network: rewrite qubes-firewall daemon

This rewrite is mainly to adopt new interface for Qubes 4.x. Main changes: - change language from bash to python, introduce qubesagent python package - support both nftables (preferred) and iptables - new interface (https://qubes-os.org/doc/vm-interface/) - IPv6 support - unit tests included - nftables version support running along with other firewall loaded Fixes QubesOS/qubes-issues#1815 QubesOS/qubes-issues#718
marmarek · Sep 12, 2016 · ee0a292 · ee0a292
1 parent b50cba3
commit ee0a292
Show file tree

Hide file tree

Showing 10 changed files with 1,124 additions and 59 deletions.
diff --git a/Makefile b/Makefile
@@ -146,6 +146,11 @@ install-common:
 	$(MAKE) -C autostart-dropins install
 	install -m 0644 -D misc/fstab $(DESTDIR)/etc/fstab
 
+	# force /usr/bin before /bin to have /usr/bin/python instead of /bin/python
+	PATH="/usr/bin:$(PATH)" python setup.py install -O1 --root $(DESTDIR)
+	mkdir -p $(DESTDIR)$(SBINDIR)
+	mv $(DESTDIR)/usr/bin/qubes-firewall $(DESTDIR)$(SBINDIR)/qubes-firewall
+
 	install -D -m 0440 misc/qubes.sudoers $(DESTDIR)/etc/sudoers.d/qubes
 	install -D -m 0440 misc/sudoers.d_qt_x11_no_mitshm $(DESTDIR)/etc/sudoers.d/qt_x11_no_mitshm
 	install -D -m 0644 misc/20_tcp_timestamps.conf $(DESTDIR)/etc/sysctl.d/20_tcp_timestamps.conf
@@ -200,7 +205,6 @@ install-common:
 
 
 	install -d $(DESTDIR)/$(SBINDIR)
-	install network/qubes-firewall $(DESTDIR)/$(SBINDIR)/
 	install network/qubes-netwatcher $(DESTDIR)/$(SBINDIR)/
 
 	install -d $(DESTDIR)$(BINDIR)

diff --git a/debian/control b/debian/control
@@ -38,6 +38,7 @@ Depends:
     net-tools,
     psmisc,
     python2.7,
+    python-daemon,
     python-gi,
     python-xdg,
     python-dbus,

diff --git a/network/ip6tables b/network/ip6tables
@@ -3,6 +3,8 @@
 :INPUT DROP [1:72]
 :FORWARD DROP [0:0]
 :OUTPUT ACCEPT [0:0]
+:QBS-FORWARD - [0:0]
 -A INPUT -i lo -j ACCEPT
+-A FORWARD -j QBS-FORWARD
 COMMIT
 # Completed on Tue Sep 25 16:00:20 2012
diff --git a/network/iptables b/network/iptables
@@ -17,13 +17,15 @@ COMMIT
 :INPUT ACCEPT [168:11399]
 :FORWARD ACCEPT [0:0]
 :OUTPUT ACCEPT [128:12536]
+:QBS-FORWARD - [0:0]
 -A INPUT -i vif+ -p udp -m udp --dport 68 -j DROP
 -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 -A INPUT -i vif+ -p icmp -j ACCEPT
 -A INPUT -i lo -j ACCEPT
 -A INPUT -i vif+ -j REJECT --reject-with icmp-host-prohibited
 -A INPUT -j DROP
 -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+-A FORWARD -j QBS-FORWARD
 -A FORWARD -i vif+ -o vif+ -j DROP
 -A FORWARD -i vif+ -j ACCEPT
 -A FORWARD -j DROP

diff --git a/network/qubes-firewall b/network/qubes-firewall
diff --git a/qubesagent/__init__.py b/qubesagent/__init__.py