Modify VM packages to:
- do not conflicts
- starts services if its VM type need it
Added core-proxyvm (firewall) and core-commonvm (common parts) packages.
Unfortunately, config files layout changes with NM version; therefore
require >= 0.8.1-1.
This should also prevent NM from messing with VIF interfaces on suspend/resume.
Plus:
- dedicated chain for DNAT to nameservers
- prevent intervm networking. Can be conveniently overriden in necessary cases
by inserting ACCEPT clauses (per VM, probably) at the top of FORWARD
qubes_setup_dnat_to_ns script sets up DNAT rules for DNS traffic; it is
triggered by dhclient or NetworkManager, and manually (in case there is
a static resolv.conf).
Put IP-dependent rules in qubes-core, after local ip is known. It could be
further improved by introducing custom chains, to enable iptables save.
Restrict FORWARD.