firewall: allow also related traffic

This include ICMP error messages for allowed traffic. Fixes QubesOS/qubes-issues#3406
2017-12-28 05:27:24 +01:00 · 2017-12-28 05:27:24 +01:00 · c324b16252
commit c324b16252
parent 3a83623647
2 changed files with 3 additions and 3 deletions
--- a/qubesagent/firewall.py
+++ b/qubesagent/firewall.py
@ -556,7 +556,7 @@ class NftablesWorker(FirewallWorker):
            '  chain forward {{\n'
            '    type filter hook forward priority 0;\n'
            '    policy drop;\n'
-            '    ct state established accept\n'
+            '    ct state established,related accept\n'
            '  }}\n'
            '}}\n'
        )
--- a/qubesagent/test_firewall.py
+++ b/qubesagent/test_firewall.py
@ -430,14 +430,14 @@ class TestNftablesWorker(TestCase):
            '  chain forward {\n'
            '    type filter hook forward priority 0;\n'
            '    policy drop;\n'
-            '    ct state established accept\n'
+            '    ct state established,related accept\n'
            '  }\n'
            '}\n'
            'table ip6 qubes-firewall {\n'
            '  chain forward {\n'
            '    type filter hook forward priority 0;\n'
            '    policy drop;\n'
-            '    ct state established accept\n'
+            '    ct state established,related accept\n'
            '  }\n'
            '}\n'
        ])