qubes-firewall: Move dynamic forward rules to a dedicated chain.

Users can jump to this chain to implement their custom configurations. Closes: QubesOS/qubes-issues#9340
QubesOS · Jul 5, 2024 · 7447fa2 · 7447fa2
1 parent 47ae4a3
commit 7447fa2
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 2 deletions.
diff --git a/qubesagent/firewall.py b/qubesagent/firewall.py
@@ -401,7 +401,7 @@ def create_chain(self, addr, chain, family):
             'table {family} {table} {{\n'
             '  chain {chain} {{\n'
             '  }}\n'
-            '  chain forward {{\n'
+            '  chain qubes-forward {{\n'
             '    {family} saddr {ip} jump {chain}\n'
             '  }}\n'
             '}}\n'.format(
@@ -600,11 +600,14 @@ def apply_rules(self, source, rules):
     def init(self):
         nft_init = (
             'table {family} qubes-firewall {{\n'
+            '  chain qubes-forward {{\n'
+            '  }}\n'
             '  chain forward {{\n'
             '    type filter hook forward priority 0;\n'
             '    policy drop;\n'
             '    ct state established,related accept\n'
             '    meta iifname != "vif*" accept\n'
+            '    jump qubes-forward\n'
             '  }}\n'
             '  chain prerouting {{\n'
             '    type filter hook prerouting priority -300;\n'

diff --git a/qubesagent/test_firewall.py b/qubesagent/test_firewall.py
@@ -181,7 +181,7 @@ def expected_create_chain(self, family, addr, chain):
             'table {family} qubes-firewall {{\n'
             '  chain {chain} {{\n'
             '  }}\n'
-            '  chain forward {{\n'
+            '  chain qubes-forward {{\n'
             '    {family} saddr {addr} jump {chain}\n'
             '  }}\n'
             '}}\n'.format(family=family, addr=addr, chain=chain))
@@ -293,11 +293,14 @@ def test_006_init(self):
         self.assertEqual(self.obj.loaded_rules,
         [
             'table ip qubes-firewall {\n'
+            '  chain qubes-forward {\n'
+            '  }\n'
             '  chain forward {\n'
             '    type filter hook forward priority 0;\n'
             '    policy drop;\n'
             '    ct state established,related accept\n'
             '    meta iifname != "vif*" accept\n'
+            '    jump qubes-forward\n'
             '  }\n'
             '  chain prerouting {\n'
             '    type filter hook prerouting priority -300;\n'
@@ -309,11 +312,14 @@ def test_006_init(self):
             '  }\n'
             '}\n'
             'table ip6 qubes-firewall {\n'
+            '  chain qubes-forward {\n'
+            '  }\n'
             '  chain forward {\n'
             '    type filter hook forward priority 0;\n'
             '    policy drop;\n'
             '    ct state established,related accept\n'
             '    meta iifname != "vif*" accept\n'
+            '    jump qubes-forward\n'
             '  }\n'
             '  chain prerouting {\n'
             '    type filter hook prerouting priority -300;\n'