Merge remote-tracking branch 'origin/pr/407'

* origin/pr/407: Remove an unneded use of cat Add permanent neighbor entries again Replace iptables with nftables Use appropriate rpm macros
QubesOS · May 7, 2023 · 5ce5dd9 · 5ce5dd9
2 parents 49275be + 8d52756
commit 5ce5dd9
Show file tree

Hide file tree

Showing 22 changed files with 491 additions and 803 deletions.
diff --git a/Makefile b/Makefile
@@ -2,6 +2,7 @@ VERSION := $(file <version)
 
 LIBDIR ?= /usr/lib
 SYSLIBDIR ?= /lib
+export LIBDIR SYSLIBDIR VERSION
 
 PYTHON ?= /usr/bin/python3
 release := $(shell lsb_release -is)
@@ -124,7 +125,7 @@ endif
 
 # Systemd service files
 SYSTEMD_ALL_SERVICES := $(wildcard vm-systemd/qubes-*.service) vm-systemd/dev-xvdc1-swap.service
-SYSTEMD_NETWORK_SERVICES := vm-systemd/qubes-firewall.service vm-systemd/qubes-iptables.service vm-systemd/qubes-updates-proxy.service
+SYSTEMD_NETWORK_SERVICES := vm-systemd/qubes-firewall.service vm-systemd/qubes-iptables.service vm-systemd/qubes-updates-proxy.service vm-systemd/qubes-antispoof.service
 SYSTEMD_SELINUX_SERVICES := vm-systemd/qubes-relabel-root.service vm-systemd/qubes-relabel-rw.service
 SYSTEMD_CORE_SERVICES := $(filter-out $(SYSTEMD_NETWORK_SERVICES) $(SYSTEMD_SELINUX_SERVICES), $(SYSTEMD_ALL_SERVICES))
 
@@ -208,9 +209,10 @@ install-netvm: install-systemd-networking-dropins install-networkmanager
 	install -m 0644 -D network/tinyproxy-updates.conf $(DESTDIR)/etc/tinyproxy/tinyproxy-updates.conf
 	install -m 0644 -D network/updates-blacklist $(DESTDIR)/etc/tinyproxy/updates-blacklist
 
-	install -m 0400 -D network/iptables $(DESTDIR)/etc/qubes/iptables.rules
-	install -m 0400 -D network/ip6tables $(DESTDIR)/etc/qubes/ip6tables.rules
-	install -m 0400 -D network/ip6tables-enabled $(DESTDIR)/etc/qubes/ip6tables-enabled.rules
+	install -m 0400 -D network/qubes-ipv4.nft $(DESTDIR)/etc/qubes/qubes-ipv4.nft
+	install -m 0400 -D network/qubes-ipv6.nft $(DESTDIR)/etc/qubes/qubes-ipv6.nft
+	install -m 0400 -D network/qubes-antispoof.nft $(DESTDIR)/etc/qubes/qubes-antispoof.nft
+	install -m 0400 -D network/qubes-ipv6-disabled.nft $(DESTDIR)/etc/qubes/qubes-ipv6-disabled.nft
 
 	install -m 0755 -D qubes-rpc/qubes.UpdatesProxy $(DESTDIR)/etc/qubes-rpc/qubes.UpdatesProxy
 

diff --git a/debian/qubes-core-agent-networking.install b/debian/qubes-core-agent-networking.install
@@ -1,8 +1,9 @@
 etc/dhclient.d/qubes-setup-dnat-to-ns.sh
 etc/qubes-rpc/qubes.UpdatesProxy
-etc/qubes/ip6tables.rules
-etc/qubes/ip6tables-enabled.rules
-etc/qubes/iptables.rules
+etc/qubes/qubes-ipv6-disabled.nft
+etc/qubes/qubes-ipv6.nft
+etc/qubes/qubes-ipv4.nft
+etc/qubes/qubes-antispoof.nft
 etc/sysctl.d/81-qubes.conf.optional
 etc/tinyproxy/tinyproxy-updates.conf
 etc/tinyproxy/updates-blacklist
@@ -11,6 +12,7 @@ etc/xen/scripts/vif-qubes-nat.sh
 etc/xen/scripts/vif-route-qubes
 lib/systemd/system/qubes-firewall.service
 lib/systemd/system/qubes-iptables.service
+lib/systemd/system/qubes-antispoof.service
 lib/systemd/system/qubes-network.service
 lib/systemd/system/qubes-network-uplink.service
 lib/systemd/system/[email protected]
@@ -20,7 +22,6 @@ usr/lib/qubes/init/network-proxy-setup.sh
 usr/lib/qubes/init/network-proxy-stop.sh
 usr/lib/qubes/init/network-uplink-wait.sh
 usr/lib/qubes/init/qubes-iptables
-usr/lib/qubes/get-dns-from-resolved
 usr/lib/qubes/qubes-setup-dnat-to-ns
 usr/lib/qubes/setup-ip
 usr/lib/tmpfiles.d/qubes-core-agent-linux.conf

diff --git a/network/Makefile b/network/Makefile
@@ -12,7 +12,6 @@ install:
 	install -t $(DESTDIR)$(QUBESLIBDIR) \
 		setup-ip \
 		tinyproxy-wrapper \
-		get-dns-from-resolved \
 		update-proxy-configs
 	install -d $(DESTDIR)$(BINDIR)
 	install -t $(DESTDIR)$(BINDIR) \

diff --git a/network/get-dns-from-resolved b/network/get-dns-from-resolved
diff --git a/network/qubes-antispoof.nft b/network/qubes-antispoof.nft
@@ -0,0 +1,42 @@
+#!/usr/sbin/nft -f
+table ip qubes {
+   set downstream {
+      type ipv4_addr
+   }
+
+   set allowed {
+      type ifname . ipv4_addr
+   }
+
+   chain prerouting {
+      type filter hook prerouting priority raw; policy accept;
+      iifgroup 2 goto antispoof
+      ip saddr @downstream counter drop
+   }
+
+   chain antispoof {
+      iifname . ip saddr @allowed accept
+      counter drop
+   }
+}
+
+table ip6 qubes {
+   set downstream {
+      type ipv6_addr
+   }
+
+   set allowed {
+      type ifname . ipv6_addr
+   }
+
+   chain antispoof {
+      iifname . ip6 saddr @allowed accept
+      counter drop
+   }
+
+   chain prerouting {
+      type filter hook prerouting priority raw; policy accept;
+      iifgroup 2 goto antispoof
+      ip6 saddr @downstream counter drop
+   }
+}
diff --git a/network/qubes-iptables b/network/qubes-iptables
@@ -21,36 +21,29 @@
 IPTABLES=iptables
 IPTABLES_DATA_DIR=/etc/qubes
 
-if [ ! -x /sbin/$IPTABLES ]; then
+if [ ! -x "/sbin/$IPTABLES" ]; then
     echo $"${IPTABLES}: /sbin/$IPTABLES does not exist."
     exit 5
 fi
 
-start() {
+start () {
     ipt=$1
-    IPTABLES_DATA=$IPTABLES_DATA_DIR/${ipt}.rules
+    IPTABLES_DATA=$IPTABLES_DATA_DIR/qubes-${ipt}.nft
     ipv6_enabled=
     if qubesdb-read /qubes-ip6 >/dev/null 2>&1 || \
         qubesdb-read /qubes-netvm-gateway6 >/dev/null 2>&1; then
         ipv6_enabled=true
     fi
-    # if IPv6 is enabled, load alternative rules file
-    if [ "$ipt" = "ip6tables" ] && [ -n "$ipv6_enabled" ]; then
-        IPTABLES_DATA=$IPTABLES_DATA_DIR/${ipt}-enabled.rules
+    # if IPv6 is disabled, load alternative rules file
+    if [ "$ipt" = "ip6tables" ] && [ -z "$ipv6_enabled" ]; then
+        IPTABLES_DATA=$IPTABLES_DATA_DIR/qubes-${ipt}-disabled.nft
     fi
-    CMD=$ipt
     # Do not start if there is no config file.
     [ ! -f "$IPTABLES_DATA" ] && return 6
 
-    CMD_ARGS=
-    if "$CMD-restore" --help 2>&1 | grep -q wait=; then
-        # 'wait' must be last on command line if secs not specified
-        CMD_ARGS=--wait
-    fi
-
-    echo -n $"${CMD}: Applying firewall rules: "
+    echo -n "nft: Applying firewall rules: "
 
-    "$CMD-restore" "$IPTABLES_DATA" $CMD_ARGS
+    nft -f "$IPTABLES_DATA"
     ret="$?"
     if [ "$ret" -eq 0 ]; then
         echo OK
@@ -63,7 +56,7 @@ start() {
 
 case "$1" in
     start)
-	start iptables && start ip6tables
+	start ipv4 && start ipv6
 	RETVAL=$?
 	;;
     *)

diff --git a/network/qubes-ipv4.nft b/network/qubes-ipv4.nft
@@ -0,0 +1,35 @@
+#!/usr/sbin/nft -f
+table ip qubes {
+   chain postrouting {
+      type nat hook postrouting priority srcnat; policy accept;
+      oifgroup 2 accept
+      oif lo accept
+      masquerade
+   }
+
+   chain input {
+      type filter hook input priority filter; policy drop;
+      jump custom-input
+      ct state invalid counter drop
+      iifgroup 2 meta l4proto udp udp dport 68 counter drop
+      ct state related,established accept
+      iifgroup 2 meta l4proto icmp accept
+      iif lo accept
+      iifgroup 2 counter reject with icmp type host-prohibited
+      counter
+   }
+
+   chain forward {
+      type filter hook forward priority filter; policy accept;
+      jump custom-forward
+      ct state invalid counter drop
+      ct state related,established accept
+      iifgroup != 2 counter drop
+      oifgroup 2 counter drop
+   }
+
+   # These chains are reserved for end-users.  Qubes OS itself will
+   # never modify them.
+   chain custom-input {}
+   chain custom-forward {}
+}
diff --git a/network/qubes-ipv6-disabled.nft b/network/qubes-ipv6-disabled.nft
@@ -0,0 +1,13 @@
+#!/usr/sbin/nft -f
+table ip6 qbs-filter {
+   chain input {
+      type filter hook input priority filter; policy drop;
+      iif lo accept
+      counter
+   }
+
+   chain forward {
+      type filter hook forward priority filter; policy drop;
+      counter
+   }
+}
diff --git a/network/qubes-ipv6.nft b/network/qubes-ipv6.nft
@@ -0,0 +1,40 @@
+#!/usr/sbin/nft -f
+table ip6 qubes {
+   chain postrouting {
+      type nat hook postrouting priority srcnat; policy accept;
+      oifgroup 2 accept
+      oif lo accept
+      masquerade
+   }
+
+   chain _icmpv6 {
+      meta l4proto != ipv6-icmp counter reject with icmpv6 type admin-prohibited
+      icmpv6 type { nd-router-advert, nd-redirect } counter drop
+      accept
+   }
+
+   chain input {
+      type filter hook input priority filter; policy drop;
+      jump custom-input
+      ct state invalid counter drop
+      ct state related,established accept
+      iifgroup 2 goto _icmpv6
+      iif lo accept
+      meta l4proto udp ip6 saddr fe80::/64 ip6 daddr fe80::/64 udp dport 546 accept
+      meta l4proto ipv6-icmp accept
+      counter
+   }
+
+   chain forward {
+      type filter hook forward priority filter; policy accept;
+      ct state invalid counter drop
+      ct state related,established accept
+      iifgroup != 2 counter drop
+      oifgroup 2 counter drop
+   }
+
+   # These chains are reserved for end-users.  Qubes OS itself will
+   # never modify them.
+   chain custom-input {}
+   chain custom-forward {}
+}