet.of_cstruct frame with + | Error err -> + Log.warn (fun f -> f "Invalid Ethernet frame: %s" err); + Lwt.return_unit + | Ok (eth, payload) -> ( + match eth.Ethernet.Packet.ethertype with + | `ARP -> client_handle_arp ~fixed_arp ~iface payload + | `IPv4 -> + client_handle_ipv4 get_ts fragment_cache ~iface ~router + dns_client dns_servers payload + | `IPv6 -> Lwt.return_unit (* TODO: oh no! *))) + >|= or_raise "Listen on client interface" Netback.pp_error) + (function Lwt.Canceled -> Lwt.return_unit | e -> Lwt.fail e) + in + Cleanup.on_cleanup cleanup_tasks (fun () -> Lwt.cancel listener); + (* NOTE(dinosaure): [qubes_updater] and [listener] can be forgotten, our [cleanup_task] + will cancel them if the client is disconnected. *) + Lwt.async (fun () -> Lwt.pick [ qubesdb_updater; listener ]); + Lwt.return_unit + +(** A new client VM has been found in XenStore. Find its interface and connect + to it. *) +let add_client get_ts dns_client dns_servers ~router vif client_ip qubesDB = + let open Lwt.Syntax in + let cleanup_tasks = Cleanup.create () in + Log.info (fun f -> + f "add client vif %a with IP %a" Dao.ClientVif.pp vif Ipaddr.V4.pp + client_ip); + let { Dao.ClientVif.domid; device_id } = vif in + let* backend = Netback.make ~domid ~device_id in + let* eth = ClientEth.connect backend in + let client_mac = Netback.frontend_mac backend in + let client_eth = router.clients in + let gateway_ip = Client_eth.client_gw client_eth in + let iface = new client_iface eth ~domid ~gateway_ip ~client_ip client_mac in + + Cleanup.on_cleanup cleanup_tasks (fun () -> remove_client router iface); + Lwt.async (fun () -> + Lwt.catch + (fun () -> add_client router iface) + (fun ex -> + Log.warn (fun f -> + f "Error with client %a: %s" Dao.ClientVif.pp vif + (Printexc.to_string ex)); + Lwt.return_unit)); + + let* () = + Lwt.catch + (conf_vif get_ts vif backend client_eth dns_client dns_servers ~client_ip + ~iface ~router ~cleanup_tasks qubesDB) + @@ fun exn -> + Log.warn (fun f -> + f "Error with client %a: %s" Dao.ClientVif.pp vif + (Printexc.to_string exn)); + Lwt.return_unit + in + Lwt.return cleanup_tasks + +(** Watch XenStore for notifications of new clients. *) +let wait_clients get_ts dns_client dns_servers qubesDB router = + let open Lwt.Syntax in + let clients : Cleanup.t Dao.VifMap.t ref = ref Dao.VifMap.empty in + Dao.watch_clients @@ fun new_set -> + (* Check for removed clients *) + let clean_up_clients key cleanup = + if not (Dao.VifMap.mem key new_set) then ( + clients := !clients |> Dao.VifMap.remove key; + Log.info (fun f -> f "client %a has gone" Dao.ClientVif.pp key); + Cleanup.cleanup cleanup) + in + Dao.VifMap.iter clean_up_clients !clients; + (* Check for added clients *) + let rec go seq = + match Seq.uncons seq with + | None -> Lwt.return_unit + | Some ((key, ipaddr), seq) when not (Dao.VifMap.mem key !clients) -> + let* cleanup = + add_client get_ts dns_client dns_servers ~router key ipaddr qubesDB + in + Log.debug (fun f -> f "client %a arrived" Dao.ClientVif.pp key); + clients := Dao.VifMap.add key cleanup !clients; + go seq + | Some (_, seq) -> go seq + in + go (Dao.VifMap.to_seq new_set) + +let send_dns_client_query t ~src_port ~dst ~dst_port buf = + match t.uplink with + | None -> + Log.err (fun f -> f "No uplink interface"); + Lwt.return (Error (`Msg "failure")) + | Some uplink -> + Lwt.catch + (fun () -> + U.write ~src_port ~dst ~dst_port uplink.udp (Cstruct.of_string buf) + >|= function + | Error s -> + Log.err (fun f -> f "error sending udp packet: %a" U.pp_error s); + Error (`Msg "failure") + | Ok () -> Ok ()) + (fun ex -> + Log.err (fun f -> + f + "uncaught exception trying to send DNS request to uplink: \ + @[%s@]" + (Printexc.to_string ex)); + Lwt.return (Error (`Msg "DNS request not sent"))) + +(** Wait for packet from our uplink (we must have an uplink here...). *) +let rec uplink_listen get_ts dns_responses router = + Lwt_condition.wait router.uplink_connected >>= fun () -> + match router.uplink with + | None -> + Log.err (fun f -> + f "Uplink is connected but not found in the router, retrying...%!"); + uplink_listen get_ts dns_responses router + | Some uplink -> + let listen = + Lwt.catch + (fun () -> + Netif.listen uplink.net ~header_size:Ethernet.Packet.sizeof_ethernet + (fun frame -> + (* Handle one Ethernet frame from NetVM *) + UplinkEth.input uplink.eth ~arpv4:(Arp.input uplink.arp) + ~ipv4:(fun ip -> + let cache, r = + Nat_packet.of_ipv4_packet uplink.fragments + ~now:(get_ts ()) ip + in + uplink.fragments <- cache; + match r with + | Error e -> + Log.warn (fun f -> + f "Ignored unknown IPv4 message from uplink: %a" + Nat_packet.pp_error e); + Lwt.return () + | Ok None -> Lwt.return_unit + | Ok (Some (`IPv4 (header, packet))) -> ( + let open Udp_packet in + Log.debug (fun f -> + f "received ipv4 packet from %a on uplink" + Ipaddr.V4.pp header.Ipv4_packet.src); + match packet with + | `UDP (header, packet) + when My_nat.dns_port router.nat header.dst_port -> + Log.debug (fun f -> + f + "found a DNS packet whose dst_port (%d) was \ + in the list of dns_client ports" + header.dst_port); + Lwt_mvar.put dns_responses + (header, Cstruct.to_string packet) + | _ -> ipv4_from_netvm router (`IPv4 (header, packet)))) + ~ipv6:(fun _ip -> Lwt.return_unit) + frame) + >|= or_raise "Uplink listen loop" Netif.pp_error) + (function + | Lwt.Canceled -> + (* We can be cancelled if reconnect_uplink is achieved (via the Lwt_condition), so we need to disconnect and broadcast when it's done + currently we delay 1s as Netif.disconnect is non-blocking... (need to fix upstream?) *) + Log.info (fun f -> f "disconnecting from our uplink"); + U.disconnect uplink.udp >>= fun () -> + I.disconnect uplink.ip >>= fun () -> + (* mutable fragments : Fragments.Cache.t; *) + (* interface : interface; *) + Arp.disconnect uplink.arp >>= fun () -> + UplinkEth.disconnect uplink.eth >>= fun () -> + Netif.disconnect uplink.net >>= fun () -> + Lwt_condition.broadcast router.uplink_disconnected (); + Lwt.return_unit + | e -> Lwt.fail e) + in + let reconnect_uplink = + Lwt_condition.wait router.uplink_disconnect >>= fun () -> + Log.info (fun f -> f "we need to reconnect to the new uplink"); + Lwt.return_unit + in + Lwt.pick [ listen; reconnect_uplink ] >>= fun () -> + uplink_listen get_ts dns_responses router + +(** Connect to our uplink backend (we must have an uplink here...). *) +let connect config = + let my_ip = config.Dao.our_ip in + let gateway = config.Dao.netvm_ip in + Netif.connect "0" >>= fun net -> + UplinkEth.connect net >>= fun eth -> + Arp.connect eth >>= fun arp -> + Arp.add_ip arp my_ip >>= fun () -> + let cidr = Ipaddr.V4.Prefix.make 0 my_ip in + I.connect ~cidr ~gateway eth arp >>= fun ip -> + U.connect ip >>= fun udp -> + let netvm_mac = + Arp.query arp gateway >>= function + | Error e -> + Log.err (fun f -> f "Getting MAC of our NetVM: %a" Arp.pp_error e); + (* This mac address is a special address used by Qubes when the device + is not managed by Qubes itself. This can occurs inside a service + AppVM (e.g. VPN) when the service creates a new interface. *) + Lwt.return (Macaddr.of_string_exn "fe:ff:ff:ff:ff:ff") + | Ok mac -> Lwt.return mac + in + let interface = + new netvm_iface eth netvm_mac ~my_ip ~other_ip:config.Dao.netvm_ip + in + let fragments = Fragments.Cache.empty (256 * 1024) in + Lwt.return { net; eth; arp; interface; fragments; ip; udp } + +(** Wait Xenstore for our uplink changes (we must have an uplink here...). *) +let uplink_wait_update qubesDB router = + let rec aux current_db = + let netvm = "/qubes-gateway" in + Log.info (fun f -> f "Waiting for netvm changes to %S...%!" netvm); + Qubes.DB.after qubesDB current_db >>= fun new_db -> + (match (router.uplink, Qubes.DB.KeyMap.find_opt netvm new_db) with + | Some uplink, Some netvm + when not + (String.equal netvm + (Ipaddr.V4.to_string uplink.interface#other_ip)) -> + Log.info (fun f -> + f "Our netvm IP has changed, before it was %s, now it's: %s%!" + (Ipaddr.V4.to_string uplink.interface#other_ip) + netvm); + Lwt_condition.broadcast router.uplink_disconnect (); + (* wait for uplink disconnexion *) + Lwt_condition.wait router.uplink_disconnected >>= fun () -> + Dao.read_network_config qubesDB >>= fun config -> + Dao.print_network_config config; + connect config >>= fun uplink -> + update router ~config ~uplink:(Some uplink) >>= fun () -> + Lwt_condition.broadcast router.uplink_connected (); + Lwt.return_unit + | None, Some _ -> + (* a new interface is attributed to qubes-mirage-firewall *) + Log.info (fun f -> f "Going from netvm not connected to %s%!" netvm); + Dao.read_network_config qubesDB >>= fun config -> + Dao.print_network_config config; + connect config >>= fun uplink -> + update router ~config ~uplink:(Some uplink) >>= fun () -> + Lwt_condition.broadcast router.uplink_connected (); + Lwt.return_unit + | Some _, None -> + (* This currently is never triggered :( *) + Log.info (fun f -> + f "TODO: Our netvm disapeared, troubles are coming!%!"); + Lwt.return_unit + | Some _, Some _ (* The new netvm IP is unchanged (it's our old netvm IP) *) + | None, None -> + Log.info (fun f -> + f "QubesDB has changed but not the situation of our netvm!%!"); + Lwt.return_unit) + >>= fun () -> aux new_db + in + aux Qubes.DB.KeyMap.empty diff --git a/firewall.ml b/firewall.ml deleted file mode 100644 index 77656d2..0000000 --- a/firewall.ml +++ /dev/null @@ -1,198 +0,0 @@ -(* Copyright (C) 2015, Thomas Leonard - See the README file for details. *) - -open Fw_utils -open Packet -open Lwt.Infix - -let src = Logs.Src.create "firewall" ~doc:"Packet handler" -module Log = (val Logs.src_log src : Logs.LOG) - -(* Transmission *) - -let transmit_ipv4 packet iface = - Lwt.catch - (fun () -> - Lwt.catch - (fun () -> - iface#writev `IPv4 (fun b -> - match Nat_packet.into_cstruct packet b with - | Error e -> - Log.warn (fun f -> f "Failed to write packet to %a: %a" - Ipaddr.V4.pp iface#other_ip - Nat_packet.pp_error e); - 0 - | Ok n -> n - ) - ) - (fun ex -> - Log.warn (fun f -> f "Failed to write packet to %a: %s" - Ipaddr.V4.pp iface#other_ip - (Printexc.to_string ex)); - Lwt.return () - ) - ) - (fun ex -> - Log.err (fun f -> f "Exception in transmit_ipv4: %s for:@.%a" - (Printexc.to_string ex) - Nat_packet.pp packet - ); - Lwt.return () - ) - -let forward_ipv4 t packet = - let `IPv4 (ip, _) = packet in - match Router.target t ip with - | Some iface -> transmit_ipv4 packet iface - | None -> Lwt.return_unit - -(* Packet classification *) - -let parse_ips ips = List.map (fun (ip_str, id) -> (Ipaddr.of_string_exn ip_str, id)) ips - -let clients = parse_ips Rules.clients -let externals = parse_ips Rules.externals - -let resolve_client client = - `Client (try List.assoc (Ipaddr.V4 client#other_ip) clients with Not_found -> `Unknown) - -let resolve_host = function - | `Client c -> resolve_client c - | `External ip -> `External (try List.assoc ip externals with Not_found -> `Unknown) - | (`Firewall | `NetVM) as x -> x - -let classify ~src ~dst packet = - let `IPv4 (_ip, transport) = packet in - let proto = - match transport with - | `TCP ({Tcp.Tcp_packet.src_port; dst_port; _}, _) -> `TCP {sport = src_port; dport = dst_port} - | `UDP ({Udp_packet.src_port; dst_port; _}, _) -> `UDP {sport = src_port; dport = dst_port} - | `ICMP _ -> `ICMP - in - Some { - packet; - src; - dst; - proto; - } - -let pp_ports fmt {sport; dport} = - Format.fprintf fmt "sport=%d dport=%d" sport dport - -let pp_host fmt = function - | `Client c -> Ipaddr.V4.pp fmt (c#other_ip) - | `Unknown_client ip -> Format.fprintf fmt "unknown-client(%a)" Ipaddr.pp ip - | `NetVM -> Format.pp_print_string fmt "net-vm" - | `External ip -> Format.fprintf fmt "external(%a)" Ipaddr.pp ip - | `Firewall -> Format.pp_print_string fmt "firewall" - -let pp_proto fmt = function - | `UDP ports -> Format.fprintf fmt "UDP(%a)" pp_ports ports - | `TCP ports -> Format.fprintf fmt "TCP(%a)" pp_ports ports - | `ICMP -> Format.pp_print_string fmt "ICMP" - | `Unknown -> Format.pp_print_string fmt "UnknownProtocol" - -let pp_packet t fmt {src = _; dst = _; proto; packet} = - let `IPv4 (ip, _transport) = packet in - let src = Router.classify t (Ipaddr.V4 ip.Ipv4_packet.src) in - let dst = Router.classify t (Ipaddr.V4 ip.Ipv4_packet.dst) in - Format.fprintf fmt "[src=%a dst=%a proto=%a]" - pp_host src - pp_host dst - pp_proto proto - -let pp_transport_headers f = function - | `ICMP (h, _) -> Icmpv4_packet.pp f h - | `TCP (h, _) -> Tcp.Tcp_packet.pp f h - | `UDP (h, _) -> Udp_packet.pp f h - -let pp_header f = function - | `IPv4 (ip, transport) -> - Fmt.pf f "%a %a" - Ipv4_packet.pp ip - pp_transport_headers transport - -(* NAT *) - -let translate t packet = - My_nat.translate t.Router.nat packet - -(* Add a NAT rule for the endpoints in this frame, via a random port on the firewall. *) -let add_nat_and_forward_ipv4 t packet = - let xl_host = t.Router.uplink#my_ip in - My_nat.add_nat_rule_and_translate t.Router.nat ~xl_host `NAT packet >>= function - | Ok packet -> forward_ipv4 t packet - | Error e -> - Log.warn (fun f -> f "Failed to add NAT rewrite rule: %s (%a)" e pp_header packet); - Lwt.return () - -(* Add a NAT rule to redirect this conversation to [host:port] instead of us. *) -let nat_to t ~host ~port packet = - match Router.resolve t host with - | Ipaddr.V6 _ -> Log.warn (fun f -> f "Cannot NAT with IPv6"); Lwt.return () - | Ipaddr.V4 target -> - let xl_host = t.Router.uplink#my_ip in - My_nat.add_nat_rule_and_translate t.Router.nat ~xl_host (`Redirect (target, port)) packet >>= function - | Ok packet -> forward_ipv4 t packet - | Error e -> - Log.warn (fun f -> f "Failed to add NAT redirect rule: %s (%a)" e pp_header packet); - Lwt.return () - -(* Handle incoming packets *) - -let apply_rules t rules ~dst info = - let packet = info.packet in - match rules info, dst with - | `Accept, `Client client_link -> transmit_ipv4 packet client_link - | `Accept, (`External _ | `NetVM) -> transmit_ipv4 packet t.Router.uplink - | `Accept, `Firewall -> - Log.warn (fun f -> f "Bad rule: firewall can't accept packets %a" (pp_packet t) info); - return () - | `NAT, _ -> add_nat_and_forward_ipv4 t packet - | `NAT_to (host, port), _ -> nat_to t packet ~host ~port - | `Drop reason, _ -> - Log.info (fun f -> f "Dropped packet (%s) %a" reason (pp_packet t) info); - return () - -let handle_low_memory t = - match Memory_pressure.status () with - | `Memory_critical -> (* TODO: should happen before copying and async *) - Log.warn (fun f -> f "Memory low - dropping packet and resetting NAT table"); - My_nat.reset t.Router.nat >|= fun () -> - `Memory_critical - | `Ok -> Lwt.return `Ok - -let ipv4_from_client t ~src packet = - handle_low_memory t >>= function - | `Memory_critical -> return () - | `Ok -> - (* Check for existing NAT entry for this packet *) - translate t packet >>= function - | Some frame -> forward_ipv4 t frame (* Some existing connection or redirect *) - | None -> - (* No existing NAT entry. Check the firewall rules. *) - let `IPv4 (ip, _transport) = packet in - let dst = Router.classify t (Ipaddr.V4 ip.Ipv4_packet.dst) in - match classify ~src:(resolve_client src) ~dst:(resolve_host dst) packet with - | None -> return () - | Some info -> apply_rules t Rules.from_client ~dst info - -let ipv4_from_netvm t packet = - handle_low_memory t >>= function - | `Memory_critical -> return () - | `Ok -> - let `IPv4 (ip, _transport) = packet in - let src = Router.classify t (Ipaddr.V4 ip.Ipv4_packet.src) in - let dst = Router.classify t (Ipaddr.V4 ip.Ipv4_packet.dst) in - match classify ~src ~dst:(resolve_host dst) packet with - | None -> return () - | Some info -> - match src with - | `Client _ | `Firewall -> - Log.warn (fun f -> f "Frame from NetVM has internal source IP address! %a" (pp_packet t) info); - return () - | `External _ | `NetVM as src -> - translate t packet >>= function - | Some frame -> forward_ipv4 t frame - | None -> - apply_rules t Rules.from_netvm ~dst { info with src } diff --git a/firewall.mli b/firewall.mli deleted file mode 100644 index 9900f56..0000000 --- a/firewall.mli +++ /dev/null @@ -1,11 +0,0 @@ -(* Copyright (C) 2015, Thomas Leonard - See the README file for details. *) - -(** Classify IP packets, apply rules and send as appropriate. *) - -val ipv4_from_netvm : Router.t -> Nat_packet.t -> unit Lwt.t -(** Handle a packet from the outside world (this module will validate the source IP). *) - -val ipv4_from_client : Router.t -> src:Fw_utils.client_link -> Nat_packet.t -> unit Lwt.t -(** Handle a packet from a client. Caller must check the source IP matches the client's - before calling this. *) diff --git a/frameQ.ml b/frameQ.ml deleted file mode 100644 index 390ac7a..0000000 --- a/frameQ.ml +++ /dev/null @@ -1,32 +0,0 @@ -(* Copyright (C) 2016, Thomas Leonard - See the README file for details. *) - -let src = Logs.Src.create "frameQ" ~doc:"Interface output queue" -module Log = (val Logs.src_log src : Logs.LOG) - -type t = { - name : string; - mutable items : int; -} - -let create name = { name; items = 0 } - -(* Note: the queue is only used if we already filled the transmit buffer. *) -let max_qlen = 10 - -let send q fn = - if q.items = max_qlen then ( - Log.warn (fun f -> f "Maximum queue length exceeded for %s: dropping frame" q.name); - Lwt.return_unit - ) else ( - let sent = fn () in - if Lwt.state sent = Lwt.Sleep then ( - q.items <- q.items + 1; - Log.info (fun f -> f "Queue length for %s: incr to %d" q.name q.items); - Lwt.on_termination sent (fun () -> - q.items <- q.items - 1; - Log.info (fun f -> f "Queue length for %s: decr to %d" q.name q.items); - ) - ); - sent - ) diff --git a/frameQ.mli b/frameQ.mli deleted file mode 100644 index f11e1ae..0000000 --- a/frameQ.mli +++ /dev/null @@ -1,15 +0,0 @@ -(* Copyright (C) 2016, Thomas Leonard - See the README file for details. *) - -(** Keep track of the queue length for output buffers. *) - -type t - -val create : string -> t -(** [create name] is a new empty queue. [name] is used in log messages. *) - -val send : t -> (unit -> unit Lwt.t) -> unit Lwt.t -(** [send t fn] checks that the queue isn't overloaded and calls [fn ()] if it's OK. - The item is considered to be queued until the result of [fn] has resolved. - In the case of mirage-net-xen's [writev], this happens when the frame has been - added to the ring (not when it is consumed), which is fine for us. *) diff --git a/fw_utils.ml b/fw_utils.ml index c034e72..53fddb0 100644 --- a/fw_utils.ml +++ b/fw_utils.ml @@ -3,25 +3,10 @@ (** General utility functions. *) -module IpMap = struct - include Map.Make(Ipaddr.V4) - let find x map = - try Some (find x map) - with Not_found -> None -end - -module Int = struct - type t = int - let compare (a:t) (b:t) = compare a b -end - -module IntSet = Set.Make(Int) -module IntMap = Map.Make(Int) - (** An Ethernet interface. *) class type interface = object method my_mac : Macaddr.t - method writev : Mirage_protocols.Ethernet.proto -> (Cstruct.t -> int) -> unit Lwt.t + method writev : Ethernet.Packet.proto -> (Cstruct.t -> int) -> unit Lwt.t method my_ip : Ipaddr.V4.t method other_ip : Ipaddr.V4.t end @@ -30,20 +15,21 @@ end class type client_link = object inherit interface method other_mac : Macaddr.t - method log_header : string (* For log messages *) + method log_header : string (* For log messages *) + method get_rules : Pf_qubes.Parse_qubes.rule list + method set_rules : string Qubes.DB.KeyMap.t -> unit end -(** An Ethernet header from [src]'s MAC address to [dst]'s with an IPv4 payload. *) +(** An Ethernet header from [src]'s MAC address to [dst]'s with an IPv4 payload. +*) let eth_header ethertype ~src ~dst = - Ethernet_packet.Marshal.make_cstruct { Ethernet_packet.source = src; destination = dst; ethertype } + Ethernet.Packet.make_cstruct + { Ethernet.Packet.source = src; destination = dst; ethertype } let error fmt = let err s = Failure s in Printf.ksprintf err fmt -let return = Lwt.return -let fail = Lwt.fail - let or_raise msg pp = function | Ok x -> x - | Error e -> failwith (Fmt.strf "%s: %a" msg pp e) + | Error e -> failwith (Fmt.str "%s: %a" msg pp e) diff --git a/memory_pressure.ml b/memory_pressure.ml index ed5b7e5..fe04bca 100644 --- a/memory_pressure.ml +++ b/memory_pressure.ml @@ -1,49 +1,21 @@ (* Copyright (C) 2015, Thomas Leonard See the README file for details. *) -open Lwt - let src = Logs.Src.create "memory_pressure" ~doc:"Memory pressure monitor" + module Log = (val Logs.src_log src : Logs.LOG) -let total_pages = OS.MM.Heap_pages.total () -let pagesize_kb = Io_page.page_size / 1024 +let fraction_free stats = + let { Xen_os.Memory.free_words; heap_words; _ } = stats in + float free_words /. float heap_words -let meminfo ~used = - let mem_total = total_pages * pagesize_kb in - let mem_free = (total_pages - used) * pagesize_kb in - Log.info (fun f -> f "Writing meminfo: free %d / %d kB (%.2f %%)" - mem_free mem_total (float_of_int mem_free /. float_of_int mem_total *. 100.0)); - Printf.sprintf "MemTotal: %d kB\n\ - MemFree: %d kB\n\ - Buffers: 0 kB\n\ - Cached: 0 kB\n\ - SwapTotal: 0 kB\n\ - SwapFree: 0 kB\n" mem_total mem_free - -let report_mem_usage used = - Lwt.async (fun () -> - let open OS in - Xs.make () >>= fun xs -> - Xs.immediate xs (fun h -> - Xs.write h "memory/meminfo" (meminfo ~used) - ) - ) - -let init () = - Gc.full_major (); - let used = OS.MM.Heap_pages.used () in - report_mem_usage used +let init () = Gc.full_major () let status () = - let used = OS.MM.Heap_pages.used () |> float_of_int in - let frac = used /. float_of_int total_pages in - if frac < 0.9 then `Ok + let stats = Xen_os.Memory.quick_stat () in + if fraction_free stats > 0.5 then `Ok else ( Gc.full_major (); - let used = OS.MM.Heap_pages.used () in - report_mem_usage used; - let frac = float_of_int used /. float_of_int total_pages in - if frac > 0.9 then `Memory_critical - else `Ok - ) + Xen_os.Memory.trim (); + let stats = Xen_os.Memory.quick_stat () in + if fraction_free stats < 0.6 then `Memory_critical else `Ok) diff --git a/memory_pressure.mli b/memory_pressure.mli index c0d9f49..f0d7df8 100644 --- a/memory_pressure.mli +++ b/memory_pressure.mli @@ -8,5 +8,5 @@ val status : unit -> [ `Ok | `Memory_critical ] (** Check the memory situation. If we're running low, do a GC (work-around for http://caml.inria.fr/mantis/view.php?id=7100 and OCaml GC needing to malloc extra space to run finalisers). Returns [`Memory_critical] if memory is - still low - caller should take action to reduce memory use. - After GC, updates meminfo in XenStore. *) + still low - caller should take action to reduce memory use. After GC, + updates meminfo in XenStore. *) diff --git a/my_dns.ml b/my_dns.ml new file mode 100644 index 0000000..e3bb267 --- /dev/null +++ b/my_dns.ml @@ -0,0 +1,81 @@ +open Lwt.Infix + +type +'a io = 'a Lwt.t +type io_addr = Ipaddr.V4.t * int + +type stack = + Dispatcher.t + * (src_port:int -> + dst:Ipaddr.V4.t -> + dst_port:int -> + string -> + (unit, [ `Msg of string ]) result Lwt.t) + * (Udp_packet.t * string) Lwt_mvar.t + +module IM = Map.Make (Int) + +type t = { + protocol : Dns.proto; + nameserver : io_addr; + stack : stack; + timeout_ns : int64; + mutable requests : string Lwt_condition.t IM.t; +} + +type context = t + +let nameservers { protocol; nameserver; _ } = (protocol, [ nameserver ]) +let rng = Mirage_crypto_rng.generate ?g:None +let clock = Mirage_mtime.elapsed_ns + +let rec read t = + let _, _, answer = t.stack in + Lwt_mvar.take answer >>= fun (_, data) -> + (if String.length data > 2 then + match IM.find_opt (String.get_uint16_be data 0) t.requests with + | Some cond -> Lwt_condition.broadcast cond data + | None -> ()); + read t + +let create ?nameservers ~timeout stack = + let protocol, nameserver = + match nameservers with + | None | Some (_, []) -> invalid_arg "no nameserver found" + | Some (proto, ns :: _) -> (proto, ns) + in + let t = + { protocol; nameserver; stack; timeout_ns = timeout; requests = IM.empty } + in + Lwt.async (fun () -> read t); + t + +let with_timeout timeout_ns f = + let timeout = + Mirage_sleep.ns timeout_ns >|= fun () -> Error (`Msg "DNS request timeout") + in + Lwt.pick [ f; timeout ] + +let connect (t : t) = Lwt.return (Ok (t.protocol, t)) + +let send_recv (ctx : context) buf : (string, [> `Msg of string ]) result Lwt.t = + let dst, dst_port = ctx.nameserver in + let router, send_udp, _ = ctx.stack in + let src_port, evict = + My_nat.free_udp_port router.nat ~src:router.config.our_ip ~dst ~dst_port:53 + in + let id = String.get_uint16_be buf 0 in + with_timeout ctx.timeout_ns + (let cond = Lwt_condition.create () in + ctx.requests <- IM.add id cond ctx.requests; + send_udp ~src_port ~dst ~dst_port buf >|= Rresult.R.open_error_msg + >>= function + | Ok () -> Lwt_condition.wait cond >|= fun dns_response -> Ok dns_response + | Error _ as e -> Lwt.return e) + >|= fun result -> + ctx.requests <- IM.remove id ctx.requests; + evict (); + result + +let close _ = Lwt.return_unit +let bind = Lwt.bind +let lift = Lwt.return diff --git a/my_nat.ml b/my_nat.ml index bfaf702..e6b70e6 100644 --- a/my_nat.ml +++ b/my_nat.ml @@ -1,81 +1,86 @@ (* Copyright (C) 2015, Thomas Leonard See the README file for details. *) -open Lwt.Infix - let src = Logs.Src.create "my-nat" ~doc:"NAT shim" + module Log = (val Logs.src_log src : Logs.LOG) -type action = [ - | `NAT - | `Redirect of Mirage_nat.endpoint -] +type action = [ `NAT | `Redirect of Mirage_nat.endpoint ] module Nat = Mirage_nat_lru -type t = { - table : Nat.t; - get_time : unit -> Mirage_nat.time; -} +module S = Set.Make (struct + type t = int -let create ~get_time ~max_entries = + let compare (a : int) (b : int) = compare a b +end) + +type t = { table : Nat.t; mutable udp_dns : S.t; last_resort_port : int } + +let pick_port () = 1024 + Random.int (0xffff - 1024) + +let create ~max_entries = let tcp_size = 7 * max_entries / 8 in let udp_size = max_entries - tcp_size in - Nat.empty ~tcp_size ~udp_size ~icmp_size:100 >|= fun table -> - { get_time; table } + let table = Nat.empty ~tcp_size ~udp_size ~icmp_size:100 in + let last_resort_port = pick_port () in + { table; udp_dns = S.empty; last_resort_port } + +let pick_free_port t proto = + let rec go retries = + if retries = 0 then None + else + let p = 1024 + Random.int (0xffff - 1024) in + match proto with + | `Udp when S.mem p t.udp_dns || p = t.last_resort_port -> go (retries - 1) + | _ -> Some p + in + go 10 + +let free_udp_port t ~src ~dst ~dst_port = + let rec go retries = + if retries = 0 then (t.last_resort_port, Fun.id) + else + let src_port = + Option.value ~default:t.last_resort_port (pick_free_port t `Udp) + in + if Nat.is_port_free t.table `Udp ~src ~dst ~src_port ~dst_port then + let remove = + if src_port <> t.last_resort_port then ( + t.udp_dns <- S.add src_port t.udp_dns; + fun () -> t.udp_dns <- S.remove src_port t.udp_dns) + else Fun.id + in + (src_port, remove) + else go (retries - 1) + in + go 10 + +let dns_port t port = S.mem port t.udp_dns || port = t.last_resort_port let translate t packet = - Nat.translate t.table packet >|= function - | Error (`Untranslated | `TTL_exceeded as e) -> - Log.debug (fun f -> f "Failed to NAT %a: %a" - Nat_packet.pp packet - Mirage_nat.pp_error e - ); - None + match Nat.translate t.table packet with + | Error ((`Untranslated | `TTL_exceeded) as e) -> + Log.debug (fun f -> + f "Failed to NAT %a: %a" Nat_packet.pp packet Mirage_nat.pp_error e); + None | Ok packet -> Some packet -let random_user_port () = - 1024 + Random.int (0xffff - 1024) - -let reset t = - Nat.reset t.table +let remove_connections t ip = ignore (Nat.remove_connections t.table ip) let add_nat_rule_and_translate t ~xl_host action packet = - let now = t.get_time () in - let apply_action xl_port = - Lwt.catch (fun () -> - Nat.add t.table ~now packet (xl_host, xl_port) action - ) - (function - | Out_of_memory -> Lwt.return (Error `Out_of_memory) - | x -> Lwt.fail x - ) + let proto = + match packet with + | `IPv4 (_, `TCP _) -> `Tcp + | `IPv4 (_, `UDP _) -> `Udp + | `IPv4 (_, `ICMP _) -> `Icmp in - let rec aux ~retries = - let xl_port = random_user_port () in - apply_action xl_port >>= function - | Error `Out_of_memory -> - (* Because hash tables resize in big steps, this can happen even if we have a fair - chunk of free memory. *) - Log.warn (fun f -> f "Out_of_memory adding NAT rule. Dropping NAT table..."); - Nat.reset t.table >>= fun () -> - aux ~retries:(retries - 1) - | Error `Overlap when retries < 0 -> Lwt.return (Error "Too many retries") - | Error `Overlap -> - if retries = 0 then ( - Log.warn (fun f -> f "Failed to find a free port; resetting NAT table"); - Nat.reset t.table >>= fun () -> - aux ~retries:(retries - 1) - ) else ( - aux ~retries:(retries - 1) - ) - | Error `Cannot_NAT -> - Lwt.return (Error "Cannot NAT this packet") - | Ok () -> + match + Nat.add t.table packet xl_host (fun () -> pick_free_port t proto) action + with + | Error `Overlap -> Error "Too many retries" + | Error `Cannot_NAT -> Error "Cannot NAT this packet" + | Ok () -> Log.debug (fun f -> f "Updated NAT table: %a" Nat.pp_summary t.table); - translate t packet >|= function - | None -> Error "No NAT entry, even after adding one!" - | Some packet -> - Ok packet - in - aux ~retries:100 + Option.to_result ~none:"No NAT entry, even after adding one!" + (translate t packet) diff --git a/my_nat.mli b/my_nat.mli index 770eaa0..a9d3829 100644 --- a/my_nat.mli +++ b/my_nat.mli @@ -4,14 +4,23 @@ (* Abstract over NAT interface (todo: remove this) *) type t +type action = [ `NAT | `Redirect of Mirage_nat.endpoint ] -type action = [ - | `NAT - | `Redirect of Mirage_nat.endpoint -] +val free_udp_port : + t -> + src:Ipaddr.V4.t -> + dst:Ipaddr.V4.t -> + dst_port:int -> + int * (unit -> unit) -val create : get_time:(unit -> Mirage_nat.time) -> max_entries:int -> t Lwt.t -val reset : t -> unit Lwt.t -val translate : t -> Nat_packet.t -> Nat_packet.t option Lwt.t -val add_nat_rule_and_translate : t -> xl_host:Ipaddr.V4.t -> - action -> Nat_packet.t -> (Nat_packet.t, string) result Lwt.t +val dns_port : t -> int -> bool +val create : max_entries:int -> t +val remove_connections : t -> Ipaddr.V4.t -> unit +val translate : t -> Nat_packet.t -> Nat_packet.t option + +val add_nat_rule_and_translate : + t -> + xl_host:Ipaddr.V4.t -> + action -> + Nat_packet.t -> + (Nat_packet.t, string) result diff --git a/packet.ml b/packet.ml index 7838a6b..d6d4f92 100644 --- a/packet.ml +++ b/packet.ml @@ -5,33 +5,56 @@ open Fw_utils type port = int -type ports = { - sport : port; (* Source port *) - dport : port; (* Destination *) -} - -type host = +type host = [ `Client of client_link | `Firewall | `NetVM | `External of Ipaddr.t ] -type ('src, 'dst) info = { - packet : Nat_packet.t; +type transport_header = + [ `TCP of Tcp.Tcp_packet.t | `UDP of Udp_packet.t | `ICMP of Icmpv4_packet.t ] + +type ('src, 'dst) t = { + ipv4_header : Ipv4_packet.t; + transport_header : transport_header; + transport_payload : Cstruct.t; src : 'src; dst : 'dst; - proto : [ `UDP of ports | `TCP of ports | `ICMP | `Unknown ]; } -(* The first message in a TCP connection has SYN set and ACK clear. *) -let is_tcp_start = function - | `IPv4 (_ip, `TCP (hdr, _body)) -> Tcp.Tcp_packet.(hdr.syn && not hdr.ack) - | _ -> false +let pp_transport_header f = function + | `ICMP h -> Icmpv4_packet.pp f h + | `TCP h -> Tcp.Tcp_packet.pp f h + | `UDP h -> Udp_packet.pp f h -(* The possible actions we can take for a packet: *) -type action = [ - | `Accept (* Send the packet to its destination. *) - | `NAT (* Rewrite the packet's source field so packet appears to - have come from the firewall, via an unused port. - Also, add NAT rules so related packets will be translated accordingly. *) - | `NAT_to of host * port (* As for [`NAT], but also rewrite the packet's +let pp_host fmt = function + | `Client c -> Ipaddr.V4.pp fmt c#other_ip + | `Unknown_client ip -> Format.fprintf fmt "unknown-client(%a)" Ipaddr.pp ip + | `NetVM -> Format.pp_print_string fmt "net-vm" + | `External ip -> Format.fprintf fmt "external(%a)" Ipaddr.pp ip + | `Firewall -> Format.pp_print_string fmt "firewall(client-gw)" + +let to_mirage_nat_packet t : Nat_packet.t = + match t.transport_header with + | `TCP h -> `IPv4 (t.ipv4_header, `TCP (h, t.transport_payload)) + | `UDP h -> `IPv4 (t.ipv4_header, `UDP (h, t.transport_payload)) + | `ICMP h -> `IPv4 (t.ipv4_header, `ICMP (h, t.transport_payload)) + +let of_mirage_nat_packet ~src ~dst packet : ('a, 'b) t option = + let (`IPv4 (ipv4_header, ipv4_payload)) = packet in + let transport_header, transport_payload = + match ipv4_payload with + | `TCP (h, p) -> (`TCP h, p) + | `UDP (h, p) -> (`UDP h, p) + | `ICMP (h, p) -> (`ICMP h, p) + in + Some { ipv4_header; transport_header; transport_payload; src; dst } + +(* possible actions to take for a packet: *) +type action = + [ `Accept (* Send to destination, unmodified. *) + | `NAT + (* Rewrite source field to the firewall's IP, with a fresh source port. + Also, add translation rules for future traffic in both directions, + between these hosts on these ports, and corresponding ICMP error traffic. *) + | `NAT_to of host * port + (* As for [`NAT], but also rewrite the packet's destination fields so it will be sent to [host:port]. *) - | `Drop of string (* Drop the packet and log the given reason. *) -] + | `Drop of string (* Drop packet for this reason. *) ] diff --git a/packet.mli b/packet.mli new file mode 100644 index 0000000..af8ee43 --- /dev/null +++ b/packet.mli @@ -0,0 +1,35 @@ +type port = int + +type host = + [ `Client of Fw_utils.client_link (** an IP address on the private network *) + | `Firewall (** the firewall's IP on the private network *) + | `NetVM (** the IP of the firewall's default route *) + | `External of Ipaddr.t (** an IP on the public network *) ] + +type transport_header = + [ `TCP of Tcp.Tcp_packet.t | `UDP of Udp_packet.t | `ICMP of Icmpv4_packet.t ] + +type ('src, 'dst) t = { + ipv4_header : Ipv4_packet.t; + transport_header : transport_header; + transport_payload : Cstruct.t; + src : 'src; + dst : 'dst; +} + +val pp_transport_header : Format.formatter -> transport_header -> unit +val pp_host : Format.formatter -> host -> unit +val to_mirage_nat_packet : ('a, 'b) t -> Nat_packet.t +val of_mirage_nat_packet : src:'a -> dst:'b -> Nat_packet.t -> ('a, 'b) t option + +(* possible actions to take for a packet: *) +type action = + [ `Accept (* Send to destination, unmodified. *) + | `NAT + (* Rewrite source field to the firewall's IP, with a fresh source port. + Also, add translation rules for future traffic in both directions, + between these hosts on these ports, and corresponding ICMP error traffic. *) + | `NAT_to of host * port + (* As for [`NAT], but also rewrite the packet's + destination fields so it will be sent to [host:port]. *) + | `Drop of string (* Drop packet for this reason. *) ] diff --git a/qubes-firewall-release.sha256 b/qubes-firewall-release.sha256 new file mode 100644 index 0000000..220644c --- /dev/null +++ b/qubes-firewall-release.sha256 @@ -0,0 +1 @@ +0c3c2c0e62a834112c69d7cddc5dd6f70ecb93afa988768fb860ed26e423b1f8 dist/qubes-firewall.xen diff --git a/qubes-firewall.sha256 b/qubes-firewall.sha256 new file mode 100644 index 0000000..f6c0982 --- /dev/null +++ b/qubes-firewall.sha256 @@ -0,0 +1 @@ +ac049069b35f786fa11b18a2261d7dbecd588301af0363ef6888ec9d924dc989 dist/qubes-firewall.xen diff --git a/router.ml b/router.ml deleted file mode 100644 index 4d7ed90..0000000 --- a/router.ml +++ /dev/null @@ -1,34 +0,0 @@ -(* Copyright (C) 2015, Thomas Leonard - See the README file for details. *) - -open Fw_utils - -(* The routing table *) - -type t = { - client_eth : Client_eth.t; - nat : My_nat.t; - uplink : interface; -} - -let create ~client_eth ~uplink ~nat = - { client_eth; nat; uplink } - -let target t buf = - let dst_ip = buf.Ipv4_packet.dst in - match Client_eth.lookup t.client_eth dst_ip with - | Some client_link -> Some (client_link :> interface) - | None -> Some t.uplink - -let add_client t = Client_eth.add_client t.client_eth -let remove_client t = Client_eth.remove_client t.client_eth - -let classify t ip = - if ip = Ipaddr.V4 t.uplink#my_ip then `Firewall - else if ip = Ipaddr.V4 t.uplink#other_ip then `NetVM - else (Client_eth.classify t.client_eth ip :> Packet.host) - -let resolve t = function - | `Firewall -> Ipaddr.V4 t.uplink#my_ip - | `NetVM -> Ipaddr.V4 t.uplink#other_ip - | #Client_eth.host as host -> Client_eth.resolve t.client_eth host diff --git a/router.mli b/router.mli deleted file mode 100644 index 80678fb..0000000 --- a/router.mli +++ /dev/null @@ -1,32 +0,0 @@ -(* Copyright (C) 2015, Thomas Leonard - See the README file for details. *) - -(** Routing packets to the right network interface. *) - -open Fw_utils - -type t = private { - client_eth : Client_eth.t; - nat : My_nat.t; - uplink : interface; -} -(** A routing table. *) - -val create : - client_eth:Client_eth.t -> - uplink:interface -> - nat:My_nat.t -> - t -(** [create ~client_eth ~uplink] is a new routing table - that routes packets outside of [client_eth] via [uplink]. *) - -val target : t -> Ipv4_packet.t -> interface option -(** [target t packet] is the interface to which [packet] should be routed. *) - -val add_client : t -> client_link -> unit Lwt.t -(** [add_client t iface] adds a rule for routing packets addressed to [iface]. *) - -val remove_client : t -> client_link -> unit - -val classify : t -> Ipaddr.t -> Packet.host -val resolve : t -> Packet.host -> Ipaddr.t diff --git a/rules.ml b/rules.ml index ec0c1c3..c85a596 100644 --- a/rules.ml +++ b/rules.ml @@ -1,62 +1,122 @@ (* Copyright (C) 2015, Thomas Leonard See the README file for details. *) -(** Put your firewall rules in this file. *) +(** This module applies firewall rules from QubesDB. *) -open Packet (* Allow us to use definitions in packet.ml *) +open Packet +open Lwt.Infix +module Q = Pf_qubes.Parse_qubes -(* List your AppVM IP addresses here if you want to match on them in the rules below. - Any client not listed here will appear as [`Client `Unknown]. *) -let clients = [ - (* - "10.137.0.12", `Dev; - "10.137.0.14", `Untrusted; - *) -] +let src = Logs.Src.create "rules" ~doc:"Firewall rules" -(* List your external (non-AppVM) IP addresses here if you want to match on them in the rules below. - Any external machine not listed here will appear as [`External `Unknown]. *) -let externals = [ - (* - "8.8.8.8", `GoogleDNS; - *) -] +module Log = (val Logs.src_log src : Logs.LOG) -(* OCaml normally warns if you don't match all fields, but that's OK here. *) -[@@@ocaml.warning "-9"] +let dns_port = 53 -(** This function decides what to do with a packet from a client VM. +module Classifier = struct + let matches_port dstports (port : int) = + match dstports with + | None -> true + | Some (Q.Range_inclusive (min, max)) -> min <= port && port <= max - It takes as input an argument [info] (of type [Packet.info]) describing the - packet, and returns an action (of type [Packet.action]) to perform. + let matches_proto rule dns_servers packet = + match (rule.Q.proto, rule.Q.specialtarget) with + | None, None -> true + | None, Some `dns + when List.mem packet.ipv4_header.Ipv4_packet.dst dns_servers -> ( + (* specialtarget=dns applies only to the specialtarget destination IPs, and + specialtarget=dns is also implicitly tcp/udp port 53 *) + match packet.transport_header with + | `TCP header -> header.Tcp.Tcp_packet.dst_port = dns_port + | `UDP header -> header.Udp_packet.dst_port = dns_port + | _ -> false) + (* DNS rules can only match traffic headed to the specialtarget hosts, so any other destination + isn't a match for DNS rules *) + | None, Some `dns -> false + | Some rule_proto, _ -> ( + match (rule_proto, packet.transport_header) with + | `tcp, `TCP header -> + matches_port rule.Q.dstports header.Tcp.Tcp_packet.dst_port + | `udp, `UDP header -> + matches_port rule.Q.dstports header.Udp_packet.dst_port + | `icmp, `ICMP header -> ( + match rule.Q.icmp_type with + | None -> true + | Some rule_icmp_type -> + 0 + = compare rule_icmp_type + @@ Icmpv4_wire.ty_to_int header.Icmpv4_packet.ty) + | _, _ -> false) - See packet.ml for the definitions of [info] and [action]. + let matches_dest dns_client rule packet = + let ip = packet.ipv4_header.Ipv4_packet.dst in + match rule.Q.dst with + | `any -> Lwt.return @@ `Match rule + | `hosts subnet -> + Lwt.return + @@ + if Ipaddr.Prefix.mem Ipaddr.(V4 ip) subnet then `Match rule + else `No_match + | `dnsname name -> ( + Log.debug (fun f -> f "Resolving %a" Domain_name.pp name); + dns_client name >|= function + | Ok (_ttl, found_ips) -> + if Ipaddr.V4.Set.mem ip found_ips then `Match rule else `No_match + | Error (`Msg m) -> + Log.warn (fun f -> + f "Ignoring rule %a, could not resolve" Q.pp_rule rule); + Log.debug (fun f -> f "%s" m); + `No_match + | Error _ -> + assert + false (* TODO: fix type of dns_client so that this case can go *)) +end - Note: If the packet matched an existing NAT rule then this isn't called. *) -let from_client (info : ([`Client of _], _) Packet.info) : Packet.action = - match info with - (* Examples (add your own rules here): +let find_first_match dns_client dns_servers packet acc rule = + match acc with + | `No_match -> + if Classifier.matches_proto rule dns_servers packet then + Classifier.matches_dest dns_client rule packet + else Lwt.return `No_match + | q -> Lwt.return q - 1. Allows Dev to send SSH packets to Untrusted. - Note: responses are not covered by this! - 2. Allows Untrusted to reply to Dev. - 3. Blocks an external site. +(* Does the packet match our rules? *) +let classify_client_packet dns_client dns_servers + (packet : ([ `Client of Fw_utils.client_link ], _) Packet.t) = + let (`Client client_link) = packet.src in + let rules = client_link#get_rules in + Lwt_list.fold_left_s + (find_first_match dns_client dns_servers packet) + `No_match rules + >|= function + | `No_match -> `Drop "No matching rule; assuming default drop" + | `Match { Q.action = Q.Accept; _ } -> `Accept + | `Match ({ Q.action = Q.Drop; _ } as rule) -> + `Drop + (Format.asprintf "rule number %a explicitly drops this packet" Q.pp_rule + rule) - In all cases, make sure you've added the VM name to [clients] or [externals] above, or it won't - match anything! *) - (* - | { src = `Client `Dev; dst = `Client `Untrusted; proto = `TCP { dport = 22 } } -> `Accept - | { src = `Client `Untrusted; dst = `Client `Dev; proto = `TCP _; packet } - when not (is_tcp_start packet) -> `Accept - | { dst = `External `GoogleDNS } -> `Drop "block Google DNS" - *) - | { dst = (`External _ | `NetVM) } -> `NAT - | { dst = `Firewall; proto = `UDP { dport = 53 } } -> `NAT_to (`NetVM, 53) - | { dst = `Firewall } -> `Drop "packet addressed to firewall itself" - | { dst = `Client _ } -> `Drop "prevent communication between client VMs by default" +let translate_accepted_packets dns_client dns_servers packet = + classify_client_packet dns_client dns_servers packet >|= function + | `Accept -> `NAT + | `Drop s -> `Drop s -(** Decide what to do with a packet received from the outside world. - Note: If the packet matched an existing NAT rule then this isn't called. *) -let from_netvm (info : ([`NetVM | `External of _], _) Packet.info) : Packet.action = - match info with - | _ -> `Drop "drop by default" +(** Packets from the private interface that don't match any NAT table entry are + being checked against the fw rules here *) +let from_client dns_client dns_servers + (packet : ([ `Client of Fw_utils.client_link ], _) Packet.t) : + Packet.action Lwt.t = + match packet with + | { dst = `External _; _ } | { dst = `NetVM; _ } -> + translate_accepted_packets dns_client dns_servers packet + | { dst = `Firewall; _ } -> + Lwt.return @@ `Drop "packet addressed to firewall itself" + | { dst = `Client _; _ } -> + classify_client_packet dns_client dns_servers packet + | _ -> Lwt.return @@ `Drop "could not classify packet" + +(** Packets from the outside world that don't match any NAT table entry are + being dropped by default *) +let from_netvm (_packet : ([ `NetVM | `External of _ ], _) Packet.t) : + Packet.action Lwt.t = + Lwt.return @@ `Drop "drop by default" diff --git a/test/config.ml b/test/config.ml new file mode 100644 index 0000000..d5589d5 --- /dev/null +++ b/test/config.ml @@ -0,0 +1,33 @@ +open Mirage + +let pin = "git+https://github.com/roburio/alcotest.git#mirage" + +let packages = + [ + package "ethernet"; + package "arp"; + package "arp-mirage"; + package "ipaddr"; + package "tcpip" ~sublibs:[ "stack-direct"; "icmpv4"; "ipv4"; "udp"; "tcp" ]; + package "mirage-qubes"; + package "mirage-qubes-ipv4"; + package "dns-client" ~sublibs:[ "mirage" ]; + package ~pin "alcotest"; + package ~pin "alcotest-mirage"; + ] + +let client = + foreign ~packages "Unikernel.Client" + @@ random @-> time @-> mclock @-> network @-> qubesdb @-> job + +let db = default_qubesdb +let network = default_network + +let () = + let job = + [ + client $ default_random $ default_time $ default_monotonic_clock $ network + $ db; + ] + in + register "http-fetch" job diff --git a/test/test.sh b/test/test.sh new file mode 100755 index 0000000..2971207 --- /dev/null +++ b/test/test.sh @@ -0,0 +1,138 @@ +#!/bin/bash +function explain_commands { + echo "1) Set up test qubes:" +echo "First, set up the test-mirage script from https://github.com/talex5/qubes-test-mirage.git" + +echo "Then, use `qubes-manager` to create two new AppVMs called `mirage-fw-test` and `fetchmotron`. +You can make it standalone or not and use any template (it doesn't matter +because unikernels already contain all their code and don't need to use a disk +to boot)." + +echo "Next, still in dom0, create a new `mirage-fw-test` and `fetchmotron` kernels, with an empty `modules.img` and `vmlinuz` and a compressed empty file for the initramfs, and then set that as the kernel for the new VMs: + + mkdir /var/lib/qubes/vm-kernels/mirage-fw-test + cd /var/lib/qubes/vm-kernels/mirage-fw-test + touch modules.img vmlinuz test-mirage-ok + cat /dev/null | gzip > initramfs + qvm-prefs -s mirage-fw-test kernel mirage-fw-test + + mkdir /var/lib/qubes/vm-kernels/fetchmotron + cd /var/lib/qubes/vm-kernels/fetchmotron + touch modules.img vmlinuz test-mirage-ok + cat /dev/null | gzip > initramfs + qvm-prefs -s fetchmotron kernel fetchmotron +" +} + +function explain_service { +echo "2) Set up rule update service:" +echo "In dom0, make a new service: + +sudo bash +echo /usr/local/bin/update-firewall > /etc/qubes-rpc/yomimono.updateFirewall + +Make a policy file for this service, YOUR_DEV_VM being the qube from which you build (e.g. ocamldev): + +cd /etc/qubes-rpc/policy +cat << EOF >> yomimono.updateFirewall +YOUR_DEV_VM dom0 allow + +copy the update-firewall script: + +cd /usr/local/bin +qvm-run -p YOUR_DEV_VM 'cat /path/to/qubes-mirage-firewall/test/update-firewall.sh' > update-firewall +chmod +x update-firewall + +Now, back to YOUR_DEV_VM. Let's test to change fetchmotron's firewall rules: + +qrexec-client-vm dom0 yomimono.updateFirewall" +} + +function explain_upstream { +echo "Also, start the test services on the upstream NetVM (which is available at 10.137.0.5 from the test unikernel). +For the UDP and TCP reply services: +Install nmap-ncat (to persist this package, install it in your sys-net template VM): + +sudo dnf install nmap-ncat + +Allow incoming traffic from local virtual interfaces on the appropriate ports, +then run the services: + +sudo iptables -I INPUT -i vif+ -p udp --dport $udp_echo_port -j ACCEPT +sudo iptables -I INPUT -i vif+ -p tcp --dport $tcp_echo_port_lower -j ACCEPT +sudo iptables -I INPUT -i vif+ -p tcp --dport $tcp_echo_port_upper -j ACCEPT +ncat -e /bin/cat -k -u -l $udp_echo_port & +ncat -e /bin/cat -k -l $tcp_echo_port_lower & +ncat -e /bin/cat -k -l $tcp_echo_port_upper & +" +} + +if ! [ -x "$(command -v test-mirage)" ]; then + echo 'Error: test-mirage is not installed.' >&2 + explain_commands >&2 + exit 1 +fi +qrexec-client-vm dom0 yomimono.updateFirewall +if [ $? -ne 0 ]; then + echo "Error: can't update firewall rules." >&2 + explain_service >&2 + exit 1 +fi +echo_host=10.137.0.5 +udp_echo_port=1235 +tcp_echo_port_lower=6668 +tcp_echo_port_upper=6670 + +# Pretest that checks if our echo servers work. +# NOTE: we assume the dev qube has the same netvm as fetchmotron. +# If yours is different, this test will fail (comment it out) +function pretest { + protocol=$1 + port=$2 + if [ "$protocol" = "udp" ]; then + udp_arg="-u" + else + udp_arg="" + fi + reply=$(echo hi | nc $udp_arg $echo_host -w 1 $port) + if [ "$reply" != "hi" ]; then + echo "echo hi | nc $udp_arg $echo_host -w 1 $port" + echo "echo services not reachable at $protocol $echo_host:$port" >&2 + explain_upstream >&2 + exit 1 + fi +} + +pretest "udp" "$udp_echo_port" +pretest "tcp" "$tcp_echo_port_lower" +pretest "tcp" "$tcp_echo_port_upper" + +echo "We're gonna set up a unikernel for the mirage-fw-test qube" +cd .. +make clean && \ +#mirage configure -t xen -l "application:error,net-xen xenstore:error,firewall:debug,frameQ:debug,uplink:debug,rules:debug,udp:debug,ipv4:debug,fw-resolver:debug" && \ +mirage configure -t xen -l "net-xen xenstore:error,application:warning,qubes.db:warning" && \ +#mirage configure -t xen -l "*:debug" && \ +make depend && \ +make +if [ $? -ne 0 ]; then + echo "Could not build unikernel for mirage-fw-test qube" >&2 + exit 1 +fi +cd test + +echo "We're gonna set up a unikernel for fetchmotron qube" +make clean && \ +mirage configure -t qubes -l "net-xen frontend:error,firewall test:debug" && \ +#mirage configure -t qubes -l "*:error" && \ +make depend && \ +make +if [ $? -ne 0 ]; then + echo "Could not build unikernel for fetchmotron qube" >&2 + exit 1 +fi + +cd .. +test-mirage qubes_firewall.xen mirage-fw-test & +cd test +test-mirage http_fetch.xen fetchmotron diff --git a/test/unikernel.ml b/test/unikernel.ml new file mode 100644 index 0000000..2a0c23a --- /dev/null +++ b/test/unikernel.ml @@ -0,0 +1,467 @@ +open Lwt.Infix + +(* https://www.qubes-os.org/doc/vm-interface/#firewall-rules-in-4x *) +let src = Logs.Src.create "firewall test" ~doc:"Firewalltest" + +module Log = (val Logs.src_log src : Logs.LOG) + +(* TODO + * things we can have in rule + * - action: + x accept (UDP fetch test) + x drop (TCP connect denied test) + * - proto: + x None (TCP connect denied test) + x TCP (TCP connect test) + x UDP (UDP fetch test) + x ICMP (ping test) + * - specialtarget: + x None (UDP fetch test, TCP connect denied test) + x DNS (TCP connect test, TCP connect denied test) + * - destination: + x Any (TCP connect denied test) + x Some ipv4 host (UDP fetch test) + Some ipv6 host (we can't do this right now) + Some hostname (need a bunch of DNS stuff for that) + * - destination ports: + x none (TCP connect denied test) + x range is one port (UDP fetch test) + x range has different ports in pair + * - icmp type: + x None (TCP connect denied, UDP fetch test) + x query type (ping test) + error type + x - errors related to allowed traffic (does it have a host waiting for it?) + x - directly allowed outbound icmp errors (e.g. for forwarding) + * - number (ordering over rules, to resolve conflicts by precedence) + no overlap between rules, i.e. ordering unimportant + error case: multiple rules with same number? + x conflicting rules (specific accept rules with low numbers, drop all with high number) +*) + +(* Point-to-point links out of a netvm always have this IP TODO clarify with Marek *) +let netvm = "10.137.0.5" + +(* default "nameserver"s, which netvm redirects to whatever its real nameservers are *) +let nameserver_1, nameserver_2 = ("10.139.1.1", "10.139.1.2") + +module Client + (R : Mirage_crypto_rng_mirage.S) + (Time : Mirage_time.S) + (Clock : Mirage_clock.MCLOCK) + (NET : Mirage_net.S) + (DB : Qubes.S.DB) = +struct + module E = Ethernet.Make (NET) + module A = Arp.Make (E) (Time) + module I = Qubesdb_ipv4.Make (DB) (R) (Clock) (E) (A) + module Icmp = Icmpv4.Make (I) + module U = Udp.Make (I) (R) + module T = Tcp.Flow.Make (I) (Time) (Clock) (R) + module Alcotest = Alcotest_mirage.Make (Clock) + + module Stack = struct + (* A Mirage_stack.V4 implementation which diverts DHCP messages to a DHCP + server. The DHCP server needs to get the entire Ethernet frame, because + the Ethernet source address is the address to send replies to, its IPv4 + addresses (source, destination) do not matter (since the DHCP client that + sent this request does not have an IP address yet). ARP cannot be used + by DHCP, because the client does not have an IP address (and thus no ARP + replies). *) + + module UDPV4 = U + module TCPV4 = T + module IPV4 = I + + type t = { + net : NET.t; + eth : E.t; + arp : A.t; + ip : I.t; + icmp : Icmp.t; + udp : U.t; + tcp : T.t; + udp_listeners : (int, U.callback) Hashtbl.t; + tcp_listeners : (int, T.listener) Hashtbl.t; + mutable icmp_listener : + (src:Ipaddr.V4.t -> dst:Ipaddr.V4.t -> Cstruct.t -> unit Lwt.t) option; + } + + let ipv4 { ip; _ } = ip + let udpv4 { udp; _ } = udp + let tcpv4 { tcp; _ } = tcp + let icmpv4 { icmp; _ } = icmp + let listener h port = Hashtbl.find_opt h port + let udp_listener h ~dst_port = listener h dst_port + + let listen_udpv4 { udp_listeners; _ } ~port cb = + Hashtbl.replace udp_listeners port cb + + let stop_listen_udpv4 { udp_listeners; _ } ~port = + Hashtbl.remove udp_listeners port + + let listen_tcpv4 ?keepalive { tcp_listeners; _ } ~port cb = + Hashtbl.replace tcp_listeners port { T.process = cb; T.keepalive } + + let stop_listen_tcpv4 { tcp_listeners; _ } ~port = + Hashtbl.remove tcp_listeners port + + let listen_icmp t cb = t.icmp_listener <- cb + + let listen t = + let ethif_listener = + E.input ~arpv4:(A.input t.arp) + ~ipv4: + (I.input + ~tcp:(T.input t.tcp ~listeners:(listener t.tcp_listeners)) + ~udp:(U.input t.udp ~listeners:(udp_listener t.udp_listeners)) + ~default:(fun ~proto ~src ~dst buf -> + match proto with + | 1 -> ( + match t.icmp_listener with + | None -> Icmp.input t.icmp ~src ~dst buf + | Some cb -> cb ~src ~dst buf) + | _ -> Lwt.return_unit) + t.ip) + ~ipv6:(fun _ -> Lwt.return_unit) + t.eth + in + NET.listen t.net ~header_size:Ethernet_wire.sizeof_ethernet ethif_listener + >>= function + | Error e -> + Logs.warn (fun p -> p "%a" NET.pp_error e); + Lwt.return_unit + | Ok _res -> Lwt.return_unit + + let connect net eth arp ip icmp udp tcp = + { + net; + eth; + arp; + ip; + icmp; + udp; + tcp; + udp_listeners = Hashtbl.create 2; + tcp_listeners = Hashtbl.create 2; + icmp_listener = None; + } + + let disconnect _ = + Logs.warn (fun m -> m "ignoring disconnect"); + Lwt.return_unit + end + + module Dns = Dns_client_mirage.Make (R) (Time) (Clock) (Stack) + + let make_ping_packet payload = + let echo_request = + { + Icmpv4_packet.code = 0; + (* constant for echo request/reply *) + ty = Icmpv4_wire.Echo_request; + subheader = Icmpv4_packet.(Id_and_seq (0, 0)); + } + in + Icmpv4_packet.Marshal.make_cstruct echo_request ~payload + + let is_ping_reply src server packet = + (0 = Ipaddr.V4.(compare src @@ of_string_exn server)) + && packet.Icmpv4_packet.code = 0 + && packet.Icmpv4_packet.ty = Icmpv4_wire.Echo_reply + && packet.Icmpv4_packet.subheader = Icmpv4_packet.(Id_and_seq (0, 0)) + + let ping_denied_listener server resp_received stack = + let icmp_listener ~src ~dst:_ buf = + (* hopefully this is a reply to an ICMP echo request we sent *) + Log.info (fun f -> + f "ping test: ICMP message received from %a: %a" I.pp_ipaddr src + Cstruct.hexdump_pp buf); + match Icmpv4_packet.Unmarshal.of_cstruct buf with + | Error e -> + Log.err (fun f -> f "couldn't parse ICMP packet: %s" e); + Lwt.return_unit + | Ok (packet, _payload) -> + Log.info (fun f -> f "ICMP message: %a" Icmpv4_packet.pp packet); + if is_ping_reply src server packet then resp_received := true; + Lwt.return_unit + in + Stack.listen_icmp stack (Some icmp_listener) + + let ping_expect_failure server stack () = + let resp_received = ref false in + Log.info (fun f -> f "Entering ping test: %s" server); + ping_denied_listener server resp_received stack; + Icmp.write (Stack.icmpv4 stack) + ~dst:(Ipaddr.V4.of_string_exn server) + (make_ping_packet (Cstruct.of_string "hi")) + >>= function + | Error e -> + Log.err (fun f -> f "ping test: error sending ping: %a" Icmp.pp_error e); + Lwt.return_unit + | Ok () -> + Log.info (fun f -> f "ping test: sent ping to %s" server); + Time.sleep_ns 2_000_000_000L >>= fun () -> + if !resp_received then + Log.err (fun f -> + f "ping test failed: server %s got a response, block expected :(" + server) + else Log.err (fun f -> f "ping test passed: successfully blocked :)"); + Stack.listen_icmp stack None; + Lwt.return_unit + + let icmp_error_type stack () = + let resp_correct = ref false in + let echo_server = Ipaddr.V4.of_string_exn netvm in + let icmp_callback ~src ~dst:_ buf = + (if Ipaddr.V4.compare src echo_server = 0 then + (* TODO: check that packet is error packet *) + match Icmpv4_packet.Unmarshal.of_cstruct buf with + | Error e -> Log.err (fun f -> f "Error parsing icmp packet %s" e) + | Ok (packet, _) -> + (* TODO don't hardcode the numbers, make a datatype *) + if + packet.Icmpv4_packet.code + = 10 (* unreachable, admin prohibited *) + then resp_correct := true + else + Log.debug (fun f -> + f "Unrelated icmp packet %a" Icmpv4_packet.pp packet)); + Lwt.return_unit + in + let content = Cstruct.of_string "important data" in + Stack.listen_icmp stack (Some icmp_callback); + U.write ~src_port:1337 ~dst:echo_server ~dst_port:1338 (Stack.udpv4 stack) + content + >>= function + | Ok () -> + (* .. listener: test with accept rule, if we get reply we're good *) + Time.sleep_ns 1_000_000_000L >>= fun () -> + if !resp_correct then + Log.info (fun m -> m "UDP fetch test to port %d succeeded :)" 1338) + else + Log.err (fun f -> + f + "UDP fetch test to port %d: failed. :( correct response not \ + received" + 1338); + Stack.listen_icmp stack None; + Lwt.return_unit + | Error e -> + Log.err (fun f -> + f + "UDP fetch test to port %d failed: :( couldn't write the packet: \ + %a" + 1338 U.pp_error e); + Lwt.return_unit + + let tcp_connect msg server port tcp () = + Log.info (fun f -> f "Entering tcp connect test: %s:%d" server port); + let ip = Ipaddr.V4.of_string_exn server in + let msg' = Printf.sprintf "TCP connect test %s to %s:%d" msg server port in + T.create_connection tcp (ip, port) >>= function + | Ok flow -> + Log.info (fun f -> f "%s passed :)" msg'); + T.close flow + | Error e -> + Log.err (fun f -> + f "%s failed: Connection failed (%a) :(" msg' T.pp_error e); + Lwt.return_unit + + let tcp_connect_denied msg server port tcp () = + let ip = Ipaddr.V4.of_string_exn server in + let msg' = + Printf.sprintf "TCP connect denied test %s to %s:%d" msg server port + in + let connect = + T.create_connection tcp (ip, port) >>= function + | Ok flow -> + Log.err (fun f -> + f "%s failed: Connection should be denied, but was not. :(" msg'); + T.close flow + | Error e -> + Log.info (fun f -> + f "%s passed (error text: %a) :)" msg' T.pp_error e); + Lwt.return_unit + in + let timeout = + Time.sleep_ns 1_000_000_000L >>= fun () -> + Log.info (fun f -> f "%s passed :)" msg'); + Lwt.return_unit + in + Lwt.pick [ connect; timeout ] + + let udp_fetch ~src_port ~echo_server_port stack () = + Log.info (fun f -> + f "Entering udp fetch test: %d -> %s:%d" src_port netvm echo_server_port); + let resp_correct = ref false in + let echo_server = Ipaddr.V4.of_string_exn netvm in + let content = Cstruct.of_string "important data" in + let udp_listener : U.callback = + fun ~src ~dst:_ ~src_port buf -> + Log.debug (fun f -> + f "listen_udpv4 function invoked for packet: %a" Cstruct.hexdump_pp + buf); + if 0 = Ipaddr.V4.compare echo_server src && src_port = echo_server_port + then ( + match Cstruct.equal buf content with + | true -> + (* yay *) + Log.info (fun f -> + f "UDP fetch test to port %d: passed :)" echo_server_port); + resp_correct := true; + Lwt.return_unit + | false -> + (* oh no *) + Log.err (fun f -> + f + "UDP fetch test to port %d: failed. :( Packet corrupted; \ + expected %a but got %a" + echo_server_port Cstruct.hexdump_pp content Cstruct.hexdump_pp + buf); + Lwt.return_unit) + else ( + (* disregard this packet *) + Log.debug (fun f -> + f + "packet is not from the echo server or has the wrong source port \ + (%d but we wanted %d)" + src_port echo_server_port); + (* don't cancel the listener, since we want to keep listening *) + Lwt.return_unit) + in + Stack.listen_udpv4 stack ~port:src_port udp_listener; + U.write ~src_port ~dst:echo_server ~dst_port:echo_server_port + (Stack.udpv4 stack) content + >>= function + | Ok () -> + (* .. listener: test with accept rule, if we get reply we're good *) + Time.sleep_ns 1_000_000_000L >>= fun () -> + Stack.stop_listen_udpv4 stack ~port:src_port; + if !resp_correct then Lwt.return_unit + else ( + Log.err (fun f -> + f + "UDP fetch test to port %d: failed. :( correct response not \ + received" + echo_server_port); + Lwt.return_unit) + | Error e -> + Log.err (fun f -> + f + "UDP fetch test to port %d failed: :( couldn't write the packet: \ + %a" + echo_server_port U.pp_error e); + Lwt.return_unit + + let dns_expect_failure ~nameserver ~hostname stack () = + let lookup = Domain_name.(of_string_exn hostname |> host_exn) in + let nameserver' = (`UDP, (Ipaddr.V4.of_string_exn nameserver, 53)) in + let dns = Dns.create ~nameserver:nameserver' stack in + Dns.gethostbyname dns lookup >>= function + | Error (`Msg s) when String.compare s "Truncated UDP response" <> 0 -> + Log.debug (fun f -> + f "DNS test to %s failed as expected: %s" nameserver s); + Log.info (fun f -> + f "DNS traffic to %s correctly blocked :)" nameserver); + Lwt.return_unit + | Error (`Msg s) -> + Log.debug (fun f -> + f "DNS test to %s failed unexpectedly (truncated response): %s :(" + nameserver s); + Lwt.return_unit + | Ok addr -> + Log.err (fun f -> + f "DNS test to %s should have been blocked, but looked up %s:%a" + nameserver hostname Ipaddr.V4.pp addr); + Lwt.return_unit + + let dns_then_tcp_denied server stack () = + let parsed_server = Domain_name.(of_string_exn server |> host_exn) in + (* ask dns about server *) + Log.debug (fun f -> + f "going to make a dns thing using nameserver %s" nameserver_1); + let dns = + Dns.create + ~nameserver:(`UDP, (Ipaddr.V4.of_string_exn nameserver_1, 53)) + stack + in + Log.debug (fun f -> f "OK, going to look up %s now" server); + Dns.gethostbyname dns parsed_server >>= function + | Error (`Msg s) -> + Log.err (fun f -> f "couldn't look up ip for %s: %s" server s); + Lwt.return_unit + | Ok addr -> + Log.debug (fun f -> + f "looked up ip for %s: %a" server Ipaddr.V4.pp addr); + Log.err (fun f -> f "Do more stuff here!!!! :("); + Lwt.return_unit + + let start _random _time _clock network db = + E.connect network >>= fun ethernet -> + A.connect ethernet >>= fun arp -> + I.connect db ethernet arp >>= fun ipv4 -> + Icmp.connect ipv4 >>= fun icmp -> + U.connect ipv4 >>= fun udp -> + T.connect ipv4 >>= fun tcp -> + let stack = Stack.connect network ethernet arp ipv4 icmp udp tcp in + Lwt.async (fun () -> Stack.listen stack); + + (* put this first because tcp_connect_denied tests also generate icmp messages *) + let general_tests : unit Alcotest.test = + ( "firewall tests", + [ + ( "UDP fetch", + `Quick, + udp_fetch ~src_port:9090 ~echo_server_port:1235 stack ); + ("Ping expect failure", `Quick, ping_expect_failure "8.8.8.8" stack); + (* TODO: ping_expect_success to the netvm, for which we have an icmptype rule in update-firewall.sh *) + ("ICMP error type", `Quick, icmp_error_type stack); + ] ) + in + Alcotest.run ~and_exit:false "name" [ general_tests ] >>= fun () -> + let tcp_tests : unit Alcotest.test = + ( "tcp tests", + [ + (* this test fails on 4.0R3 + ("TCP connect", `Quick, tcp_connect "when trying specialtarget" nameserver_1 53 tcp); *) + ("TCP connect", `Quick, tcp_connect_denied "" netvm 53 tcp); + ( "TCP connect", + `Quick, + tcp_connect_denied "when trying below range" netvm 6667 tcp ); + ( "TCP connect", + `Quick, + tcp_connect "when trying lower bound in range" netvm 6668 tcp ); + ( "TCP connect", + `Quick, + tcp_connect "when trying upper bound in range" netvm 6670 tcp ); + ( "TCP connect", + `Quick, + tcp_connect_denied "when trying above range" netvm 6671 tcp ); + ("TCP connect", `Quick, tcp_connect_denied "" netvm 8082 tcp); + ] ) + in + + (* replace the udp-related listeners with the right one for tcp *) + Alcotest.run "name" [ tcp_tests ] >>= fun () -> + (* use the stack abstraction only after the other tests have run, since it's not friendly with outside use of its modules *) + let stack_tests = + ( "stack tests", + [ + ( "DNS expect failure", + `Quick, + dns_expect_failure ~nameserver:"8.8.8.8" ~hostname:"mirage.io" stack + ); + (* the test below won't work on @linse's internet, + * because the nameserver there doesn't answer on TCP port 53, + * only UDP port 53. Dns_mirage_client.ml disregards our request + * to use UDP and uses TCP anyway, so this request can never work there. *) + (* If we can figure out a way to have this test unikernel do a UDP lookup with minimal pain, + * we should re-enable this test. *) + ( "DNS lookup + TCP connect", + `Quick, + dns_then_tcp_denied "google.com" stack ); + ] ) + in + Alcotest.run "name" [ stack_tests ] +end diff --git a/test/update-firewall.sh b/test/update-firewall.sh new file mode 100644 index 0000000..fcfaac4 --- /dev/null +++ b/test/update-firewall.sh @@ -0,0 +1,54 @@ +#!/bin/sh + +# this script sets a deny-all rule for a particular VM, set here as TEST_VM. +# it is intended to be used as part of a test suite which analyzes whether +# an upstream FirewallVM correctly applies rule changes when they occur. + +# Copy this script into dom0 at /usr/local/bin/update-firewall.sh so it can be +# remotely triggered by your development VM as part of the firewall testing +# script. + +TEST_VM=fetchmotron + +#echo "Current $TEST_VM firewall rules:" +#qvm-firewall $TEST_VM list + +echo "Removing $TEST_VM rules..." +rc=0 +while [ "$rc" = "0" ]; do + qvm-firewall $TEST_VM del --rule-no 0 + rc=$? +done + +#echo "$TEST_VM firewall rules are now:" +#qvm-firewall $TEST_VM list + +#echo "Setting $TEST_VM specialtarget=dns rule:" +qvm-firewall $TEST_VM add accept specialtarget=dns + +#echo "Setting $TEST_VM allow rule for UDP port 1235 to 10.137.0.5:" +qvm-firewall $TEST_VM add accept 10.137.0.5 udp 1235 + +#echo "Setting $TEST_VM allow rule for UDP port 1338 to 10.137.0.5:" +qvm-firewall $TEST_VM add accept 10.137.0.5 udp 1338 + +#echo "Setting $TEST_VM allow rule for TCP port 6668-6670 to 10.137.0.5:" +qvm-firewall $TEST_VM add accept 10.137.0.5 tcp 6668-6670 + +#echo "Setting $TEST_VM allow rule for ICMP type 8 (ping) to 10.137.0.5:" +qvm-firewall $TEST_VM add accept 10.137.0.5 icmp icmptype=8 + +#echo "Setting $TEST_VM allow rule for bogus.linse.me:" +qvm-firewall $TEST_VM add accept dsthost=bogus.linse.me + +#echo "Setting deny rule to host google.com:" +qvm-firewall $TEST_VM add drop dsthost=google.com + +#echo "Setting allow-all on port 443 rule:" +qvm-firewall $TEST_VM add accept proto=tcp dstports=443-443 + +#echo "Setting $TEST_VM deny-all rule:" +qvm-firewall $TEST_VM add drop + +echo "$TEST_VM firewall rules are now:" +qvm-firewall $TEST_VM list diff --git a/unikernel.ml b/unikernel.ml index 84cac6d..51841ae 100644 --- a/unikernel.ml +++ b/unikernel.ml @@ -3,83 +3,124 @@ open Lwt open Qubes +open Cmdliner let src = Logs.Src.create "unikernel" ~doc:"Main unikernel code" + module Log = (val Logs.src_log src : Logs.LOG) -module Main (Clock : Mirage_clock_lwt.MCLOCK) = struct - module Uplink = Uplink.Make(Clock) +let nat_table_size = + let doc = + Arg.info ~doc:"The number of NAT entries to allocate." [ "nat-table-size" ] + in + Mirage_runtime.register_arg Arg.(value & opt int 5_000 doc) - (* Set up networking and listen for incoming packets. *) - let network ~clock nat qubesDB = - (* Read configuration from QubesDB *) - Dao.read_network_config qubesDB >>= fun config -> - (* Initialise connection to NetVM *) - Uplink.connect ~clock config >>= fun uplink -> - (* Report success *) - Dao.set_iptables_error qubesDB "" >>= fun () -> - (* Set up client-side networking *) - let client_eth = Client_eth.create - ~client_gw:config.Dao.clients_our_ip in - (* Set up routing between networks and hosts *) - let router = Router.create - ~client_eth - ~uplink:(Uplink.interface uplink) - ~nat - in - (* Handle packets from both networks *) - Lwt.choose [ - Client_net.listen router; - Uplink.listen uplink router +let ipv4 = + let doc = Arg.info ~doc:"Manual IP setting." [ "ipv4" ] in + Mirage_runtime.register_arg Arg.(value & opt string "0.0.0.0" doc) + +let ipv4_gw = + let doc = Arg.info ~doc:"Manual Gateway IP setting." [ "ipv4-gw" ] in + Mirage_runtime.register_arg Arg.(value & opt string "0.0.0.0" doc) + +let ipv4_dns = + let doc = Arg.info ~doc:"Manual DNS IP setting." [ "ipv4-dns" ] in + Mirage_runtime.register_arg Arg.(value & opt string "10.139.1.1" doc) + +let ipv4_dns2 = + let doc = Arg.info ~doc:"Manual Second DNS IP setting." [ "ipv4-dns2" ] in + Mirage_runtime.register_arg Arg.(value & opt string "10.139.1.2" doc) + +module Dns_client = Dns_client.Make (My_dns) + +(* Set up networking and listen for incoming packets. *) +let network dns_client dns_responses dns_servers qubesDB router = + (* Report success *) + Dao.set_iptables_error qubesDB "" >>= fun () -> + (* Handle packets from both networks *) + Lwt.choose + [ + Dispatcher.wait_clients Mirage_mtime.elapsed_ns dns_client dns_servers + qubesDB router; + Dispatcher.uplink_wait_update qubesDB router; + Dispatcher.uplink_listen Mirage_mtime.elapsed_ns dns_responses router; ] - (* We don't use the GUI, but it's interesting to keep an eye on it. - If the other end dies, don't let it take us with it (can happen on logout). *) - let watch_gui gui = - Lwt.async (fun () -> - Lwt.try_bind - (fun () -> - gui >>= fun gui -> - Log.info (fun f -> f "GUI agent connected"); - GUI.listen gui - ) - (fun `Cant_happen -> assert false) - (fun ex -> - Log.warn (fun f -> f "GUI thread failed: %s" (Printexc.to_string ex)); - return () - ) - ) +(* Main unikernel entry point (called from auto-generated main.ml). *) +let start () = + let open Lwt.Syntax in + let start_time = Mirage_mtime.elapsed_ns () in + (* Start qrexec agent and QubesDB agent in parallel *) + let* qrexec = RExec.connect ~domid:0 () in + let agent_listener = RExec.listen qrexec Command.handler in + let* qubesDB = DB.connect ~domid:0 () in + let startup_time = + let ( - ) = Int64.sub in + let time_in_ns = Mirage_mtime.elapsed_ns () - start_time in + Int64.to_float time_in_ns /. 1e9 + in + Log.info (fun f -> + f "QubesDB and qrexec agents connected in %.3f s" startup_time); + (* Watch for shutdown requests from Qubes *) + let shutdown_rq = + Xen_os.Lifecycle.await_shutdown_request () >>= fun (`Poweroff | `Reboot) -> + Lwt.return_unit + in + (* Set up networking *) + let nat = My_nat.create ~max_entries:(nat_table_size ()) in - (* Main unikernel entry point (called from auto-generated main.ml). *) - let start clock = - let start_time = Clock.elapsed_ns clock in - (* Start qrexec agent, GUI agent and QubesDB agent in parallel *) - let qrexec = RExec.connect ~domid:0 () in - GUI.connect ~domid:0 () |> watch_gui; - let qubesDB = DB.connect ~domid:0 () in - (* Wait for clients to connect *) - qrexec >>= fun qrexec -> - let agent_listener = RExec.listen qrexec Command.handler in - qubesDB >>= fun qubesDB -> - let startup_time = - let (-) = Int64.sub in - let time_in_ns = Clock.elapsed_ns clock - start_time in - Int64.to_float time_in_ns /. 1e9 - in - Log.info (fun f -> f "QubesDB and qrexec agents connected in %.3f s" startup_time); - (* Watch for shutdown requests from Qubes *) - let shutdown_rq = - OS.Lifecycle.await_shutdown_request () >>= fun (`Poweroff | `Reboot) -> - return () in - (* Set up networking *) - let get_time () = Clock.elapsed_ns clock in - let max_entries = Key_gen.nat_table_size () in - My_nat.create ~get_time ~max_entries >>= fun nat -> - let net_listener = network ~clock nat qubesDB in - (* Report memory usage to XenStore *) - Memory_pressure.init (); - (* Run until something fails or we get a shutdown request. *) - Lwt.choose [agent_listener; net_listener; shutdown_rq] >>= fun () -> - (* Give the console daemon time to show any final log messages. *) - OS.Time.sleep_ns (1.0 *. 1e9 |> Int64.of_float) -end + let netvm_ip = Ipaddr.V4.of_string_exn (ipv4_gw ()) in + let our_ip = Ipaddr.V4.of_string_exn (ipv4 ()) in + let dns = Ipaddr.V4.of_string_exn (ipv4_dns ()) in + let dns2 = Ipaddr.V4.of_string_exn (ipv4_dns2 ()) in + + let zero_ip = Ipaddr.V4.any in + + let network_config = + if netvm_ip = zero_ip && our_ip = zero_ip then ( + (* Read network configuration from QubesDB *) + Dao.read_network_config qubesDB + >>= fun config -> + if config.netvm_ip = zero_ip || config.our_ip = zero_ip then + Log.info (fun f -> + f + "We currently have no netvm nor command line for setting it up, \ + aborting..."); + assert (config.netvm_ip <> zero_ip && config.our_ip <> zero_ip); + Lwt.return config) + else + let config : Dao.network_config = + { from_cmdline = true; netvm_ip; our_ip; dns; dns2 } + in + Lwt.return config + in + network_config >>= fun config -> + (* We now must have a valid netvm IP address and our IP address or crash *) + Dao.print_network_config config; + + (* Set up client-side networking *) + let* clients = Client_eth.create config in + + (* Set up routing between networks and hosts *) + let router = Dispatcher.create ~config ~clients ~nat ~uplink:None in + + let send_dns_query = Dispatcher.send_dns_client_query router in + let dns_mvar = Lwt_mvar.create_empty () in + let nameservers = (`Udp, [ (config.Dao.dns, 53); (config.Dao.dns2, 53) ]) in + let dns_client = + Dns_client.create ~nameservers (router, send_dns_query, dns_mvar) + in + + let dns_servers = [ config.Dao.dns; config.Dao.dns2 ] in + let net_listener = + network + (Dns_client.getaddrinfo dns_client Dns.Rr_map.A) + dns_mvar dns_servers qubesDB router + in + + (* Report memory usage to XenStore *) + Memory_pressure.init (); + (* Run until something fails or we get a shutdown request. *) + Lwt.choose [ agent_listener; net_listener; shutdown_rq ] >>= fun () -> + (* Give the console daemon time to show any final log messages. *) + Mirage_sleep.ns (1.0 *. 1e9 |> Int64.of_float) diff --git a/uplink.ml b/uplink.ml deleted file mode 100644 index 06d4df3..0000000 --- a/uplink.ml +++ /dev/null @@ -1,71 +0,0 @@ -(* Copyright (C) 2015, Thomas Leonard - See the README file for details. *) - -open Lwt.Infix -open Fw_utils - -module Eth = Ethernet.Make(Netif) - -let src = Logs.Src.create "uplink" ~doc:"Network connection to NetVM" -module Log = (val Logs.src_log src : Logs.LOG) - -module Make(Clock : Mirage_clock_lwt.MCLOCK) = struct - module Arp = Arp.Make(Eth)(OS.Time) - - type t = { - net : Netif.t; - eth : Eth.t; - arp : Arp.t; - interface : interface; - } - - class netvm_iface eth mac ~my_ip ~other_ip : interface = object - val queue = FrameQ.create (Ipaddr.V4.to_string other_ip) - method my_mac = Eth.mac eth - method my_ip = my_ip - method other_ip = other_ip - method writev ethertype fillfn = - FrameQ.send queue (fun () -> - mac >>= fun dst -> - Eth.write eth dst ethertype fillfn >|= or_raise "Write to uplink" Eth.pp_error - ) - end - - let listen t router = - Netif.listen t.net ~header_size:Ethernet_wire.sizeof_ethernet (fun frame -> - (* Handle one Ethernet frame from NetVM *) - Eth.input t.eth - ~arpv4:(Arp.input t.arp) - ~ipv4:(fun ip -> - match Nat_packet.of_ipv4_packet ip with - | exception ex -> - Log.err (fun f -> f "Error unmarshalling ethernet frame from uplink: %s@.%a" (Printexc.to_string ex) - Cstruct.hexdump_pp frame - ); - Lwt.return_unit - | Error e -> - Log.warn (fun f -> f "Ignored unknown IPv4 message from uplink: %a" Nat_packet.pp_error e); - Lwt.return () - | Ok packet -> - Firewall.ipv4_from_netvm router packet - ) - ~ipv6:(fun _ip -> return ()) - frame - ) >|= or_raise "Uplink listen loop" Netif.pp_error - - let interface t = t.interface - - let connect ~clock:_ config = - let ip = config.Dao.uplink_our_ip in - Netif.connect "0" >>= fun net -> - Eth.connect net >>= fun eth -> - Arp.connect eth >>= fun arp -> - Arp.add_ip arp ip >>= fun () -> - let netvm_mac = - Arp.query arp config.Dao.uplink_netvm_ip - >|= or_raise "Getting MAC of our NetVM" Arp.pp_error in - let interface = new netvm_iface eth netvm_mac - ~my_ip:ip - ~other_ip:config.Dao.uplink_netvm_ip in - return { net; eth; arp; interface } -end diff --git a/uplink.mli b/uplink.mli deleted file mode 100644 index 6e2f5f4..0000000 --- a/uplink.mli +++ /dev/null @@ -1,19 +0,0 @@ -(* Copyright (C) 2015, Thomas Leonard - See the README file for details. *) - -(** The link from us to NetVM (and, through that, to the outside world). *) - -open Fw_utils - -module Make(Clock : Mirage_clock_lwt.MCLOCK) : sig - type t - - val connect : clock:Clock.t -> Dao.network_config -> t Lwt.t - (** Connect to our NetVM (gateway). *) - - val interface : t -> interface - (** The network interface to NetVM. *) - - val listen : t -> Router.t -> unit Lwt.t - (** Handle incoming frames from NetVM. *) -end