From 0caa7fcf75a7521b47a5652df4e3b0ef772ee2e1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?=
Date: Thu, 12 Nov 2020 00:53:48 +0100
Subject: [PATCH] network: stop IP forwarding before disabling firewall

Stop IP forwarding when stopping qubes-network service (which initially enables it). This makes ordering against qubes-firewall safe - firewall is applied before allowing IP forward and then is removed when IP forward is already disabled. Fixes QubesOS/qubes-issues#5599
---
 debian/qubes-core-agent-networking.install | 1 +
 rpm_spec/core-agent.spec.in | 1 +
 vm-systemd/network-proxy-stop.sh | 7 +++++++
 vm-systemd/qubes-network.service | 1 +
 4 files changed, 10 insertions(+)
 create mode 100755 vm-systemd/network-proxy-stop.sh

diff --git a/debian/qubes-core-agent-networking.install b/debian/qubes-core-agent-networking.install
index 7f371ef..8c63f10 100644
--- a/debian/qubes-core-agent-networking.install
+++ b/debian/qubes-core-agent-networking.install
@@ -13,6 +13,7 @@ lib/systemd/system/qubes-iptables.service
 lib/systemd/system/qubes-network.service
 lib/systemd/system/qubes-updates-proxy.service
 usr/lib/qubes/init/network-proxy-setup.sh
+usr/lib/qubes/init/network-proxy-stop.sh
 usr/lib/qubes/init/qubes-iptables
 usr/lib/qubes/iptables-updates-proxy
 usr/lib/qubes/qubes-setup-dnat-to-ns
diff --git a/rpm_spec/core-agent.spec.in b/rpm_spec/core-agent.spec.in
index 0ec54e0..3e663d3 100644
--- a/rpm_spec/core-agent.spec.in
+++ b/rpm_spec/core-agent.spec.in
@@ -799,6 +799,7 @@ rm -f %{name}-%{version}
 /lib/systemd/system/qubes-network.service
 /lib/systemd/system/qubes-updates-proxy.service
 /usr/lib/qubes/init/network-proxy-setup.sh
+/usr/lib/qubes/init/network-proxy-stop.sh
 /usr/lib/qubes/init/qubes-iptables
 /usr/lib/qubes/iptables-updates-proxy
 /usr/lib/qubes/qubes-setup-dnat-to-ns
diff --git a/vm-systemd/network-proxy-stop.sh b/vm-systemd/network-proxy-stop.sh
new file mode 100755
index 0000000..4ef924e
--- /dev/null
+++ b/vm-systemd/network-proxy-stop.sh
@@ -0,0 +1,7 @@
+#!/bin/sh
+
+echo 0 > /proc/sys/net/ipv4/ip_forward
+# disable also IPv6 forwarding, if IPv6 applicable
+if [ -w /proc/sys/net/ipv6/conf/all/forwarding ]; then
+ echo 0 > /proc/sys/net/ipv6/conf/all/forwarding
+fi
diff --git a/vm-systemd/qubes-network.service b/vm-systemd/qubes-network.service
index c5aa410..5281bf1 100644
--- a/vm-systemd/qubes-network.service
+++ b/vm-systemd/qubes-network.service
@@ -8,6 +8,7 @@ After=network-pre.target qubes-iptables.service
 Type=oneshot
 RemainAfterExit=yes
 ExecStart=/usr/lib/qubes/init/network-proxy-setup.sh
+ExecStop=/usr/lib/qubes/init/network-proxy-stop.sh
 
 [Install]
 WantedBy=multi-user.target
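Review bot: The IPv4 write `echo 0 > /proc/sys/net/ipv4/ip_forward` in network-proxy-stop.sh has no error handling, so if that write fails the script still falls through the IPv6 `if` and in most cases exits 0, and systemd never reports that forwarding stayed enabled while the firewall is torn down afterwards. Adding `set -e` right after the shebang (or `|| exit 1` on that line) would surface the failure as an ExecStop error in the journal; the IPv6 branch already guards its sysctl with `-w`, so it is unaffected. A one-line header comment such as `# ExecStop for qubes-network.service: disable IP forwarding before the firewall rules are removed` would also make the ordering intent from the commit message visible to whoever edits this file later.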
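Review bot: The safety argument in the commit message depends on systemd's reverse stop order running the new `ExecStop=` in qubes-network.service before the firewall rules are removed, i.e. on this unit being ordered after qubes-firewall.service (via `After=` here or `Before=` in the firewall unit); the visible context only shows `After=network-pre.target qubes-iptables.service`, and the rest of [Unit] is outside the hunk, so I cannot confirm that edge exists. If it does, a comment above the new line, `# Stop order is the reverse of start order: forwarding is disabled here before the qubes-iptables/qubes-firewall rules are torn down`, would record why the ordering matters; if it does not, the ExecStop alone does not give the guarantee described.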