- In NetVMs/ProxyVMs, scripts placed in `/rw/config/network-hooks.d` will be run when configuring Qubes interfaces. For each script, the `command`, `vif`, `vif_type` and `ip` are passed as arguments (see `/etc/xen/scripts/vif-route-qubes`). For example, consider a PV app qube `work` with IP `10.137.0.100` and `sys-firewall` as its NetVM. Assuming its Xen domain ID is, say, `12`, then the following script located at `/rw/config/network-hooks.d/hook-100.sh` in `sys-firewall`:

  ```bash
  #!/bin/bash
  command="$1"    # online or offline
  vif="$2"        # backend interface name, e.g. vif12.0
  vif_type="$3"   # vif (PV) or vif_ioemu (emulated NIC of an HVM)
  ip="$4"         # IP address of the qube being (dis)connected

  if [ "$ip" == '10.137.0.100' ]; then
      case "$command" in
          online)
              ip route add 192.168.0.100 via 10.137.0.100
              ;;
          offline)
              ip route del 192.168.0.100
              ;;
      esac
  fi
  ```

  will be executed with the arguments `online vif12.0 vif 10.137.0.100` when starting `work`. Please note that in the case of an HVM, the script will be called twice: once with vif_type `vif`, then with vif_type `vif_ioemu` (and different interface names). As long as the ioemu interface exists, it should be preferred (this is up to the hook script). When the VM decides to use a PV interface (vif_type `vif`), the ioemu one will be unplugged, and the hook is called again for it with `offline`.
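The hook above breaks for an HVM: the second `online` call (for `vif_ioemu`) fails with `RTNETLINK answers: File exists`, and the later `offline` for the unplugged ioemu interface removes the route that the PV interface still needs. The following hook is an added example, not code from the Qubes OS documentation or project, that handles both calls by installing one route per interface with a metric that prefers the ioemu interface while it exists, and by scoping each delete to the interface and metric it belongs to. The IP-to-prefix table, the second qube, the interface names used in the comments and the assumption that the file is executable are all part of the example, not of the page.

```bash
#!/bin/bash
# Added example hook for /rw/config/network-hooks.d/ in a NetVM/ProxyVM.
# vif-route-qubes invokes it as: <command> <vif> <vif_type> <ip>
#
# Constructed data: which destination prefix should be routed via which qube.
# The 10.137.0.101 entry is a hypothetical second qube, not one from the page.
route_for_ip() {
    case "$1" in
        10.137.0.100) echo "192.168.0.100" ;;    # the 'work' qube
        10.137.0.101) echo "192.168.1.0/24" ;;   # hypothetical second qube
        *) return 1 ;;
    esac
}

# Lower metric wins: the emulated (ioemu) NIC of an HVM is preferred for as
# long as it exists; the PV vif takes over automatically once it is gone.
metric_for_type() {
    case "$1" in
        vif_ioemu) echo 10 ;;
        vif)       echo 20 ;;
        *) return 1 ;;          # unknown interface type: ignore the event
    esac
}

# hook_plan <command> <vif> <vif_type> <ip>
# Prints the single 'ip route' command this event requires (nothing if the
# event is not for a qube we care about). Computing instead of executing keeps
# the decision logic testable outside a NetVM and without root.
hook_plan() {
    local command="$1" vif="$2" vif_type="$3" ip="$4" dst metric
    dst="$(route_for_ip "$ip")" || return 0
    metric="$(metric_for_type "$vif_type")" || return 0
    case "$command" in
        online)
            # 'onlink' skips the next-hop reachability check, which would
            # otherwise fail for the second interface carrying the same IP.
            # Distinct metrics make the PV and ioemu routes coexist instead of
            # colliding with 'File exists'.
            echo "ip route add $dst via $ip dev $vif onlink metric $metric"
            ;;
        offline)
            # 'dev' and 'metric' act as selectors: unplugging the ioemu NIC
            # removes only its own route and leaves the PV route in place.
            echo "ip route del $dst via $ip dev $vif metric $metric"
            ;;
    esac
}

# When run as a hook (exactly four arguments), execute the planned command.
if [ "$#" -eq 4 ]; then
    plan="$(hook_plan "$@")"
    if [ -n "$plan" ]; then
        eval "$plan" || echo "hook-100.sh: '$plan' failed" >&2
    fi
fi
```

Starting `work` as a PV qube produces `ip route add 192.168.0.100 via 10.137.0.100 dev vif12.0 onlink metric 20`; for an HVM the ioemu call adds a second route with metric 10 on its own interface, and its later `offline` deletes exactly that route. Events for IPs not in the table produce no command at all.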
You can create a script in dom0 that builds the "IP address - qube name" list and passes it to your custom firewall VM.
You can also add a custom Qubes RPC service, called from the hook script in `/rw/config/network-hooks.d` of the `sys-custom-fw` qube on each qube connect/disconnect event, that asks dom0 to refresh the list of connected qubes.
You can use QubesDB to pass the list to your custom firewall VM, e.g. in dom0:

```bash
qubesdb-write -d sys-custom-fw /connected_qubes_list/10.138.30.88 myqube1
```

Then read the list in sys-custom-fw:

```bash
# get the list of IP addresses of qubes
qubesdb-list /connected_qubes_list/
# read the qube name associated with this IP address
qubesdb-read /connected_qubes_list/10.138.30.88
```
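The two steps above (dom0 builds the list, the firewall qube reads it) as one dom0 script, added here as an example that is not part of the Qubes OS documentation or project. It assumes the firewall qube is named `sys-custom-fw`, that `qvm-ls --raw-data -O name,ip,netvm` prints one `|`-separated row per qube with `-` for a missing value, and that `qubesdb-rm` is available next to `qubesdb-write` and `qubesdb-list`; the qube rows in the usage note are constructed sample data. It also removes entries for qubes that no longer exist or no longer use this NetVM, which a plain write-only loop would leave behind as stale mappings.

```bash
#!/bin/bash
# Added example (dom0): publish "IP address -> qube name" for every qube
# attached to the custom firewall qube into that qube's QubesDB, and prune
# entries that are no longer valid. Run as: ./sync-connected-list.sh sync

FW="${FW:-sys-custom-fw}"          # assumed name of the custom firewall qube
PREFIX="/connected_qubes_list"     # key prefix from the page

# parse_qvm_ls: reads 'name|ip|netvm' rows on stdin and prints "<ip> <name>"
# for each qube that has an IP and uses $FW as its NetVM. A header row, qubes
# without an IP ('-') and qubes behind another NetVM are skipped.
parse_qvm_ls() {
    local name ip netvm
    while IFS='|' read -r name ip netvm; do
        [ -n "$name" ] && [ "$name" != "NAME" ] || continue
        [ -n "$ip" ] && [ "$ip" != "-" ] || continue
        [ "$netvm" = "$FW" ] || continue
        printf '%s %s\n' "$ip" "$name"
    done
}

# stale_ips <published-ips> <desired-ips>: both are newline-separated lists;
# prints the IPs that are published in QubesDB but no longer desired.
stale_ips() {
    local cur des
    cur="$(mktemp)"; des="$(mktemp)"
    printf '%s\n' "$1" | sed '/^$/d' | sort -u > "$cur"
    printf '%s\n' "$2" | sed '/^$/d' | sort -u > "$des"
    comm -23 "$cur" "$des"
    rm -f "$cur" "$des"
}

# sync_connected_list: the dom0 side of the procedure described on the page.
sync_connected_list() {
    local desired published ip name
    desired="$(qvm-ls --raw-data -O name,ip,netvm | parse_qvm_ls)"
    # qubesdb-list may print keys with or without the prefix; normalise both.
    published="$(qubesdb-list -d "$FW" "$PREFIX/" | sed "s#^$PREFIX/##")"

    printf '%s\n' "$desired" | while read -r ip name; do
        [ -n "$ip" ] || continue
        qubesdb-write -d "$FW" "$PREFIX/$ip" "$name"
    done

    stale_ips "$published" "$(printf '%s\n' "$desired" | cut -d' ' -f1)" |
    while read -r ip; do
        [ -n "$ip" ] || continue
        qubesdb-rm -d "$FW" "$PREFIX/$ip"
    done
}

# Firewall side (inside $FW): resolve an IP handed to a network hook to a name.
qube_name_for_ip() {
    qubesdb-read "$PREFIX/$1" 2>/dev/null
}

if [ "${1:-}" = "sync" ]; then
    sync_connected_list
fi
```

With constructed rows such as `work|10.137.0.100|sys-custom-fw`, `vault|-|-` and `other|10.137.0.7|sys-firewall`, `parse_qvm_ls` emits only `10.137.0.100 work`; if QubesDB still holds `10.138.30.88` from a qube that has since been removed, `stale_ips` reports it and the sync deletes `/connected_qubes_list/10.138.30.88`. Call `qube_name_for_ip "$ip"` from a hook in `/rw/config/network-hooks.d` of the firewall qube to turn the `ip` argument into the qube name.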