From 133219f6d390b9bb2fdf3831951d38a4ea4911c7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?= Date: Mon, 15 Oct 2018 06:05:05 +0200 Subject: [PATCH] Do not generate R3 compat firewall rules if R4 format is supported R3 format had limitation of ~40 rules per VM. Do not generate compat rules (possibly hitting that limitation) if new format, free of that limitation is supported. Fixes QubesOS/qubes-issues#1570 Fixes QubesOS/qubes-issues#4228
---
 qubes/ext/r3compatibility.py | 3 +++ 1 file changed, 3 insertions(+)
diff --git a/qubes/ext/r3compatibility.py b/qubes/ext/r3compatibility.py
index acc1dd08..2fa8ec3a 100644
--- a/qubes/ext/r3compatibility.py
+++ b/qubes/ext/r3compatibility.py
@@ -80,6 +80,9 @@ class R3Compatibility(qubes.ext.Extension):
 def write_iptables_qubesdb_entry(self, firewallvm):
 # pylint: disable=no-self-use
+ # skip compatibility rules if new format support is advertised
+ if firewallvm.features.check_with_template('qubes-firewall', False):
+ return
 firewallvm.untrusted_qdb.rm("/qubes-iptables-domainrules/")
 iptables = "# Generated by Qubes Core on {0}\n".format(
 datetime.datetime.now().ctime())
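Review bot: The early return in `write_iptables_qubesdb_entry` sits before `firewallvm.untrusted_qdb.rm("/qubes-iptables-domainrules/")`, so any R3-format entries already in that firewall VM's QubesDB are left in place once the `qubes-firewall` feature is seen. If the feature can start being reported while the firewall VM still runs an agent that reads the old path (plausible since `check_with_template` also consults the template, but not visible in this hunk), that agent would keep enforcing rules that no longer receive updates. Consider clearing first and returning afterwards, i.e. keep the `rm(...)` line ahead of `if firewallvm.features.check_with_template('qubes-firewall', False): return`, or extend the comment to say why leftover compat entries are harmless. The method body continues past the end of the hunk, so the rest of the write path is not reviewed here.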