gaschz/qubes-network-server
1
0
Fork 0
mirror of https://github.com/Rudd-O/qubes-network-server.git synced 2025-03-01 14:22:35 +01:00
Code Issues Packages Projects Releases Wiki Activity

Tag 0.0.17.

Browse Source
This commit is contained in:
Manuel Amador (Rudd-O) 2021-10-29 00:24:42 +00:00
parent 4e6c87fb36
commit 21c09202cc
4 changed files with 54 additions and 53 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
build.parameters
View File

@ -1 +1 @@
["RELEASE": "25 34"] ["RELEASE": "32 34 35"]

35
qubes-network-server.spec
View File

@ -3,7 +3,7 @@
%define mybuildnumber %{?build_number}%{?!build_number:1} %define mybuildnumber %{?build_number}%{?!build_number:1}
Name: qubes-network-server Name: qubes-network-server
Version: 0.0.16 Version: 0.0.17
Release: %{mybuildnumber}%{?dist} Release: %{mybuildnumber}%{?dist}
Summary: Turn your Qubes OS into a network server Summary: Turn your Qubes OS into a network server
BuildArch: noarch BuildArch: noarch
@ -16,22 +16,10 @@ BuildRequires: make
BuildRequires: coreutils BuildRequires: coreutils
BuildRequires: tar BuildRequires: tar
BuildRequires: findutils BuildRequires: findutils
%if 0%{?fedora} < 31
BuildRequires: python2
BuildRequires: python2-rpm-macros
%global pythoninterp %{_bindir}/python2
%else
BuildRequires: python3 BuildRequires: python3
BuildRequires: python3-rpm-macros BuildRequires: python3-rpm-macros
%global pythoninterp %{_bindir}/python3
%endif
%if 0%{?fedora} > 29
BuildRequires: systemd-rpm-macros BuildRequires: systemd-rpm-macros
%else %global pythoninterp %{_bindir}/python3
%global _presetdir %{_prefix}/lib/systemd/system-preset
%global _unitdir %{_prefix}/lib/systemd/system
%endif
Requires: qubes-core-agent-networking >= 4.1 Requires: qubes-core-agent-networking >= 4.1
Requires: python3 Requires: python3
@ -57,8 +45,7 @@ BuildRequires: python3-rpm-macros
BuildRequires: python3-setuptools BuildRequires: python3-setuptools
Requires: python3 Requires: python3
Requires: qubes-core-dom0 >= 4.0.49-1 Requires: qubes-core-dom0 >= 4.1
Conflicts: qubes-core-dom0 >= 4.1
%description -n qubes-core-admin-addon-network-server %description -n qubes-core-admin-addon-network-server
This package lets you turn your Qubes OS into a network server. Install this This package lets you turn your Qubes OS into a network server. Install this
@ -88,12 +75,12 @@ echo 'enable qubes-routing-manager.service' > "$RPM_BUILD_ROOT"/%{_presetdir}/75
%config %attr(0644, root, root) %{_unitdir}/qubes-routing-manager.service %config %attr(0644, root, root) %{_unitdir}/qubes-routing-manager.service
%doc README.md TODO %doc README.md TODO
%files -n qubes-core-admin-addon-network-server %files -n qubes-core-admin-addon-network-server
%attr(0644, root, root) %{python3_sitelib}/qubesnetworkserver/* %attr(0644, root, root) %{python3_sitelib}/qubesnetworkserver/*
%{python3_sitelib}/qubesnetworkserver-*.egg-info %{python3_sitelib}/qubesnetworkserver-*.egg-info
%post %post
%systemd_post qubes-routing-manager.service %systemd_post qubes-routing-manager.service
%preun %preun
%systemd_preun qubes-routing-manager.service %systemd_preun qubes-routing-manager.service
@ -101,19 +88,11 @@ echo 'enable qubes-routing-manager.service' > "$RPM_BUILD_ROOT"/%{_presetdir}/75
%postun %postun
%systemd_postun_with_restart qubes-routing-manager.service %systemd_postun_with_restart qubes-routing-manager.service
%post -n qubes-core-admin-addon-network-server %post -n qubes-core-admin-addon-network-server
%if 0%{?fedora} > 29
%systemd_post qubesd.service %systemd_post qubesd.service
%else
systemctl try-restart qubesd.service
%endif
%postun -n qubes-core-admin-addon-network-server %postun -n qubes-core-admin-addon-network-server
%if 0%{?fedora} > 29
%systemd_postun_with_restart qubesd.service %systemd_postun_with_restart qubesd.service
%else
systemctl try-restart qubesd.service
%endif
%changelog %changelog
* Mon Apr 13 2020 Manuel Amador (Rudd-O) <rudd-o@rudd-o.com> * Mon Apr 13 2020 Manuel Amador (Rudd-O) <rudd-o@rudd-o.com>

21
qubesnetworkserver/__init__.py
View File

@ -1,14 +1,25 @@
import qubes.ext import qubes.ext
import qubes.vm.templatevm
def l(text, *parms):
if parms:
text = text % parms
import sys
print("nsext:", text, file=sys.stderr)
sys.stderr.flush()
l("loaded")
class QubesNetworkServerExtension(qubes.ext.Extension): class QubesNetworkServerExtension(qubes.ext.Extension):
def shutdown_routing_for_vm(self, netvm, appvm): def shutdown_routing_for_vm(self, netvm, appvm):
l("shutdown routing for vm %s %s", netvm, appvm)
self.reload_routing_for_vm(netvm, appvm, True) self.reload_routing_for_vm(netvm, appvm, True)
def reload_routing_for_vm(self, netvm, appvm, shutdown=False): def reload_routing_for_vm(self, netvm, appvm, shutdown=False):
'''Reload the routing method for the VM.''' '''Reload the routing method for the VM.'''
l("reload routing for vm %s %s shutdown %s", netvm, appvm, shutdown)
if not netvm.is_running(): if not netvm.is_running():
return return
for addr_family in (4, 6): for addr_family in (4, 6):
@ -36,6 +47,7 @@ class QubesNetworkServerExtension(qubes.ext.Extension):
If `remove` is True, then we remove the respective routing method from If `remove` is True, then we remove the respective routing method from
the Qubes DB instead. the Qubes DB instead.
''' '''
l("setup forwarding for vm vm %s %s %s remove %s", netvm, appvm, ip, remove)
if ip is None: if ip is None:
return return
routing_method = appvm.features.check_with_template( routing_method = appvm.features.check_with_template(
@ -60,6 +72,7 @@ class QubesNetworkServerExtension(qubes.ext.Extension):
**kwargs **kwargs
): ):
# pylint: disable=no-self-use,unused-argument # pylint: disable=no-self-use,unused-argument
l("routing method changed %s", vm)
if 'oldvalue' not in kwargs or kwargs.get('oldvalue') != kwargs.get('value'): if 'oldvalue' not in kwargs or kwargs.get('oldvalue') != kwargs.get('value'):
if vm.netvm: if vm.netvm:
self.reload_routing_for_vm(vm.netvm, vm) self.reload_routing_for_vm(vm.netvm, vm)
@ -68,12 +81,14 @@ class QubesNetworkServerExtension(qubes.ext.Extension):
def on_domain_qdb_create(self, vm, event, **kwargs): def on_domain_qdb_create(self, vm, event, **kwargs):
''' Fills the QubesDB with firewall entries. ''' ''' Fills the QubesDB with firewall entries. '''
# pylint: disable=unused-argument # pylint: disable=unused-argument
l("domain create %s %s", vm, event)
if vm.netvm: if vm.netvm:
self.reload_routing_for_vm(vm.netvm, vm) self.reload_routing_for_vm(vm.netvm, vm)
@qubes.ext.handler('domain-start') @qubes.ext.handler('domain-start')
def on_domain_started(self, vm, event, **kwargs): def on_domain_started(self, vm, event, **kwargs):
# pylint: disable=unused-argument # pylint: disable=unused-argument
l("domain started %s %s", vm, event)
try: try:
for downstream_vm in vm.connected_vms: for downstream_vm in vm.connected_vms:
self.reload_routing_for_vm(vm, downstream_vm) self.reload_routing_for_vm(vm, downstream_vm)
@ -82,7 +97,8 @@ class QubesNetworkServerExtension(qubes.ext.Extension):
@qubes.ext.handler('domain-shutdown') @qubes.ext.handler('domain-shutdown')
def on_domain_shutdown(self, vm, event, **kwargs): def on_domain_shutdown(self, vm, event, **kwargs):
# pylint: disable=unused-argument # pylint: disable=unused-argument
l("domain shutdown %s %s", vm, event)
try: try:
for downstream_vm in self.connected_vms: for downstream_vm in self.connected_vms:
self.shutdown_routing_for_vm(vm, downstream_vm) self.shutdown_routing_for_vm(vm, downstream_vm)
@ -94,5 +110,6 @@ class QubesNetworkServerExtension(qubes.ext.Extension):
@qubes.ext.handler('net-domain-connect') @qubes.ext.handler('net-domain-connect')
def on_net_domain_connect(self, vm, event): def on_net_domain_connect(self, vm, event):
# pylint: disable=unused-argument # pylint: disable=unused-argument
l("domain connect %s %s", vm, event)
if vm.netvm: if vm.netvm:
self.reload_routing_for_vm(vm.netvm, vm) self.reload_routing_for_vm(vm.netvm, vm)

49
src/qubes-routing-manager
View File

@ -37,7 +37,7 @@ class AdjunctWorker(object):
def setup_plain_forwarding_for_address(self, source, enable, family): def setup_plain_forwarding_for_address(self, source, enable, family):
def find_pos_of_first_rule(table, startswith): def find_pos_of_first_rule(table, startswith):
rules = [n for n, l in enumerate(out) if l.startswith(startswith)] rules = [n for n, l in enumerate(table) if l.startswith(startswith)]
if rules: if rules:
return rules[0] return rules[0]
return None return None
@ -48,25 +48,29 @@ class AdjunctWorker(object):
def run_ipt(*args): def run_ipt(*args):
return subprocess.check_call([cmd, "-w"] + list(args)) return subprocess.check_call([cmd, "-w"] + list(args))
out = subprocess.check_output( out_nat = subprocess.check_output(
[cmd + "-save"], universal_newlines=True [cmd + "-save", "-t", "nat"], universal_newlines=True
).splitlines() ).splitlines()
out_filter = subprocess.check_output(
[cmd + "-save", "-t", "filter"], universal_newlines=True
).splitlines()
if enable: if enable:
# Create necessary prerouting chain. # Create necessary prerouting chain.
if not find_pos_of_first_rule(out, ":PR-PLAIN-FORWARDING - "): if not find_pos_of_first_rule(out_nat, ":PR-PLAIN-FORWARDING - "):
logging.info("Creating chain PR-PLAIN-FORWARDING on table nat.")
run_ipt("-t", "nat", "-N", "PR-PLAIN-FORWARDING") run_ipt("-t", "nat", "-N", "PR-PLAIN-FORWARDING")
# Route prerouting traffic to necessary chain. # Route prerouting traffic to necessary chain.
if not find_pos_of_first_rule(out, "-A POSTROUTING -j PR-PLAIN-FORWARDING"): if not find_pos_of_first_rule(out_nat, "-A POSTROUTING -j PR-PLAIN-FORWARDING"):
rule_num = find_pos_of_first_rule(out, "-A POSTROUTING -j MASQUERADE") rule_num = find_pos_of_first_rule(out_nat, "-A POSTROUTING -j MASQUERADE")
if not rule_num: if not rule_num:
# This table does not contain the masquerading rule. # This table does not contain the masquerading rule.
# Accordingly, we will not do anything. # Accordingly, we will not do anything.
return return
first_rule_num = find_pos_of_first_rule(out, "-A POSTROUTING") first_rule_num = find_pos_of_first_rule(out_nat, "-A POSTROUTING")
pos = rule_num - first_rule_num + 1 pos = rule_num - first_rule_num + 1
logging.info("Adding POSTROUTING chain PR-PLAIN-FORWARDING.") logging.info("Adding chain PR-PLAIN-FORWARDING to chain POSTROUTING on table nat.")
run_ipt( run_ipt(
"-t", "-t",
"nat", "nat",
@ -78,34 +82,35 @@ class AdjunctWorker(object):
) )
# Create necessary forward chain. # Create necessary forward chain.
if not find_pos_of_first_rule(out, ":PLAIN-FORWARDING - "): if not find_pos_of_first_rule(out_filter, ":PLAIN-FORWARDING - "):
logging.info("Creating chain PLAIN-FORWARDING on table filter.")
run_ipt("-t", "filter", "-N", "PLAIN-FORWARDING") run_ipt("-t", "filter", "-N", "PLAIN-FORWARDING")
# Route forward traffic to necessary chain. # Route forward traffic to necessary chain.
if not find_pos_of_first_rule(out, "-A FORWARD -j PLAIN-FORWARDING"): if not find_pos_of_first_rule(out_filter, "-A FORWARD -j PLAIN-FORWARDING"):
rule_num = find_pos_of_first_rule( rule_num = find_pos_of_first_rule(
out, "-A FORWARD -i vif+ -o vif+ -j DROP" out_filter, "-A FORWARD -i vif+ -o vif+ -j DROP"
) )
if not rule_num: if not rule_num:
# This table does not contain the masquerading rule. # This table does not contain the masquerading rule.
# Accordingly, we will not do anything. # Accordingly, we will not do anything.
return return
first_rule_num = find_pos_of_first_rule(out, "-A FORWARD") first_rule_num = find_pos_of_first_rule(out_filter, "-A FORWARD")
pos = rule_num - first_rule_num + 1 pos = rule_num - first_rule_num + 1
logging.info("Adding FORWARD chain PLAIN-FORWARDING.") logging.info("Adding chain PLAIN-FORWARDING to chain FORWARD on table filter.")
run_ipt( run_ipt(
"-t", "filter", "-I", "FORWARD", str(pos), "-j", "PLAIN-FORWARDING" "-t", "filter", "-I", "FORWARD", str(pos), "-j", "PLAIN-FORWARDING"
) )
rule = find_pos_of_first_rule( rule = find_pos_of_first_rule(
out, "-A PR-PLAIN-FORWARDING -s {}{} -j ACCEPT".format(source, mask) out_nat, "-A PR-PLAIN-FORWARDING -s {}{} -j ACCEPT".format(source, mask)
) )
if enable: if enable:
if rule: if rule:
pass pass
else: else:
logging.info( logging.info(
"Adding POSTROUTING rule to forward traffic from %s.", source "Adding PR-PLAIN-FORWARDING rule on table nat to forward traffic from %s.", source
) )
run_ipt( run_ipt(
"-t", "-t",
@ -119,23 +124,23 @@ class AdjunctWorker(object):
) )
else: else:
if rule: if rule:
first_rule = find_pos_of_first_rule(out, "-A PR-PLAIN-FORWARDING") first_rule = find_pos_of_first_rule(out_nat, "-A PR-PLAIN-FORWARDING")
pos = rule - first_rule + 1 pos = rule - first_rule + 1
logging.info( logging.info(
"Removing POSTROUTING rule forwarding traffic from %s.", source "Removing PR-PLAIN-FORWARDING rule on table nat forwarding traffic from %s.", source
) )
run_ipt("-t", "nat", "-D", "PR-PLAIN-FORWARDING", str(pos)) run_ipt("-t", "nat", "-D", "PR-PLAIN-FORWARDING", str(pos))
else: else:
pass pass
rule = find_pos_of_first_rule( rule = find_pos_of_first_rule(
out, "-A PLAIN-FORWARDING -d {}{} -o vif+ -j ACCEPT".format(source, mask) out_filter, "-A PLAIN-FORWARDING -d {}{} -o vif+ -j ACCEPT".format(source, mask)
) )
if enable: if enable:
if rule: if rule:
pass pass
else: else:
logging.info("Adding FORWARD rule to allow traffic to %s.", source) logging.info("Adding PLAIN-FORWARDING rule on table filter to allow traffic to %s.", source)
run_ipt( run_ipt(
"-t", "-t",
"filter", "filter",
@ -150,8 +155,8 @@ class AdjunctWorker(object):
) )
else: else:
if rule: if rule:
logging.info("Removing FORWARD rule allowing traffic to %s.", source) logging.info("Removing PLAIN-FORWARDING rule on table filter allowing traffic to %s.", source)
first_rule = find_pos_of_first_rule(out, "-A PLAIN-FORWARDING") first_rule = find_pos_of_first_rule(out_filter, "-A PLAIN-FORWARDING")
pos = rule - first_rule + 1 pos = rule - first_rule + 1
run_ipt("-t", "filter", "-D", "PLAIN-FORWARDING", str(pos)) run_ipt("-t", "filter", "-D", "PLAIN-FORWARDING", str(pos))
else: else: