authorMaxim Devaev <[email protected]>2023-03-26 01:24:26 +0200
committerMaxim Devaev <[email protected]>2023-03-26 01:24:26 +0200
commitf6283e1197511e134a4d9831999f7b54d1c5c672 (patch)
treeea2d7ef6815cc738f68e3d85abd705ab15600a20 /kvmd/apps
parent2cd2fa87228bdd2c325513358df6bceaff790f92 (diff)
pikvm/pikvm#957: Added ESTABLISHED,RELATED rule to otgnet
Diffstat (limited to 'kvmd/apps')
-rw-r--r--kvmd/apps/otgnet/__init__.py2
-rw-r--r--kvmd/apps/otgnet/netctl.py13
2 files changed, 15 insertions, 0 deletions
diff --git a/kvmd/apps/otgnet/__init__.py b/kvmd/apps/otgnet/__init__.py
index a3d69216..b3bfd9a4 100644
--- a/kvmd/apps/otgnet/__init__.py
+++ b/kvmd/apps/otgnet/__init__.py
@@ -39,6 +39,7 @@ from .. import init
from .netctl import BaseCtl
from .netctl import IfaceUpCtl
from .netctl import IfaceAddIpCtl
+from .netctl import IptablesAllowEstRelCtl
from .netctl import IptablesDropAllCtl
from .netctl import IptablesAllowIcmpCtl
from .netctl import IptablesAllowPortCtl
@@ -101,6 +102,7 @@ class _Service: # pylint: disable=too-many-instance-attributes
ctls: list[BaseCtl] = [
CustomCtl(self.__pre_start_cmd, self.__post_stop_cmd, placeholders),
IfaceUpCtl(self.__ip_cmd, netcfg.iface),
+ IptablesAllowEstRelCtl(self.__iptables_cmd, netcfg.iface),
*([IptablesAllowIcmpCtl(self.__iptables_cmd, netcfg.iface)] if self.__allow_icmp else []),
*[
IptablesAllowPortCtl(self.__iptables_cmd, netcfg.iface, port, tcp)
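Review bot: The position of the new IptablesAllowEstRelCtl entry in the ctls list is order-sensitive and nothing on the line says so: each ctl installs its rule with `-A`, so the rules land in the INPUT chain in list order and the ESTABLISHED,RELATED ACCEPT only does its job if it is appended before the IptablesDropAllCtl entry, which is imported in the first hunk but sits outside this one. A short comment would protect that from a later reshuffle, e.g. `# Must stay ahead of IptablesDropAllCtl: rules are appended in list order`. The `_Service` class and the ctls list both continue outside the hunk, so the actual distance to the DROP entry cannot be confirmed from here.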
diff --git a/kvmd/apps/otgnet/netctl.py b/kvmd/apps/otgnet/netctl.py
index 15b5ea8c..4c3f2b69 100644
--- a/kvmd/apps/otgnet/netctl.py
+++ b/kvmd/apps/otgnet/netctl.py
@@ -45,6 +45,19 @@ class IfaceAddIpCtl(BaseCtl):
return [*self.__base_cmd, "address", ("add" if direct else "del"), self.__cidr, "dev", self.__iface]
+class IptablesAllowEstRelCtl(BaseCtl):
+ def __init__(self, base_cmd: list[str], iface: str) -> None:
+ self.__base_cmd = base_cmd
+ self.__iface = iface
+
+ def get_command(self, direct: bool) -> list[str]:
+ return [
+ *self.__base_cmd,
+ ("-A" if direct else "-D"), "INPUT", "-i", self.__iface,
+ "-m", "state", "--state", "ESTABLISHED,RELATED", "-j", "ACCEPT",
+ ]
+
+
class IptablesDropAllCtl(BaseCtl):
def __init__(self, base_cmd: list[str], iface: str) -> None:
self.__base_cmd = base_cmd