enforce libvirt_fwo_enable and disable

doomedraven · doomedraven · commit ea10270d4738 · 2026-02-01T08:46:11.000+01:00
diff --git a/lib/cuckoo/core/analysis_manager.py b/lib/cuckoo/core/analysis_manager.py
@@ -601,6 +601,7 @@ def route_network(self):
                 str(self.socks5s[self.route]["dnsport"]),
                 str(self.socks5s[self.route]["port"]),
             )
+            self.rooter_response = rooter("libvirt_fwo_enable", self.machine.interface, self.machine.ip)
 
         elif self.route in ("none", "None", "drop"):
             self.rooter_response = rooter("drop_enable", self.machine.ip, str(self.cfg.resultserver.port))
@@ -618,6 +619,7 @@ def route_network(self):
             self.route = "drop"
 
         if self.interface:
+            self.rooter_response = rooter("libvirt_fwo_enable", self.machine.interface, self.machine.ip)
             if self.no_local_routing:
                 input_interface = "dirty-line"
                 # Traffic from lan to machine
@@ -666,6 +668,7 @@ def route_network(self):
     def unroute_network(self):
         routing = Config("routing")
         if self.interface:
+            self.rooter_response = rooter("libvirt_fwo_disable", self.machine.interface, self.machine.ip)
             if self.no_local_routing:
                 input_interface = "dirty-line"
                 # Traffic from lan to machine
@@ -735,6 +738,7 @@ def unroute_network(self):
                 str(self.socks5s[self.route]["dnsport"]),
                 str(self.socks5s[self.route]["port"]),
             )
+            self.rooter_response = rooter("libvirt_fwo_disable", self.machine.interface, self.machine.ip)
 
         elif self.route in ("none", "None", "drop"):
             self.rooter_response = rooter("drop_disable", self.machine.ip, str(self.cfg.resultserver.port))
diff --git a/utils/rooter.py b/utils/rooter.py
@@ -469,6 +469,14 @@ def polarproxy_disable(interface, client, tls_port, proxy_port):
         "ACCEPT"
     )
 
+def libvirt_fwo_enable(interface, source):
+    """Enable LIBVIRT_FWO for a specific interface and source."""
+    run_iptables("-I", "LIBVIRT_FWO", "1", "-i", interface, "-s", source, "-j", "ACCEPT")
+
+def libvirt_fwo_disable(interface, source):
+    """Disable LIBVIRT_FWO for a specific interface and source."""
+    run_iptables("-D", "LIBVIRT_FWO", "-i", interface, "-s", source, "-j", "ACCEPT")
+
 def init_rttable(rt_table, interface):
     """Initialise routing table for this interface using routes
     from main table."""
@@ -1005,6 +1013,8 @@ def drop_disable(ipaddr, resultserver_port):
     "disable_mitmdump": disable_mitmdump,
     "polarproxy_enable": polarproxy_enable,
     "polarproxy_disable": polarproxy_disable,
+    "libvirt_fwo_enable": libvirt_fwo_enable,
+    "libvirt_fwo_disable": libvirt_fwo_disable,
 }
 
 if __name__ == "__main__":
