firewall: skip expired rules

Expired rules are skipped while loading the firewall. Do that also when
such rules expired after loading the firewall. This applies to both
Admin API and actually applying the rules (sending them to appropriate
VM).

Related QubesOS/qubes-issues#3020
This commit is contained in:
Marek Marczykowski-Górecki 2017-10-16 01:47:20 +02:00
parent ae473a8c26
commit 27b96cce4c
No known key found for this signature in database
GPG Key ID: 063938BA42CFA724
4 changed files with 12 additions and 4 deletions

View File

@ -1131,7 +1131,8 @@ class QubesAdminAPI(qubes.api.AbstractQubesAPI):
self.fire_event_for_permission() self.fire_event_for_permission()
return ''.join('{}\n'.format(rule.api_rule) return ''.join('{}\n'.format(rule.api_rule)
for rule in self.dest.firewall.rules) for rule in self.dest.firewall.rules
if rule.api_rule is not None)
@qubes.api.method('admin.vm.firewall.Set', @qubes.api.method('admin.vm.firewall.Set',
scope='local', write=True) scope='local', write=True)

View File

@ -349,6 +349,8 @@ class Rule(qubes.PropertyHolder):
@property @property
def api_rule(self): def api_rule(self):
values = [] values = []
if self.expire and self.expire.expired:
return None
# put comment at the end # put comment at the end
for prop in sorted(self.property_list(), for prop in sorted(self.property_list(),
key=(lambda p: p.__name__ == 'comment')): key=(lambda p: p.__name__ == 'comment')):
@ -592,6 +594,8 @@ class Firewall(object):
if addr_family is not None: if addr_family is not None:
exclude_dsttype = 'dst4' if addr_family == 6 else 'dst6' exclude_dsttype = 'dst4' if addr_family == 6 else 'dst6'
for ruleno, rule in zip(itertools.count(), self.rules): for ruleno, rule in zip(itertools.count(), self.rules):
if rule.expire and rule.expire.expired:
continue
# exclude rules for another address family # exclude rules for another address family
if rule.dsthost and rule.dsthost.type == exclude_dsttype: if rule.dsthost and rule.dsthost.type == exclude_dsttype:
continue continue

View File

@ -1736,8 +1736,11 @@ class TC_00_VMs(AdminAPITestCase):
dstports='1-1024'), dstports='1-1024'),
qubes.firewall.Rule(action='drop', proto='icmp', qubes.firewall.Rule(action='drop', proto='icmp',
comment='No ICMP'), comment='No ICMP'),
# should not output expired rule
qubes.firewall.Rule(action='drop', proto='udp', qubes.firewall.Rule(action='drop', proto='udp',
expire='1499450306'), expire='1499450306'),
qubes.firewall.Rule(action='drop', proto='udp',
expire='2099450306'),
qubes.firewall.Rule(action='accept'), qubes.firewall.Rule(action='accept'),
] ]
value = self.call_mgmt_func(b'admin.vm.firewall.Get', value = self.call_mgmt_func(b'admin.vm.firewall.Get',
@ -1745,7 +1748,7 @@ class TC_00_VMs(AdminAPITestCase):
self.assertEqual(value, self.assertEqual(value,
'action=accept proto=tcp dstports=1-1024\n' 'action=accept proto=tcp dstports=1-1024\n'
'action=drop proto=icmp comment=No ICMP\n' 'action=drop proto=icmp comment=No ICMP\n'
'action=drop expire=1499450306 proto=udp\n' 'action=drop expire=2099450306 proto=udp\n'
'action=accept\n') 'action=accept\n')
self.assertFalse(self.vm.firewall.save.called) self.assertFalse(self.vm.firewall.save.called)
self.assertFalse(self.app.save.called) self.assertFalse(self.app.save.called)

View File

@ -468,7 +468,7 @@ class TC_08_Rule(qubes.tests.QubesTestCase):
self.assertEqual(rule.api_rule, rule_txt) self.assertEqual(rule.api_rule, rule_txt)
def test_009_from_api_string(self): def test_009_from_api_string(self):
rule_txt = 'action=accept expire=1463292452 proto=tcp ' \ rule_txt = 'action=accept expire=2063292452 proto=tcp ' \
'comment=Some comment, with spaces' 'comment=Some comment, with spaces'
with self.assertNotRaises(ValueError): with self.assertNotRaises(ValueError):
rule = qubes.firewall.Rule.from_api_string( rule = qubes.firewall.Rule.from_api_string(
@ -476,7 +476,7 @@ class TC_08_Rule(qubes.tests.QubesTestCase):
self.assertEqual(rule.comment, 'Some comment, with spaces') self.assertEqual(rule.comment, 'Some comment, with spaces')
self.assertEqual(rule.proto, 'tcp') self.assertEqual(rule.proto, 'tcp')
self.assertEqual(rule.action, 'accept') self.assertEqual(rule.action, 'accept')
self.assertEqual(rule.expire, '1463292452') self.assertEqual(rule.expire, '2063292452')
self.assertIsNone(rule.dstports) self.assertIsNone(rule.dstports)
self.assertIsNone(rule.dsthost) self.assertIsNone(rule.dsthost)
self.assertEqual(rule.api_rule, rule_txt) self.assertEqual(rule.api_rule, rule_txt)