Qubes/core-agent-linux
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

vm: disable forwarding when iptables rules are being (re)applied

Browse Source
This commit is contained in:
Joanna Rutkowska 2011-08-18 18:47:08 +02:00
parent 61d88dd8df
commit 81917388ef
1 changed files with 9 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
proxyvm/bin/qubes_firewall
View File

@ -13,11 +13,20 @@ echo $$ >$PIDFILE
trap 'exit 0' SIGTERM trap 'exit 0' SIGTERM
while true; do while true; do
echo "1" > /proc/sys/net/ipv4/ip_forward
# Wait for changes in xenstore file # Wait for changes in xenstore file
/usr/bin/xenstore-watch-qubes $XENSTORE_IPTABLES /usr/bin/xenstore-watch-qubes $XENSTORE_IPTABLES
TRIGGER=$(/usr/bin/xenstore-read $XENSTORE_IPTABLES) TRIGGER=$(/usr/bin/xenstore-read $XENSTORE_IPTABLES)
if ! [ "$TRIGGER" = "reload" ]; then continue ; fi if ! [ "$TRIGGER" = "reload" ]; then continue ; fi
# Disable forarding to prevent potential "leaks" that might
# be bypassing the firewall or some proxy service (e.g. tor)
# during the time when the rules are being (re)applied
echo "0" > /proc/sys/net/ipv4/ip_forward
RULES=$(/usr/bin/xenstore-read $XENSTORE_IPTABLES_HEADER) RULES=$(/usr/bin/xenstore-read $XENSTORE_IPTABLES_HEADER)
IPTABLES_SAVE=$(/sbin/iptables-save | sed '/^\*filter/,/^COMMIT/d') IPTABLES_SAVE=$(/sbin/iptables-save | sed '/^\*filter/,/^COMMIT/d')
OUT=`echo -e "$RULES\n$IPTABLES_SAVE" | /sbin/iptables-restore 2>&1 || :` OUT=`echo -e "$RULES\n$IPTABLES_SAVE" | /sbin/iptables-restore 2>&1 || :`