|
|
@@ -117,7 +117,7 @@ class QubesProxyVm(QubesNetVm):
|
|
|
|
|
|
def write_iptables_xenstore_entry(self):
|
|
|
self.qdb.rm("/qubes-iptables-domainrules/")
|
|
|
- iptables = "# Generated by Qubes Core on \n".format(datetime.now().ctime())
|
|
|
+ iptables = "# Generated by Qubes Core on {0}\n".format(datetime.now().ctime())
|
|
|
iptables += "*filter\n"
|
|
|
iptables += ":INPUT DROP [0:0]\n"
|
|
|
iptables += ":FORWARD DROP [0:0]\n"
|
|
|
@@ -166,18 +166,18 @@ class QubesProxyVm(QubesNetVm):
|
|
|
rules_action = accept_action
|
|
|
|
|
|
for rule in conf["rules"]:
|
|
|
- iptables += "-A FORWARD -s -d {1}".format(ip, rule["address"])
|
|
|
+ iptables += "-A FORWARD -s {0} -d {1}".format(ip, rule["address"])
|
|
|
if rule["netmask"] != 32:
|
|
|
- iptables += "/".format(rule["netmask"])
|
|
|
+ iptables += "/{0}".format(rule["netmask"])
|
|
|
|
|
|
if rule["proto"] is not None and rule["proto"] != "any":
|
|
|
- iptables += " -p ".format(rule["proto"])
|
|
|
+ iptables += " -p {0}".format(rule["proto"])
|
|
|
if rule["portBegin"] is not None and rule["portBegin"] > 0:
|
|
|
- iptables += " --dport ".format(rule["portBegin"])
|
|
|
+ iptables += " --dport {0}".format(rule["portBegin"])
|
|
|
if rule["portEnd"] is not None and rule["portEnd"] > rule["portBegin"]:
|
|
|
- iptables += ":".format(rule["portEnd"])
|
|
|
+ iptables += ":{0}".format(rule["portEnd"])
|
|
|
|
|
|
- iptables += " -j \n".format(rules_action)
|
|
|
+ iptables += " -j {0}\n".format(rules_action)
|
|
|
|
|
|
if conf["allowDns"] and self.netvm is not None:
|
|
|
# PREROUTING does DNAT to NetVM DNSes, so we need self.netvm.
|
|
|
@@ -191,13 +191,13 @@ class QubesProxyVm(QubesNetVm):
|
|
|
iptables += "-A FORWARD -s {0} -p tcp -d {1} --dport 53 -j " \
|
|
|
"ACCEPT\n".format(ip,self.netvm.secondary_dns)
|
|
|
if conf["allowIcmp"]:
|
|
|
- iptables += "-A FORWARD -s -p icmp -j ACCEPT\n".format(ip)
|
|
|
+ iptables += "-A FORWARD -s {0} -p icmp -j ACCEPT\n".format(ip)
|
|
|
if conf["allowYumProxy"]:
|
|
|
- iptables += "-A FORWARD -s -p tcp -d {1} --dport {2} -j ACCEPT\n".format(ip, yum_proxy_ip, yum_proxy_port)
|
|
|
+ iptables += "-A FORWARD -s {0} -p tcp -d {1} --dport {2} -j ACCEPT\n".format(ip, yum_proxy_ip, yum_proxy_port)
|
|
|
else:
|
|
|
- iptables += "-A FORWARD -s -p tcp -d {1} --dport {2} -j DROP\n".format(ip, yum_proxy_ip, yum_proxy_port)
|
|
|
+ iptables += "-A FORWARD -s {0} -p tcp -d {1} --dport {2} -j DROP\n".format(ip, yum_proxy_ip, yum_proxy_port)
|
|
|
|
|
|
- iptables += "-A FORWARD -s -j {1}\n".format(ip, default_action)
|
|
|
+ iptables += "-A FORWARD -s {0} -j {1}\n".format(ip, default_action)
|
|
|
iptables += "COMMIT\n"
|
|
|
self.qdb.write("/qubes-iptables-domainrules/"+str(xid), iptables)
|
|
|
# no need for ending -A FORWARD -j DROP, cause default action is DROP
|
Marek Marczykowski