From 6c33652ed45a6abac14ed3b34100dc54c3f5cf9a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?=
Date: Mon, 5 Feb 2018 16:27:52 +0100
Subject: [PATCH] qubes-firewall: call firewall-user-script at service startup

Call it just after creating base chains in iptables/nftables. This allow the user to modify how those rules are plugged in, add custom rules at beginning/end etc.

Fixes QubesOS/qubes-issues#3260
---
 qubesagent/firewall.py | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/qubesagent/firewall.py b/qubesagent/firewall.py
index 7e36f7f..6145804 100755
--- a/qubesagent/firewall.py
+++ b/qubesagent/firewall.py
@@ -62,6 +62,13 @@ class FirewallWorker(object):
         '''Apply rules in given source address'''
         raise NotImplementedError
 
+    def run_user_script(self):
+        '''Run user script in /rw/config'''
+        user_script_path = '/rw/config/qubes-firewall-user-script'
+        if os.path.isfile(user_script_path) and \
+                os.access(user_script_path, os.X_OK):
+            subprocess.call([user_script_path])
+
     def read_rules(self, target):
         '''Read rules from QubesDB and return them as a list of dicts'''
         entries = self.qdb.multiread('/qubes-firewall/{}/'.format(target))
@@ -133,6 +140,7 @@ class FirewallWorker(object):
     def main(self):
         self.terminate_requested = False
         self.init()
+        self.run_user_script()
         # initial load
         for source_addr in self.list_targets():
             self.handle_addr(source_addr)
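Review bot: In `run_user_script` the exit status of `subprocess.call([user_script_path])` is discarded, and an `OSError` raised by the exec itself (for example a script whose interpreter line is wrong) propagates into `main()`, where the second hunk places the call between `self.init()` and the initial rule load, so a broken user script either fails silently or stops the service before any per-VM rules are applied. I would keep the exec failure local and report a non-zero status, as sketched below; the logging call is a placeholder for whatever logger the module already uses, which this hunk does not show. The docstring should also state the contract the commit message describes, e.g. `'''Run /rw/config/qubes-firewall-user-script once at startup, after the base chains exist and before per-VM rules are loaded; skipped when absent or not executable.'''`. `main()` continues past the end of the second hunk.
```python
    def run_user_script(self):
        # … unchanged: docstring and user_script_path assignment …
        if not (os.path.isfile(user_script_path) and
                os.access(user_script_path, os.X_OK)):
            return
        try:
            ret = subprocess.call([user_script_path])
        except OSError as err:
            # LOG_ERROR is a placeholder for the module's logging call (not visible in the hunk)
            LOG_ERROR('{} could not be started: {}'.format(user_script_path, err))
            return
        if ret != 0:
            LOG_ERROR('{} exited with status {}'.format(user_script_path, ret))
```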