From 7447fa264a502d17fadc512f789653519358ecd2 Mon Sep 17 00:00:00 2001
From: 3hhh
Date: Fri, 5 Jul 2024 14:24:16 +0200
Subject: [PATCH] qubes-firewall: Move dynamic forward rules to a dedicated chain.

Users can jump to this chain to implement their custom configurations.

Closes: QubesOS/qubes-issues#9340
---
 qubesagent/firewall.py | 5 ++++-
 qubesagent/test_firewall.py | 8 +++++++-
 2 files changed, 11 insertions(+), 2 deletions(-)

diff --git a/qubesagent/firewall.py b/qubesagent/firewall.py
index 1634329d..7c318453 100755
--- a/qubesagent/firewall.py
+++ b/qubesagent/firewall.py
@@ -401,7 +401,7 @@ def create_chain(self, addr, chain, family):
 'table {family} {table} {{\n'
 ' chain {chain} {{\n'
 ' }}\n'
- ' chain forward {{\n'
+ ' chain qubes-forward {{\n'
 ' {family} saddr {ip} jump {chain}\n'
 ' }}\n'
 '}}\n'.format(
@@ -600,11 +600,14 @@ def apply_rules(self, source, rules):
 def init(self):
 nft_init = (
 'table {family} qubes-firewall {{\n'
+ ' chain qubes-forward {{\n'
+ ' }}\n'
 ' chain forward {{\n'
 ' type filter hook forward priority 0;\n'
 ' policy drop;\n'
 ' ct state established,related accept\n'
 ' meta iifname != "vif*" accept\n'
+ ' jump qubes-forward\n'
 ' }}\n'
 ' chain prerouting {{\n'
 ' type filter hook prerouting priority -300;\n'
diff --git a/qubesagent/test_firewall.py b/qubesagent/test_firewall.py
index 79d16c49..4938d451 100644
--- a/qubesagent/test_firewall.py
+++ b/qubesagent/test_firewall.py
@@ -181,7 +181,7 @@ def expected_create_chain(self, family, addr, chain):
 'table {family} qubes-firewall {{\n'
 ' chain {chain} {{\n'
 ' }}\n'
- ' chain forward {{\n'
+ ' chain qubes-forward {{\n'
 ' {family} saddr {addr} jump {chain}\n'
 ' }}\n'
 '}}\n'.format(family=family, addr=addr, chain=chain))
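Review bot: The per-VM `{family} saddr {ip} jump {chain}` rule is now written into `qubes-forward`, a chain that create_chain neither creates nor checks for, so it only has an effect once init() has created that chain and made `forward` jump to it, and nothing in the code records that dependency. If the chain is absent (for instance on a running system whose loaded ruleset predates this change), this nft script would presumably create `qubes-forward` as a plain regular chain that no base chain jumps to, and the base `forward` chain's `policy drop` would then reject that VM's new connections — fail-closed, but silently so. A one-line comment above the literal, `# qubes-forward is created by init(), which makes the base forward chain jump to it after the ct/iifname accepts`, would make the coupling explicit for the next maintainer. create_chain begins outside this hunk.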
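Review bot: The new `jump qubes-forward` is placed after `ct state established,related accept` and `meta iifname != "vif*" accept`, so only new connections arriving from a vif interface ever reach the user-extensible chain, and because `qubes-forward` is declared with no hook and no policy, a packet it does not verdict returns to `forward` and falls to `policy drop`; neither property is documented in init(). Both matter to anyone adding custom rules there (an `accept` in that chain is final for this base chain, while a rule that never matches leaves the default drop in force), so a comment between the literals would help, e.g. `# only new, vif-sourced traffic reaches qubes-forward; no verdict there -> policy drop`. init() starts in this hunk but its body continues past it.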
@@ -293,11 +293,14 @@ def test_006_init(self):
 self.assertEqual(self.obj.loaded_rules, [
 'table ip qubes-firewall {\n'
+ ' chain qubes-forward {\n'
+ ' }\n'
 ' chain forward {\n'
 ' type filter hook forward priority 0;\n'
 ' policy drop;\n'
 ' ct state established,related accept\n'
 ' meta iifname != "vif*" accept\n'
+ ' jump qubes-forward\n'
 ' }\n'
 ' chain prerouting {\n'
 ' type filter hook prerouting priority -300;\n'
@@ -309,11 +312,14 @@ def test_006_init(self):
 ' }\n'
 '}\n'
 'table ip6 qubes-firewall {\n'
+ ' chain qubes-forward {\n'
+ ' }\n'
 ' chain forward {\n'
 ' type filter hook forward priority 0;\n'
 ' policy drop;\n'
 ' ct state established,related accept\n'
 ' meta iifname != "vif*" accept\n'
+ ' jump qubes-forward\n'
 ' }\n'
 ' chain prerouting {\n'
 ' type filter hook prerouting priority -300;\n'
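Review bot: The expected init ruleset is spelled out twice, once for `ip` and once for `ip6`, so each of the three new lines had to be pasted into both literals (this hunk and the one at line 309), which makes it easy for the two families to drift apart in the test without anyone noticing. A small helper that renders one `{family}`-formatted template per family, in the same way `expected_create_chain` already does for create_chain, would leave a single copy to maintain and would also make the assertion read as "same rules for both families" rather than two independent walls of text. The `self.assertEqual(...)` list opened in the first hunk continues past both hunks.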