From 47ad18692695112a0007f186a9a4fec04d8e72b8 Mon Sep 17 00:00:00 2001 From: Marek Marczykowski Date: Tue, 1 Nov 2011 15:50:03 +0100 Subject: [PATCH] dom0: set firewall to block-all when setting netvm to none (#370) --- dom0/qvm-core/qubes.py | 17 +++++++++++++++++ dom0/qvm-tools/qvm-prefs | 2 +- 2 files changed, 18 insertions(+), 1 deletion(-) diff --git a/dom0/qvm-core/qubes.py b/dom0/qvm-core/qubes.py index 9a80e2c1..76b2bdab 100755 --- a/dom0/qvm-core/qubes.py +++ b/dom0/qvm-core/qubes.py @@ -397,6 +397,23 @@ class QubesVm(object): raise QubesException ("Change 'updateable' flag is not supported. Please use qvm-create.") + + def set_netvm_vm(self, netvm_vm): + if self.netvm_vm is not None: + self.netvm_vm.connected_vms.pop(self.qid) + + if netvm_vm is None: + # Set also firewall to block all traffic as discussed in #370 + if os.path.exists(self.firewall_conf): + shutil.copy(self.firewall_conf, "%s/backup/%s-firewall-%s.xml" + % (qubes_base_dir, self.name, time.strftime('%Y-%m-%d-%H:%M:%S'))) + self.write_firewall_conf({'allow': False, 'allowDns': False, + 'allowIcmp': False, 'rules': []}) + else: + netvm_vm.connected_vms[self.qid]=self + + self.netvm_vm = netvm_vm + def is_template(self): return isinstance(self, QubesTemplateVm) diff --git a/dom0/qvm-tools/qvm-prefs b/dom0/qvm-tools/qvm-prefs index 5a77018a..f90434b7 100755 --- a/dom0/qvm-tools/qvm-prefs +++ b/dom0/qvm-tools/qvm-prefs @@ -126,7 +126,7 @@ def set_netvm(vms, vm, args): exit (1) vm.uses_default_netvm = False - vm.netvm_vm = netvm_vm + vm.set_netvm_vm(netvm_vm) if not vm.is_running(): return # this can fail if VM was not connected to any NetVM
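Review bot: In `set_netvm_vm` the VM is removed from the old NetVM's `connected_vms` before the backup copy and `write_firewall_conf` run. An exception from `shutil.copy` (for instance if the `backup` directory under `qubes_base_dir` is missing) therefore leaves the VM unregistered while `self.netvm_vm` still names the old NetVM and no block-all rules have been written. Writing the firewall first and doing the bookkeeping afterwards keeps the state consistent on failure, and `pop(self.qid, None)` would tolerate a VM that was never registered. The result of `write_firewall_conf` is also discarded; if it reports failure by return value rather than by raising (not visible in this hunk), it should be checked before the NetVM is dropped. A short docstring saying that passing `None` overwrites the VM's firewall config with block-all, after saving a timestamped backup, would warn callers about the side effect.

```python
    def set_netvm_vm(self, netvm_vm):
        if netvm_vm is None:
            # Write block-all before touching connected_vms, so a failed
            # backup or write leaves the old NetVM bookkeeping intact.
            # … unchanged: backup of firewall_conf and write_firewall_conf call …

        if self.netvm_vm is not None:
            self.netvm_vm.connected_vms.pop(self.qid, None)
        if netvm_vm is not None:
            netvm_vm.connected_vms[self.qid] = self

        self.netvm_vm = netvm_vm
```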
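Review bot: The block-all guarantee now holds only for callers that go through `vm.set_netvm_vm(...)`, and this hunk converts just the one call site in `set_netvm`. Any other code that still assigns `vm.netvm_vm = None` directly would detach a VM without rewriting its firewall; none is visible in this patch, so the tree needs a search for it. Turning `netvm_vm` into a property whose setter runs this logic would enforce the rule instead of relying on convention. `set_netvm` continues past the end of the hunk, so whether the new rules reach an already running VM cannot be judged from here.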