Merge branch 'master' of git.qubes-os.org:/var/lib/qubes/git/smoku/core into spring-merge

This commit is contained in:
Rafal Wojtczuk 2011-03-23 09:23:38 +01:00
commit 105486135b

View File

@ -1294,17 +1294,15 @@ class QubesProxyVm(QubesNetVm):
iptables += "# '{0}' VM:\n".format(vm.name) iptables += "# '{0}' VM:\n".format(vm.name)
iptables += "-A FORWARD ! -s {0}/32 -i vif{1}.0 -j DROP\n".format(vm.ip, xid) iptables += "-A FORWARD ! -s {0}/32 -i vif{1}.0 -j DROP\n".format(vm.ip, xid)
accept_action = "ACCEPT" accept_action = "ACCEPT"
reject_action = "REJECT --reject-with icmp-host-prohibited" reject_action = "REJECT --reject-with icmp-host-prohibited"
if conf["allow"]: if conf["allow"]:
rules_action = accept_action
default_action = reject_action
iptables += "-A FORWARD -i vif{0}.0 -p icmp -j ACCEPT\n".format(xid)
else:
rules_action = reject_action
default_action = accept_action default_action = accept_action
rules_action = reject_action
else:
default_action = reject_action
rules_action = accept_action
for rule in conf["rules"]: for rule in conf["rules"]:
iptables += "-A FORWARD -i vif{0}.0 -d {1}".format(xid, rule["address"]) iptables += "-A FORWARD -i vif{0}.0 -d {1}".format(xid, rule["address"])
@ -1322,6 +1320,8 @@ class QubesProxyVm(QubesNetVm):
# PREROUTING does DNAT to NetVM DNSes, so we need self.netvm_vm. properties # PREROUTING does DNAT to NetVM DNSes, so we need self.netvm_vm. properties
iptables += "-A FORWARD -i vif{0}.0 -p udp -d {1} --dport 53 -j ACCEPT\n".format(xid,self.netvm_vm.gateway) iptables += "-A FORWARD -i vif{0}.0 -p udp -d {1} --dport 53 -j ACCEPT\n".format(xid,self.netvm_vm.gateway)
iptables += "-A FORWARD -i vif{0}.0 -p udp -d {1} --dport 53 -j ACCEPT\n".format(xid,self.netvm_vm.secondary_dns) iptables += "-A FORWARD -i vif{0}.0 -p udp -d {1} --dport 53 -j ACCEPT\n".format(xid,self.netvm_vm.secondary_dns)
if conf["allowIcmp"]:
iptables += "-A FORWARD -i vif{0}.0 -p icmp -j ACCEPT\n".format(xid)
iptables += "-A FORWARD -i vif{0}.0 -j {1}\n".format(xid, default_action) iptables += "-A FORWARD -i vif{0}.0 -j {1}\n".format(xid, default_action)
@ -1491,7 +1491,8 @@ class QubesAppVm(QubesCowVm):
root = xml.etree.ElementTree.Element( root = xml.etree.ElementTree.Element(
"QubesFirwallRules", "QubesFirwallRules",
policy = "allow" if conf["allow"] else "deny", policy = "allow" if conf["allow"] else "deny",
dns = "allow" if conf["allowDns"] else "deny" dns = "allow" if conf["allowDns"] else "deny",
icmp = "allow" if conf["allowIcmp"] else "deny"
) )
for rule in conf["rules"]: for rule in conf["rules"]:
@ -1525,7 +1526,7 @@ class QubesAppVm(QubesCowVm):
return True return True
def get_firewall_conf(self): def get_firewall_conf(self):
conf = { "rules": list(), "allow": True, "allowDns": True } conf = { "rules": list(), "allow": True, "allowDns": True, "allowIcmp": True }
try: try:
tree = xml.etree.ElementTree.parse(self.firewall_conf) tree = xml.etree.ElementTree.parse(self.firewall_conf)
@ -1533,6 +1534,7 @@ class QubesAppVm(QubesCowVm):
conf["allow"] = (root.get("policy") == "allow") conf["allow"] = (root.get("policy") == "allow")
conf["allowDns"] = (root.get("dns") == "allow") conf["allowDns"] = (root.get("dns") == "allow")
conf["allowIcmp"] = (root.get("icmp") == "allow")
for element in root: for element in root:
rule = {} rule = {}