qubes-firewall: call firewall-user-script at service startup

Call it just after creating base chains in iptables/nftables. This allows
the user to modify how those rules are plugged in, add custom rules at the
beginning/end, etc.

Fixes QubesOS/qubes-issues#3260
This commit is contained in:
Marek Marczykowski-Górecki 2018-02-05 16:27:52 +01:00
parent c6cdbf87b0
commit 6c33652ed4
No known key found for this signature in database
GPG Key ID: 063938BA42CFA724


@ -62,6 +62,13 @@ class FirewallWorker(object):
'''Apply rules in given source address''' '''Apply rules in given source address'''
raise NotImplementedError raise NotImplementedError
def run_user_script(self):
'''Run user script in /rw/config'''
user_script_path = '/rw/config/qubes-firewall-user-script'
if os.path.isfile(user_script_path) and \
os.access(user_script_path, os.X_OK):
subprocess.call([user_script_path])
def read_rules(self, target): def read_rules(self, target):
'''Read rules from QubesDB and return them as a list of dicts''' '''Read rules from QubesDB and return them as a list of dicts'''
entries = self.qdb.multiread('/qubes-firewall/{}/'.format(target)) entries = self.qdb.multiread('/qubes-firewall/{}/'.format(target))
@ -133,6 +140,7 @@ class FirewallWorker(object):
def main(self): def main(self):
self.terminate_requested = False self.terminate_requested = False
self.init() self.init()
self.run_user_script()
# initial load # initial load
for source_addr in self.list_targets(): for source_addr in self.list_targets():
self.handle_addr(source_addr) self.handle_addr(source_addr)
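Review bot: The return code of `subprocess.call([user_script_path])` in run_user_script is discarded, so a user script that exits non-zero (or is present but not executable, which the `os.access` check silently skips) leaves no trace at service startup. Consider `rc = subprocess.call([user_script_path])` followed by a log line or a raised error when `rc != 0`, so a failing hook is visible rather than silently ignored. The docstring could also state the skip condition: `'''Run /rw/config/qubes-firewall-user-script if it exists and is executable'''`. If `os` and `subprocess` are not already imported at the top of this file (not visible here), the hunk needs those imports as well.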