firewall: don't crash the whole qubes-firewall service on DNS fail

If DNS resolution fails, just block the traffic (for this VM), but don't crash the whole service. Fixes QubesOS/qubes-issues#3277
2017-12-28 05:15:00 +01:00 · 2017-12-28 05:15:00 +01:00 · 3a83623647
commit 3a83623647
parent 180146a5c2
1 changed files with 12 additions and 4 deletions
--- a/qubesagent/firewall.py
+++ b/qubesagent/firewall.py
@ -248,8 +248,12 @@ class IptablesWorker(FirewallWorker):
            elif 'dst6' in rule:
                dsthosts = [rule['dst6']]
            elif 'dsthost' in rule:
-                addrinfo = socket.getaddrinfo(rule['dsthost'], None,
-                    (socket.AF_INET6 if family == 6 else socket.AF_INET))
+                try:
+                    addrinfo = socket.getaddrinfo(rule['dsthost'], None,
+                        (socket.AF_INET6 if family == 6 else socket.AF_INET))
+                except socket.gaierror as e:
+                    raise RuleParseError('Failed to resolve {}: {}'.format(
+                        rule['dsthost'], str(e)))
                dsthosts = set(item[4][0] + fullmask for item in addrinfo)
            else:
                dsthosts = None
@ -458,8 +462,12 @@ class NftablesWorker(FirewallWorker):
            elif 'dst6' in rule:
                nft_rule += ' ip6 daddr {}'.format(rule['dst6'])
            elif 'dsthost' in rule:
-                addrinfo = socket.getaddrinfo(rule['dsthost'], None,
-                    (socket.AF_INET6 if family == 6 else socket.AF_INET))
+                try:
+                    addrinfo = socket.getaddrinfo(rule['dsthost'], None,
+                        (socket.AF_INET6 if family == 6 else socket.AF_INET))
+                except socket.gaierror as e:
+                    raise RuleParseError('Failed to resolve {}: {}'.format(
+                        rule['dsthost'], str(e)))
                nft_rule += ' {} daddr {{ {} }}'.format(ip_match,
                    ', '.join(set(item[4][0] + fullmask for item in addrinfo)))