From e6eee9f4e0f1275c6b01091f5eab97abb7c5b91b Mon Sep 17 00:00:00 2001
From: Pawel Marczewski
Date: Tue, 14 Jan 2020 11:22:16 +0100
Subject: [PATCH] update_connected_ips: set iptables policy to drop while updating

---
 qubesagent/firewall.py | 16 +++++++++++++++-
 qubesagent/test_firewall.py | 6 +++++-
 2 files changed, 20 insertions(+), 2 deletions(-)

diff --git a/qubesagent/firewall.py b/qubesagent/firewall.py
index 0fb73cc..ae4b29e 100755
--- a/qubesagent/firewall.py
+++ b/qubesagent/firewall.py
@@ -411,10 +411,22 @@ class IptablesWorker(FirewallWorker):
         self.apply_rules_family(source, rules, 4)
 
     def update_connected_ips(self, family):
+        ips = self.get_connected_ips(family)
+
+        if not ips:
+            # Just flush.
+            self.run_ipt(family, ['-t', 'raw', '-F', 'QBS-PREROUTING'])
+            self.run_ipt(family, ['-t', 'mangle', '-F', 'QBS-POSTROUTING'])
+            return
+
+        # Temporarily set policy to DROP while updating the rules.
+        self.run_ipt(family, ['-t', 'raw', '-P', 'PREROUTING', 'DROP'])
+        self.run_ipt(family, ['-t', 'mangle', '-P', 'POSTROUTING', 'DROP'])
+
         self.run_ipt(family, ['-t', 'raw', '-F', 'QBS-PREROUTING'])
         self.run_ipt(family, ['-t', 'mangle', '-F', 'QBS-POSTROUTING'])
 
-        for ip in self.get_connected_ips(family):
+        for ip in ips:
             self.run_ipt(family, [
                 '-t', 'raw', '-A', 'QBS-PREROUTING',
                 '!', '-i', 'vif+', '-s', ip, '-j', 'DROP'])
@@ -422,6 +434,8 @@ class IptablesWorker(FirewallWorker):
                 '-t', 'mangle', '-A', 'QBS-POSTROUTING',
                 '!', '-o', 'vif+', '-d', ip, '-j', 'DROP'])
 
+        self.run_ipt(family, ['-t', 'raw', '-P', 'PREROUTING', 'ACCEPT'])
+        self.run_ipt(family, ['-t', 'mangle', '-P', 'POSTROUTING', 'ACCEPT'])
 
     def init(self):
         # Chains QBS-FORWARD, QBS-PREROUTING, QBS-POSTROUTING
diff --git a/qubesagent/test_firewall.py b/qubesagent/test_firewall.py
index 7ecf0c5..909b3e4 100644
--- a/qubesagent/test_firewall.py
+++ b/qubesagent/test_firewall.py
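Review bot: If any run_ipt call between the two `-P ... DROP` lines and the two `-P ... ACCEPT` lines raises (an iptables error on one of the `-A` rules, for instance), the built-in PREROUTING/POSTROUTING policy for that family stays DROP and every packet through those hooks is blocked until the next successful update, and nothing in the hunk says whether that fail-closed outcome is intended. I would state it next to the DROP lines, `# If a command below fails the policy stays DROP (fail closed) until the next successful update.`, and log the exception at that point so an operator can tell a deliberately blocked network from a misconfiguration. The DROP window also discards legitimate traffic on established flows for the duration of the rebuild; if the worker can drive iptables-restore, an atomic table replace would remove both the window and the policy toggling. The `if not ips` branch flushes without the guard, which is sound because there is no address left to protect, and the ACCEPT lines in the second hunk rely on the same ordering. update_connected_ips continues between the two hunks.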
@@ -337,6 +337,8 @@ class TestIptablesWorker(TestCase):
 
         self.obj.update_connected_ips(4)
         self.assertEqual(self.obj.called_commands[4], [
+            ['-t', 'raw', '-P', 'PREROUTING', 'DROP'],
+            ['-t', 'mangle', '-P', 'POSTROUTING', 'DROP'],
             ['-t', 'raw', '-F', 'QBS-PREROUTING'],
             ['-t', 'mangle', '-F', 'QBS-POSTROUTING'],
             ['-t', 'raw', '-A', 'QBS-PREROUTING',
@@ -346,7 +348,9 @@ class TestIptablesWorker(TestCase):
             ['-t', 'raw', '-A', 'QBS-PREROUTING',
              '!', '-i', 'vif+', '-s', '10.137.0.2', '-j', 'DROP'],
             ['-t', 'mangle', '-A', 'QBS-POSTROUTING',
-             '!', '-o', 'vif+', '-d', '10.137.0.2', '-j', 'DROP']
+             '!', '-o', 'vif+', '-d', '10.137.0.2', '-j', 'DROP'],
+            ['-t', 'raw', '-P', 'PREROUTING', 'ACCEPT'],
+            ['-t', 'mangle', '-P', 'POSTROUTING', 'ACCEPT'],
         ])
 
     def test_009_update_connected_ips_empty(self):
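Review bot: The updated assertion pins only the happy path; nothing exercises a run_ipt failure between the DROP and ACCEPT policy commands, which is exactly the case that leaves the chain policy at DROP. A test that makes the recording stub raise on one of the `-A` commands and then asserts that `self.obj.called_commands[4]` holds the two DROP policy entries but no ACCEPT entries would document that fail-closed behaviour rather than leaving it implicit. test_009_update_connected_ips_empty, whose body lies outside the hunk, presumably checks the flush-only path and is unaffected because the empty branch does not touch the policy; it is worth confirming it asserts that no `-P` command is issued.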