From 74386d2d436dd831020d0a6ed6063f5c0f05ce4f Mon Sep 17 00:00:00 2001
From: Marek Marczykowski
Date: Mon, 27 Feb 2012 15:46:23 +0100
Subject: [PATCH] dom0/qubes-firewall: make protocol selection smart
---
 dom0/qvm-core/qubes.py | 16 +++++++++++-----
 1 file changed, 11 insertions(+), 5 deletions(-)
diff --git a/dom0/qvm-core/qubes.py b/dom0/qvm-core/qubes.py
index 0a78f62b..8cfca7bb 100755
--- a/dom0/qvm-core/qubes.py
+++ b/dom0/qvm-core/qubes.py
@@ -1006,7 +1006,10 @@ class QubesVm(object):
 for rule in conf["rules"]:
 # For backward compatibility
 if "proto" not in rule:
- rule["proto"] = "tcp"
+ if rule["portBegin"] is not None and rule["portBegin"] > 0:
+ rule["proto"] = "tcp"
+ else:
+ rule["proto"] = "any"
 element = xml.etree.ElementTree.Element(
 "rule",
 address=rule["address"],
@@ -1065,16 +1068,19 @@ class QubesVm(object):
 else:
 rule["netmask"] = 32
 
- # For backward compatibility default to tcp
- if rule["proto"] is None:
- rule["proto"] = "tcp"
-
 if rule["port"] is not None:
 rule["portBegin"] = int(rule["port"])
 else:
 # backward compatibility
 rule["portBegin"] = 0
 
+ # For backward compatibility
+ if rule["proto"] is None:
+ if rule["portBegin"] > 0:
+ rule["proto"] = "tcp"
+ else:
+ rule["proto"] = "any"
+
 if rule["toport"] is not None:
 rule["portEnd"] = int(rule["toport"])
 else:
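Review bot: In the first hunk (around line 1006) the new fallback indexes `rule["portBegin"]` directly, inside the branch that exists for rule dicts lacking `"proto"`. A caller passing an older-style dict without `"portBegin"` would now raise KeyError where the previous code simply set tcp. Whether every caller always supplies that key is not visible from this hunk; if it is not guaranteed, `port = rule.get("portBegin")` followed by `if port is not None and port > 0:` gives the same result without the hard failure. The same port-based defaulting is repeated in the second hunk, so a small shared helper would keep the writer and the loader from drifting apart. The enclosing method starts and ends outside the hunk.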
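Review bot: The fallback to `"any"` in the second hunk (around line 1068) changes what an already-stored firewall file means: a rule with no `proto` and no `port` used to load as TCP-only and now loads as matching every protocol. If such rules are allow entries, an upgrade widens what the VM may reach without the user editing anything. If that is the intended reading of port-less legacy rules, the code should say so, for example `# Legacy rule without proto: a port implies tcp; no port means the protocol was never restricted, so load it as "any"`. The block also now depends on `rule["portBegin"]` having been set just above, which is presumably why it moved; stating that in the comment would stop someone reordering it back. The enclosing function starts and ends outside the hunk, so how the loaded rules are applied cannot be checked from here.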