Qubes/core-admin
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

core/proxyvm: allow TCP traffic to DNS servers

Browse Source 
Some DNS queries requires TCP - namely those with response not fitting
in 512 bytes.
This commit is contained in:
Marek Marczykowski-Górecki 2014-01-21 04:45:41 +01:00
parent 7a639911f8
commit 4ea600c8d3
1 changed files with 10 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
core-modules/006QubesProxyVm.py
View File

@ -178,9 +178,16 @@ class QubesProxyVm(QubesNetVm):
iptables += " -j {0}\n".format(rules_action) iptables += " -j {0}\n".format(rules_action)
if conf["allowDns"] and self.netvm is not None: if conf["allowDns"] and self.netvm is not None:
# PREROUTING does DNAT to NetVM DNSes, so we need self.netvm. properties # PREROUTING does DNAT to NetVM DNSes, so we need self.netvm.
iptables += "-A FORWARD -s {0} -p udp -d {1} --dport 53 -j ACCEPT\n".format(ip,self.netvm.gateway) # properties
iptables += "-A FORWARD -s {0} -p udp -d {1} --dport 53 -j ACCEPT\n".format(ip,self.netvm.secondary_dns) iptables += "-A FORWARD -s {0} -p udp -d {1} --dport 53 -j " \
"ACCEPT\n".format(ip,self.netvm.gateway)
iptables += "-A FORWARD -s {0} -p udp -d {1} --dport 53 -j " \
"ACCEPT\n".format(ip,self.netvm.secondary_dns)
iptables += "-A FORWARD -s {0} -p tcp -d {1} --dport 53 -j " \
"ACCEPT\n".format(ip,self.netvm.gateway)
iptables += "-A FORWARD -s {0} -p tcp -d {1} --dport 53 -j " \
"ACCEPT\n".format(ip,self.netvm.secondary_dns)
if conf["allowIcmp"]: if conf["allowIcmp"]:
iptables += "-A FORWARD -s {0} -p icmp -j ACCEPT\n".format(ip) iptables += "-A FORWARD -s {0} -p icmp -j ACCEPT\n".format(ip)
if conf["allowYumProxy"]: if conf["allowYumProxy"]: