From c8f6f2e9fed010199cf660f58c201b3424de4ed6 Mon Sep 17 00:00:00 2001
From: Joanna Rutkowska
Date: Thu, 18 Aug 2011 18:47:08 +0200
Subject: [PATCH] vm: disable forwarding when iptables rules are being (re)applied

---
 proxyvm/bin/qubes_firewall | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/proxyvm/bin/qubes_firewall b/proxyvm/bin/qubes_firewall
index 6c7fe398..5a60a07c 100755
--- a/proxyvm/bin/qubes_firewall
+++ b/proxyvm/bin/qubes_firewall
@@ -13,11 +13,20 @@ echo $$ >$PIDFILE
 trap 'exit 0' SIGTERM
 while true; do
+
+ echo "1" > /proc/sys/net/ipv4/ip_forward
+
  # Wait for changes in xenstore file
  /usr/bin/xenstore-watch-qubes $XENSTORE_IPTABLES
  TRIGGER=$(/usr/bin/xenstore-read $XENSTORE_IPTABLES)
  if ! [ "$TRIGGER" = "reload" ]; then continue ; fi
+
+ # Disable forarding to prevent potential "leaks" that might
+ # be bypassing the firewall or some proxy service (e.g. tor)
+ # during the time when the rules are being (re)applied
+ echo "0" > /proc/sys/net/ipv4/ip_forward
+
  RULES=$(/usr/bin/xenstore-read $XENSTORE_IPTABLES_HEADER)
  IPTABLES_SAVE=$(/sbin/iptables-save | sed '/^\*filter/,/^COMMIT/d')
  OUT=`echo -e "$RULES\n$IPTABLES_SAVE" | /sbin/iptables-restore 2>&1 || :`
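Review bot: Re-enabling forwarding unconditionally at the top of the `while` loop (the added `echo "1" > /proc/sys/net/ipv4/ip_forward`) means that when `iptables-restore` fails — its exit status is thrown away by the `|| :` on the last hunk line — the next pass through the loop reopens forwarding under whatever rules were left in place, unless the part of the loop body after `OUT=` (which continues outside this hunk) exits or otherwise bails, which is not visible here. The same line also turns forwarding on during the very first iteration, before any `reload` trigger has been handled, so the daemon starts forwarding under whatever rules happen to be loaded at startup; if that is intended it deserves a comment saying so. I would tie re-enabling to a successful restore instead: keep the `echo "0"` where it is, drop the loop-top `echo "1"`, and make the last line `OUT=$(echo -e "$RULES\n$IPTABLES_SAVE" | /sbin/iptables-restore 2>&1) && echo "1" > /proc/sys/net/ipv4/ip_forward`, leaving the failure to be reported by whatever error handling follows `OUT=`. Two smaller points: the added comment has a typo (`forarding` should read `forwarding`), and only the IPv4 sysctl is toggled — if this proxy ever forwards IPv6, `/proc/sys/net/ipv6/conf/all/forwarding` would need the same treatment to close the window.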