mirror of
https://github.com/mirage/qubes-mirage-firewall.git
synced 2025-01-15 17:17:08 -05:00
a7001a70d2
We previously assumed that Qubes would always give clients IP addresses on a particular network. However, it is not required to do this and in fact uses a different network for disposable VMs. With this change:

- We no longer reject clients with unknown IP addresses.
- The `Unknown_client` classification is gone; we have no way to tell the difference between a client that isn't connected and an external address.
- We now consider every client to be on a point-to-point link and do not answer ARP requests on behalf of other clients. Clients should assume their netmask is 255.255.255.255 (and ignore /qubes-netmask).

This is a partial fix for #9. It allows disposable VMs to connect to the firewall but for some reason they don't process any frames we send them (we get their ARP requests but they don't get our replies). Taking eth0 down in the disp VM, then bringing it back up (and re-adding the routes) allows it to work.
40 lines
1.4 KiB
OCaml
```ocaml
(* Copyright (C) 2015, Thomas Leonard <thomas.leonard@unikernel.com>
   See the README file for details. *)

(** Put your firewall rules here. *)

open Packet

(* OCaml normally warns if you don't match all fields, but that's OK here. *)
[@@@ocaml.warning "-9"]

(** {2 Actions}

    The possible actions are:

    - [`Accept] : Send the packet to its destination.

    - [`NAT] : Rewrite the packet's source field so packet appears to
      have come from the firewall, via an unused port.
      Also, add NAT rules so related packets will be translated accordingly.

    - [`NAT_to (host, port)] :
      As for [`NAT], but also rewrite the packet's destination fields so it
      will be sent to [host:port].

    - [`Drop reason] drop the packet and log the reason.
*)

(** Decide what to do with a packet from a client VM.

    Note: If the packet matched an existing NAT rule then this isn't called. *)
let from_client = function
  | { dst = (`External _ | `NetVM) } -> `NAT
  | { dst = `Client_gateway; proto = `UDP { dport = 53 } } -> `NAT_to (`NetVM, 53)
  | { dst = (`Client_gateway | `Firewall_uplink) } -> `Drop "packet addressed to firewall itself"
  | { dst = `Client _ } -> `Drop "prevent communication between client VMs"

(** Decide what to do with a packet received from the outside world.

    Note: If the packet matched an existing NAT rule then this isn't called. *)
let from_netvm = function
  | _ -> `Drop "drop by default"
```
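To check what the policy above actually decides before deploying it, here is an added example (not code from the qubes-mirage-firewall repository). It assumes a minimal stand-in for the `Packet` module, which is not shown on this page, and runs the unchanged rules over constructed sample packets; the file name `rules_check.ml` is hypothetical.

```ocaml
(* Added example, not part of qubes-mirage-firewall. The real [Packet] module
   is not shown on this page, so a minimal stand-in is assumed here with only
   the shapes the rules above pattern-match on (hosts carry plain strings). *)
type ports = { sport : int; dport : int }
type proto = [ `TCP of ports | `UDP of ports | `Unknown of int ]
type host = [ `Client of string | `Client_gateway | `Firewall_uplink
            | `NetVM | `External of string ]
type packet = { src : host; dst : host; proto : proto }

[@@@ocaml.warning "-9"]

(* The policy from rules.ml above, copied unchanged. *)
let from_client = function
  | { dst = (`External _ | `NetVM) } -> `NAT
  | { dst = `Client_gateway; proto = `UDP { dport = 53 } } -> `NAT_to (`NetVM, 53)
  | { dst = (`Client_gateway | `Firewall_uplink) } -> `Drop "packet addressed to firewall itself"
  | { dst = `Client _ } -> `Drop "prevent communication between client VMs"

let from_netvm = function
  | _ -> `Drop "drop by default"

let show_host = function
  | `Client ip -> "Client " ^ ip | `Client_gateway -> "Client_gateway"
  | `Firewall_uplink -> "Firewall_uplink" | `NetVM -> "NetVM"
  | `External ip -> "External " ^ ip

let show_action = function
  | `Accept -> "Accept"
  | `NAT -> "NAT"
  | `NAT_to (h, port) -> Printf.sprintf "NAT_to %s:%d" (show_host h) port
  | `Drop reason -> "Drop (" ^ reason ^ ")"

(* Constructed sample traffic; the addresses are placeholders, not real hosts. *)
let vm1 = `Client "10.137.0.11"
let udp dport = `UDP { sport = 40000; dport }
let tcp dport = `TCP { sport = 40001; dport }
let cases = [
  "vm1 -> external https", from_client { src = vm1; dst = `External "203.0.113.10"; proto = tcp 443 };
  "vm1 -> gateway DNS",    from_client { src = vm1; dst = `Client_gateway; proto = udp 53 };
  "vm1 -> gateway NTP",    from_client { src = vm1; dst = `Client_gateway; proto = udp 123 };
  "vm1 -> vm2 ssh",        from_client { src = vm1; dst = `Client "10.137.0.12"; proto = tcp 22 };
  "internet -> vm1 ssh",   from_netvm { src = `External "198.51.100.7"; dst = vm1; proto = tcp 22 };
]

(* Only the DNS flow is redirected to the NetVM; everything else aimed at the
   firewall, at another client VM, or arriving unsolicited from outside is dropped. *)
let () =
  List.iter (fun (label, act) -> Printf.printf "%-22s -> %s\n" label (show_action act)) cases
```

Run it with `ocaml rules_check.ml`; changing a rule and re-running shows immediately which sample flows change decision.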