Brown paper bug. Fixed.

qubes-network-server.spec

@@ -3,7 +3,7 @@
 %define mybuildnumber %{?build_number}%{?!build_number:1}
 
 Name:           qubes-network-server
-Version:        0.0.7
+Version:        0.0.8
 Release:        %{mybuildnumber}%{?dist}
 Summary:        Turn your Qubes OS into a network server
 BuildArch:      noarch

src/usr/lib64/python2.7/site-packages/qubes/modules/001FortressQubesVm.py

@@ -106,7 +106,7 @@ class QubesVm(OriginalQubesVm):
 
     def start_qrexec_daemon(self, verbose=False, notify_function=None):
         ret = OriginalQubesVm.start_qrexec_daemon(self, verbose=verbose, notify_function=notify_function)
-        if self.type not in ['AppVM', 'HVM']:
+        if self.type in ['AppVM', 'HVM']:
             self.deploy_appvm_firewall(verbose=verbose, notify_function=notify_function)
         self.adjust_proxy_arp(verbose=verbose, notify_function=notify_function)
         self.adjust_own_firewall_rules()
@@ -396,6 +396,19 @@ class QubesVm(OriginalQubesVm):
             f.close()
 
     def deploy_appvm_firewall(self, verbose = False, notify_function=None):
+        # FIXME FIXME FIXME!
+        #
+        # Finish porting all code here that sets rules in AppVMs to
+        # use this daemon instead, so that rules can be configured
+        # to work properly without bullshit of any kind.
+        #
+        # See 007FortressQubesProxyVm.py code for where that may
+        # happen, as well as any place where FORTRESS-INPUT appears
+        # or is involved.
+        #
+        # Maybe: templatize qubes-appvm-firewall so that the template
+        # can take the name of the chain and the name of the key
+        # from this upstream program which deploys it into VMs.
         def n(msg):
             if notify_function:
                 notify_function("info", msg)