
network: use own iptables service instead of repurposing existing one

There were multiple problems with reusing existing one:
 - need to sync with upstream changes (configuration path etc)
 - conflicts resolution on updates
 - lack of iptables --wait, which causes firewall fail to load sometimes

QubesOS/qubes-issues#1067
Marek Marczykowski-Górecki 8 tahun lalu
induk
melakukan
65e9e4c72c

+ 5 - 5
Makefile

@@ -79,6 +79,7 @@ install-systemd:
 	install -m 0644 vm-systemd/75-qubes-vm.preset $(DESTDIR)$(SYSLIBDIR)/systemd/system-preset/
 	install -m 0644 vm-systemd/qubes-core.conf $(DESTDIR)$(SYSLIBDIR)/modules-load.d/
 	install -m 0644 vm-systemd/qubes-misc.conf $(DESTDIR)$(SYSLIBDIR)/modules-load.d/
+	install -m 0755 network/qubes-iptables $(DESTDIR)$(LIBDIR)/qubes/init/
 
 install-sysvinit:
 	install -d $(DESTDIR)/etc/init.d
@@ -91,6 +92,7 @@ install-sysvinit:
 	install vm-init.d/qubes-updates-proxy $(DESTDIR)/etc/init.d/
 	install -D vm-init.d/qubes-core.modules $(DESTDIR)/etc/sysconfig/modules/qubes-core.modules
 	install -D vm-init.d/qubes-misc.modules $(DESTDIR)/etc/sysconfig/modules/qubes-misc.modules
+	install network/qubes-iptables $(DESTDIR)/etc/init.d/
 
 install-rh: install-systemd install-systemd-dropins install-sysvinit
 	install -D -m 0644 misc/qubes-r3.repo $(DESTDIR)/etc/yum.repos.d/qubes-r3.repo
@@ -114,9 +116,6 @@ install-rh: install-systemd install-systemd-dropins install-sysvinit
 	install -D -m 0644 misc/serial.conf $(DESTDIR)/usr/share/qubes/serial.conf
 	install -D misc/qubes-serial-login $(DESTDIR)/$(SBINDIR)/qubes-serial-login
 
-	install -m 0400 -D network/iptables $(DESTDIR)/usr/lib/qubes/init/iptables
-	install -m 0400 -D network/ip6tables $(DESTDIR)/usr/lib/qubes/init/ip6tables
-
 install-common:
 	install -m 0644 -D misc/fstab $(DESTDIR)/etc/fstab
 
@@ -162,6 +161,9 @@ install-common:
 	install -d $(DESTDIR)/etc/xdg/autostart
 	install -m 0755 network/show-hide-nm-applet.sh $(DESTDIR)$(LIBDIR)/qubes/show-hide-nm-applet.sh
 	install -m 0644 network/show-hide-nm-applet.desktop $(DESTDIR)/etc/xdg/autostart/00-qubes-show-hide-nm-applet.desktop
+	install -m 0400 -D network/iptables $(DESTDIR)/etc/qubes/iptables.rules
+	install -m 0400 -D network/ip6tables $(DESTDIR)/etc/qubes/ip6tables.rules
+
 
 	install -d $(DESTDIR)/$(SBINDIR)
 	install network/qubes-firewall $(DESTDIR)/$(SBINDIR)/
@@ -213,8 +215,6 @@ install-deb: install-common install-systemd install-systemd-dropins
 	mkdir -p $(DESTDIR)/etc/apt/sources.list.d
 	sed -e "s/@DIST@/`lsb_release -cs`/" misc/qubes-r3.list.in > $(DESTDIR)/etc/apt/sources.list.d/qubes-r3.list
 	install -D -m 644 misc/qubes-archive-keyring.gpg $(DESTDIR)/etc/apt/trusted.gpg.d/qubes-archive-keyring.gpg
-	install -D -m 644 network/iptables $(DESTDIR)/etc/iptables/rules.v4
-	install -D -m 644 network/ip6tables $(DESTDIR)/etc/iptables/rules.v6
 	install -D -m 644 network/00notify-hook $(DESTDIR)/etc/apt/apt.conf.d/00notify-hook
 	install -d $(DESTDIR)/etc/sysctl.d
 	install -m 644 network/80-qubes.conf $(DESTDIR)/etc/sysctl.d/
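Review bot: The install-common hunk leaves two consecutive blank lines after the two new `install -m 0400 -D network/ip*tables` lines (the rule already ended with a blank line), so one of the added blank lines can be dropped. Because the rules are now installed from install-common, Debian builds also receive `/etc/qubes/iptables.rules` and `/etc/qubes/ip6tables.rules` while install-deb stops shipping `/etc/iptables/rules.v4` and `rules.v6`; if the Debian packaging still pulls in a rules-persistence package that consumed those files, it is now redundant, but that is outside this diff. Going from 0644 to 0400 on the rule files is a sensible tightening, since only the root-run init script reads them.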

+ 59 - 0
network/qubes-iptables

@@ -0,0 +1,59 @@
+#!/bin/bash
+#
+# qubes-iptables	Start Qubes base iptables firewall
+#
+# chkconfig: 2345 08 92
+# description:	Loads iptables firewall
+#
+# config: /etc/qubes/iptables.rules
+# config: /etc/qubes/ip6tables.rules
+#
+### BEGIN INIT INFO
+# Provides: iptables
+# Required-Start:
+# Required-Stop:
+# Default-Start: 2 3 4 5
+# Default-Stop: 0 1 6
+# Short-Description: Loads Qubes base iptables firewall
+# Description: Loads Qubes base iptables firewall
+### END INIT INFO
+
+IPTABLES=iptables
+IPTABLES_DATA_DIR=/etc/qubes
+
+if [ ! -x /sbin/$IPTABLES ]; then
+    echo $"${IPTABLES}: /sbin/$IPTABLES does not exist."
+    exit 5
+fi
+
+start() {
+    ipt=$1
+    IPTABLES_DATA=$IPTABLES_DATA_DIR/${ipt}.rules
+    CMD=$ipt
+    # Do not start if there is no config file.
+    [ ! -f "$IPTABLES_DATA" ] && return 6
+
+    echo -n $"${CMD}: Applying firewall rules: "
+
+    $CMD-restore $IPTABLES_DATA
+    if [ $? -eq 0 ]; then
+        echo OK
+    else
+        echo FAIL; return 1
+    fi
+    
+    return $ret
+}
+
+case "$1" in
+    start)
+	start iptables && start ip6tables
+	RETVAL=$?
+	;;
+    *)
+	echo $"Usage: ${IPTABLES} start"
+	RETVAL=2
+	;;
+esac
+
+exit $RETVAL
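Review bot: `return $ret` at the end of start() references a variable that is never assigned, so it degrades to a bare `return` and reports the status of the preceding `echo OK`; it should be `return 0`, or the OK branch should return inside the `if`. The commit message names the missing `iptables --wait` as a reason for the new service, yet `$CMD-restore $IPTABLES_DATA` does not pass `--wait` either — confirm whether the iptables-restore shipped by the target distributions supports that option before relying on it. The up-front check only tests `/sbin/$IPTABLES`, while the `-restore` binaries are resolved through PATH and ip6tables is never checked, and `$IPTABLES_DATA` is unquoted. A tightened start() follows.
```shell
start() {
    local ipt=$1
    local rules="$IPTABLES_DATA_DIR/${ipt}.rules"
    # Do not start if there is no config file (LSB status 6: not configured).
    [ ! -f "$rules" ] && return 6

    echo -n $"${ipt}: Applying firewall rules: "
    # NOTE(review): add --wait here only once the shipped iptables-restore supports it.
    if "${ipt}-restore" "$rules"; then
        echo OK
        return 0
    fi
    echo FAIL
    return 1
}
```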

+ 11 - 40
rpm_spec/core-vm.spec

@@ -37,7 +37,6 @@ Requires:   yum-plugin-post-transaction-actions
 Requires:   NetworkManager >= 0.8.1-1
 %if %{fedora} >= 18
 # Fedora >= 18 defaults to firewalld, which isn't supported nor needed by Qubes
-Requires:   iptables-services
 Conflicts:  firewalld
 %endif
 Requires:	/usr/bin/mimeopen
@@ -120,9 +119,6 @@ usermod -L user
 (cd qrexec; make install DESTDIR=$RPM_BUILD_ROOT)
 make install-vm DESTDIR=$RPM_BUILD_ROOT
 
-cp -p $RPM_BUILD_ROOT/usr/lib/qubes/init/iptables $RPM_BUILD_ROOT/etc/sysconfig/iptables.qubes
-cp -p $RPM_BUILD_ROOT/usr/lib/qubes/init/ip6tables $RPM_BUILD_ROOT/etc/sysconfig/ip6tables.qubes
-
 %triggerin -- initscripts
 if [ -e /etc/init/serial.conf ]; then
 	cp /usr/share/qubes/serial.conf /etc/init/serial.conf
@@ -131,25 +127,6 @@ fi
 %triggerin -- pulseaudio-module-x11
 /usr/bin/qubes-desktop-file-install --force --dir /var/lib/qubes/xdg/autostart --remove-show-in --add-not-show-in X-QUBES /etc/xdg/autostart/pulseaudio.desktop
 
-%triggerin -- iptables
-if ! grep -q IPTABLES_DATA /etc/sysconfig/iptables-config; then
-    cat <<EOF >>/etc/sysconfig/iptables-config
-
-### Automatically added by Qubes:
-# Override default rules location on Qubes
-IPTABLES_DATA=/etc/sysconfig/iptables.qubes
-EOF
-fi
-
-if ! grep -q IP6TABLES_DATA /etc/sysconfig/ip6tables-config; then
-    cat <<EOF >>/etc/sysconfig/ip6tables-config
-
-### Automatically added by Qubes:
-# Override default rules location on Qubes
-IP6TABLES_DATA=/etc/sysconfig/ip6tables.qubes
-EOF
-fi
-
 %post
 
 # disable some Upstart services
@@ -203,16 +180,6 @@ EOF
     fi
 fi
 
-# Make sure that /etc/sysconfig/ip(|6)tables exists. Otherwise iptales.service
-# would not start (even when configured to use another configuration file.
-if [ ! -e '/etc/sysconfig/iptables' ]; then
-  ln -s iptables.qubes /etc/sysconfig/iptables
-fi
-if [ ! -e '/etc/sysconfig/ip6tables' ]; then
-  ln -s ip6tables.qubes /etc/sysconfig/ip6tables
-fi
-
-
 # ensure that hostname resolves to 127.0.0.1 resp. ::1 and that /etc/hosts is
 # in the form expected by qubes-sysinit.sh
 if ! grep -rq "^/etc/hostname$" "${PROTECTED_FILE_LIST}" 2>/dev/null; then
@@ -357,10 +324,8 @@ rm -f %{name}-%{version}
 %config(noreplace) /etc/qubes-rpc/qubes.GetImageRGBA
 %config(noreplace) /etc/qubes-rpc/qubes.SetDateTime
 %config(noreplace) /etc/sudoers.d/qubes
-%config(noreplace) /etc/sysconfig/iptables.qubes
-%config(noreplace) /etc/sysconfig/ip6tables.qubes
-/usr/lib/qubes/init/iptables
-/usr/lib/qubes/init/ip6tables
+%config(noreplace) /etc/qubes/iptables.rules
+%config(noreplace) /etc/qubes/ip6tables.rules
 %config(noreplace) /etc/tinyproxy/filter-updates
 %config(noreplace) /etc/tinyproxy/tinyproxy-updates.conf
 %config(noreplace) /etc/udev/rules.d/50-qubes-misc.rules
@@ -451,6 +416,7 @@ The Qubes core startup configuration for SysV init (or upstart).
 /etc/init.d/qubes-core-netvm
 /etc/init.d/qubes-firewall
 /etc/init.d/qubes-netwatcher
+/etc/init.d/qubes-iptables
 /etc/init.d/qubes-updates-proxy
 /etc/init.d/qubes-qrexec-agent
 /etc/sysconfig/modules/qubes-core.modules
@@ -476,8 +442,6 @@ done
 chkconfig rsyslog on
 chkconfig haldaemon on
 chkconfig messagebus on
-chkconfig iptables on
-chkconfig ip6tables on
 chkconfig --add qubes-core || echo "WARNING: Cannot add service qubes-core!"
 chkconfig qubes-core on || echo "WARNING: Cannot enable service qubes-core!"
 chkconfig --add qubes-core-netvm || echo "WARNING: Cannot add service qubes-core-netvm!"
@@ -488,6 +452,8 @@ chkconfig --add qubes-firewall || echo "WARNING: Cannot add service qubes-firewa
 chkconfig qubes-firewall on || echo "WARNING: Cannot enable service qubes-firewall!"
 chkconfig --add qubes-netwatcher || echo "WARNING: Cannot add service qubes-netwatcher!"
 chkconfig qubes-netwatcher on || echo "WARNING: Cannot enable service qubes-netwatcher!"
+chkconfig --add qubes-iptables || echo "WARNING: Cannot add service qubes-iptables!"
+chkconfig qubes-iptables on || echo "WARNING: Cannot enable service qubes-iptables!"
 chkconfig --add qubes-updates-proxy || echo "WARNING: Cannot add service qubes-updates-proxy!"
 chkconfig qubes-updates-proxy on || echo "WARNING: Cannot enable service qubes-updates-proxy!"
 chkconfig --add qubes-qrexec-agent || echo "WARNING: Cannot add service qubes-qrexec-agent!"
@@ -531,6 +497,7 @@ The Qubes core startup configuration for SystemD init.
 /lib/systemd/system/qubes-mount-home.service
 /lib/systemd/system/qubes-netwatcher.service
 /lib/systemd/system/qubes-network.service
+/lib/systemd/system/qubes-iptables.service
 /lib/systemd/system/qubes-sysinit.service
 /lib/systemd/system/qubes-update-check.service
 /lib/systemd/system/qubes-update-check.timer
@@ -542,6 +509,7 @@ The Qubes core startup configuration for SystemD init.
 %dir /usr/lib/qubes/init
 /usr/lib/qubes/init/prepare-dvm.sh
 /usr/lib/qubes/init/network-proxy-setup.sh
+/usr/lib/qubes/init/qubes-iptables
 /usr/lib/qubes/init/misc-post.sh
 /usr/lib/qubes/init/misc-post-stop.sh
 /usr/lib/qubes/init/mount-home.sh
@@ -565,11 +533,14 @@ if [ $1 -eq 1 ]; then
 else
     services="qubes-dvm qubes-misc-post qubes-firewall qubes-mount-home"
     services="$services qubes-netwatcher qubes-network qubes-sysinit"
-    services="$services qubes-updates-proxy qubes-qrexec-agent"
+    services="$services qubes-iptables qubes-updates-proxy qubes-qrexec-agent"
     for srv in $services; do
         /bin/systemctl --no-reload preset $srv.service
     done
     /bin/systemctl --no-reload preset qubes-update-check.timer
+    # Upgrade path - now qubes-iptables is used instead
+    /bin/systemctl --no-reload preset iptables.service
+    /bin/systemctl --no-reload preset ip6tables.service
 fi
 
 # Set default "runlevel"
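Review bot: The upgrade branch in %post (the new `preset iptables.service` / `preset ip6tables.service` lines) disables the distro units but leaves behind what the previous package version created outside rpm's file list: the `/etc/sysconfig/iptables` → `iptables.qubes` and `ip6tables` → `ip6tables.qubes` symlinks from the removed %post block, and the `IPTABLES_DATA=` / `IP6TABLES_DATA=` lines the removed %triggerin appended to `/etc/sysconfig/ip*tables-config`. With `/etc/sysconfig/ip*tables.qubes` dropped from %files, those symlinks dangle after the upgrade, so anyone later re-enabling the distro `iptables.service` gets a broken configuration rather than the distro default. Consider cleaning them up in the same branch, e.g. `[ -L /etc/sysconfig/iptables ] && [ "$(readlink /etc/sysconfig/iptables)" = iptables.qubes ] && rm -f /etc/sysconfig/iptables` (and likewise for ip6tables). The %post block continues outside the hunk.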

+ 3 - 2
vm-systemd/75-qubes-vm.preset

@@ -42,6 +42,8 @@ disable fedora-storage-init.service
 disable fedora-storage-init-late.service
 disable hwclock-load.service
 disable ipmi.service
+disable iptables.service
+disable ip6tables.service
 disable irqbalance.service
 disable mcelog.service
 disable mdmonitor-takeover.service
@@ -68,7 +70,6 @@ enable qubes-mount-home.service
 enable qubes-firewall.service
 enable qubes-netwatcher.service
 enable qubes-meminfo-writer.service
-enable iptables.service
-enable ip6tables.service
+enable qubes-iptables.service
 enable haveged.service
 enable chronyd.service

+ 12 - 0
vm-systemd/qubes-iptables.service

@@ -0,0 +1,12 @@
+[Unit]
+Description=Qubes base firewall settings
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=/usr/lib/qubes/init/qubes-iptables start
+StandardOutput=syslog
+StandardError=syslog
+
+[Install]
+WantedBy=basic.target
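Review bot: The unit declares no ordering relative to network setup, so nothing guarantees the base firewall is loaded before interfaces come up; only the two consumers that carry `After=qubes-iptables.service` are ordered behind it, and `WantedBy=basic.target` just makes basic.target wait for it. systemd's documented hook for firewall units is `network-pre.target`: adding `Before=network-pre.target` and `Wants=network-pre.target` under `[Unit]` orders this unit ahead of any network configuration. A `Description=` that mentions it loads `/etc/qubes/ip*tables.rules` via `/usr/lib/qubes/init/qubes-iptables` would also help an operator reading `systemctl status`.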

+ 1 - 1
vm-systemd/qubes-network.service

@@ -2,7 +2,7 @@
 Description=Qubes network forwarding setup
 ConditionPathExists=/var/run/qubes-service/qubes-network
 Before=network.target
-After=iptables.service
+After=qubes-iptables.service
 
 [Service]
 Type=oneshot
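Review bot: `After=qubes-iptables.service` only orders qubes-network behind the firewall unit; if `qubes-iptables start` fails (exit 1 on a failed restore, 6 on a missing rules file), network forwarding is still set up with no base rules loaded. Now that the firewall is a Qubes-owned unit, this is the place to make the dependency hard, e.g. `Requires=qubes-iptables.service` next to the `After=` line, so a failed rule load prevents forwarding from being enabled. The same applies to the identical `After=` change in vm-systemd/qubes-updates-proxy.service. The previous `After=iptables.service` had the same gap, so this is not a regression introduced here.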

+ 1 - 1
vm-systemd/qubes-updates-proxy.service

@@ -2,7 +2,7 @@
 Description=Qubes updates proxy (tinyproxy)
 ConditionPathExists=|/var/run/qubes-service/qubes-yum-proxy
 ConditionPathExists=|/var/run/qubes-service/qubes-updates-proxy
-After=iptables.service
+After=qubes-iptables.service
 
 [Service]
 ExecStartPre=/usr/bin/install -d --owner tinyproxy --group tinyproxy /var/run/tinyproxy