fix: port forward validate values from DomUs

Ben Grande 2024-01-29 12:06:33 +01:00
parent cb4ff00113
commit 30f2ebe4ce


@ -24,6 +24,50 @@ create_net_dir(){
run_qube "${qube}" mkdir -p "${hook_dir}" run_qube "${qube}" mkdir -p "${hook_dir}"
} }
validate_handle(){
qube="${1}"
untrusted_handle="${2}"
case "${untrusted_handle}" in
""|*[!0-9]*)
echo "error: ${qube}: invalid handle" >&2
exit 1
;;
esac
}
validate_ipv4(){
qube="${1}"
untrusted_ip="${2}"
case "${untrusted_ip}" in
""|*[!0-9./]*)
echo "error: ${qube}: invalid IPv4 address" >&2
exit 1
;;
esac
}
validate_ipv6(){
qube="${1}"
untrusted_ip="${2}"
case "${untrusted_ip}" in
""|*[!0-9a-f:/]*)
echo "error: ${qube}: invalid IPv6 address" >&2
exit 1
;;
esac
}
validate_dev(){
qube="${1}"
untrusted_dev="${2}"
case "${untrusted_dev}" in
""|*[!0-9A-Za-z]*)
echo "error: ${qube}: invalid device name" >&2
exit 1
;;
esac
}
get_rule_handle(){ get_rule_handle(){
qube="${1}" qube="${1}"
chain="${2}" chain="${2}"
@ -42,10 +86,13 @@ delete_rule(){
qube="${1}" qube="${1}"
chain="${2}" chain="${2}"
rule="${3}" rule="${3}"
handle="$(get_rule_handle "${qube}" "${chain}" "${rule}")" untrusted_handle_list="$(get_rule_handle "${qube}" "${chain}" "${rule}")"
if test -n "${handle}"; then if test -n "${untrusted_handle_list}"; then
for h in ${handle}; do for untrusted_handle in ${untrusted_handle_list}; do
delete_rule_handle "${qube}" "${chain}" "${h}" unset handle
validate_handle "${qube}" "${untrusted_handle}"
handle="${untrusted_handle}"
delete_rule_handle "${qube}" "${chain}" "${handle}"
done done
fi fi
} }
@ -55,11 +102,19 @@ forward() {
to_qube="${2}" to_qube="${2}"
create_net_dir "${from_qube}" create_net_dir "${from_qube}"
unset dev
## TODO: Handle multiple interfaces in upstream. ## TODO: Handle multiple interfaces in upstream.
dev="$(run_qube "${from_qube}" ip -4 r \ untrusted_dev="$(run_qube "${from_qube}" ip -4 route \
| awk '/^default via /{print $5}' | head -1)" | awk '/^default via /{print $5}' | head -1)"
from_ip="$(run_qube "${from_qube}" ip -4 -o a show dev "${dev}" \ validate_dev "${from_qube}" "${untrusted_dev}"
| awk '{print $4}' | cut -d "/" -f 1)" dev="${untrusted_dev}"
unset from_ip
untrusted_from_ip="$(run_qube "${from_qube}" ip -4 -o addr show dev \
"${dev}" | awk '{print $4}' | cut -d "/" -f 1)"
validate_ipv4 "${from_qube}" "${untrusted_from_ip}"
from_ip="${untrusted_from_ip}"
to_ip="$(qvm-prefs --get -- "${to_qube}" ip)" to_ip="$(qvm-prefs --get -- "${to_qube}" ip)"
to_ip_escaped="$(echo "${to_ip}" | tr "." "-")" to_ip_escaped="$(echo "${to_ip}" | tr "." "-")"
hook="${hook_prefix}${to_ip}-${proto}-${port}.sh" hook="${hook_prefix}${to_ip}-${proto}-${port}.sh"
@ -161,15 +216,25 @@ ${input_rule}"
get_lan(){ get_lan(){
qube="${1}" qube="${1}"
unset dev
## TODO: Handle multiple interfaces in upstream. ## TODO: Handle multiple interfaces in upstream.
dev="$(run_qube "${qube}" ip -4 route \ untrusted_dev="$(run_qube "${qube}" ip -4 route \
| awk '/^default via /{print $5}' | head -1)" | awk '/^default via /{print $5}' | head -1)"
validate_dev "${qube}" "${untrusted_dev}"
dev="${untrusted_dev}"
if test -z "${dev}"; then if test -z "${dev}"; then
echo "error: ${qube}: could not find any device that is up" >&2 echo "error: ${qube}: could not find any device that is up" >&2
exit 1 exit 1
fi fi
lan_ip="$(run_qube "${qube}" ip -4 r show dev "${dev}" prot kernel \
| cut -d " " -f 1)" unset lan_ip
untrusted_lan_ip="$(run_qube "${qube}" ip -4 route show dev "${dev}" \
prot kernel | cut -d " " -f 1)"
validate_ipv4 "${qube}" "${untrusted_lan_ip}"
lan_ip="${untrusted_lan_ip}"
if test -z "${lan_ip}"; then if test -z "${lan_ip}"; then
echo "error: ${qube}: could not find LAN from device ${dev}" >&2 echo "error: ${qube}: could not find LAN from device ${dev}" >&2
exit 1 exit 1
@ -179,7 +244,7 @@ get_lan(){
test_qvm_run(){ test_qvm_run(){
qube="${1}" qube="${1}"
if ! run_qube "${qube}" echo "Test QUBESRPC" >/dev/null 2>&1; then if ! run_qube "${qube}" echo "Test QUBESRPC" >/dev/null 2>&1; then
echo "error: ${qube}: could not connect to qubes.VMShell, use a different qube" >&2 echo "error: ${qube}: service qubes.VMShell failed, use a different qube" >&2
exit 1 exit 1
fi fi
} }
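Review bot: validate_ipv4, validate_ipv6 and validate_dev are character allowlists rather than format checks, so a value such as `...` or `1/2/3` returned by a DomU still passes validate_ipv4 and is assigned to `from_ip` or `lan_ip`. That keeps shell and rule-syntax metacharacters out, but the names promise more; I would either state the limit in a comment above each validator, e.g. `## Character allowlist only; does not prove the value is a well-formed address.`, or tighten the patterns. The bracket ranges (`a-f`, `A-Za-z`) are locale-dependent in some shells, so unless the script already sets it outside this view, `LC_ALL=C` should be in effect when these run. Separately, every validator rejects the empty string, so the `test -z "${dev}"` and `test -z "${lan_ip}"` branches in get_lan can no longer be reached and their more specific error messages are lost.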