Use DNS IPs in firewall rules

2011-03-11 19:39:26 +01:00 · 2011-03-11 19:39:26 +01:00 · dc8325f564
commit dc8325f564
parent ae2d170a7e
1 changed files with 3 additions and 1 deletions
--- a/dom0/qvm-core/qubes.py
+++ b/dom0/qvm-core/qubes.py
@ -1077,7 +1077,9 @@ class QubesFirewallVm(QubesNetVm):
                iptables += " -j {0}\n".format(rules_action)

            if conf["allowDns"]:
-                iptables += "-A FORWARD -i vif{0}.0 -p udp --dport 53 -j ACCEPT\n".format(xid)
+                # PREROUTING does DNAT to NetVM DNSes, so we need self.netvm_vm. properties
+                iptables += "-A FORWARD -i vif{0}.0 -p udp -d {1} --dport 53 -j ACCEPT\n".format(xid,self.netvm_vm.gateway)
+                iptables += "-A FORWARD -i vif{0}.0 -p udp -d {1} --dport 53 -j ACCEPT\n".format(xid,self.netvm_vm.secondary_dns)

            iptables += "-A FORWARD -i vif{0}.0 -j {1}\n".format(xid, default_action)