Qubes/core-admin
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

dom0/qubes-firewall: allow to specify protocol, do not assume always tcp

Browse Source
This commit is contained in:
Marek Marczykowski 2012-02-27 02:02:42 +01:00
parent 1a1ef8a3a0
commit 0ca08d48b8
1 changed files with 24 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

24
dom0/qvm-core/qubes.py
View File

@ -993,15 +993,21 @@ class QubesVm(object):
) )
for rule in conf["rules"]: for rule in conf["rules"]:
# For backward compatibility
if "proto" not in rule:
rule["proto"] = "tcp"
element = xml.etree.ElementTree.Element( element = xml.etree.ElementTree.Element(
"rule", "rule",
address=rule["address"], address=rule["address"],
port=str(rule["portBegin"]), proto=str(rule["proto"]),
) )
if rule["netmask"] is not None and rule["netmask"] != 32: if rule["netmask"] is not None and rule["netmask"] != 32:
element.set("netmask", str(rule["netmask"])) element.set("netmask", str(rule["netmask"]))
if rule["portEnd"] is not None: if rule["portBegin"] is not None and rule["portBegin"] > 0:
element.set("port", str(rule["portBegin"]))
if rule["portEnd"] is not None and rule["portEnd"] > 0:
element.set("toport", str(rule["portEnd"])) element.set("toport", str(rule["portEnd"]))
root.append(element) root.append(element)
tree = xml.etree.ElementTree.ElementTree(root) tree = xml.etree.ElementTree.ElementTree(root)
@ -1038,7 +1044,7 @@ class QubesVm(object):
for element in root: for element in root:
rule = {} rule = {}
attr_list = ("address", "netmask", "port", "toport") attr_list = ("address", "netmask", "proto", "port", "toport")
for attribute in attr_list: for attribute in attr_list:
rule[attribute] = element.get(attribute) rule[attribute] = element.get(attribute)
@ -1048,7 +1054,15 @@ class QubesVm(object):
else: else:
rule["netmask"] = 32 rule["netmask"] = 32
# For backward compatibility default to tcp
if rule["proto" is None:
rule["proto"] = "tcp"
if rule["port"] is not None:
rule["portBegin"] = int(rule["port"]) rule["portBegin"] = int(rule["port"])
else:
# backward compatibility
rule["portBegin"] = 0
if rule["toport"] is not None: if rule["toport"] is not None:
rule["portEnd"] = int(rule["toport"]) rule["portEnd"] = int(rule["toport"])
@ -1814,8 +1828,10 @@ class QubesProxyVm(QubesNetVm):
if rule["netmask"] != 32: if rule["netmask"] != 32:
iptables += "/{0}".format(rule["netmask"]) iptables += "/{0}".format(rule["netmask"])
if rule["proto"] is not None and rule["proto"] != "any":
iptables += " -p {0}".format(rule["proto"])
if rule["portBegin"] is not None and rule["portBegin"] > 0: if rule["portBegin"] is not None and rule["portBegin"] > 0:
iptables += " -p tcp --dport {0}".format(rule["portBegin"]) iptables += " --dport {0}".format(rule["portBegin"])
if rule["portEnd"] is not None and rule["portEnd"] > rule["portBegin"]: if rule["portEnd"] is not None and rule["portEnd"] > rule["portBegin"]:
iptables += ":{0}".format(rule["portEnd"]) iptables += ":{0}".format(rule["portEnd"])