Merge branch 'master' of git.qubes-os.org:/var/lib/qubes/git/marmarek/core

2011-04-06 10:40:51 +02:00 · 2011-04-06 10:40:51 +02:00 · 102d5735e7
commit 102d5735e7
parent 00107ccd84 95a52d388b
2 changed files with 4 additions and 2 deletions
--- a/common/iptables
+++ b/common/iptables
@ -19,9 +19,9 @@ COMMIT
 -A INPUT -p icmp -j ACCEPT
 -A INPUT -i lo -j ACCEPT
 -A INPUT -j REJECT --reject-with icmp-host-prohibited
+-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
 -A FORWARD -i vif+ -o vif+ -j DROP
 -A FORWARD -i vif+ -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
 -A FORWARD -j DROP
 COMMIT
 # Completed on Mon Sep  6 08:57:46 2010
--- a/dom0/qvm-core/qubes.py
+++ b/dom0/qvm-core/qubes.py
@ -1392,8 +1392,11 @@ class QubesProxyVm(QubesNetVm):
        iptables += "-A INPUT -i lo -j ACCEPT\n"
        iptables += "-A INPUT -j REJECT --reject-with icmp-host-prohibited\n"

+        iptables += "-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT\n"
        # Allow dom0 networking
        iptables += "-A FORWARD -i vif0.0 -j ACCEPT\n"
+        # Deny inter-VMs networking
+        iptables += "-A FORWARD -i vif+ -o vif+ -j DROP\n"

        vms = [vm for vm in self.connected_vms.values()]
        for vm in vms:
@ -1441,7 +1444,6 @@ class QubesProxyVm(QubesNetVm):
            iptables += "-A FORWARD -i vif{0}.0 -j {1}\n".format(xid, default_action)

        iptables += "#End of VM rules\n"
-        iptables += "-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT\n"
        iptables += "-A FORWARD -j DROP\n"

        iptables += "COMMIT"