From d82001819dd92030579556d50518a5b676360ac9 Mon Sep 17 00:00:00 2001
From: Tomasz Sterna
Date: Mon, 14 Mar 2011 20:57:08 +0100
Subject: [PATCH 1/3] Properly call QubesProxyVm superclass
---
 dom0/qvm-core/qubes.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/dom0/qvm-core/qubes.py b/dom0/qvm-core/qubes.py
index 2ac48904..176673dd 100755
--- a/dom0/qvm-core/qubes.py
+++ b/dom0/qvm-core/qubes.py
@@ -1116,7 +1116,7 @@ class QubesProxyVm(QubesNetVm):
 def start(self, debug_console = False, verbose = False, preparing_dvm = False):
 if dry_run:
 return
- retcode = super(QubesFirewallVm, self).start(debug_console=debug_console, verbose=verbose, preparing_dvm=preparing_dvm)
+ retcode = super(QubesProxyVm, self).start(debug_console=debug_console, verbose=verbose, preparing_dvm=preparing_dvm)
 self.netvm_vm.add_external_ip_permission(self.get_xid())
 self.write_netvm_domid_entry()
 return retcode
@@ -1125,7 +1125,7 @@ class QubesProxyVm(QubesNetVm):
 if dry_run:
 return
 self.netvm_vm.remove_external_ip_permission(self.get_xid())
- super(QubesFirewallVm, self).force_shutdown()
+ super(QubesProxyVm, self).force_shutdown()
 def create_xenstore_entries(self, xid):
 if dry_run:
From aa58bec1d9d5d1d5877ef7aa9f217b05ccd9d400 Mon Sep 17 00:00:00 2001
From: Tomasz Sterna
Date: Fri, 18 Mar 2011 14:12:19 +0100
Subject: [PATCH 2/3] Fixed default policy handling in firewall rules
---
 dom0/qvm-core/qubes.py | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/dom0/qvm-core/qubes.py b/dom0/qvm-core/qubes.py
index 176673dd..dd36bfd4 100755
--- a/dom0/qvm-core/qubes.py
+++ b/dom0/qvm-core/qubes.py
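Review bot: In the first hunk, `self.netvm_vm.add_external_ip_permission(self.get_xid())` runs right after the corrected superclass call without consulting `retcode`, so if a non-zero `retcode` means the domain did not come up (the hunk does not show the superclass contract), the NetVM is still handed an xid for a domain that is not running. Guarding the two follow-up calls with `if retcode == 0:` would keep the NetVM's permission state consistent with domains that actually started; if the superclass raises on failure instead, a comment on the `retcode =` line saying so would settle it. The `dry_run` early return also yields `None` where the normal path returns `retcode`, which any caller comparing the result has to know about. The same class-name fix in the second hunk is fine; `force_shutdown`'s `def` line lies outside that hunk.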
@@ -1189,12 +1189,12 @@ class QubesProxyVm(QubesNetVm):
 reject_action = "REJECT --reject-with icmp-host-prohibited"
 if conf["allow"]:
- rules_action = accept_action
- default_action = reject_action
+ default_action = accept_action
+ rules_action = reject_action
 iptables += "-A FORWARD -i vif{0}.0 -p icmp -j ACCEPT\n".format(xid)
 else:
- rules_action = reject_action
- default_action = accept_action
+ default_action = reject_action
+ rules_action = accept_action
 for rule in conf["rules"]:
 iptables += "-A FORWARD -i vif{0}.0 -d {1}".format(xid, rule["address"])
From 481e9871c45924fbf95078fe39a2c5572b1cb7a8 Mon Sep 17 00:00:00 2001
From: Tomasz Sterna
Date: Mon, 21 Mar 2011 22:06:53 +0100
Subject: [PATCH 3/3] Implemented implicit rule to allow ICMP traffic in firewall
---
 dom0/qvm-core/qubes.py | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/dom0/qvm-core/qubes.py b/dom0/qvm-core/qubes.py
index dd36bfd4..e165e482 100755
--- a/dom0/qvm-core/qubes.py
+++ b/dom0/qvm-core/qubes.py
@@ -1184,14 +1184,12 @@ class QubesProxyVm(QubesNetVm):
 iptables += "# '{0}' VM:\n".format(vm.name)
 iptables += "-A FORWARD ! -s {0}/32 -i vif{1}.0 -j DROP\n".format(vm.ip, xid)
- accept_action = "ACCEPT"
 reject_action = "REJECT --reject-with icmp-host-prohibited"
 if conf["allow"]:
 default_action = accept_action
 rules_action = reject_action
- iptables += "-A FORWARD -i vif{0}.0 -p icmp -j ACCEPT\n".format(xid)
 else:
 default_action = reject_action
 rules_action = accept_action
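Review bot: The swapped assignments under `if conf["allow"]:` are only right if `conf["rules"]` is read as a list of exceptions to the default policy, and nothing in the code states that — the previous version had the two actions exactly reversed, which is the kind of mistake a comment prevents. Add above the `if` a comment such as `# conf["allow"] is the default policy; entries in conf["rules"] are exceptions to it, so rules_action is always the opposite of default_action`. In the `allow` branch the ICMP ACCEPT is still appended before the rule loop, so an address in the reject list continues to receive ICMP; if that is intended it belongs in the same comment. The enclosing method starts and ends outside the hunk.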
@@ -1212,6 +1210,8 @@ class QubesProxyVm(QubesNetVm):
 # PREROUTING does DNAT to NetVM DNSes, so we need self.netvm_vm. properties
 iptables += "-A FORWARD -i vif{0}.0 -p udp -d {1} --dport 53 -j ACCEPT\n".format(xid,self.netvm_vm.gateway)
 iptables += "-A FORWARD -i vif{0}.0 -p udp -d {1} --dport 53 -j ACCEPT\n".format(xid,self.netvm_vm.secondary_dns)
+ if conf["allowIcmp"]:
+ iptables += "-A FORWARD -i vif{0}.0 -p icmp -j ACCEPT\n".format(xid)
 iptables += "-A FORWARD -i vif{0}.0 -j {1}\n".format(xid, default_action)
@@ -1397,7 +1397,8 @@ class QubesAppVm(QubesCowVm):
 root = xml.etree.ElementTree.Element(
 "QubesFirwallRules",
 policy = "allow" if conf["allow"] else "deny",
- dns = "allow" if conf["allowDns"] else "deny"
+ dns = "allow" if conf["allowDns"] else "deny",
+ icmp = "allow" if conf["allowIcmp"] else "deny"
 )
 for rule in conf["rules"]:
@@ -1431,7 +1432,7 @@ class QubesAppVm(QubesCowVm):
 return True
 def get_firewall_conf(self):
- conf = { "rules": list(), "allow": True, "allowDns": True }
+ conf = { "rules": list(), "allow": True, "allowDns": True, "allowIcmp": True }
 try:
 tree = xml.etree.ElementTree.parse(self.firewall_conf)
@@ -1439,6 +1440,7 @@ class QubesAppVm(QubesCowVm):
 conf["allow"] = (root.get("policy") == "allow")
 conf["allowDns"] = (root.get("dns") == "allow")
+ conf["allowIcmp"] = (root.get("icmp") == "allow")
 for element in root:
 rule = {}
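Review bot: The new `if conf["allowIcmp"]:` rule accepts every ICMP type to every destination from the VM and is emitted just before the `default_action` line, so under a deny policy it is a blanket exception to the whole rule list rather than a ping allowance, which is a wider hole than a firewall toggle named "allow ICMP" suggests. If the intent is to let the VM ping, narrowing the match documents and enforces that: `iptables += "-A FORWARD -i vif{0}.0 -p icmp --icmp-type echo-request -j ACCEPT\n".format(xid)`; otherwise a comment above the `if` stating that `allowIcmp` deliberately permits all ICMP types regardless of the address rules records the choice for whoever reads the generated table later. The enclosing method starts and ends outside the hunk.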
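Review bot: `conf["allowIcmp"] = (root.get("icmp") == "allow")` in the last hunk turns a missing `icmp` attribute into `False`, while the initialiser in the previous hunk defaults `allowIcmp` to `True`, so a VM whose firewall file predates this commit is read as icmp=deny although a VM with no file at all gets icmp=allow. If the `True` default is meant to cover old files as well, `conf["allowIcmp"] = (root.get("icmp", "allow") == "allow")` applies it consistently; if missing should mean deny, the `True` in the initialiser is misleading and should become `False`. The same asymmetry already exists for `dns`, so whichever reading is chosen deserves a one-line comment on the `conf = {` line. `get_firewall_conf` continues past the end of the hunk.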