
core: fix regression in iptables rule generator

This commit:
eb11a2f Use QubesDB instead of Xenstore.
introduced a regression in the iptables rules generator (sed misuse...).
Marek Marczykowski 11 years ago
parent
commit
fb353ea615
1 changed files with 11 additions and 11 deletions
  1. 11 11
      core-modules/006QubesProxyVm.py

+ 11 - 11
core-modules/006QubesProxyVm.py

@@ -117,7 +117,7 @@ class QubesProxyVm(QubesNetVm):
 
     def write_iptables_xenstore_entry(self):
         self.qdb.rm("/qubes-iptables-domainrules/")
-        iptables =  "# Generated by Qubes Core on \n".format(datetime.now().ctime())
+        iptables =  "# Generated by Qubes Core on {0}\n".format(datetime.now().ctime())
         iptables += "*filter\n"
         iptables += ":INPUT DROP [0:0]\n"
         iptables += ":FORWARD DROP [0:0]\n"
@@ -166,18 +166,18 @@ class QubesProxyVm(QubesNetVm):
                 rules_action = accept_action
 
             for rule in conf["rules"]:
-                iptables += "-A FORWARD -s  -d {1}".format(ip, rule["address"])
+                iptables += "-A FORWARD -s {0} -d {1}".format(ip, rule["address"])
                 if rule["netmask"] != 32:
-                    iptables += "/".format(rule["netmask"])
+                    iptables += "/{0}".format(rule["netmask"])
 
                 if rule["proto"] is not None and rule["proto"] != "any":
-                    iptables += " -p ".format(rule["proto"])
+                    iptables += " -p {0}".format(rule["proto"])
                     if rule["portBegin"] is not None and rule["portBegin"] > 0:
-                        iptables += " --dport ".format(rule["portBegin"])
+                        iptables += " --dport {0}".format(rule["portBegin"])
                         if rule["portEnd"] is not None and rule["portEnd"] > rule["portBegin"]:
-                            iptables += ":".format(rule["portEnd"])
+                            iptables += ":{0}".format(rule["portEnd"])
 
-                iptables += " -j \n".format(rules_action)
+                iptables += " -j {0}\n".format(rules_action)
 
             if conf["allowDns"] and self.netvm is not None:
                 # PREROUTING does DNAT to NetVM DNSes, so we need self.netvm.
@@ -191,13 +191,13 @@ class QubesProxyVm(QubesNetVm):
                 iptables += "-A FORWARD -s {0} -p tcp -d {1} --dport 53 -j " \
                             "ACCEPT\n".format(ip,self.netvm.secondary_dns)
             if conf["allowIcmp"]:
-                iptables += "-A FORWARD -s  -p icmp -j ACCEPT\n".format(ip)
+                iptables += "-A FORWARD -s {0} -p icmp -j ACCEPT\n".format(ip)
             if conf["allowYumProxy"]:
-                iptables += "-A FORWARD -s  -p tcp -d {1} --dport {2} -j ACCEPT\n".format(ip, yum_proxy_ip, yum_proxy_port)
+                iptables += "-A FORWARD -s {0} -p tcp -d {1} --dport {2} -j ACCEPT\n".format(ip, yum_proxy_ip, yum_proxy_port)
             else:
-                iptables += "-A FORWARD -s  -p tcp -d {1} --dport {2} -j DROP\n".format(ip, yum_proxy_ip, yum_proxy_port)
+                iptables += "-A FORWARD -s {0} -p tcp -d {1} --dport {2} -j DROP\n".format(ip, yum_proxy_ip, yum_proxy_port)
 
-            iptables += "-A FORWARD -s  -j {1}\n".format(ip, default_action)
+            iptables += "-A FORWARD -s {0} -j {1}\n".format(ip, default_action)
             iptables += "COMMIT\n"
             self.qdb.write("/qubes-iptables-domainrules/"+str(xid), iptables)
         # no need for ending -A FORWARD -j DROP, cause default action is DROP
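Review bot: The restored `{0}` placeholders interpolate `rule["address"]`, `rule["netmask"]`, `rule["proto"]`, `rule["portBegin"]` and `rule["portEnd"]` straight into the rule text from `-A FORWARD -s {0} -d {1}` onward, and nothing in these hunks checks that those values are well-formed; if they are not validated before reaching `write_iptables_xenstore_entry`, a value containing whitespace or a newline would change the rule set handed to iptables-restore rather than merely yield one invalid rule. A guard before the `for rule in conf["rules"]:` loop, or a comment such as `# rule fields are validated by the firewall config loader before reaching here` stating where that validation happens, would make the assumption explicit. Since a text transformation silently stripped every `{0}` the first time, a test that renders one rule and asserts the source address follows `-s ` would catch this whole class of regression. The method body continues outside the hunks shown.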