
Consider support for openbsd HVM as netvm

Open Szewcson opened this issue 1 year ago • 12 comments

On the Qubes forum (https://forum.qubes-os.org/t/unable-to-shutdown-mirage-firewall-without-netvm-attached/13606) some users are reporting problems with mirage-firewall when it does not have a netvm attached. While it is not a normal use case, it is the right configuration when using openbsd as netvm (https://github.com/jcholsap/freemod/issues/1). Maybe adding support (fixing this issue and providing a trustworthy script for configuring routing in that case) is worth considering.

Szewcson, Sep 12 '22 11:09

Hi, thanks for this report. If I understand correctly, openbsd's netvm must specifically set the netvm to "none" for mirage-fw. When I try to start mirage-fw with netvm set to "none", I get the following result in the log:

...
[2022-09-12 13:29:33] 2022-09-12 11:29:33 -00:00: WRN [dao] QubesDB key "/qubes-ip" not (yet) present; waiting for QubesDB to change...
...

but mirage-fw starts correctly.

The message is written by https://github.com/mirage/qubes-mirage-firewall/blob/2af63f1f45338cc3c160dd453d8473a182bc7d8b/dao.ml#L153 which is called in https://github.com/mirage/qubes-mirage-firewall/blob/2af63f1f45338cc3c160dd453d8473a182bc7d8b/unikernel.ml#L69

To me it's probably doable to add options to manually configure the IP, gateway IP, and DNS IP(s) instead of reading qubesDB (but both cases should be mutually exclusive). And the script linked in the issue seems to only route all traffic to the gateway with NAT (more complicated scripts may not be easy to write here, and writing a shell interpreter will be out of scope IMO).

palainp, Sep 12 '22 12:09

I don't fully understand what is needed to create this setup yet, since I'm not trying it myself. As I understand it, the problem is that there are no qubes-agents for bsd, so the configuration has to be manual. As for routing, I have no idea what is doable.

Szewcson, Sep 12 '22 13:09

I see that even a VM without a net qube has active firewall settings. So maybe it is possible to use it like in the normal use case. So I think that the main difference will be using manually set addresses.

Szewcson, Sep 12 '22 18:09

Hmm, I added some command line options to set the ip/gw/dns configuration if qubesDB does not provide anything (keys are missing), but it now fails to read from xenstore. The issue is that the netvm won't be started before mirage-fw and has no network connection (as a client in the current naming) during the startup stage.

It will need a rewrite of how the uplink is used. To go further, I would have to configure an openbsd HVM netvm, which will take me some time ;)

palainp, Sep 15 '22 18:09
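As an added illustration of the selection logic palainp describes above (QubesDB keys when present, manual ip/gw/dns otherwise, never both), here is a small Python model; it is not the firewall's OCaml code. Only "/qubes-ip" is quoted in the thread; the other key names are the standard Qubes netvm keys, and the QubesDB contents are a constructed stand-in.

```python
import ipaddress
from dataclasses import dataclass
from typing import Mapping, Optional, Tuple

# QubesDB keys a qube with a netvm normally finds populated. "/qubes-ip" is
# the one quoted in the thread; the others are the standard Qubes key names.
DB_KEYS = {
    "ip": "/qubes-ip",
    "gateway": "/qubes-gateway",
    "dns1": "/qubes-primary-dns",
    "dns2": "/qubes-secondary-dns",
}
MANUAL_FIELDS = ("ip", "gateway", "dns1", "dns2")

@dataclass(frozen=True)
class NetConfig:
    ip: ipaddress.IPv4Address
    gateway: ipaddress.IPv4Address
    dns: Tuple[ipaddress.IPv4Address, ...]  # one or two resolvers
    source: str                             # "qubesdb" or "manual"

def _parse(name: str, value: Optional[str]) -> ipaddress.IPv4Address:
    # Reject missing, empty or malformed values so a typo on the command
    # line cannot yield a half-configured uplink.
    try:
        return ipaddress.IPv4Address(value)
    except (ipaddress.AddressValueError, TypeError) as e:
        raise ValueError(f"{name}: bad IPv4 address {value!r}") from e

def resolve_config(qubesdb: Mapping[str, str],
                   manual: Mapping[str, Optional[str]]) -> NetConfig:
    """Choose exactly one source for ip/gateway/dns and validate it.

    qubesdb: path -> value view of the qube's QubesDB (constructed here)
    manual:  command-line style overrides keyed by MANUAL_FIELDS
    """
    from_db = {k: qubesdb.get(path) for k, path in DB_KEYS.items()}
    db_has_ip = from_db["ip"] is not None
    manual_set = any(manual.get(k) for k in MANUAL_FIELDS)
    if db_has_ip and manual_set:
        # Both sources populated: refuse rather than silently prefer one.
        raise ValueError("manual settings given but QubesDB provides /qubes-ip")
    if db_has_ip:
        src, vals = "qubesdb", from_db
    elif manual_set:
        src, vals = "manual", manual
    else:
        raise ValueError("no configuration: /qubes-ip absent and no manual settings")
    dns = tuple(_parse(k, vals[k]) for k in ("dns1", "dns2") if vals.get(k))
    if not dns:
        raise ValueError("at least one DNS server is required")
    return NetConfig(_parse("ip", vals.get("ip")), _parse("gateway", vals.get("gateway")), dns, src)
```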

Configuring the netvm according to those guides is a rather simple task if you have knowledge about networks (for me that part was the hardest, since I have a little experience with that topic). There is a hint in the topic I posted that when you are using a dvm as "netvm" (a firewall, but since OpenBSD does not have a netback driver we are connecting using netfront) you should add an additional line in hostname.xnf0 for cloning the interface to another subnet. But you can encounter problems with drivers (as I did - none of my NICs worked on OpenBSD when passed through).

Szewcson, Sep 16 '22 06:09