diff --git a/build.parameters b/build.parameters index b6a422e..1d94220 100644 --- a/build.parameters +++ b/build.parameters @@ -1 +1 @@ -["RELEASE": "25 34"] +["RELEASE": "32 34 35"] diff --git a/qubes-network-server.spec b/qubes-network-server.spec index fd2db57..6847784 100644 --- a/qubes-network-server.spec +++ b/qubes-network-server.spec @@ -3,7 +3,7 @@ %define mybuildnumber %{?build_number}%{?!build_number:1} Name: qubes-network-server -Version: 0.0.16 +Version: 0.0.17 Release: %{mybuildnumber}%{?dist} Summary: Turn your Qubes OS into a network server BuildArch: noarch @@ -16,22 +16,10 @@ BuildRequires: make BuildRequires: coreutils BuildRequires: tar BuildRequires: findutils -%if 0%{?fedora} < 31 -BuildRequires: python2 -BuildRequires: python2-rpm-macros -%global pythoninterp %{_bindir}/python2 -%else BuildRequires: python3 BuildRequires: python3-rpm-macros -%global pythoninterp %{_bindir}/python3 -%endif - -%if 0%{?fedora} > 29 BuildRequires: systemd-rpm-macros -%else -%global _presetdir %{_prefix}/lib/systemd/system-preset -%global _unitdir %{_prefix}/lib/systemd/system -%endif +%global pythoninterp %{_bindir}/python3 Requires: qubes-core-agent-networking >= 4.1 Requires: python3 @@ -57,8 +45,7 @@ BuildRequires: python3-rpm-macros BuildRequires: python3-setuptools Requires: python3 -Requires: qubes-core-dom0 >= 4.0.49-1 -Conflicts: qubes-core-dom0 >= 4.1 +Requires: qubes-core-dom0 >= 4.1 %description -n qubes-core-admin-addon-network-server This package lets you turn your Qubes OS into a network server. Install this 
@@ -88,12 +75,12 @@ echo 'enable qubes-routing-manager.service' > "$RPM_BUILD_ROOT"/%{_presetdir}/75 %config %attr(0644, root, root) %{_unitdir}/qubes-routing-manager.service %doc README.md TODO -%files -n qubes-core-admin-addon-network-server +%files -n qubes-core-admin-addon-network-server %attr(0644, root, root) %{python3_sitelib}/qubesnetworkserver/* %{python3_sitelib}/qubesnetworkserver-*.egg-info %post -%systemd_post qubes-routing-manager.service +%systemd_post qubes-routing-manager.service %preun %systemd_preun qubes-routing-manager.service @@ -101,19 +88,11 @@ echo 'enable qubes-routing-manager.service' > "$RPM_BUILD_ROOT"/%{_presetdir}/75 %postun %systemd_postun_with_restart qubes-routing-manager.service -%post -n qubes-core-admin-addon-network-server -%if 0%{?fedora} > 29 +%post -n qubes-core-admin-addon-network-server %systemd_post qubesd.service -%else -systemctl try-restart qubesd.service -%endif -%postun -n qubes-core-admin-addon-network-server -%if 0%{?fedora} > 29 +%postun -n qubes-core-admin-addon-network-server %systemd_postun_with_restart qubesd.service -%else -systemctl try-restart qubesd.service -%endif %changelog * Mon Apr 13 2020 Manuel Amador (Rudd-O) diff --git a/qubesnetworkserver/__init__.py b/qubesnetworkserver/__init__.py index 72540f1..8c6b9eb 100644 --- a/qubesnetworkserver/__init__.py +++ b/qubesnetworkserver/__init__.py 
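Review bot: With the Fedora ≤ 29 branch gone, a fresh install of qubes-core-admin-addon-network-server no longer restarts qubesd at all: `%systemd_post qubesd.service` only applies unit presets, and `%systemd_postun_with_restart` fires when a previous version of the package is removed (upgrade), not on first install, so the extension is not loaded until qubesd is restarted by hand or at reboot. If the removed `systemctl try-restart qubesd.service` was what covered that case, keep it in `%post -n qubes-core-admin-addon-network-server` after the macro, or state the required restart in the package description. This is inferred from the macros' usual behaviour; the rest of the spec is outside this hunk.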
@@ -1,14 +1,25 @@ import qubes.ext -import qubes.vm.templatevm +def l(text, *parms): + if parms: + text = text % parms + import sys + print("nsext:", text, file=sys.stderr) + sys.stderr.flush() + + +l("loaded") + class QubesNetworkServerExtension(qubes.ext.Extension): def shutdown_routing_for_vm(self, netvm, appvm): + l("shutdown routing for vm %s %s", netvm, appvm) self.reload_routing_for_vm(netvm, appvm, True) def reload_routing_for_vm(self, netvm, appvm, shutdown=False): '''Reload the routing method for the VM.''' + l("reload routing for vm %s %s shutdown %s", netvm, appvm, shutdown) if not netvm.is_running(): return for addr_family in (4, 6): @@ -36,6 +47,7 @@ class QubesNetworkServerExtension(qubes.ext.Extension): If `remove` is True, then we remove the respective routing method from the Qubes DB instead. ''' + l("setup forwarding for vm vm %s %s %s remove %s", netvm, appvm, ip, remove) if ip is None: return routing_method = appvm.features.check_with_template( @@ -60,6 +72,7 @@ class QubesNetworkServerExtension(qubes.ext.Extension): **kwargs ): # pylint: disable=no-self-use,unused-argument + l("routing method changed %s", vm) if 'oldvalue' not in kwargs or kwargs.get('oldvalue') != kwargs.get('value'): if vm.netvm: self.reload_routing_for_vm(vm.netvm, vm) @@ -68,12 +81,14 @@ class QubesNetworkServerExtension(qubes.ext.Extension): def on_domain_qdb_create(self, vm, event, **kwargs): ''' Fills the QubesDB with firewall entries. ''' # pylint: disable=unused-argument + l("domain create %s %s", vm, event) if vm.netvm: self.reload_routing_for_vm(vm.netvm, vm) @qubes.ext.handler('domain-start') def on_domain_started(self, vm, event, **kwargs): # pylint: disable=unused-argument + l("domain started %s %s", vm, event) try: for downstream_vm in vm.connected_vms: self.reload_routing_for_vm(vm, downstream_vm) 
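Review bot: The new `l()` helper is an unconditional `print` to stderr with a function-local `import sys`, so every routing event handled by qubesd in dom0 is written out at full verbosity with no way to lower the level or route it through the normal log. Since the call sites already use `%`-style placeholders, they work unchanged with a lazily formatted logger: `log = logging.getLogger(__name__)` at module level and `def l(text, *parms): log.debug(text, *parms)`, which also removes the hand-rolled `text % parms` step. The import-time `l("loaded")` is a module side effect and would then be an ordinary debug record. `import logging` belongs next to the visible `import qubes.ext` at the top of the file.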
@@ -82,7 +97,8 @@ class QubesNetworkServerExtension(qubes.ext.Extension):
 @qubes.ext.handler('domain-shutdown')
 def on_domain_shutdown(self, vm, event, **kwargs):
- # pylint: disable=unused-argument
+ # pylint: disable=unused-argument
+ l("domain shutdown %s %s", vm, event)
 try:
 for downstream_vm in self.connected_vms:
 self.shutdown_routing_for_vm(vm, downstream_vm)
@@ -94,5 +110,6 @@ class QubesNetworkServerExtension(qubes.ext.Extension):
 @qubes.ext.handler('net-domain-connect')
 def on_net_domain_connect(self, vm, event):
 # pylint: disable=unused-argument
+ l("domain connect %s %s", vm, event)
 if vm.netvm:
 self.reload_routing_for_vm(vm.netvm, vm)
diff --git a/src/qubes-routing-manager b/src/qubes-routing-manager
index 1410dec..294b04d 100755
--- a/src/qubes-routing-manager
+++ b/src/qubes-routing-manager
@@ -37,7 +37,7 @@ class AdjunctWorker(object):
 def setup_plain_forwarding_for_address(self, source, enable, family):
 def find_pos_of_first_rule(table, startswith):
- rules = [n for n, l in enumerate(out) if l.startswith(startswith)]
+ rules = [n for n, l in enumerate(table) if l.startswith(startswith)]
 if rules:
 return rules[0]
 return None
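Review bot: The loop right under the new trace line iterates `self.connected_vms`, but `self` is the extension object, not the qube that is shutting down; the sibling `on_domain_started` handler uses `vm.connected_vms`. As written the attribute lookup raises AttributeError inside the `try:`, and if the `except` clause (outside this hunk) swallows it, `shutdown_routing_for_vm` never runs and the forwarding entries for a stopped qube remain in its netvm until something else reloads them. Change it to `for downstream_vm in vm.connected_vms:`. The handler's `except` continues past the end of the hunk.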
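Review bot: `on_net_domain_connect(self, vm, event)` is the only handler here without `**kwargs`; every other handler in this file accepts it, presumably because qubesd passes event keyword arguments through. If 'net-domain-connect' is ever fired with keyword arguments, the call fails with TypeError before the new `l(...)` line and the routing reload are reached. Aligning the signature is a one-liner: `def on_net_domain_connect(self, vm, event, **kwargs):`.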
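Review bot: The fix corrects the stray name (`out` → `table`) but the helper's contract stays implicit: it returns a 0-based list index or None, and index 0 is falsy, which matters because its callers test the result with `if not ...`. A docstring such as `'''Return the 0-based index of the first line of table starting with startswith, or None.'''` plus a short-circuit form `return next((n for n, line in enumerate(table) if line.startswith(startswith)), None)` make that explicit and avoid building the whole list. The enclosing `setup_plain_forwarding_for_address` continues past this hunk.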
@@ -48,25 +48,29 @@ class AdjunctWorker(object): def run_ipt(*args): return subprocess.check_call([cmd, "-w"] + list(args)) - out = subprocess.check_output( - [cmd + "-save"], universal_newlines=True + out_nat = subprocess.check_output( + [cmd + "-save", "-t", "nat"], universal_newlines=True ).splitlines() - + out_filter = subprocess.check_output( + [cmd + "-save", "-t", "filter"], universal_newlines=True + ).splitlines() + if enable: # Create necessary prerouting chain. - if not find_pos_of_first_rule(out, ":PR-PLAIN-FORWARDING - "): + if not find_pos_of_first_rule(out_nat, ":PR-PLAIN-FORWARDING - "): + logging.info("Creating chain PR-PLAIN-FORWARDING on table nat.") run_ipt("-t", "nat", "-N", "PR-PLAIN-FORWARDING") # Route prerouting traffic to necessary chain. - if not find_pos_of_first_rule(out, "-A POSTROUTING -j PR-PLAIN-FORWARDING"): - rule_num = find_pos_of_first_rule(out, "-A POSTROUTING -j MASQUERADE") + if not find_pos_of_first_rule(out_nat, "-A POSTROUTING -j PR-PLAIN-FORWARDING"): + rule_num = find_pos_of_first_rule(out_nat, "-A POSTROUTING -j MASQUERADE") if not rule_num: # This table does not contain the masquerading rule. # Accordingly, we will not do anything. return - first_rule_num = find_pos_of_first_rule(out, "-A POSTROUTING") + first_rule_num = find_pos_of_first_rule(out_nat, "-A POSTROUTING") pos = rule_num - first_rule_num + 1 - logging.info("Adding POSTROUTING chain PR-PLAIN-FORWARDING.") + logging.info("Adding chain PR-PLAIN-FORWARDING to chain POSTROUTING on table nat.") run_ipt( "-t", "nat", 
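Review bot: `if not rule_num:` treats a rule found at index 0 the same as "not found", because `find_pos_of_first_rule` returns a 0-based index into the `iptables-save` lines; with the `# Generated by` comment as first line that index is unlikely in practice, but the check should be `if rule_num is None:` to match the helper's `return None`. The two snapshots `out_nat` and `out_filter` are taken once before any `-N`/`-I` call and the later per-address lookups read them unchanged, which is fine here only because the chains created in between are empty; that is worth a comment, e.g. `# Snapshots taken before any modification; chains created below start empty, so later lookups remain valid.` The function continues past this hunk.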
@@ -78,34 +82,35 @@ class AdjunctWorker(object): ) # Create necessary forward chain. - if not find_pos_of_first_rule(out, ":PLAIN-FORWARDING - "): + if not find_pos_of_first_rule(out_filter, ":PLAIN-FORWARDING - "): + logging.info("Creating chain PLAIN-FORWARDING on table filter.") run_ipt("-t", "filter", "-N", "PLAIN-FORWARDING") # Route forward traffic to necessary chain. - if not find_pos_of_first_rule(out, "-A FORWARD -j PLAIN-FORWARDING"): + if not find_pos_of_first_rule(out_filter, "-A FORWARD -j PLAIN-FORWARDING"): rule_num = find_pos_of_first_rule( - out, "-A FORWARD -i vif+ -o vif+ -j DROP" + out_filter, "-A FORWARD -i vif+ -o vif+ -j DROP" ) if not rule_num: # This table does not contain the masquerading rule. # Accordingly, we will not do anything. return - first_rule_num = find_pos_of_first_rule(out, "-A FORWARD") + first_rule_num = find_pos_of_first_rule(out_filter, "-A FORWARD") pos = rule_num - first_rule_num + 1 - logging.info("Adding FORWARD chain PLAIN-FORWARDING.") + logging.info("Adding chain PLAIN-FORWARDING to chain FORWARD on table filter.") run_ipt( "-t", "filter", "-I", "FORWARD", str(pos), "-j", "PLAIN-FORWARDING" ) rule = find_pos_of_first_rule( - out, "-A PR-PLAIN-FORWARDING -s {}{} -j ACCEPT".format(source, mask) + out_nat, "-A PR-PLAIN-FORWARDING -s {}{} -j ACCEPT".format(source, mask) ) if enable: if rule: pass else: logging.info( - "Adding POSTROUTING rule to forward traffic from %s.", source + "Adding PR-PLAIN-FORWARDING rule on table nat to forward traffic from %s.", source ) run_ipt( "-t", 
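Review bot: The early-return comment in the filter branch, `# This table does not contain the masquerading rule.`, was copied from the nat branch, but the lookup just above it is for `-A FORWARD -i vif+ -o vif+ -j DROP`, Qubes' inter-qube isolation rule; it should read `# FORWARD has no Qubes vif-to-vif DROP rule to anchor in front of; do nothing.` Since `PLAIN-FORWARDING` is inserted at that rule's position, everything the chain ACCEPTs is evaluated before the isolation DROP, which is the reason for the anchor and deserves stating in the log line as well. The function continues outside the hunk.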
@@ -119,23 +124,23 @@ class AdjunctWorker(object): ) else: if rule: - first_rule = find_pos_of_first_rule(out, "-A PR-PLAIN-FORWARDING") + first_rule = find_pos_of_first_rule(out_nat, "-A PR-PLAIN-FORWARDING") pos = rule - first_rule + 1 logging.info( - "Removing POSTROUTING rule forwarding traffic from %s.", source + "Removing PR-PLAIN-FORWARDING rule on table nat forwarding traffic from %s.", source ) run_ipt("-t", "nat", "-D", "PR-PLAIN-FORWARDING", str(pos)) else: pass rule = find_pos_of_first_rule( - out, "-A PLAIN-FORWARDING -d {}{} -o vif+ -j ACCEPT".format(source, mask) + out_filter, "-A PLAIN-FORWARDING -d {}{} -o vif+ -j ACCEPT".format(source, mask) ) if enable: if rule: pass else: - logging.info("Adding FORWARD rule to allow traffic to %s.", source) + logging.info("Adding PLAIN-FORWARDING rule on table filter to allow traffic to %s.", source) run_ipt( "-t", "filter", @@ -150,8 +155,8 @@ class AdjunctWorker(object): ) else: if rule: - logging.info("Removing FORWARD rule allowing traffic to %s.", source) - first_rule = find_pos_of_first_rule(out, "-A PLAIN-FORWARDING") + logging.info("Removing PLAIN-FORWARDING rule on table filter allowing traffic to %s.", source) + first_rule = find_pos_of_first_rule(out_filter, "-A PLAIN-FORWARDING") pos = rule - first_rule + 1 run_ipt("-t", "filter", "-D", "PLAIN-FORWARDING", str(pos)) else:
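Review bot: The filter rule matched here, `-A PLAIN-FORWARDING -d {ip}{mask} -o vif+ -j ACCEPT`, constrains only the output interface; it has no `-i`, and the chain is hooked into FORWARD ahead of Qubes' `-i vif+ -o vif+ -j DROP` rule in the previous hunk, so as far as these hunks show traffic from sibling qubes behind the same netvm to the exposed address is accepted alongside traffic from the upstream interface. If the intent is to expose the qube to the outside only, add `! -i vif+` to the rule, both in this match string and in the `run_ipt` add call below, or document that the exposed qube becomes reachable from every qube on the same netvm. The `run_ipt` call the hunk ends inside continues past it.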
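Review bot: Removal deletes by position, `-D PLAIN-FORWARDING <pos>`, with `pos` derived from the `iptables-save` snapshot taken at the top of the function; anything that changes the chain between that snapshot and this call (a concurrent run of this worker, an admin edit) makes the index refer to a different rule, and the `-w` lock covers only the single iptables invocation. Deleting by specification is race-free and shorter: `run_ipt("-t", "filter", "-D", "PLAIN-FORWARDING", "-d", source + mask, "-o", "vif+", "-j", "ACCEPT")`, and the same applies to the nat-side `-D PR-PLAIN-FORWARDING` in the hunk above. The snapshot lines are outside this hunk.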