Merge pull request #178 from palainp/common-vif

manage a dynamic uplink

Dockerfile

@@ -2,14 +2,14 @@
 # It will probably still work on newer images, though, unless an update
 # changes some compiler optimisations (unlikely).
 # bookworm-slim taken from https://hub.docker.com/_/debian/tags?page=1&name=bookworm-slim
-FROM debian@sha256:ea5ad531efe1ac11ff69395d032909baf423b8b88e9aade07e11b40b2e5a1338
+FROM debian@sha256:3d5df92588469a4c503adbead0e4129ef3f88e223954011c2169073897547cac
 # install remove default packages repository
 RUN rm /etc/apt/sources.list.d/debian.sources
 # and set the package source to a specific release too
 # taken from https://snapshot.debian.org/archive/debian
-RUN printf "deb [check-valid-until=no] http://snapshot.debian.org/archive/debian/20231107T084929Z bookworm main\n" > /etc/apt/sources.list
+RUN printf "deb [check-valid-until=no] http://snapshot.debian.org/archive/debian/20240419T024211Z bookworm main\n" > /etc/apt/sources.list
 # taken from https://snapshot.debian.org/archive/debian-security/
-RUN printf "deb [check-valid-until=no] http://snapshot.debian.org/archive/debian-security/20231108T004541Z bookworm-security main\n" >> /etc/apt/sources.list
+RUN printf "deb [check-valid-until=no] http://snapshot.debian.org/archive/debian-security/20240419T111010Z bookworm-security main\n" >> /etc/apt/sources.list
 
 RUN apt update && apt install --no-install-recommends --no-install-suggests -y wget ca-certificates git patch unzip bzip2 make gcc g++ libc-dev
 RUN wget -O /usr/bin/opam https://github.com/ocaml/opam/releases/download/2.1.5/opam-2.1.5-i686-linux && chmod 755 /usr/bin/opam
@@ -23,13 +23,13 @@ ENV OPAMCONFIRMLEVEL=unsafe-yes
 # Remove this line (and the base image pin above) if you want to test with the
 # latest versions.
 # taken from https://github.com/ocaml/opam-repository
-RUN opam init --disable-sandboxing -a --bare https://github.com/ocaml/opam-repository.git#d1a8bf040fbb2c81ddb2612f1a49a471a06083dc
+RUN opam init --disable-sandboxing -a --bare https://github.com/ocaml/opam-repository.git#4399f486aa6edefdc96d5e206a65ce42288ebfdd
 RUN opam switch create myswitch 4.14.1
 RUN opam exec -- opam install -y mirage opam-monorepo ocaml-solo5
 RUN mkdir /tmp/orb-build
 ADD config.ml /tmp/orb-build/config.ml
 WORKDIR /tmp/orb-build
 CMD opam exec -- sh -exc 'mirage configure -t xen --extra-repos=\
-opam-overlays:https://github.com/dune-universe/opam-overlays.git#91a371754a2c9f4febbb6c7bb039649ad49a3c13,\
-mirage-overlays:https://github.com/dune-universe/mirage-opam-overlays.git#05f1c1823d891ce4d8adab91f5db3ac51d86dc0b \
---allocation-policy=best-fit && make depend && make tar'
+opam-overlays:https://github.com/dune-universe/opam-overlays.git#4e75ee36715b27550d5bdb87686bb4ae4c9e89c4,\
+mirage-overlays:https://github.com/dune-universe/mirage-opam-overlays.git#797cb363df3ff763c43c8fbec5cd44de2878757e \
+&& make depend && make tar'

README.md

@@ -121,6 +121,17 @@ https://www.qubes-os.org/doc/software-update-dom0/ says:
 > there are no significant security implications in this choice. By default,
 > this role is assigned to the firewallvm.
 
+### Configure firewall with OpenBSD-like netvm
+
+OpenBSD is currently unable to be used as netvm, so if you want to use a BSD as your sys-net VM, you'll need to set its netvm to qubes-mirage-firewall (see https://github.com/mirage/qubes-mirage-firewall/issues/146 for more information).
+That means you'll have `AppVMs -> qubes-mirage-firewall <- OpenBSD` with the arrow standing for the netvm property setting.
+
+In that case you'll have to tell qubes-mirage-firewall which AppVM client should be used as uplink:
+```
+qvm-prefs --set mirage-firewall -- kernelopts '--ipv4=X.X.X.X --ipv4-gw=Y.Y.Y.Y'
+```
+with `X.X.X.X` the IP address for mirage-firewall and `Y.Y.Y.Y` the IP address of your OpenBSD HVM.
+
 ### Components
 
 This diagram show the main components (each box corresponds to a source `.ml` file with the same name):

build-with.sh

@@ -20,5 +20,5 @@ $builder build -t qubes-mirage-firewall .
 echo Building Firewall...
 $builder run --rm -i -v `pwd`:/tmp/orb-build:Z qubes-mirage-firewall
 echo "SHA2 of build:   $(sha256sum ./dist/qubes-firewall.xen)"
-echo "SHA2 last known: 2c3f68f49afdeaeedd2c03f8ef6d30d6bb4d6306bda0a1ff40f95f440a90034c"
+echo "SHA2 last known:  163991ea96842e03d378501a0be99057ad2489440aff8ae81d850624d98fd3f0"
 echo "(hashes should match for released versions)"

client_eth.ml

@@ -10,19 +10,20 @@ module Log = (val Logs.src_log src : Logs.LOG)
 type t = {
   mutable iface_of_ip : client_link IpMap.t;
   changed : unit Lwt_condition.t;   (* Fires when [iface_of_ip] changes. *)
-  client_gw : Ipaddr.V4.t;  (* The IP that clients are given as their default gateway. *)
+  my_ip : Ipaddr.V4.t;  (* The IP that clients are given as their default gateway. *)
 }
 
 type host =
   [ `Client of client_link
   | `Firewall
   | `External of Ipaddr.t ]
 
-let create ~client_gw =
+let create config =
   let changed = Lwt_condition.create () in
-  { iface_of_ip = IpMap.empty; client_gw; changed }
+  let my_ip = config.Dao.our_ip in
+  Lwt.return { iface_of_ip = IpMap.empty; my_ip; changed }
 
-let client_gw t = t.client_gw
+let client_gw t = t.my_ip
 
 let add_client t iface =
   let ip = iface#other_ip in
@@ -52,14 +53,14 @@ let classify t ip =
   match ip with
   | Ipaddr.V6 _ -> `External ip
   | Ipaddr.V4 ip4 ->
-    if ip4 = t.client_gw then `Firewall
+    if ip4 = t.my_ip then `Firewall
     else match lookup t ip4 with
       | Some client_link -> `Client client_link
       | None -> `External ip
 
 let resolve t : host -> Ipaddr.t = function
   | `Client client_link -> Ipaddr.V4 client_link#other_ip
-  | `Firewall -> Ipaddr.V4 t.client_gw
+  | `Firewall -> Ipaddr.V4 t.my_ip
   | `External addr -> addr
 
 module ARP = struct
@@ -69,7 +70,7 @@ module ARP = struct
   }
 
   let lookup t ip =
-    if ip = t.net.client_gw then Some t.client_link#my_mac
+    if ip = t.net.my_ip then Some t.client_link#my_mac
     else if (Ipaddr.V4.to_octets ip).[3] = '\x01' then (
       Log.info (fun f -> f ~header:t.client_link#log_header
                    "Request for %a is invalid, but pretending it's me (see Qubes issue #5022)" Ipaddr.V4.pp ip);

client_eth.mli

@@ -17,7 +17,7 @@ type host =
    disconnected client.
    See: https://github.com/talex5/qubes-mirage-firewall/issues/9#issuecomment-246956850 *)
 
-val create : client_gw:Ipaddr.V4.t -> t
+val create : Dao.network_config -> t Lwt.t
 (** [create ~client_gw] is a network of client machines.
     Qubes will have configured the client machines to use [client_gw] as their default gateway. *)
 

config.ml

@@ -1,21 +1,20 @@
+(* mirage >= 4.5.0 & < 5.0.0 *)
 (* Copyright (C) 2017, Thomas Leonard <[email protected]>
    See the README file for details. *)
 
 (** Configuration for the "mirage" tool. *)
 
 open Mirage
 
-let table_size =
-  let info = Key.Arg.info
-      ~doc:"The number of NAT entries to allocate."
-      ~docv:"ENTRIES" ["nat-table-size"]
-  in
-  let key = Key.Arg.opt ~stage:`Both Key.Arg.int 5_000 info in
-  Key.create "nat_table_size" key
+let nat_table_size = runtime_arg ~pos:__POS__ "Unikernel.nat_table_size"
+let ipv4 = runtime_arg ~pos:__POS__ "Unikernel.ipv4"
+let ipv4_gw = runtime_arg ~pos:__POS__ "Unikernel.ipv4_gw"
+let ipv4_dns = runtime_arg ~pos:__POS__ "Unikernel.ipv4_dns"
+let ipv4_dns2 = runtime_arg ~pos:__POS__ "Unikernel.ipv4_dns2"
 
 let main =
-  foreign
-    ~keys:[Key.v table_size]
+   main
+    ~runtime_args:[ nat_table_size; ipv4; ipv4_gw; ipv4_dns; ipv4_dns2; ]
     ~packages:[
       package "vchan" ~min:"4.0.2";
       package "cstruct";
@@ -24,8 +23,8 @@ let main =
       package ~min:"2.3.0" ~sublibs:["mirage"] "arp";
       package ~min:"3.0.0" "ethernet";
       package "shared-memory-ring" ~min:"3.0.0";
-      package ~min:"2.1.2" "netchannel";
-      package "mirage-net-xen";
+      package ~min:"2.1.3" "netchannel";
+      package "mirage-net-xen" ~min:"2.1.3";
       package "ipaddr" ~min:"5.2.0";
       package "mirage-qubes" ~min:"0.9.1";
       package ~min:"3.0.1" "mirage-nat";