From 893d3f1a8eaa2962b82e80763b26f1521eb62b7e Mon Sep 17 00:00:00 2001
From: Giulio
Date: Mon, 28 Jun 2021 13:23:49 +0200
Subject: [PATCH] First net.py propragation poc

---
 qubes/firewall.py   | 23 +++++++++++++++++++++++
 qubes/vm/mix/net.py | 11 +++++++++--
 2 files changed, 32 insertions(+), 2 deletions(-)

diff --git a/qubes/firewall.py b/qubes/firewall.py
index 1ebf93d5..6011a659 100644
--- a/qubes/firewall.py
+++ b/qubes/firewall.py
@@ -683,5 +683,28 @@ class Firewall:
             # exclude rules for another address family
             if rule.dsthost and rule.dsthost.type == exclude_dsttype:
                 continue
+            # exclude forwarding rules, managed separately
+            if rule.action == "forward":
+                continue
             entries['{:04}'.format(ruleno)] = rule.rule
         return entries
+
+    def qdb_forward_entries(self, addr_family=None):
+        ''' In order to keep all the 'parsing' logic here and not in net.py,
+        directly separate forwarding rules from standard rules since they need
+        to be handled differently later.
+        '''
+        entries = {}
+        if addr_family is not None:
+            exclude_dsttype = 'dst4' if addr_family == 6 else 'dst6'
+        for ruleno, rule in zip(itertools.count(), self.rules):
+            if rule.expire and rule.expire.expired:
+                continue
+            # exclude rules for another address family
+            if rule.dsthost and rule.dsthost.type == exclude_dsttype:
+                continue
+            # include only forwarding rules
+            if rule.action != "forward":
+                continue
+            entries['{:04}'.format(ruleno)] = rule.rule
+        return entries
diff --git a/qubes/vm/mix/net.py b/qubes/vm/mix/net.py
index bc2f20b9..ac0ffa7f 100644
--- a/qubes/vm/mix/net.py
+++ b/qubes/vm/mix/net.py
@@ -366,7 +366,7 @@ class NetVMMixin(qubes.events.Emitter):
         if self.netvm is None:
             return
 
-        '''Recursively resolve netvm until tone has no netvm set'''
+        '''Recursively resolve netvm until no netvm is set, order is important'''
         netpath = list()
         netvm = self.netvm
         while netvm:
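Review bot: `qdb_forward_entries` never initialises `exclude_dsttype` when `addr_family` is left at its default `None`, so the first rule that has a `dsthost` raises `UnboundLocalError` at `rule.dsthost.type == exclude_dsttype`; add `exclude_dsttype = None` before the `if addr_family is not None:` line (the sibling `qdb_entries`, whose start is outside the hunk, presumably does this since the same comparison there is reached with the same default). The expiry and address-family filtering is now copy-pasted between the two methods, and the only difference is the `action == "forward"` test; a private generator such as `_live_rules(addr_family)` yielding `(ruleno, rule)` pairs would keep the two views from drifting apart. The new docstring explains the motivation but not the contract; replace it with a one-line summary plus `:param addr_family: 4 or 6 to keep only that family's rules, None keeps both` and `:return: dict mapping the four-digit rule index to the serialized rule, forward rules only`.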
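Review bot: The reworded line in the `@@ -366` hunk is still a bare string expression in the middle of the method body, not a docstring, so it is built and discarded at runtime and is invisible to `help()`; make it a comment, `# Recursively resolve netvm until no netvm is set; order is important`. The method's signature and the remainder of the `while netvm:` loop are outside the hunk.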
@@ -390,10 +390,17 @@ class NetVMMixin(qubes.events.Emitter):
             # remove old entries if any (but don't touch base empty entry - it
             # would trigger reload right away
             self.untrusted_qdb.rm(base_dir)
-            # write new rules
+            # write new accept/drop rules
             for key, value in vm.firewall.qdb_entries(
                     addr_family=addr_family).items():
                 self.untrusted_qdb.write(base_dir + key, value)
+            base_dir = '/qubes-firewall-forward/{}/'.format(ip)
+            self.untrusted_qdb.rm(base_dir)
+            # write new forward rules
+            for key, value in vm.firewall.qdb_forward_entries(
+                    addr_family=addr_family).items():
+                for netvm in netpath:
+                    self.untrusted_qdb.write(base_dir + key, value)
             # signal its done
             self.untrusted_qdb.write(base_dir[:-1], '')
 
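Review bot: The inner `for netvm in netpath:` loop never uses `netvm` — every iteration writes the same `base_dir + key` into `self.untrusted_qdb`, so the forward rules land in this VM's own QubesDB once per hop and are not propagated to any upstream NetVM (and are not written at all when `netpath` is empty). Rebinding `base_dir` to `/qubes-firewall-forward/<ip>/` before `# signal its done` also moves the completion marker: `/qubes-firewall/<ip>` no longer receives its empty base entry, which per the comment at the top of the hunk is what triggers the reload of the accept/drop rules, so those rules are now written but never applied. Keep a separate `forward_dir`, signal both directories, and — if propagation along the path is the intent — target each hop's own `untrusted_qdb` instead of `self`'s; `netvm` also shadows the loop variable used earlier in this method. The enclosing method starts outside the hunk, and whether the items of `netpath` are VM objects exposing `untrusted_qdb` cannot be confirmed from here, so the per-hop write below is marked as an assumption.
```python
            # signal its done
            self.untrusted_qdb.write(base_dir[:-1], '')
            forward_dir = '/qubes-firewall-forward/{}/'.format(ip)
            forward_entries = vm.firewall.qdb_forward_entries(
                addr_family=addr_family)
            # NOTE(review): assumes each hop in netpath is a VM whose own qdb
            # must receive the forward rules — confirm intended propagation
            for hop in netpath:
                hop.untrusted_qdb.rm(forward_dir)
                # write new forward rules
                for key, value in forward_entries.items():
                    hop.untrusted_qdb.write(forward_dir + key, value)
                # signal its done for the forward rules as well
                hop.untrusted_qdb.write(forward_dir[:-1], '')
```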