From dc8325f56490e1d1c315ca8b050e6915ef9a4d86 Mon Sep 17 00:00:00 2001
From: Tomasz Sterna
Date: Fri, 11 Mar 2011 19:39:26 +0100
Subject: [PATCH] Use DNS IPs in firewall rules
---
 dom0/qvm-core/qubes.py | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/dom0/qvm-core/qubes.py b/dom0/qvm-core/qubes.py
index 6a19ea5f..d095d713 100755
--- a/dom0/qvm-core/qubes.py
+++ b/dom0/qvm-core/qubes.py
@@ -1077,7 +1077,9 @@ class QubesFirewallVm(QubesNetVm):
 iptables += " -j {0}\n".format(rules_action)
 if conf["allowDns"]:
- iptables += "-A FORWARD -i vif{0}.0 -p udp --dport 53 -j ACCEPT\n".format(xid)
+ # PREROUTING does DNAT to NetVM DNSes, so we need self.netvm_vm. properties
+ iptables += "-A FORWARD -i vif{0}.0 -p udp -d {1} --dport 53 -j ACCEPT\n".format(xid,self.netvm_vm.gateway)
+ iptables += "-A FORWARD -i vif{0}.0 -p udp -d {1} --dport 53 -j ACCEPT\n".format(xid,self.netvm_vm.secondary_dns)
 iptables += "-A FORWARD -i vif{0}.0 -j {1}\n".format(xid, default_action)