Before, we used Client_gateway for the IP address of the firewall on the client network and Firewall_uplink for its address on the uplink network. However, Qubes 4 uses the same IP address for both, so we can't separate these any longer, and there doesn't seem to be any advantage to keeping them separate anyway.
(* Copyright (C) 2015, Thomas Leonard <thomas.leonard@unikernel.com>
See the README file for details. *)
open Fw_utils
(* A TCP or UDP port number.  This is a plain [int] alias: the type itself
   does not restrict the value to the 0-65535 range, so any range check
   has to happen wherever a [port] is constructed. *)
type port = int
(* The transport-layer endpoints of a TCP or UDP segment. *)
type ports = {
  sport : port; (* Source port *)
  dport : port; (* Destination *)
}
(* Where a packet comes from or is going to, as seen by the firewall.
   [`Client] carries a [client_link] (presumably from [Fw_utils], opened
   above -- not visible here), [`Firewall] is this unikernel itself,
   [`NetVM] is the upstream network VM and [`External] is any other
   address, carried as an [Ipaddr.t].
   The variant is closed, so a [match] over it can be exhaustive. *)
type host =
  [ `Client of client_link | `Firewall | `NetVM | `External of Ipaddr.t ]
(* A packet together with its classified endpoints.  ['src] and ['dst] are
   type parameters rather than fixed to [host], presumably so that callers
   can narrow them to a subset of [host] once they know more about the
   packet; confirm against the call sites. *)
type ('src, 'dst) info = {
  packet : Nat_packet.t; (* The parsed packet (type comes from the NAT library). *)
  src : 'src;            (* Sender. *)
  dst : 'dst;            (* Intended receiver. *)
  proto : [ `UDP of ports | `TCP of ports | `ICMP | `Unknown ];
  (* Transport protocol; ports are only available for TCP and UDP.
     [`Unknown] covers every other IP protocol. *)
}
(* [is_tcp_start packet] is [true] only for an IPv4 TCP segment whose SYN
   flag is set and whose ACK flag is clear, i.e. the opening segment of a
   TCP handshake.  Only those two flag bits are inspected -- no connection
   state is consulted -- and anything that is not IPv4/TCP yields [false]. *)
let is_tcp_start packet =
  match packet with
  | `IPv4 (_, `TCP (header, _)) ->
    let open Tcp.Tcp_packet in
    header.syn && not header.ack
  | _ -> false
(* The possible actions we can take for a packet.
   The variant is closed (exact bounds), so code that decides what to do
   with a packet can match it exhaustively and the compiler will flag any
   action added later that is not handled. *)
type action = [
  | `Accept (* Send the packet to its destination. *)
  | `NAT (* Rewrite the packet's source field so packet appears to
            have come from the firewall, via an unused port.
            Also, add NAT rules so related packets will be translated accordingly. *)
  | `NAT_to of host * port (* As for [`NAT], but also rewrite the packet's
                              destination fields so it will be sent to [host:port]. *)
  | `Drop of string (* Drop the packet and log the given reason.
                       The string is only a human-readable explanation for
                       the log; it carries no other meaning here. *)
]