From 3a8362364708b8b7526bb718a361c2fabbdf50b0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?=
Date: Thu, 28 Dec 2017 05:15:00 +0100
Subject: [PATCH] firewall: don't crash the whole qubes-firewall service on DNS fail
If DNS resolution fails, just block the traffic (for this VM), but don't crash the whole service.
Fixes QubesOS/qubes-issues#3277
---
 qubesagent/firewall.py | 16 ++++++++++++----
 1 file changed, 12 insertions(+), 4 deletions(-)
diff --git a/qubesagent/firewall.py b/qubesagent/firewall.py
index e811c6c..267090d 100755
--- a/qubesagent/firewall.py
+++ b/qubesagent/firewall.py
@@ -248,8 +248,12 @@ class IptablesWorker(FirewallWorker):
         elif 'dst6' in rule:
             dsthosts = [rule['dst6']]
         elif 'dsthost' in rule:
-            addrinfo = socket.getaddrinfo(rule['dsthost'], None,
-                (socket.AF_INET6 if family == 6 else socket.AF_INET))
+            try:
+                addrinfo = socket.getaddrinfo(rule['dsthost'], None,
+                    (socket.AF_INET6 if family == 6 else socket.AF_INET))
+            except socket.gaierror as e:
+                raise RuleParseError('Failed to resolve {}: {}'.format(
+                    rule['dsthost'], str(e)))
             dsthosts = set(item[4][0] + fullmask for item in addrinfo)
         else:
             dsthosts = None
@@ -458,8 +462,12 @@ class NftablesWorker(FirewallWorker):
         elif 'dst6' in rule:
             nft_rule += ' ip6 daddr {}'.format(rule['dst6'])
         elif 'dsthost' in rule:
-            addrinfo = socket.getaddrinfo(rule['dsthost'], None,
-                (socket.AF_INET6 if family == 6 else socket.AF_INET))
+            try:
+                addrinfo = socket.getaddrinfo(rule['dsthost'], None,
+                    (socket.AF_INET6 if family == 6 else socket.AF_INET))
+            except socket.gaierror as e:
+                raise RuleParseError('Failed to resolve {}: {}'.format(
+                    rule['dsthost'], str(e)))
             nft_rule += ' {} daddr {{ {} }}'.format(ip_match, ', '.join(set(item[4][0] + fullmask for item in addrinfo)))
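Review bot: The new `except socket.gaierror` in IptablesWorker's dsthost branch still lets a malformed hostname take the service down, because `socket.getaddrinfo` can also raise `UnicodeError` (IDNA encoding of an over-long or otherwise invalid label) rather than `gaierror`; the same gap exists in the NftablesWorker hunk. Widening the clause to `except (socket.gaierror, UnicodeError) as e:` keeps the fail-closed behaviour the commit describes for that case too, and `raise RuleParseError(...) from e` would preserve the original cause in the traceback (assuming the file targets Python 3). Since both workers now carry the identical try/except, it would read better as one helper on FirewallWorker that returns the resolved address set, with each worker only formatting its own rule text. The enclosing method starts and ends outside the hunk, and the caller's handling of RuleParseError is not visible here, so the claim that a failure blocks only this VM's traffic is taken from the commit message rather than the diff.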