From f07f98474fac202cc4b18aa8b890a42b5ce5fa05 Mon Sep 17 00:00:00 2001 
From: Jean-Philippe Ouellet Date: Wed, 15 Mar 2017 03:33:35 -0400 Subject: [PATCH] Properly handle from-0.0.0.0/0 for whole internet For rules like this: [user@dom0 ~]$ qvm-static-ip -g net-testing static_ip 192.168.1.123 [user@dom0 ~]$ qvm-firewall -l net-testing Firewall policy: DENY all traffic except ICMP: ALLOW DNS: ALLOW Qubes yum proxy: DENY -----+---------------------+-------+---------+ num | address | proto | port(s) | -----+---------------------+-------+---------+ 1 | from-0.0.0.0/0 | tcp | http | 2 | from-0.0.0.0/0 | tcp | https | 3 | 192.30.252.0/22 | tcp | https | 4 | from-192.168.1.0/24 | tcp | ssh | The following rules are observed before & after this patch (only differing rules shown): sys-firewall qubesdb-read /qubes-iptables-domainrules/${domid} before: -A PR-QBS-FORWARD -s 0.0.0.0 -d 192.168.1.123/0 -p tcp --dport 80 -j ACCEPT -A PR-QBS-FORWARD -s 0.0.0.0 -d 192.168.1.123/0 -p tcp --dport 443 -j ACCEPT -A PR-QBS-FORWARD -s 192.168.1.0 -d 192.168.1.123/24 -p tcp --dport 22 -j ACCEPT after: -A PR-QBS-FORWARD -d 192.168.1.123 -p tcp --dport 80 -j ACCEPT -A PR-QBS-FORWARD -d 192.168.1.123 -p tcp --dport 443 -j ACCEPT -A PR-QBS-FORWARD -s 192.168.1.0/24 -d 192.168.1.123 -p tcp --dport 22 -j ACCEPT sys-firewall iptables-save before: -A PR-QBS-FORWARD -s 0.0.0.0/32 -p tcp -m tcp --dport 80 -j ACCEPT -A PR-QBS-FORWARD -s 0.0.0.0/32 -p tcp -m tcp --dport 443 -j ACCEPT -A PR-QBS-FORWARD -s 192.168.1.0/32 -d 192.168.1.0/24 -p tcp -m tcp --dport 22 -j ACCEPT after: -A PR-QBS-FORWARD -d 192.168.1.123/32 -p tcp -m tcp --dport 80 -j ACCEPT -A PR-QBS-FORWARD -d 192.168.1.123/32 -p tcp -m tcp --dport 443 -j ACCEPT -A PR-QBS-FORWARD -s 192.168.1.0/24 -d 192.168.1.123/32 -p tcp -m tcp --dport 22 -j ACCEPT net-testing iptables-save before: -A FORTRESS-INPUT -s 0.0.0.0/32 -p tcp -m tcp --dport 80 -j ACCEPT -A FORTRESS-INPUT -s 0.0.0.0/32 -p tcp -m tcp --dport 443 -j ACCEPT -A FORTRESS-INPUT -s 192.168.1.0/32 -d 192.168.1.0/24 -p tcp -m tcp --dport 22 -j ACCEPT after: 
-A FORTRESS-INPUT -d 192.168.1.123/32 -p tcp -m tcp --dport 80 -j ACCEPT -A FORTRESS-INPUT -d 192.168.1.123/32 -p tcp -m tcp --dport 443 -j ACCEPT -A FORTRESS-INPUT -s 192.168.1.0/24 -d 192.168.1.123/32 -p tcp -m tcp --dport 22 -j ACCEPT sys-net: No changes. Note that this also fixes an issue where the netmask in from- rules was being applied to -d instead of -s.
---
plugin/007FortressQubesProxyVm.py | 52 ++++++++++++++++++-------------
version | 2 +-
2 files changed, 32 insertions(+), 22 deletions(-)
diff --git a/plugin/007FortressQubesProxyVm.py b/plugin/007FortressQubesProxyVm.py
index 1e541b5..b73c479 100644
--- a/plugin/007FortressQubesProxyVm.py
+++ b/plugin/007FortressQubesProxyVm.py
@@ -96,35 +96,45 @@ class QubesProxyVm(OriginalQubesProxyVm): rules_action = accept_action for rule in conf["rules"]: - if getattr(vm, "static_ip", None) and rule["address"].startswith("from-"): - ruletext = "-s {0} -d {1}".format(rule["address"][len("from-"):], ip) - if rule["netmask"] != 32: - ruletext += "/{0}".format(rule["netmask"]) + is_inbound = rule["address"].startswith("from-") and getattr(vm, "static_ip", None) + if is_inbound: + src_addr = rule["address"][len("from-"):] + src_mask = rule["netmask"] + dst_addr = ip + dst_mask = 32 + else: + src_addr = ip + src_mask = 32 + dst_addr = rule["address"] + dst_mask = rule["netmask"] - if rule["proto"] is not None and rule["proto"] != "any": - ruletext += " -p {0}".format(rule["proto"]) - if rule["portBegin"] is not None and rule["portBegin"] > 0: - ruletext += " --dport {0}".format(rule["portBegin"]) - if rule["portEnd"] is not None and rule["portEnd"] > rule["portBegin"]: - ruletext += ":{0}".format(rule["portEnd"]) + args = [] - ruletext += " -j {0}\n".format(rules_action) - iptables += "-A PR-QBS-FORWARD " + ruletext - vm_iptables += "-A FORTRESS-INPUT " + ruletext - continue + def constrain(sd, addr, mask): + if mask != 0: + if mask == 32: + args.append("{0} {1}".format(sd, addr)) + else: + args.append("{0} {1}/{2}".format(sd, addr, mask)) - iptables += "-A PR-QBS-FORWARD -s {0} -d {1}".format(ip, rule["address"]) - if rule["netmask"] != 32: - iptables += "/{0}".format(rule["netmask"]) + constrain("-s", src_addr, src_mask) + constrain("-d", dst_addr, dst_mask) if rule["proto"] is not None and rule["proto"] != "any": - iptables += " -p {0}".format(rule["proto"]) + args.append("-p {0}".format(rule["proto"])) if rule["portBegin"] is not None and rule["portBegin"] > 0: - iptables += " --dport {0}".format(rule["portBegin"]) if rule["portEnd"] is not None and rule["portEnd"] > rule["portBegin"]: - iptables += ":{0}".format(rule["portEnd"]) + portrange = "{0}:{1}".format(rule["portBegin"], rule["portEnd"]) + 
else: + portrange = rule["portBegin"] + args.append("--dport {0}".format(portrange)) - iptables += " -j {0}\n".format(rules_action) + args.append("-j {0}".format(rules_action)) + ruletext = ' '.join(args) + + iptables += "-A PR-QBS-FORWARD {0}\n".format(ruletext) + if is_inbound: + vm_iptables += "-A FORTRESS-INPUT {0}\n".format(ruletext) if conf["allowDns"] and self.netvm is not None: # PREROUTING does DNAT to NetVM DNSes, so we need self.netvm. diff --git a/version b/version index 5a5831a..d169b2f 100644 --- a/version +++ b/version @@ -1 +1 @@ -0.0.7 +0.0.8
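Review bot: A `from-` rule on a VM that has no `static_ip` still slips through the new branch: `is_inbound` is falsy, so the else path sets `dst_addr = rule["address"]` with the `from-` prefix still attached and emits `-d from-…`, which iptables will refuse when the chain is loaded; whether a failed load leaves the VM fail-open or fail-closed is decided by the caller outside this hunk, so it cannot be confirmed here. Rejecting that case before `args` is built makes the outcome explicit, e.g. `if rule["address"].startswith("from-") and not is_inbound:` followed by `raise ValueError("from- rule requires static_ip: {0}".format(rule["address"]))`, or a logged skip if the surrounding method prefers best-effort. Separately, `is_inbound` holds whatever `getattr` returned rather than a bool; `is_inbound = bool(...)` makes the two later `if is_inbound:` tests read as intended. Defining `constrain` inside the `for` body also rebuilds the closure on every rule; hoisting it above the loop and passing `args` in would be tidier. The enclosing method starts before the hunk, so `vm` and `ip` are assumed to be bound there.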