From 6f78a5fcf707140a6401c64a8ed9c8a47ce6e3a1 Mon Sep 17 00:00:00 2001 From: Giulio Date: Wed, 14 Jul 2021 17:23:37 +0200 Subject: [PATCH 01/10] First GSOC forwarding code import --- qubes/firewall.py | 102 ++++++++++++++++++++++++++++++++++++++++++-- qubes/vm/mix/net.py | 42 +++++++++++++++++- 2 files changed, 140 insertions(+), 4 deletions(-) diff --git a/qubes/firewall.py b/qubes/firewall.py index b3b0a3af3..3a2c02720 100644 --- a/qubes/firewall.py +++ b/qubes/firewall.py @@ -76,12 +76,22 @@ def __init__(self, untrusted_value): class Action(RuleChoice): accept = 'accept' drop = 'drop' + forward = 'forward' @property def rule(self): return 'action=' + str(self) +class ForwardType(RuleChoice): + external = 'external' + internal = 'internal' + + @property + def rule(self): + return 'forwardtype=' + str(self) + + class Proto(RuleChoice): tcp = 'tcp' udp = 'udp' @@ -92,8 +102,8 @@ def rule(self): return 'proto=' + str(self) -class DstHost(RuleOption): - '''Represent host/network address: either IPv4, IPv6, or DNS name''' +class Host(RuleOption): +'''Represent host/network address: either IPv4, IPv6, or DNS name''' def __init__(self, untrusted_value, prefixlen=None): if untrusted_value.count('/') > 1: raise ValueError('Too many /: ' + untrusted_value) @@ -155,12 +165,20 @@ def __init__(self, untrusted_value, prefixlen=None): super().__init__(value) + +class DstHost(Host): + @property def rule(self): return self.type + '=' + str(self) +class SrcHost(Host): + + @property + def rule(self): + return 'src' + self.type + '=' + str(self) -class DstPorts(RuleOption): +class Ports(RuleOption): def __init__(self, untrusted_value): if isinstance(untrusted_value, int): untrusted_value = str(untrusted_value) 
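Review bot: ForwardType is added without a docstring, so nothing in firewall.py says what 'internal' and 'external' mean; the only definition is implicit in net.py, where internal rules are written to the VM's direct netvm only and external rules are pushed to every netvm on the path. A class docstring such as `'''Scope of a forward rule: 'internal' is applied on the direct netvm only, 'external' is propagated to every upstream netvm'''` keeps that contract next to the type. The new `forward` Action value could likewise carry a one-line comment noting that it requires forwardtype and srcports (enforced in Rule.__init__ further down).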
@@ -178,11 +196,19 @@ def __init__(self, untrusted_value): str(self.range[0]) if self.range[0] == self.range[1] else '-'.join(map(str, self.range))) + +class DstPorts(Ports): @property def rule(self): return 'dstports=' + '{!s}-{!s}'.format(*self.range) +class SrcPorts(Ports): + @property + def rule(self): + return 'srcports=' + '{!s}-{!s}'.format(*self.range) + + class IcmpType(RuleOption): def __init__(self, untrusted_value): untrusted_value = int(untrusted_value) @@ -259,13 +285,29 @@ def __init__(self, xml=None, **kwargs): if self.icmptype: self.on_set_icmptype('property-set:icmptype', 'icmptype', self.icmptype, None) + # dependencies for forwarding + if self.forwardtype: + self.on_set_forwardtype('property-set:forwardtype', 'forwardtype', + self.forwardtype, None) + if self.srcports: + self.on_set_srcports('property-set:srcports', 'srcports', + self.srcports, None) self.property_require('action', False, True) + if self.action is 'forward': + self.property_require('forwardtype', False, True) + self.property_require('srcports', False, True) action = qubes.property('action', type=Action, order=0, doc='rule action') + forwardtype = qubes.property('forwardtype', + type=ForwardType, + default=None, + order=1, + doc='forwarding type (\'internal\' or \'external\')') + proto = qubes.property('proto', type=Proto, default=None, @@ -278,6 +320,18 @@ def __init__(self, xml=None, **kwargs): order=1, doc='destination host/network') + srchost = qubes.property('srchost', + type=SrcHost, + default=None, + order=2, + doc='allowed inbound hosts for connections (for forwarding only)') + + srcports = qubes.property('srcports', + type=SrcPorts, + default=None, + order=2, + doc='Inbound port(s) (for forwarding only)') + dstports = qubes.property('dstports', type=DstPorts, default=None, 
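Review bot: `if self.action is 'forward':` compares by identity, so the branch never runs and the added `property_require('forwardtype', ...)` / `property_require('srcports', ...)` are never enforced for forward rules; the handlers in the same file already compare with `self.action != 'forward'`, and CPython 3.8+ warns on `is` with a literal. Change it to `if self.action == 'forward':`. Patch 03's hunk @@ -292 extends this same block with srchost and keeps the `is`, so the fix applies there too. Rule.__init__ starts outside the hunk.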
@@ -330,6 +384,24 @@ def on_set_proto(self, event, name, newvalue, oldvalue=None): if newvalue not in ('icmp',): self.icmptype = qubes.property.DEFAULT + @qubes.events.handler('property-set:forwardtype') + def on_set_forwardtype(self, event, name, newvalue, oldvalue=None): + if self.action != 'forward': + raise ValueError( + 'forwardtype valid only for forward action') + + @qubes.events.handler('property-set:srcports') + def on_set_srcports(self, event, name, newvalue, oldvalue=None): + if self.action != 'forward': + raise ValueError( + 'srcports valid only for forward action') + + @qubes.events.handler('property-set:srchost') + def on_set_srchost(self, event, name, newvalue, oldvalue=None): + if self.action != 'forward': + raise ValueError( + 'srchost valid only for forward action') + @qubes.events.handler('property-reset:proto') def on_reset_proto(self, event, name, oldvalue): # pylint: disable=unused-argument 
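Review bot: The three new handlers are registered on `property-set:` events, whereas the file's existing validators (`on_set_dstports` on `property-pre-set:dstports`, and `on_set_dsthost` added later in patch 04) use `property-pre-set:`; if the event names mean what they say, a ValueError raised from a post-set handler leaves the rejected forwardtype/srcports/srchost value already stored on the rule. Registering them as `@qubes.events.handler('property-pre-set:forwardtype')` (and likewise for srcports and srchost) rejects the value before it is assigned. They also lack the `# pylint: disable=unused-argument` line their siblings carry, and since the three bodies differ only in the message, one helper taking the property name would remove the duplication.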
@@ -614,5 +686,29 @@ def qdb_entries(self, addr_family=None): # exclude rules for another address family if rule.dsthost and rule.dsthost.type == exclude_dsttype: continue + # exclude forwarding rules, managed separately + if rule.action == "forward": + continue entries['{:04}'.format(ruleno)] = rule.rule return entries + + def qdb_forward_entries(self, addr_family=None, type="internal"): + ''' In order to keep all the 'parsing' logic here and not in net.py, + directly separate forwarding rules from standard rules since they need + to be handled differently later. + ''' + entries = {} + if addr_family is not None: + exclude_dsttype = 'dst4' if addr_family == 6 else 'dst6' + for ruleno, rule in zip(itertools.count(), self.rules): + if rule.expire and rule.expire.expired: + continue + # exclude rules for another address family + if rule.dsthost and rule.dsthost.type == exclude_dsttype: + continue + # include only forwarding rules + if rule.action != "forward": + continue + if rule.forwardtype == type: + entries['{:04}'.format(ruleno)] = rule.rule + return entries \ No newline at end of file diff --git a/qubes/vm/mix/net.py b/qubes/vm/mix/net.py index 7919bd1bd..e8f810bec 100644 --- a/qubes/vm/mix/net.py +++ b/qubes/vm/mix/net.py @@ -360,11 +360,26 @@ def is_networked(self): return self.netvm is not None + def resolve_netpath(self): + '''This VM does not have a network path since it has no netvm''' + if self.netvm is None: + return + + '''Recursively resolve netvm until no netvm is set, order is important''' + netpath = list() + netvm = self + while netvm: + netpath.append(netvm) + netvm = netvm.netvm + return netpath + def reload_firewall_for_vm(self, vm): ''' Reload the firewall rules for the vm ''' if not self.is_running(): return + netpath = self.resolve_netpath() + for addr_family in (4, 6): ip = vm.ip6 if addr_family == 6 else vm.ip if ip is None: 
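Review bot: `exclude_dsttype` is only assigned inside `if addr_family is not None:`, so calling `qdb_forward_entries()` without addr_family raises UnboundLocalError on the first rule that has a dsthost; `qdb_entries` above initialises it with `exclude_dsttype = None` before the `if`, and the same line is needed here. The parameter `type` shadows the builtin; `forwardtype` would match the rule property it is compared against. The same unbound variable persists through the rewrites of this method in patch 05 (@@ -719) and patch 06 (@@ -721). The file also loses its trailing newline in this hunk.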
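Review bot: `resolve_netpath` returns None when `self.netvm is None`, but the while loop below already yields `[self]` for that case, and `reload_firewall_for_vm` iterates the result unguarded (`for netvm in netpath:` in the next hunk), so the outermost netvm of a chain raises TypeError on the first external forward rule. Dropping the early return, or returning `[self]`, gives every netvm a path. The two bare string literals are statements, not comments: the first becomes the docstring and reads as a condition rather than a description, the second is evaluated and discarded; use `'''Return the chain of netvms from this VM outward, self first.'''` and a `#` comment for the second. `netpath = list()` is conventionally `netpath = []`.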
@@ -373,13 +388,38 @@ def reload_firewall_for_vm(self, vm): # remove old entries if any (but don't touch base empty entry - it # would trigger reload right away self.untrusted_qdb.rm(base_dir) - # write new rules + + # begin write new accept/drop rules for key, value in vm.firewall.qdb_entries( addr_family=addr_family).items(): self.untrusted_qdb.write(base_dir + key, value) + # signal its done self.untrusted_qdb.write(base_dir[:-1], '') + # begin write new forward rules + # if internal + base_dir = '/qubes-firewall-forward/{}/'.format(ip) + self.untrusted_qdb.rm(base_dir) + + for key, value in vm.firewall.qdb_forward_entries( + addr_family=addr_family, type="internal").items(): + self.untrusted_qdb.write(base_dir + key, value) + self.untrusted_qdb.write(base_dir[:-1], '') + # endif + + # if external + for key, value in vm.firewall.qdb_forward_entries( + addr_family=addr_family, type="external").items(): + current_ip = ip + for netvm in netpath: + base_dir = '/qubes-firewall-forward/{}/'.format(current_ip) + netvm.untrusted_qdb.write(base_dir + key, value) + current_ip = netvm.ip + self.untrusted_qdb.write(base_dir[:-1], '') + # end forward rules + + def set_mapped_ip_info_for_vm(self, vm): ''' Set configuration to possibly hide real IP from the VM. From ada61ec7329b55454ed797ad113e7fb481981ac6 Mon Sep 17 00:00:00 2001 From: Giulio Date: Wed, 14 Jul 2021 18:17:29 +0200 Subject: [PATCH 02/10] Typo --- qubes/firewall.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/qubes/firewall.py b/qubes/firewall.py index 3a2c02720..2a28f0313 100644 --- a/qubes/firewall.py +++ b/qubes/firewall.py @@ -103,7 +103,7 @@ def rule(self): class Host(RuleOption): -'''Represent host/network address: either IPv4, IPv6, or DNS name''' + '''Represent host/network address: either IPv4, IPv6, or DNS name''' def __init__(self, untrusted_value, prefixlen=None): if untrusted_value.count('/') > 1: raise ValueError('Too many /: ' + untrusted_value) 
@@ -511,7 +511,7 @@ def from_api_string(cls, untrusted_rule): 'dsthost')) kwargs['dsthost'] = DstHost(untrusted_value=untrusted_value) else: - raise ValueError('Unknown firewall option') + raise ValueError('Unknown firewall option {}'.format(untrusted_option)) return cls(**kwargs) From a034316a5398aebf5b30033bbbe89d9363fce491 Mon Sep 17 00:00:00 2001 From: Giulio Date: Thu, 15 Jul 2021 14:14:30 +0200 Subject: [PATCH 03/10] srchost and dsthost fix --- qubes/firewall.py | 24 ++++++++++++++++++------ 1 file changed, 18 insertions(+), 6 deletions(-) diff --git a/qubes/firewall.py b/qubes/firewall.py index 2a28f0313..917825651 100644 --- a/qubes/firewall.py +++ b/qubes/firewall.py @@ -117,7 +117,7 @@ def __init__(self, untrusted_value, prefixlen=None): raise ValueError( 'netmask for IPv6 must be between 0 and 128') value += '/' + str(self.prefixlen) - self.type = 'dst6' + self.type = '6' except socket.error: try: socket.inet_pton(socket.AF_INET, untrusted_value) @@ -130,9 +130,9 @@ def __init__(self, untrusted_value, prefixlen=None): raise ValueError( 'netmask for IPv4 must be between 0 and 32') value += '/' + str(self.prefixlen) - self.type = 'dst4' + self.type = '4' except socket.error: - self.type = 'dsthost' + self.type = 'host' self.prefixlen = 0 safe_set = string.ascii_lowercase + string.digits + '-._' if not all(c in safe_set for c in untrusted_value): @@ -149,13 +149,13 @@ def __init__(self, untrusted_value, prefixlen=None): value = untrusted_value if prefixlen > 128: raise ValueError('netmask for IPv6 must be <= 128') - self.type = 'dst6' + self.type = '6' except socket.error: try: socket.inet_pton(socket.AF_INET, untrusted_host) if prefixlen > 32: raise ValueError('netmask for IPv4 must be <= 32') - self.type = 'dst4' + self.type = '4' if untrusted_host.count('.') != 3: raise ValueError( 'Invalid number of dots in IPv4 address') 
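Review bot: `'Unknown firewall option {}'.format(untrusted_option)` puts the unvalidated token straight into the exception text; the file's `untrusted_` naming marks it as not yet checked, and if this message is returned to the API caller or logged (the surrounding code is outside the hunk) it carries whatever was sent, unbounded in length. If the extra context is wanted, bound it and quote it, e.g. `'Unknown firewall option {!r}'.format(untrusted_option[:64])`. The new line also exceeds the 79-column limit the rest of the file keeps.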
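Review bot: Changing `self.type` to '6'/'4'/'host' (here and in hunks @@ -130 and @@ -149) breaks the address-family filter that is not updated: `qdb_entries` and `qdb_forward_entries` still compute `exclude_dsttype = 'dst4' if addr_family == 6 else 'dst6'` and compare it with `rule.dsthost.type` (visible in the patch 05 context), which can no longer match, so every host rule is emitted into both the IPv4 and IPv6 rule sets. Either keep the 'dst' prefix in `type` and strip it in `SrcHost.rule`, or change the filter to `exclude_dsttype = '4' if addr_family == 6 else '6'`. The patch 03 TODO 'missing correct src6/dst4 handling' hints at this, but the mismatch remains through patch 06.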
@@ -170,7 +170,7 @@ class DstHost(Host): @property def rule(self): - return self.type + '=' + str(self) + return 'dst' + self.type + '=' + str(self) class SrcHost(Host): @@ -292,10 +292,14 @@ def __init__(self, xml=None, **kwargs): if self.srcports: self.on_set_srcports('property-set:srcports', 'srcports', self.srcports, None) + if self.srchost: + self.on_set_srcports('property-set:srchost', 'srchost', + self.srcports, None) self.property_require('action', False, True) if self.action is 'forward': self.property_require('forwardtype', False, True) self.property_require('srcports', False, True) + self.property_require('srchost', False, True) action = qubes.property('action', type=Action, @@ -510,6 +514,11 @@ def from_api_string(cls, untrusted_rule): raise ValueError('Option \'{}\' already set'.format( 'dsthost')) kwargs['dsthost'] = DstHost(untrusted_value=untrusted_value) + elif untrusted_key in ('src4', 'src6'): + if 'srchost' in kwargs: + raise ValueError('Option \'{}\' already set'.format( + 'srchost')) + kwargs['srchost'] = SrcHost(untrusted_value=untrusted_value) else: raise ValueError('Unknown firewall option {}'.format(untrusted_option)) @@ -697,6 +706,9 @@ def qdb_forward_entries(self, addr_family=None, type="internal"): directly separate forwarding rules from standard rules since they need to be handled differently later. ''' + ''' + TODO: missing correct src6/dst4 handling + ''' entries = {} if addr_family is not None: exclude_dsttype = 'dst4' if addr_family == 6 else 'dst6' From 102112a546f9f7360c079da9f9b28694922f662d Mon Sep 17 00:00:00 2001 From: Giulio Date: Thu, 15 Jul 2021 17:17:00 +0200 Subject: [PATCH 04/10] Fixed parsing error when using an hostname as dst/srchost --- qubes/firewall.py | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/qubes/firewall.py b/qubes/firewall.py index 917825651..4d6fc7f54 100644 --- a/qubes/firewall.py +++ b/qubes/firewall.py 
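Review bot: The new srchost block calls the wrong handler with the wrong value: `self.on_set_srcports('property-set:srchost', 'srchost', self.srcports, None)` re-validates srcports instead of srchost, so a rule loaded from XML with srchost set never passes through `on_set_srchost`. It should read `self.on_set_srchost('property-set:srchost', 'srchost', self.srchost, None)`. The `if self.action is 'forward':` test two lines below still uses identity, so the added `property_require('srchost', ...)` is never reached either. Rule.__init__ starts outside the hunk.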
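Review bot: `from_api_string` now accepts `src4`/`src6` keys only, but `SrcHost.rule` (patch 01 with the patch 03 type rename) serialises a DNS-name source as `srchost=...`, so a forward rule with a hostname srchost cannot be parsed back from its own string form; whether the dsthost branch above accepts a `dsthost` key is outside the hunk. If hostnames are meant to be allowed for srchost, extend the tuple, `elif untrusted_key in ('src4', 'src6', 'srchost'):`; if not, `SrcHost.__init__` should reject them explicitly rather than leaving the generic 'Unknown firewall option' error to do it here.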
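Review bot: The added `''' TODO: missing correct src6/dst4 handling '''` is a second string-literal statement after the docstring, so it is evaluated and discarded at runtime and never appears in `help()`; write it as `# TODO: missing correct src6/dst4 handling` or fold it into the docstring. Since the family filter in this method is what the TODO refers to, naming the concrete gap (srchost is not filtered by address family) would help the next reader.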
@@ -365,6 +365,13 @@ def __init__(self, xml=None, **kwargs): doc='User comment') # noinspection PyUnusedLocal + @qubes.events.handler('property-pre-set:dsthost') + def on_set_dsthost(self, event, name, newvalue, oldvalue=None): + # pylint: disable=unused-argument + if self.action not in ('accept', 'drop'): + raise ValueError( + 'dsthost valid only for \'accept\' and \'drop\' action') + @qubes.events.handler('property-pre-set:dstports') def on_set_dstports(self, event, name, newvalue, oldvalue=None): # pylint: disable=unused-argument From 0cf04fb290469340a59a013531bba6e06e8a0169 Mon Sep 17 00:00:00 2001 From: Giulio Date: Sat, 17 Jul 2021 17:06:56 +0200 Subject: [PATCH 05/10] Fixed and improved rules distribution --- qubes/firewall.py | 14 +++++++------- qubes/vm/mix/net.py | 7 ++++++- 2 files changed, 13 insertions(+), 8 deletions(-) diff --git a/qubes/firewall.py b/qubes/firewall.py index 4d6fc7f54..fba44ac90 100644 --- a/qubes/firewall.py +++ b/qubes/firewall.py @@ -22,6 +22,7 @@ import datetime import string +import uuid import itertools import os @@ -696,7 +697,8 @@ def qdb_entries(self, addr_family=None): exclude_dsttype = None if addr_family is not None: exclude_dsttype = 'dst4' if addr_family == 6 else 'dst6' - for ruleno, rule in zip(itertools.count(), self.rules): + for ruleno, rule in zip(itertools.count(), + filter(lambda x: (x.action != "forward"), self.rules)): if rule.expire and rule.expire.expired: continue # exclude rules for another address family 
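Review bot: `on_set_dsthost` rejects dsthost for any action other than accept/drop, which makes dsthost unusable on forward rules; as a consequence the `rule.dsthost` address-family check in `qdb_forward_entries` can never match, and forward rules have no family filter at all (their only address is srchost, which is not checked). The handler also depends on `action` already being set when dsthost is assigned; with action at `order=0` that presumably holds for kwargs, but a rule whose dsthost is assigned before action would be rejected. The sibling handlers added in patch 01 use `property-set:` while this one uses `property-pre-set:`; the four should agree on one event.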
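Review bot: Numbering with `zip(itertools.count(), filter(lambda x: ..., self.rules))` counts positions among non-forward rules only, so the qdb key no longer equals the rule's index in `self.rules`; if ordering within the accept/drop set is all the consumer needs that is fine, but the docstring should say so. The in-loop `if rule.action == "forward": continue` added in patch 01 (just below this hunk) is now dead and can go. A generator reads better than a parenthesised lambda, `(r for r in self.rules if r.action != 'forward')`, and the new line exceeds the file's 79-column limit.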
@@ -719,15 +721,13 @@ def qdb_forward_entries(self, addr_family=None, type="internal"): entries = {} if addr_family is not None: exclude_dsttype = 'dst4' if addr_family == 6 else 'dst6' - for ruleno, rule in zip(itertools.count(), self.rules): + for ruleno, rule in zip(itertools.count(), + filter(lambda x: (x.action == "forward" and x.forwardtype == type), self.rules)): + if rule.expire and rule.expire.expired: continue # exclude rules for another address family if rule.dsthost and rule.dsthost.type == exclude_dsttype: continue - # include only forwarding rules - if rule.action != "forward": - continue - if rule.forwardtype == type: - entries['{:04}'.format(ruleno)] = rule.rule + entries['{:04}'.format(ruleno)] = rule.rule return entries \ No newline at end of file diff --git a/qubes/vm/mix/net.py b/qubes/vm/mix/net.py index e8f810bec..f4485b222 100644 --- a/qubes/vm/mix/net.py +++ b/qubes/vm/mix/net.py @@ -409,11 +409,16 @@ def reload_firewall_for_vm(self, vm): # endif # if external + # super ugly cleaning, surely has to be improved + cleaned = [] for key, value in vm.firewall.qdb_forward_entries( addr_family=addr_family, type="external").items(): current_ip = ip for netvm in netpath: - base_dir = '/qubes-firewall-forward/{}/'.format(current_ip) + base_dir = '/qubes-firewall-forward/{}/{}/'.format(vm.name, current_ip) + if base_dir not in cleaned: + netvm.untrusted_qdb.rm(base_dir) + cleaned.append(base_dir) netvm.untrusted_qdb.write(base_dir + key, value) current_ip = netvm.ip self.untrusted_qdb.write(base_dir[:-1], '') From 2fc57158e4dbd75ee6af2e62f94776c4c152f15f Mon Sep 17 00:00:00 2001 From: Giulio Date: Sat, 17 Jul 2021 20:44:47 +0200 Subject: [PATCH 06/10] net.py external/internal logic+code refactoring --- qubes/firewall.py | 8 ++++---- qubes/vm/mix/net.py | 47 +++++++++++++++++++++++++-------------------- 2 files changed, 30 insertions(+), 25 deletions(-) diff --git a/qubes/firewall.py b/qubes/firewall.py index fba44ac90..2c55f6ef1 100644 
--- a/qubes/firewall.py +++ b/qubes/firewall.py @@ -22,7 +22,6 @@ import datetime import string -import uuid import itertools import os @@ -710,7 +709,7 @@ def qdb_entries(self, addr_family=None): entries['{:04}'.format(ruleno)] = rule.rule return entries - def qdb_forward_entries(self, addr_family=None, type="internal"): + def qdb_forward_entries(self, addr_family=None): ''' In order to keep all the 'parsing' logic here and not in net.py, directly separate forwarding rules from standard rules since they need to be handled differently later. @@ -721,13 +720,14 @@ def qdb_forward_entries(self, addr_family=None, type="internal"): entries = {} if addr_family is not None: exclude_dsttype = 'dst4' if addr_family == 6 else 'dst6' + exclude_srctype = 'src4' if addr_family == 6 else 'src6' for ruleno, rule in zip(itertools.count(), - filter(lambda x: (x.action == "forward" and x.forwardtype == type), self.rules)): + filter(lambda x: (x.action == "forward"), self.rules)): if rule.expire and rule.expire.expired: continue # exclude rules for another address family if rule.dsthost and rule.dsthost.type == exclude_dsttype: continue - entries['{:04}'.format(ruleno)] = rule.rule + entries['{:04}:{}'.format(ruleno, rule.forwardtype)] = rule.rule return entries \ No newline at end of file diff --git a/qubes/vm/mix/net.py b/qubes/vm/mix/net.py index f4485b222..b2dc39f7e 100644 --- a/qubes/vm/mix/net.py +++ b/qubes/vm/mix/net.py 
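Review bot: `exclude_srctype` is assigned but never read, so forward rules are still not filtered by address family, and because forward rules cannot carry dsthost (patch 04) the remaining `rule.dsthost` check is dead: a rule with an IPv6 srchost is written into both the 4 and 6 passes. With the patch 03 rename the type values are '4'/'6', so the filter would be `exclude_srctype = '4' if addr_family == 6 else '6'` followed by `if rule.srchost and rule.srchost.type == exclude_srctype: continue`. Both exclude variables also stay unbound when `addr_family` is None. Packing forwardtype into the key (`'{:04}:{}'`) forces net.py to split the string back apart; returning `(ruleno, forwardtype)` keys or a nested dict would avoid inventing a string protocol between the two files.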
@@ -398,30 +398,35 @@ def reload_firewall_for_vm(self, vm): self.untrusted_qdb.write(base_dir[:-1], '') # begin write new forward rules - # if internal - base_dir = '/qubes-firewall-forward/{}/'.format(ip) - self.untrusted_qdb.rm(base_dir) - - for key, value in vm.firewall.qdb_forward_entries( - addr_family=addr_family, type="internal").items(): - self.untrusted_qdb.write(base_dir + key, value) - self.untrusted_qdb.write(base_dir[:-1], '') - # endif + #clean + if netpath: + for netvm in netpath: + base_dir = '/qubes-firewall-forward/{}/'.format(vm.name) + netvm.untrusted_qdb.rm(base_dir) - # if external - # super ugly cleaning, surely has to be improved - cleaned = [] for key, value in vm.firewall.qdb_forward_entries( - addr_family=addr_family, type="external").items(): - current_ip = ip - for netvm in netpath: - base_dir = '/qubes-firewall-forward/{}/{}/'.format(vm.name, current_ip) - if base_dir not in cleaned: - netvm.untrusted_qdb.rm(base_dir) - cleaned.append(base_dir) - netvm.untrusted_qdb.write(base_dir + key, value) - current_ip = netvm.ip + addr_family=addr_family).items(): + forwardtype = key.split(":")[1] + key = key.split(":")[0] + if forwardtype == "internal": + base_dir = '/qubes-firewall-forward/{}/{}/'.format(vm.name, ip) + self.untrusted_qdb.write(base_dir + key, value) + self.untrusted_qdb.write(base_dir + key + '/first', '1') + self.untrusted_qdb.write(base_dir + key + '/last', '1') self.untrusted_qdb.write(base_dir[:-1], '') + elif forwardtype == "external": + current_ip = ip + for i, netvm in enumerate(netpath): + base_dir = '/qubes-firewall-forward/{}/{}/'.format(vm.name, current_ip) + netvm.untrusted_qdb.write(base_dir + key, value) + if i == 0: + netvm.untrusted_qdb.write(base_dir + key + '/first', '1') + if i == len(netpath)-1: + netvm.untrusted_qdb.write(base_dir + key + '/last', '1') + current_ip = netvm.ip + self.untrusted_qdb.write(base_dir[:-1], '') + else: + raise ValueError('Invalid forwardtype') # end forward rules 
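Review bot: The cleanup only removes `/qubes-firewall-forward/<vm.name>/` from the VMs in the current `netpath`, so if the VM's netvm chain changed since the last reload, entries written earlier into a VM no longer on the path are left in place and presumably stay active there until that VM reloads or restarts; stale forward rules on a former upstream netvm are the failure mode most worth covering (record where rules were written, or clean up on the netvm-change event). The `if netpath:` guard covers the cleanup but not the `for i, netvm in enumerate(netpath)` loop below, which still fails on None. `forwardtype = key.split(":")[1]` / `key = key.split(":")[0]` splits twice; `key, forwardtype = key.split(':', 1)` is the idiom. reload_firewall_for_vm starts outside the hunk.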
From 8a4ed7f780c073eaea36f247a99cf52fd5f7bf6a Mon Sep 17 00:00:00 2001 From: Giulio Date: Fri, 13 Aug 2021 16:33:12 +0200 Subject: [PATCH 07/10] Fixed first/last --- qubes/firewall.py | 1 - qubes/vm/mix/net.py | 7 ++----- 2 files changed, 2 insertions(+), 6 deletions(-) diff --git a/qubes/firewall.py b/qubes/firewall.py index 2c55f6ef1..ef2904614 100644 --- a/qubes/firewall.py +++ b/qubes/firewall.py @@ -723,7 +723,6 @@ def qdb_forward_entries(self, addr_family=None): exclude_srctype = 'src4' if addr_family == 6 else 'src6' for ruleno, rule in zip(itertools.count(), filter(lambda x: (x.action == "forward"), self.rules)): - if rule.expire and rule.expire.expired: continue # exclude rules for another address family diff --git a/qubes/vm/mix/net.py b/qubes/vm/mix/net.py index b2dc39f7e..df5e32f8a 100644 --- a/qubes/vm/mix/net.py +++ b/qubes/vm/mix/net.py @@ -411,18 +411,15 @@ def reload_firewall_for_vm(self, vm): if forwardtype == "internal": base_dir = '/qubes-firewall-forward/{}/{}/'.format(vm.name, ip) self.untrusted_qdb.write(base_dir + key, value) - self.untrusted_qdb.write(base_dir + key + '/first', '1') - self.untrusted_qdb.write(base_dir + key + '/last', '1') + self.untrusted_qdb.write(base_dir + '/last', '1') self.untrusted_qdb.write(base_dir[:-1], '') elif forwardtype == "external": current_ip = ip for i, netvm in enumerate(netpath): base_dir = '/qubes-firewall-forward/{}/{}/'.format(vm.name, current_ip) netvm.untrusted_qdb.write(base_dir + key, value) - if i == 0: - netvm.untrusted_qdb.write(base_dir + key + '/first', '1') if i == len(netpath)-1: - netvm.untrusted_qdb.write(base_dir + key + '/last', '1') + netvm.untrusted_qdb.write(base_dir + '/last', '1') current_ip = netvm.ip self.untrusted_qdb.write(base_dir[:-1], '') else: From 6e3e250dae006a69639149b1212456f4c8b909bb Mon Sep 17 00:00:00 2001 
From: Giulio Date: Sat, 14 Aug 2021 15:05:07 +0200 Subject: [PATCH 08/10] fix parsing error --- qubes/vm/mix/net.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/qubes/vm/mix/net.py b/qubes/vm/mix/net.py index df5e32f8a..3060ea4d0 100644 --- a/qubes/vm/mix/net.py +++ b/qubes/vm/mix/net.py @@ -411,7 +411,7 @@ def reload_firewall_for_vm(self, vm): if forwardtype == "internal": base_dir = '/qubes-firewall-forward/{}/{}/'.format(vm.name, ip) self.untrusted_qdb.write(base_dir + key, value) - self.untrusted_qdb.write(base_dir + '/last', '1') + self.untrusted_qdb.write(base_dir + 'last', '1') self.untrusted_qdb.write(base_dir[:-1], '') elif forwardtype == "external": current_ip = ip @@ -419,7 +419,7 @@ def reload_firewall_for_vm(self, vm): base_dir = '/qubes-firewall-forward/{}/{}/'.format(vm.name, current_ip) netvm.untrusted_qdb.write(base_dir + key, value) if i == len(netpath)-1: - netvm.untrusted_qdb.write(base_dir + '/last', '1') + netvm.untrusted_qdb.write(base_dir + 'last', '1') current_ip = netvm.ip self.untrusted_qdb.write(base_dir[:-1], '') else: From 26f7b22f28d353b698f9007698f38202710b6345 Mon Sep 17 00:00:00 2001 From: Giulio Date: Sun, 15 Aug 2021 15:17:11 +0200 Subject: [PATCH 09/10] Changes last mechanism for development purposes --- qubes/vm/mix/net.py | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/qubes/vm/mix/net.py b/qubes/vm/mix/net.py index 3060ea4d0..23b0090f2 100644 --- a/qubes/vm/mix/net.py +++ b/qubes/vm/mix/net.py 
@@ -411,15 +411,14 @@ def reload_firewall_for_vm(self, vm): if forwardtype == "internal": base_dir = '/qubes-firewall-forward/{}/{}/'.format(vm.name, ip) self.untrusted_qdb.write(base_dir + key, value) - self.untrusted_qdb.write(base_dir + 'last', '1') self.untrusted_qdb.write(base_dir[:-1], '') elif forwardtype == "external": current_ip = ip for i, netvm in enumerate(netpath): base_dir = '/qubes-firewall-forward/{}/{}/'.format(vm.name, current_ip) - netvm.untrusted_qdb.write(base_dir + key, value) if i == len(netpath)-1: - netvm.untrusted_qdb.write(base_dir + 'last', '1') + value += ' last=1' + netvm.untrusted_qdb.write(base_dir + key, value) current_ip = netvm.ip self.untrusted_qdb.write(base_dir[:-1], '') else: From e3a64629393ee89854d5c797b112cc7d0305c4b2 Mon Sep 17 00:00:00 2001 From: Giulio Date: Fri, 20 Aug 2021 01:09:49 +0200 Subject: [PATCH 10/10] Good fix! --- qubes/vm/mix/net.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/qubes/vm/mix/net.py b/qubes/vm/mix/net.py index 23b0090f2..c67dedd49 100644 --- a/qubes/vm/mix/net.py +++ b/qubes/vm/mix/net.py @@ -420,7 +420,7 @@ def reload_firewall_for_vm(self, vm): value += ' last=1' netvm.untrusted_qdb.write(base_dir + key, value) current_ip = netvm.ip - self.untrusted_qdb.write(base_dir[:-1], '') + netvm.untrusted_qdb.write(base_dir[:-1], '') else: raise ValueError('Invalid forwardtype') # end forward rules
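Review bot: This hunk drops the `last` marker from the internal branch but keeps it for the external branch by appending `' last=1'` to the rule string on the final hop, so an internal rule is now written with no end-of-chain marker while an external one carries it in-band; whether the consumer treats a missing marker as 'last' is outside the hunk and deserves a comment. Appending to `value` inside the hop loop is only correct because it happens on the final iteration; `hop_value = value + ' last=1' if i == len(netpath) - 1 else value` makes that explicit. The rule string now has a token (`last=1`) that `Rule.rule` in firewall.py does not produce; documenting it in `qdb_forward_entries` keeps the two halves in sync.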
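Review bot: The trigger write `netvm.untrusted_qdb.write(base_dir[:-1], '')` sits after the loop, so it only reaches the last hop in `netpath`; the accept/drop path's comment says writing the base entry is what triggers the reload, so intermediate netvms receive new forward rules without a reload signal until something else triggers them. Moving that line inside the loop, directly after `netvm.untrusted_qdb.write(base_dir + key, value)`, signals each hop with its own `base_dir`. reload_firewall_for_vm starts outside the hunk.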