core/proxyvm: allow TCP traffic to DNS servers

Some DNS queries requires TCP - namely those with response not fitting in 512 bytes.
2014-01-21 04:45:41 +01:00 · 2014-01-21 04:45:41 +01:00 · 4ea600c8d3
commit 4ea600c8d3
parent 7a639911f8
1 changed files with 10 additions and 3 deletions
--- a/core-modules/006QubesProxyVm.py
+++ b/core-modules/006QubesProxyVm.py
@ -178,9 +178,16 @@ class QubesProxyVm(QubesNetVm):
                iptables += " -j {0}\n".format(rules_action)

            if conf["allowDns"] and self.netvm is not None:
-                # PREROUTING does DNAT to NetVM DNSes, so we need self.netvm. properties
-                iptables += "-A FORWARD -s {0} -p udp -d {1} --dport 53 -j ACCEPT\n".format(ip,self.netvm.gateway)
-                iptables += "-A FORWARD -s {0} -p udp -d {1} --dport 53 -j ACCEPT\n".format(ip,self.netvm.secondary_dns)
+                # PREROUTING does DNAT to NetVM DNSes, so we need self.netvm.
+                # properties
+                iptables += "-A FORWARD -s {0} -p udp -d {1} --dport 53 -j " \
+                            "ACCEPT\n".format(ip,self.netvm.gateway)
+                iptables += "-A FORWARD -s {0} -p udp -d {1} --dport 53 -j " \
+                            "ACCEPT\n".format(ip,self.netvm.secondary_dns)
+                iptables += "-A FORWARD -s {0} -p tcp -d {1} --dport 53 -j " \
+                            "ACCEPT\n".format(ip,self.netvm.gateway)
+                iptables += "-A FORWARD -s {0} -p tcp -d {1} --dport 53 -j " \
+                            "ACCEPT\n".format(ip,self.netvm.secondary_dns)
            if conf["allowIcmp"]:
                iptables += "-A FORWARD -s {0} -p icmp -j ACCEPT\n".format(ip)
            if conf["allowYumProxy"]: