qubes-firewall: Move dynamic forward rules to a dedicated chain.

Users can jump to this chain to implement their custom configurations. Closes: QubesOS/qubes-issues#9340
QubesOS · Jul 5, 2024 · 6847689 · 6847689
1 parent 47ae4a3
commit 6847689
Showing 1 changed file with 4 additions and 1 deletion.
diff --git a/qubesagent/firewall.py b/qubesagent/firewall.py
@@ -401,7 +401,7 @@ def create_chain(self, addr, chain, family):
             'table {family} {table} {{\n'
             '  chain {chain} {{\n'
             '  }}\n'
-            '  chain forward {{\n'
+            '  chain qubes-forward {{\n'
             '    {family} saddr {ip} jump {chain}\n'
             '  }}\n'
             '}}\n'.format(
@@ -600,11 +600,14 @@ def apply_rules(self, source, rules):
     def init(self):
         nft_init = (
             'table {family} qubes-firewall {{\n'
+            '  chain qubes-forward {{\n'
+            '  }}\n'
             '  chain forward {{\n'
             '    type filter hook forward priority 0;\n'
             '    policy drop;\n'
             '    ct state established,related accept\n'
             '    meta iifname != "vif*" accept\n'
+            '    jump qubes-forward\n'
             '  }}\n'
             '  chain prerouting {{\n'
             '    type filter hook prerouting priority -300;\n'