From fb353ea615cf4ad48b62212b8231b92475532e39 Mon Sep 17 00:00:00 2001
From: Marek Marczykowski
Date: Fri, 14 Jun 2013 14:21:08 +0200
Subject: [PATCH] core: fix regression in iptables rule generator

This commit:
eb11a2f Use QubesDB instead of Xenstore.
introduced regression in iptables rules generator (sed misuse...).
---
 core-modules/006QubesProxyVm.py | 22 +++++++++++-----------
 1 file changed, 11 insertions(+), 11 deletions(-)

diff --git a/core-modules/006QubesProxyVm.py b/core-modules/006QubesProxyVm.py
index c848308c..2662fb91 100644
--- a/core-modules/006QubesProxyVm.py
+++ b/core-modules/006QubesProxyVm.py
@@ -117,7 +117,7 @@ class QubesProxyVm(QubesNetVm):
     def write_iptables_xenstore_entry(self):
         self.qdb.rm("/qubes-iptables-domainrules/")
-        iptables = "# Generated by Qubes Core on \n".format(datetime.now().ctime())
+        iptables = "# Generated by Qubes Core on {0}\n".format(datetime.now().ctime())
         iptables += "*filter\n"
         iptables += ":INPUT DROP [0:0]\n"
         iptables += ":FORWARD DROP [0:0]\n"
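Review bot: write_iptables_xenstore_entry has no docstring and its name still says xenstore, while the body visible here clears `/qubes-iptables-domainrules/` through self.qdb (QubesDB) and, in the last hunk of this patch, writes the generated ruleset back under that prefix keyed by xid; nothing at the signature tells a reader that. Suggest adding `"""Rebuild the iptables-restore rules text and store it in QubesDB under /qubes-iptables-domainrules/."""` directly under the def line; renaming the method is a wider change than this fix and can be done separately. The method body continues past the end of this hunk.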
@@ -166,18 +166,18 @@ class QubesProxyVm(QubesNetVm):
             rules_action = accept_action
         for rule in conf["rules"]:
-            iptables += "-A FORWARD -s -d {1}".format(ip, rule["address"])
+            iptables += "-A FORWARD -s {0} -d {1}".format(ip, rule["address"])
             if rule["netmask"] != 32:
-                iptables += "/".format(rule["netmask"])
+                iptables += "/{0}".format(rule["netmask"])
             if rule["proto"] is not None and rule["proto"] != "any":
-                iptables += " -p ".format(rule["proto"])
+                iptables += " -p {0}".format(rule["proto"])
             if rule["portBegin"] is not None and rule["portBegin"] > 0:
-                iptables += " --dport ".format(rule["portBegin"])
+                iptables += " --dport {0}".format(rule["portBegin"])
             if rule["portEnd"] is not None and rule["portEnd"] > rule["portBegin"]:
-                iptables += ":".format(rule["portEnd"])
+                iptables += ":{0}".format(rule["portEnd"])
-            iptables += " -j \n".format(rules_action)
+            iptables += " -j {0}\n".format(rules_action)
         if conf["allowDns"] and self.netvm is not None:
             # PREROUTING does DNAT to NetVM DNSes, so we need self.netvm.
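Review bot: The changed lines inside the for loop interpolate rule["address"], rule["netmask"], rule["proto"] and the two port fields into the iptables-restore text with no validation, so a value that contains whitespace or a newline would be emitted as additional rule text rather than as a single match argument. Where conf is read from is outside this hunk, so how far it is trusted cannot be seen here; a cheap check at the top of the loop such as `socket.inet_aton(rule["address"])`, `int(rule["netmask"])` and a membership test of rule["proto"] against the protocols the generator expects, rejecting the rule otherwise, would keep one malformed entry from reshaping the whole ruleset. Separately, ` --dport` is appended whenever portBegin > 0 even when no ` -p` was emitted, which iptables does not accept for a rule without a port-carrying protocol; tying the port condition to the proto branch avoids a ruleset that fails to load. The enclosing method starts before this hunk.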
@@ -191,13 +191,13 @@ class QubesProxyVm(QubesNetVm):
             iptables += "-A FORWARD -s {0} -p tcp -d {1} --dport 53 -j " \
                 "ACCEPT\n".format(ip,self.netvm.secondary_dns)
         if conf["allowIcmp"]:
-            iptables += "-A FORWARD -s -p icmp -j ACCEPT\n".format(ip)
+            iptables += "-A FORWARD -s {0} -p icmp -j ACCEPT\n".format(ip)
         if conf["allowYumProxy"]:
-            iptables += "-A FORWARD -s -p tcp -d {1} --dport {2} -j ACCEPT\n".format(ip, yum_proxy_ip, yum_proxy_port)
+            iptables += "-A FORWARD -s {0} -p tcp -d {1} --dport {2} -j ACCEPT\n".format(ip, yum_proxy_ip, yum_proxy_port)
         else:
-            iptables += "-A FORWARD -s -p tcp -d {1} --dport {2} -j DROP\n".format(ip, yum_proxy_ip, yum_proxy_port)
+            iptables += "-A FORWARD -s {0} -p tcp -d {1} --dport {2} -j DROP\n".format(ip, yum_proxy_ip, yum_proxy_port)
-        iptables += "-A FORWARD -s -j {1}\n".format(ip, default_action)
+        iptables += "-A FORWARD -s {0} -j {1}\n".format(ip, default_action)
         iptables += "COMMIT\n"
         self.qdb.write("/qubes-iptables-domainrules/"+str(xid), iptables)
         # no need for ending -A FORWARD -j DROP, cause default action is DROP
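Review bot: The allowDns rule on the first two lines of this hunk formats `self.netvm.secondary_dns` straight into the rule text, and the guard visible at the end of the previous hunk, `self.netvm is not None`, only checks the NetVM object itself; if secondary_dns can be unset the generated line would read `-d None` and, presumably, the consumer loading this text with iptables-restore would reject the whole ruleset rather than just that line. Where secondary_dns is defined is outside this patch, so this is an inference to confirm; if it can be None, wrapping that rule in `if self.netvm.secondary_dns is not None:` keeps the rest of the ruleset loadable. The enclosing method starts before this hunk.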