
yum-proxy: use iptables-restore to set firewall rules

Plain iptables invocations sometimes return EBUSY.
Marek Marczykowski 10 jaren geleden
bovenliggende
commit
8c9433fc00
4 gewijzigde bestanden met toevoegingen van 21 en 4 verwijderingen
  1. 1 0
      Makefile
  2. 17 0
      network/iptables-yum-proxy
  3. 1 0
      rpm_spec/core-vm.spec
  4. 2 4
      vm-systemd/qubes-yum-proxy.service

+ 1 - 0
Makefile

@@ -103,6 +103,7 @@ install-vm:
 	install -m 0400 -D network/ip6tables $(DESTDIR)/etc/sysconfig/ip6tables
 	install -m 0644 -D network/tinyproxy-qubes-yum.conf $(DESTDIR)/etc/tinyproxy/tinyproxy-qubes-yum.conf
 	install -m 0644 -D network/filter-qubes-yum $(DESTDIR)/etc/tinyproxy/filter-qubes-yum
+	install -m 0755 -D network/iptables-yum-proxy $(DESTDIR)/usr/lib/qubes/iptables-yum-proxy
 
 	install -d $(DESTDIR)/etc/yum.conf.d
 	touch $(DESTDIR)/etc/yum.conf.d/qubes-proxy.conf

+ 17 - 0
network/iptables-yum-proxy

@@ -0,0 +1,17 @@
+#!/bin/sh
+
+if [ "$1" == "start" ]; then
+    CMD="-I"
+else
+    # Remove rules
+    CMD="-D"
+fi
+
+cat <<__EOF__ | iptables-restore -n
+*filter
+$CMD INPUT -i vif+ -p tcp --dport 8082 -j ACCEPT
+COMMIT
+*nat
+$CMD PR-QBS-SERVICES -i vif+ -d 10.137.255.254 -p tcp --dport 8082 -j REDIRECT
+COMMIT
+__EOF__
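Review bot: `[ "$1" == "start" ]` on the third line of the new script is not POSIX `test` syntax under the `#!/bin/sh` shebang; on a shell such as dash the comparison fails with "unexpected operator", the condition is treated as false, and a `start` invocation falls through to the `-D` branch and removes rules instead of inserting them. The portable form is `if [ "$1" = "start" ]; then`. As written, any argument other than `start`, including none, also selects deletion; rejecting unrecognised arguments with a usage error and non-zero exit would leave the unit's `stop` call as the only path to `-D`. The nat rule is now loaded with `-I` where the replaced ExecStartPre line used `-A`, which changes its position in PR-QBS-SERVICES; if that is intended, a one-line comment above the heredoc saying so would save the next reader a check.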

+ 1 - 0
rpm_spec/core-vm.spec

@@ -323,6 +323,7 @@ rm -f %{name}-%{version}
 /usr/lib/qubes/setup-ip
 /usr/lib/qubes/vm-file-editor
 /usr/lib/qubes/wrap-in-html-if-url.sh
+/usr/lib/qubes/iptables-yum-proxy
 /usr/lib/yum-plugins/yum-qubes-hooks.py*
 /usr/sbin/qubes-firewall
 /usr/sbin/qubes-netwatcher

+ 2 - 4
vm-systemd/qubes-yum-proxy.service

@@ -5,11 +5,9 @@ After=iptables.service
 
 [Service]
 ExecStartPre=/usr/bin/install -d --owner tinyproxy --group tinyproxy /var/run/tinyproxy
-ExecStartPre=/sbin/iptables -I INPUT -i vif+ -p tcp --dport 8082 -j ACCEPT
-ExecStartPre=/sbin/iptables -t nat -A PR-QBS-SERVICES -i vif+ -d 10.137.255.254 -p tcp --dport 8082 -j REDIRECT
+ExecStartPre=/usr/lib/qubes/iptables-yum-proxy start
 ExecStart=/usr/sbin/tinyproxy -d -c /etc/tinyproxy/tinyproxy-qubes-yum.conf
-ExecStopPost=/sbin/iptables -t nat -D PR-QBS-SERVICES -i vif+ -d 10.137.255.254 -p tcp --dport 8082 -j REDIRECT
-ExecStopPost=/sbin/iptables -D INPUT -i vif+ -p tcp --dport 8082 -j ACCEPT
+ExecStopPost=/usr/lib/qubes/iptables-yum-proxy stop
 
 [Install]
 WantedBy=multi-user.target