From c324b1625207c8bc5673957a96c7d3cfb90395ba Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?=
Date: Thu, 28 Dec 2017 05:27:24 +0100
Subject: [PATCH] firewall: allow also related traffic

This include ICMP error messages for allowed traffic.

Fixes QubesOS/qubes-issues#3406
---
 qubesagent/firewall.py | 2 +-
 qubesagent/test_firewall.py | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/qubesagent/firewall.py b/qubesagent/firewall.py
index 267090d..7e36f7f 100755
--- a/qubesagent/firewall.py
+++ b/qubesagent/firewall.py
@@ -556,7 +556,7 @@ class NftablesWorker(FirewallWorker):
 ' chain forward {{\n'
 ' type filter hook forward priority 0;\n'
 ' policy drop;\n'
- ' ct state established accept\n'
+ ' ct state established,related accept\n'
 ' }}\n'
 '}}\n'
 )
diff --git a/qubesagent/test_firewall.py b/qubesagent/test_firewall.py
index c271f6c..f122eb6 100644
--- a/qubesagent/test_firewall.py
+++ b/qubesagent/test_firewall.py
@@ -430,14 +430,14 @@ class TestNftablesWorker(TestCase):
 ' chain forward {\n'
 ' type filter hook forward priority 0;\n'
 ' policy drop;\n'
- ' ct state established accept\n'
+ ' ct state established,related accept\n'
 ' }\n'
 '}\n'
 'table ip6 qubes-firewall {\n'
 ' chain forward {\n'
 ' type filter hook forward priority 0;\n'
 ' policy drop;\n'
- ' ct state established accept\n'
+ ' ct state established,related accept\n'
 ' }\n'
 '}\n'
 ])
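Review bot: The new `ct state established,related accept` rule in the `chain forward` template of qubesagent/firewall.py admits more than the ICMP errors the commit message names, because `related` also matches flows that a conntrack helper (FTP, SIP and similar) has registered as expectations. Whether any helper is active in the VM is not visible from this hunk, so this may be harmless in practice, but the rule should state what it is meant to cover, for example with a comment above the string such as `# related: ICMP errors for allowed flows; also helper expectations if a conntrack helper is loaded`. If only ICMP errors are intended, keep `' ct state established accept\n'` and add a second rule `' ct state related meta l4proto {{ icmp, ipv6-icmp }} accept\n'`, updating the expected strings in both tables of test_firewall.py (single braces there) to match. The template string belongs to a method of NftablesWorker that starts and ends outside the hunk.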