From b30fa8cab8482c3e3dc8fe361031011398c873d8 Mon Sep 17 00:00:00 2001
From: Marek Marczykowski
Date: Fri, 2 Mar 2012 00:15:28 +0100
Subject: [PATCH 1/3] vm/dom-updates: always use --resolve

Required when update needs some additional packages
---
 misc/qubes_download_dom0_updates.sh | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/misc/qubes_download_dom0_updates.sh b/misc/qubes_download_dom0_updates.sh
index b6dc4fc9..575ebe77 100755
--- a/misc/qubes_download_dom0_updates.sh
+++ b/misc/qubes_download_dom0_updates.sh
@@ -71,7 +71,6 @@ if [ "$DOIT" != "1" -a "$PKGS_FROM_CMDLINE" != "1" ]; then
 fi
 
 if [ "$PKGS_FROM_CMDLINE" == 1 ]; then
- OPTS="$OPTS --resolve"
 GUI=0
 fi
 
@@ -81,11 +80,11 @@ set -e
 if [ "$GUI" = 1 ]; then
 ( echo "1"
- yumdownloader --destdir "$DOM0_UPDATES_DIR/packages" $OPTS $PKGLIST
+ yumdownloader --resolve --destdir "$DOM0_UPDATES_DIR/packages" $OPTS $PKGLIST
 echo 100 ) | zenity --progress --pulsate --auto-close --auto-kill \
 --text="Downloading updates for Dom0, please wait..." --title="Qubes Dom0 updates"
 else
- yumdownloader --destdir "$DOM0_UPDATES_DIR/packages" $OPTS $PKGLIST
+ yumdownloader --resolve --destdir "$DOM0_UPDATES_DIR/packages" $OPTS $PKGLIST
 fi
 
 if ls $DOM0_UPDATES_DIR/packages/*.rpm > /dev/null 2>&1; then

From 997fec6fd63017783d600e3b11f92fd9591afa76 Mon Sep 17 00:00:00 2001
From: Marek Marczykowski
Date: Fri, 2 Mar 2012 01:16:03 +0100
Subject: [PATCH 2/3] dom0/qvm-firewall: provide vif name by QubesVM

---
 dom0/qvm-core/qubes.py | 24 ++++++++++++++++++------
 1 file changed, 18 insertions(+), 6 deletions(-)

diff --git a/dom0/qvm-core/qubes.py b/dom0/qvm-core/qubes.py
index dd844013..47b56dca 100755
--- a/dom0/qvm-core/qubes.py
+++ b/dom0/qvm-core/qubes.py
@@ -378,6 +378,14 @@ class QubesVm(object):
 else:
 return None
 
+ @property
+ def vif(self):
+ if not self.is_running():
+ return None
+ if self.netvm_vm is None:
+ return None
+ return "vif{0}.+".format(self.xid)
+
 def is_updateable(self):
 return self.updateable
 
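Review bot: With `--resolve` now unconditional on both `yumdownloader` calls, a dependency-resolution failure ends the download with a nonzero status, but in the `GUI=1` branch that status is discarded: the pipeline's exit status is zenity's, so the `set -e` named in the hunk header never fires and the script falls through to the later `ls $DOM0_UPDATES_DIR/packages/*.rpm` test, which only says whether at least one rpm landed in the directory. If the script runs under bash (the `==` in the earlier `[ ... ]` test suggests it does), adding `set -o pipefail` next to `set -e` is the smallest fix, since the subshell inherits `set -e` and stops at the failing command instead of reaching `echo 100`; otherwise record the status inside the subshell and test it after the pipeline. The two invocations now differ only in the zenity pipe, so a single `download() { yumdownloader --resolve --destdir "$DOM0_UPDATES_DIR/packages" $OPTS $PKGLIST; }` would keep the flag set in one place. The `if`/`else` block is complete within the hunk; the script continues past it.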
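Review bot: `vif` returns an iptables interface wildcard, not an interface name — `vif<xid>.+` relies on the trailing-`+` prefix match of iptables `-i`/`-o` and would be wrong if handed to anything expecting a concrete device — yet the new property carries no docstring saying so. Something like `"""iptables interface pattern ('vif<xid>.+') matching this VM's backend-side vifs; None if the VM is not running or has no netvm."""` would prevent that misuse. The dot before the `+` also deserves a why-comment on the return line, `# keep the dot: 'vif1+' would also match vif10.0`, because without it one VM's firewall rules would silently apply to another VM's interfaces. The whole property body is inside the hunk.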
@@ -1816,8 +1824,12 @@ class QubesProxyVm(QubesNetVm):
 if xid < 0: # VM not active ATM
 continue
+ vif = vm.vif
+ if vif is None:
+ continue
+ iptables += "# '{0}' VM:\n".format(vm.name)
- iptables += "-A FORWARD ! -s {0}/32 -i vif{1}.+ -j DROP\n".format(vm.ip, xid)
+ iptables += "-A FORWARD ! -s {0}/32 -i {1} -j DROP\n".format(vm.ip, vif)
 
 accept_action = "ACCEPT"
 reject_action = "REJECT --reject-with icmp-host-prohibited"
@@ -1830,7 +1842,7 @@ class QubesProxyVm(QubesNetVm):
 rules_action = accept_action
 for rule in conf["rules"]:
- iptables += "-A FORWARD -i vif{0}.+ -d {1}".format(xid, rule["address"])
+ iptables += "-A FORWARD -i {0} -d {1}".format(vif, rule["address"])
 if rule["netmask"] != 32:
 iptables += "/{0}".format(rule["netmask"])
 
@@ -1845,12 +1857,12 @@ class QubesProxyVm(QubesNetVm):
 
 if conf["allowDns"]:
 # PREROUTING does DNAT to NetVM DNSes, so we need self.netvm_vm. properties
- iptables += "-A FORWARD -i vif{0}.+ -p udp -d {1} --dport 53 -j ACCEPT\n".format(xid,self.netvm_vm.gateway)
- iptables += "-A FORWARD -i vif{0}.+ -p udp -d {1} --dport 53 -j ACCEPT\n".format(xid,self.netvm_vm.secondary_dns)
+ iptables += "-A FORWARD -i {0} -p udp -d {1} --dport 53 -j ACCEPT\n".format(vif,self.netvm_vm.gateway)
+ iptables += "-A FORWARD -i {0} -p udp -d {1} --dport 53 -j ACCEPT\n".format(vif,self.netvm_vm.secondary_dns)
 if conf["allowIcmp"]:
- iptables += "-A FORWARD -i vif{0}.+ -p icmp -j ACCEPT\n".format(xid)
+ iptables += "-A FORWARD -i {0} -p icmp -j ACCEPT\n".format(vif)
- iptables += "-A FORWARD -i vif{0}.+ -j {1}\n".format(xid, default_action)
+ iptables += "-A FORWARD -i {0} -j {1}\n".format(vif, default_action)
 iptables += "COMMIT\n"
 xs.write('', "/local/domain/"+str(self.get_xid())+"/qubes_iptables_domainrules/"+str(xid), iptables)
 # no need for ending -A FORWARD -j DROP, cause default action is DROP

From 287e9f72fe924573208c6736892eeef60bd45726 Mon Sep 17 00:00:00 2001
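Review bot: The new `if vif is None: continue` silently drops a VM from rule generation, and because the `xid < 0` check just above has already excluded inactive VMs, the only way to reach it with `vif is None` is a VM whose `netvm_vm` is unset (per the property body in the previous patch) — an odd state for a VM this proxy is writing firewall rules for, which deserves at least a comment if not a log line. Nothing is then written to `qubes_iptables_domainrules/<xid>` for that VM; if the `default action is DROP` comment at the end of this method holds for the whole FORWARD chain the failure mode is fail-closed, and that is worth stating where the skip happens: `# no netvm: nothing to filter on; the FORWARD default (DROP) covers this domain`. Once patch 3 of this series makes `vif` itself test `xid < 0`, the two guards overlap and could be folded into one. The enclosing loop starts before the hunk.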
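Review bot: Every per-VM rule in this hunk, and in the two hunks before it, repeats the `-A FORWARD -i {0}` prefix with `vif` as the argument; that `-i` match is what confines each rule to the VM's own interfaces, so a future rule that forgets it would apply to every VM behind this proxy. Now that the interface is a plain variable, building the prefix once per VM, e.g. `fwd = "-A FORWARD -i {0}".format(vif)` right after the `vif is None` check, and writing `iptables += fwd + " -p icmp -j ACCEPT\n"`, makes that omission impossible and shortens every rule line. Minor style on the two DNS lines of the new side: `.format(vif,self.netvm_vm.gateway)` has no space after the comma; PEP 8 wants `.format(vif, self.netvm_vm.gateway)`. The loop body starts before this hunk.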
From: Marek Marczykowski
Date: Fri, 2 Mar 2012 02:26:37 +0100
Subject: [PATCH 3/3] dom0/core: provide vif name also for paused VMs

---
 dom0/qvm-core/qubes.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/dom0/qvm-core/qubes.py b/dom0/qvm-core/qubes.py
index 47b56dca..afe5fb18 100755
--- a/dom0/qvm-core/qubes.py
+++ b/dom0/qvm-core/qubes.py
@@ -380,7 +380,7 @@ class QubesVm(object):
 
 @property
 def vif(self):
- if not self.is_running():
+ if self.xid < 0:
 return None
 if self.netvm_vm is None:
 return None
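Review bot: `self.xid < 0` replaces `is_running()` without a comment, and the reason is not recoverable from the code, so a reader may well flip it back to `is_running()` as a tidy-up and silently strip firewall rules from paused domains again. Per the commit subject a paused domain still has its vif and must keep its rules, and `xid < 0` is the same "no domain" test the ProxyVm loop in the previous patch uses (`if xid < 0: # VM not active ATM`), so a one-liner above the check would pin this: `# a paused domain keeps its xid and vif, so test for a domain rather than is_running()`. The `return "vif{0}.+"...` line that builds the value lies below the hunk.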