Properly handle from-0.0.0.0/0 for whole internet

For rules like this:
    [user@dom0 ~]$ qvm-static-ip -g net-testing static_ip
    192.168.1.123
    [user@dom0 ~]$ qvm-firewall -l net-testing
    Firewall policy: DENY all traffic except
    ICMP: ALLOW
    DNS: ALLOW
    Qubes yum proxy: DENY
    -----+---------------------+-------+---------+
     num |       address       | proto | port(s) |
    -----+---------------------+-------+---------+
      1  | from-0.0.0.0/0      | tcp   | http    |
      2  | from-0.0.0.0/0      | tcp   | https   |
      3  | 192.30.252.0/22     | tcp   | https   |
      4  | from-192.168.1.0/24 | tcp   | ssh     |

The following rules are observed before & after this patch (only
differing rules shown):

sys-firewall qubesdb-read /qubes-iptables-domainrules/${domid} before:
    -A PR-QBS-FORWARD -s 0.0.0.0 -d 192.168.1.123/0 -p tcp --dport 80 -j ACCEPT
    -A PR-QBS-FORWARD -s 0.0.0.0 -d 192.168.1.123/0 -p tcp --dport 443 -j ACCEPT
    -A PR-QBS-FORWARD -s 192.168.1.0 -d 192.168.1.123/24 -p tcp --dport 22 -j ACCEPT
after:
    -A PR-QBS-FORWARD -d 192.168.1.123 -p tcp --dport 80 -j ACCEPT
    -A PR-QBS-FORWARD -d 192.168.1.123 -p tcp --dport 443 -j ACCEPT
    -A PR-QBS-FORWARD -s 192.168.1.0/24 -d 192.168.1.123 -p tcp --dport 22 -j ACCEPT

sys-firewall iptables-save before:
    -A PR-QBS-FORWARD -s 0.0.0.0/32 -p tcp -m tcp --dport 80 -j ACCEPT
    -A PR-QBS-FORWARD -s 0.0.0.0/32 -p tcp -m tcp --dport 443 -j ACCEPT
    -A PR-QBS-FORWARD -s 192.168.1.0/32 -d 192.168.1.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
after:
    -A PR-QBS-FORWARD -d 192.168.1.123/32 -p tcp -m tcp --dport 80 -j ACCEPT
    -A PR-QBS-FORWARD -d 192.168.1.123/32 -p tcp -m tcp --dport 443 -j ACCEPT
    -A PR-QBS-FORWARD -s 192.168.1.0/24 -d 192.168.1.123/32 -p tcp -m tcp --dport 22 -j ACCEPT

net-testing iptables-save before:
    -A FORTRESS-INPUT -s 0.0.0.0/32 -p tcp -m tcp --dport 80 -j ACCEPT
    -A FORTRESS-INPUT -s 0.0.0.0/32 -p tcp -m tcp --dport 443 -j ACCEPT
    -A FORTRESS-INPUT -s 192.168.1.0/32 -d 192.168.1.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
after:
    -A FORTRESS-INPUT -d 192.168.1.123/32 -p tcp -m tcp --dport 80 -j ACCEPT
    -A FORTRESS-INPUT -d 192.168.1.123/32 -p tcp -m tcp --dport 443 -j ACCEPT
    -A FORTRESS-INPUT -s 192.168.1.0/24 -d 192.168.1.123/32 -p tcp -m tcp --dport 22 -j ACCEPT

sys-net: No changes.

Note that this also fixes an issue where the netmask in from- rules was
being applied to -d instead of -s.

plugin/007FortressQubesProxyVm.py

@@ -96,35 +96,45 @@ class QubesProxyVm(OriginalQubesProxyVm):
                 rules_action = accept_action
 
             for rule in conf["rules"]:
-                if getattr(vm, "static_ip", None) and rule["address"].startswith("from-"):
-                    ruletext = "-s {0} -d {1}".format(rule["address"][len("from-"):], ip)
-                    if rule["netmask"] != 32:
-                        ruletext += "/{0}".format(rule["netmask"])
+                is_inbound = rule["address"].startswith("from-") and getattr(vm, "static_ip", None)
+                if is_inbound:
+                    src_addr = rule["address"][len("from-"):]
+                    src_mask = rule["netmask"]
+                    dst_addr = ip
+                    dst_mask = 32
+                else:
+                    src_addr = ip
+                    src_mask = 32
+                    dst_addr = rule["address"]
+                    dst_mask = rule["netmask"]
 
-                    if rule["proto"] is not None and rule["proto"] != "any":
-                        ruletext += " -p {0}".format(rule["proto"])
-                        if rule["portBegin"] is not None and rule["portBegin"] > 0:
-                            ruletext += " --dport {0}".format(rule["portBegin"])
-                            if rule["portEnd"] is not None and rule["portEnd"] > rule["portBegin"]:
-                                ruletext += ":{0}".format(rule["portEnd"])
+                args = []
 
-                    ruletext += " -j {0}\n".format(rules_action)
-                    iptables += "-A PR-QBS-FORWARD " + ruletext
-                    vm_iptables += "-A FORTRESS-INPUT " + ruletext
-                    continue
+                def constrain(sd, addr, mask):
+                    if mask != 0:
+                        if mask == 32:
+                            args.append("{0} {1}".format(sd, addr))
+                        else:
+                            args.append("{0} {1}/{2}".format(sd, addr, mask))
 
-                iptables += "-A PR-QBS-FORWARD -s {0} -d {1}".format(ip, rule["address"])
-                if rule["netmask"] != 32:
-                    iptables += "/{0}".format(rule["netmask"])
+                constrain("-s", src_addr, src_mask)
+                constrain("-d", dst_addr, dst_mask)
 
                 if rule["proto"] is not None and rule["proto"] != "any":
-                    iptables += " -p {0}".format(rule["proto"])
+                    args.append("-p {0}".format(rule["proto"]))
                     if rule["portBegin"] is not None and rule["portBegin"] > 0:
-                        iptables += " --dport {0}".format(rule["portBegin"])
                         if rule["portEnd"] is not None and rule["portEnd"] > rule["portBegin"]:
-                            iptables += ":{0}".format(rule["portEnd"])
+                            portrange = "{0}:{1}".format(rule["portBegin"], rule["portEnd"])
+                        else:
+                            portrange = rule["portBegin"]
+                        args.append("--dport {0}".format(portrange))
 
-                iptables += " -j {0}\n".format(rules_action)
+                args.append("-j {0}".format(rules_action))
+                ruletext = ' '.join(args)
+
+                iptables += "-A PR-QBS-FORWARD {0}\n".format(ruletext)
+                if is_inbound:
+                    vm_iptables += "-A FORTRESS-INPUT {0}\n".format(ruletext)
 
             if conf["allowDns"] and self.netvm is not None:
                 # PREROUTING does DNAT to NetVM DNSes, so we need self.netvm.

version

@@ -1 +1 @@
-0.0.7
+0.0.8