core: fix regression in iptables rule generator

This commit:
eb11a2f Use QubesDB instead of Xenstore.
introduced a regression in the iptables rules generator (sed misuse).
Marek Marczykowski 2013-06-14 14:21:08 +02:00 committed by Marek Marczykowski-Górecki
parent 7484ddfd2b
commit fb353ea615


@ -117,7 +117,7 @@ class QubesProxyVm(QubesNetVm):
def write_iptables_xenstore_entry(self): def write_iptables_xenstore_entry(self):
self.qdb.rm("/qubes-iptables-domainrules/") self.qdb.rm("/qubes-iptables-domainrules/")
iptables = "# Generated by Qubes Core on \n".format(datetime.now().ctime()) iptables = "# Generated by Qubes Core on {0}\n".format(datetime.now().ctime())
iptables += "*filter\n" iptables += "*filter\n"
iptables += ":INPUT DROP [0:0]\n" iptables += ":INPUT DROP [0:0]\n"
iptables += ":FORWARD DROP [0:0]\n" iptables += ":FORWARD DROP [0:0]\n"
@ -166,18 +166,18 @@ class QubesProxyVm(QubesNetVm):
rules_action = accept_action rules_action = accept_action
for rule in conf["rules"]: for rule in conf["rules"]:
iptables += "-A FORWARD -s -d {1}".format(ip, rule["address"]) iptables += "-A FORWARD -s {0} -d {1}".format(ip, rule["address"])
if rule["netmask"] != 32: if rule["netmask"] != 32:
iptables += "/".format(rule["netmask"]) iptables += "/{0}".format(rule["netmask"])
if rule["proto"] is not None and rule["proto"] != "any": if rule["proto"] is not None and rule["proto"] != "any":
iptables += " -p ".format(rule["proto"]) iptables += " -p {0}".format(rule["proto"])
if rule["portBegin"] is not None and rule["portBegin"] > 0: if rule["portBegin"] is not None and rule["portBegin"] > 0:
iptables += " --dport ".format(rule["portBegin"]) iptables += " --dport {0}".format(rule["portBegin"])
if rule["portEnd"] is not None and rule["portEnd"] > rule["portBegin"]: if rule["portEnd"] is not None and rule["portEnd"] > rule["portBegin"]:
iptables += ":".format(rule["portEnd"]) iptables += ":{0}".format(rule["portEnd"])
iptables += " -j \n".format(rules_action) iptables += " -j {0}\n".format(rules_action)
if conf["allowDns"] and self.netvm is not None: if conf["allowDns"] and self.netvm is not None:
# PREROUTING does DNAT to NetVM DNSes, so we need self.netvm. # PREROUTING does DNAT to NetVM DNSes, so we need self.netvm.
@ -191,13 +191,13 @@ class QubesProxyVm(QubesNetVm):
iptables += "-A FORWARD -s {0} -p tcp -d {1} --dport 53 -j " \ iptables += "-A FORWARD -s {0} -p tcp -d {1} --dport 53 -j " \
"ACCEPT\n".format(ip,self.netvm.secondary_dns) "ACCEPT\n".format(ip,self.netvm.secondary_dns)
if conf["allowIcmp"]: if conf["allowIcmp"]:
iptables += "-A FORWARD -s -p icmp -j ACCEPT\n".format(ip) iptables += "-A FORWARD -s {0} -p icmp -j ACCEPT\n".format(ip)
if conf["allowYumProxy"]: if conf["allowYumProxy"]:
iptables += "-A FORWARD -s -p tcp -d {1} --dport {2} -j ACCEPT\n".format(ip, yum_proxy_ip, yum_proxy_port) iptables += "-A FORWARD -s {0} -p tcp -d {1} --dport {2} -j ACCEPT\n".format(ip, yum_proxy_ip, yum_proxy_port)
else: else:
iptables += "-A FORWARD -s -p tcp -d {1} --dport {2} -j DROP\n".format(ip, yum_proxy_ip, yum_proxy_port) iptables += "-A FORWARD -s {0} -p tcp -d {1} --dport {2} -j DROP\n".format(ip, yum_proxy_ip, yum_proxy_port)
iptables += "-A FORWARD -s -j {1}\n".format(ip, default_action) iptables += "-A FORWARD -s {0} -j {1}\n".format(ip, default_action)
iptables += "COMMIT\n" iptables += "COMMIT\n"
self.qdb.write("/qubes-iptables-domainrules/"+str(xid), iptables) self.qdb.write("/qubes-iptables-domainrules/"+str(xid), iptables)
# no need for ending -A FORWARD -j DROP, cause default action is DROP # no need for ending -A FORWARD -j DROP, cause default action is DROP
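Review bot: In the second hunk the `--dport` option (the `rule["portBegin"]` line) is appended whenever a port is set, independently of the preceding `-p` check, so a rule with a port but a proto of `None` or `"any"` yields `-A FORWARD -s ... --dport N -j ...` with no protocol match, which iptables-restore rejects, and the ruleset written to `/qubes-iptables-domainrules/<xid>` then fails to load. Gating the port on the protocol avoids that, e.g. `if rule["proto"] in ("tcp", "udp") and rule["portBegin"] is not None and rule["portBegin"] > 0:`. Separately, `rule["address"]`, `rule["netmask"]` and the port fields are interpolated into the ruleset text as-is; where `conf` is loaded is outside the hunk, so if it is not already validated there, coercing the netmask and ports with `int()` and checking the address before formatting would keep a stray space or newline in a field from turning into an extra token or rule. `write_iptables_xenstore_entry` begins in the first hunk and the rest of its body lies between the hunks.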