network: prevent IP spoofing on upstream (eth0) interface

Currently there is just one anti-spoofing firewall rule ensuring packets
coming through vif+ interfaces have the right source address. Add
another rule ensuring that addresses that belongs to VMs behind those
vif+ interface do not appear on other interfaces (specifically eth0, but
also physical ones).

Normally it wouldn't be an issue because of rp_filter (doing the same
based on route table), default DROP in FORWARD chain and also conntrack
(the need to guess exact port numbers and sequence numbers). But it
appears all three mechanisms are ineffective in some cases:
 - rp_filter in many distributions (including Fedora and Debian) was
 switched to Loose Mode, which doesn't verify exact interface
 - there is a rule in FORWARD table allowing established connections and
 conntrack does not keep track of input/output interfaces
 - CVE-2019-14899 allows to guess all the data needed to inject packets

Reported-by: Demi M. Obenour <demiobenour@gmail.com>

network/vif-route-qubes

@@ -129,7 +129,10 @@ if [ "${ip}" ]; then
         else
             ipt=iptables-restore
         fi
-        echo -e "*raw\\n$iptables_cmd -i ${vif} ! -s ${addr} -j DROP\\nCOMMIT" | \
+        printf '%s\n' "*raw" \
+            "$iptables_cmd -i ${vif} ! -s ${addr} -j DROP" \
+            "$iptables_cmd ! -i vif+ -s ${addr} -j DROP" \
+            "COMMIT" | \
             ${cmdprefix} $ipt --noflush $ipt_arg
     done
     # if no IPv6 is assigned, block all IPv6 traffic on that interface