Insert custom postrouting chain before masquerade.

2025-03-01 14:22:35 +01:00 · 2024-02-20 08:27:57 +00:00 · 2024-02-20 08:27:57 +00:00 · ef4845548f
commit ef4845548f
parent 7b5cae5b0e
2 changed files with 29 additions and 18 deletions
--- a/qubes-network-server.spec
+++ b/qubes-network-server.spec
@ -3,7 +3,7 @@
 %define mybuildnumber %{?build_number}%{?!build_number:1}

 Name:           qubes-network-server
-Version:        0.1.1
+Version:        0.1.2
 Release:        %{mybuildnumber}%{?dist}
 Summary:        Turn your Qubes OS into a network server
 BuildArch:      noarch
--- a/qubesroutingmanager/init.py
+++ b/qubesroutingmanager/init.py
@ -139,15 +139,20 @@ def append_counter_at_end(
    )


-def append_rule_after(
-    address_family: ADDRESS_FAMILIES, table: str, chain: str, handle: int, *rest: str
+def _append_or_insert_rule(
+    where: Literal["add"] | Literal["insert"],
+    address_family: ADDRESS_FAMILIES,
+    table: str,
+    chain: str,
+    handle: int,
+    *rest: str,
 ) -> None:
    subprocess.check_output(
        [
            NFTABLES_CMD,
            "-n",
            "-j",
-            "add",
+            where,
            "rule",
            address_family,
            table,
@ -160,6 +165,18 @@ def append_rule_after(
    )


+def append_rule_after(
+    address_family: ADDRESS_FAMILIES, table: str, chain: str, handle: int, *rest: str
+) -> None:
+    _append_or_insert_rule("add", address_family, table, chain, handle, *rest)
+
+
+def insert_rule_before(
+    address_family: ADDRESS_FAMILIES, table: str, chain: str, handle: int, *rest: str
+) -> None:
+    _append_or_insert_rule("insert", address_family, table, chain, handle, *rest)
+
+
 def delete_rule(
    address_family: ADDRESS_FAMILIES, table: str, chain: str, handle: int
 ) -> None:
@ -245,31 +262,25 @@ def setup_plain_forwarding_for_address(source: str, enable: bool, family: int) -
            == ADD_FORWARD_RULE_AFTER_THIS_RULE
        )

-    def is_postrouting_lo_accept(rule):
+    def is_postrouting_masquerade(rule):
        return (
            rule["chain"] == postrouting_chain["name"]
-            and len(rule["expr"]) == 2
-            and rule["expr"][0].get("match", {}).get("op", "") == "=="
-            and rule["expr"][0]
-            .get("match", {})
-            .get("left", {})
-            .get("meta", {})
-            .get("key")
-            == "oif"
-            and rule["expr"][0].get("match", {}).get("right", "") == "lo"
-            and "accept" in rule["expr"][1]
+            and len(rule["expr"]) == 1
+            and "masquerade" in rule["expr"][0]
        )

-    for parent_chain, child_chain_name, previous_rule_detector in [
+    for parent_chain, child_chain_name, previous_rule_detector, insertor in [
        (
            forward_chain,
            ROUTING_MANAGER_CHAIN_NAME,
            is_forward_jump_to_custom_forward,
+            append_rule_after,
        ),
        (
            postrouting_chain,
            ROUTING_MANAGER_POSTROUTING_CHAIN_NAME,
-            is_postrouting_lo_accept,
+            is_postrouting_masquerade,
+            insert_rule_before,
        ),
    ]:
        jump_rule: None | Rule = None
@ -302,7 +313,7 @@ def setup_plain_forwarding_for_address(source: str, enable: bool, family: int) -
                child_chain_name,
                TABLE_NAME,
            )
-            append_rule_after(
+            insertor(
                af,
                TABLE_NAME,
                parent_chain["name"],