Previously we passed in the interface, from which it was possible (but a little difficult) to extract the IP address and compare with some predefined ones. Now, we allow the user to list IP addresses and named tags for them, which can be matched on easily. Added example rules showing how to block access to an external service or allow SSH between AppVMs. Requested at https://groups.google.com/d/msg/qubes-users/BnL0nZGpJOE/61HOBg1rCgAJ.
(* Copyright (C) 2015, Thomas Leonard <thomas.leonard@unikernel.com>
   See the README file for details. *)
open Fw_utils
(* A transport-layer port number. This is a plain [int]: nothing in this
   module checks the 0..65535 range, so that is assumed to be the packet
   parser's job (not visible here). *)
type port = int

(* Source and destination ports of a TCP or UDP packet.
   NOTE(review): [sport] is chosen by the sender, so a rule that grants
   access based on the source port trusts the peer; [dport] is the field
   access decisions should normally key on. *)
type ports = {
  sport : port;  (* source port *)
  dport : port;  (* destination port *)
}
(* Where a packet comes from or is going to, as classified by the firewall.
   Only [`Client] and [`External] carry data; the other three are the
   firewall's fixed peers.
   NOTE(review): [`Client_gateway] and [`Firewall_uplink] are presumably the
   firewall's own addresses on the client and uplink sides — confirm against
   the classification code in the caller. *)
type host =
  [ `Client of client_link    (* a VM attached to this firewall *)
  | `Client_gateway
  | `Firewall_uplink
  | `NetVM                    (* the upstream NetVM *)
  | `External of Ipaddr.t     (* beyond the NetVM; the address is kept so
                                 rules can match on it *)
  ]
(* Everything a rule gets to see about one packet.
   ['a] is the type used for the endpoints: either [host] itself, or the
   result of applying [Rules.clients] / [Rules.externals] to a [host]
   (those presumably narrow the endpoint view before rules are evaluated).
   NOTE(review): a rule set that only matches [`TCP]/[`UDP]/[`ICMP] must
   decide explicitly what happens to [`Unknown]; confirm that the default
   in the rules module is to drop rather than pass. *)
type 'a info = {
  packet : Nat_packet.t;  (* the parsed packet itself *)
  src : 'a;               (* sender, as classified *)
  dst : 'a;               (* intended receiver, as classified *)
  proto : [ `UDP of ports | `TCP of ports | `ICMP | `Unknown ];
    (* transport protocol, with its port pair for UDP and TCP;
       [`Unknown] covers anything that is none of the three *)
}
(* [is_tcp_start packet] is [true] when [packet] is an IPv4 TCP segment with
   SYN set and ACK clear, i.e. the opening step of a three-way handshake.
   Only the SYN and ACK bits are inspected: a SYN+ACK (the second handshake
   step) is not a start, while a segment that also carries RST or FIN next to
   a bare SYN is still reported as one. Anything that is not IPv4/TCP is
   never a start. Callers presumably use this to decide whether connection-
   start rules apply — confirm in the rule evaluation code. *)
let is_tcp_start packet =
  match packet with
  | `IPv4 (_, `TCP (tcp_hdr, _)) ->
    let open Tcp.Tcp_packet in
    tcp_hdr.syn && not tcp_hdr.ack
  | _ -> false