network: stop IP forwarding before disabling firewall

Stop IP forwarding when stopping qubes-network service (which initially enables it). This makes ordering against qubes-firewall safe - firewall is applied before allowing IP forward and then is removed when IP forward is already disabled. Fixes QubesOS/qubes-issues#5599
2020-11-12 00:53:48 +01:00 · 2020-11-12 00:53:48 +01:00 · 0caa7fcf75
commit 0caa7fcf75
parent f66a494cc2
4 changed files with 10 additions and 0 deletions
--- a/debian/qubes-core-agent-networking.install
+++ b/debian/qubes-core-agent-networking.install
@ -13,6 +13,7 @@ lib/systemd/system/qubes-iptables.service
 lib/systemd/system/qubes-network.service
 lib/systemd/system/qubes-updates-proxy.service
 usr/lib/qubes/init/network-proxy-setup.sh
+usr/lib/qubes/init/network-proxy-stop.sh
 usr/lib/qubes/init/qubes-iptables
 usr/lib/qubes/iptables-updates-proxy
 usr/lib/qubes/qubes-setup-dnat-to-ns
--- a/rpm_spec/core-agent.spec.in
+++ b/rpm_spec/core-agent.spec.in
@ -799,6 +799,7 @@ rm -f %{name}-%{version}
 /lib/systemd/system/qubes-network.service
 /lib/systemd/system/qubes-updates-proxy.service
 /usr/lib/qubes/init/network-proxy-setup.sh
+/usr/lib/qubes/init/network-proxy-stop.sh
 /usr/lib/qubes/init/qubes-iptables
 /usr/lib/qubes/iptables-updates-proxy
 /usr/lib/qubes/qubes-setup-dnat-to-ns
--- a/vm-systemd/network-proxy-stop.sh
+++ b/vm-systemd/network-proxy-stop.sh
@ -0,0 +1,7 @@
+#!/bin/sh
+
+echo 0 > /proc/sys/net/ipv4/ip_forward
+# disable also IPv6 forwarding, if IPv6 applicable
+if [ -w /proc/sys/net/ipv6/conf/all/forwarding ]; then
+    echo 0 > /proc/sys/net/ipv6/conf/all/forwarding
+fi
--- a/vm-systemd/qubes-network.service
+++ b/vm-systemd/qubes-network.service
@ -8,6 +8,7 @@ After=network-pre.target qubes-iptables.service
 Type=oneshot
 RemainAfterExit=yes
 ExecStart=/usr/lib/qubes/init/network-proxy-setup.sh
+ExecStop=/usr/lib/qubes/init/network-proxy-stop.sh

 [Install]
 WantedBy=multi-user.target