From 5123f466eb24e78551b6f412849c26838326c1de Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?=
Date: Mon, 12 Sep 2016 06:02:07 +0200
Subject: [PATCH] qubes/firewall: allow listing only IPv4/IPv6 rules

This will allow setting only IPv4-related rules to IPv4 address, and the same for IPv6
QubesOS/qubes-issues#1815
---
 qubes/firewall.py | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/qubes/firewall.py b/qubes/firewall.py
index 16519e5a..671d6674 100644
--- a/qubes/firewall.py
+++ b/qubes/firewall.py
@@ -467,10 +467,16 @@ class Firewall(object):
 "qubes-reload-firewall@%s.timer" % self.vm.name])
- def qdb_entries(self):
+ def qdb_entries(self, addr_family=None):
 entries = {
 'policy': str(self.policy)
 }
+ exclude_dsttype = None
+ if addr_family is not None:
+ exclude_dsttype = 'dst4' if addr_family == 6 else 'dst6'
 for ruleno, rule in zip(itertools.count(), self.rules):
+ # exclude rules for another address family
+ if rule.dsthost and rule.dsthost.type == exclude_dsttype:
+ continue
 entries['{:04}'.format(ruleno)] = rule.rule
 return entries
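Review bot: `addr_family` is never validated in `qdb_entries`: the line `exclude_dsttype = 'dst4' if addr_family == 6 else 'dst6'` treats every non-None value other than the integer 6 (for example the string `'6'`) as IPv4, so a caller mistake silently drops the `dst6` rules from what was meant to be the IPv6 listing. For firewall data that silent fallback is better rejected up front, e.g. `if addr_family not in (None, 4, 6): raise ValueError('addr_family must be 4, 6 or None')` placed before the assignment. Separately, a skipped rule still consumes its `ruleno`, so the emitted keys can have gaps; the consumer of these entries is not visible here, so it should be confirmed that it does not stop reading at the first missing number. A short docstring stating the accepted values of `addr_family`, and that rules with no `dsthost` (or a `dsthost` of another type) are listed for both families, would make the contract explicit.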