From 8c9433fc005a5c376508699f0c96d4430af14d98 Mon Sep 17 00:00:00 2001
From: Marek Marczykowski
Date: Mon, 5 Aug 2013 02:08:52 +0200
Subject: [PATCH] yum-proxy: use iptables-restore to set firewall rules
Simple iptables sometimes returns EBUSY.
---
 Makefile | 1 +
 network/iptables-yum-proxy | 17 +++++++++++++++++
 rpm_spec/core-vm.spec | 1 +
 vm-systemd/qubes-yum-proxy.service | 6 ++----
 4 files changed, 21 insertions(+), 4 deletions(-)
 create mode 100755 network/iptables-yum-proxy
diff --git a/Makefile b/Makefile
index 52477a4..b099384 100644
--- a/Makefile
+++ b/Makefile
@@ -103,6 +103,7 @@ install-vm:
 install -m 0400 -D network/ip6tables $(DESTDIR)/etc/sysconfig/ip6tables
 install -m 0644 -D network/tinyproxy-qubes-yum.conf $(DESTDIR)/etc/tinyproxy/tinyproxy-qubes-yum.conf
 install -m 0644 -D network/filter-qubes-yum $(DESTDIR)/etc/tinyproxy/filter-qubes-yum
+ install -m 0755 -D network/iptables-yum-proxy $(DESTDIR)/usr/lib/qubes/iptables-yum-proxy
 install -d $(DESTDIR)/etc/yum.conf.d
 touch $(DESTDIR)/etc/yum.conf.d/qubes-proxy.conf
diff --git a/network/iptables-yum-proxy b/network/iptables-yum-proxy
new file mode 100755
index 0000000..eaaa4f0
--- /dev/null
+++ b/network/iptables-yum-proxy
@@ -0,0 +1,17 @@
+#!/bin/sh
+
+if [ "$1" == "start" ]; then
+ CMD="-I"
+else
+ # Remove rules
+ CMD="-D"
+fi
+
+cat <<__EOF__ | iptables-restore -n
+*filter
+$CMD INPUT -i vif+ -p tcp --dport 8082 -j ACCEPT
+COMMIT
+*nat
+$CMD PR-QBS-SERVICES -i vif+ -d 10.137.255.254 -p tcp --dport 8082 -j REDIRECT
+COMMIT
+__EOF__
diff --git a/rpm_spec/core-vm.spec b/rpm_spec/core-vm.spec
index 1335a4e..3b10c52 100644
--- a/rpm_spec/core-vm.spec
+++ b/rpm_spec/core-vm.spec
@@ -323,6 +323,7 @@ rm -f %{name}-%{version}
 /usr/lib/qubes/setup-ip
 /usr/lib/qubes/vm-file-editor
 /usr/lib/qubes/wrap-in-html-if-url.sh
+/usr/lib/qubes/iptables-yum-proxy
 /usr/lib/yum-plugins/yum-qubes-hooks.py*
 /usr/sbin/qubes-firewall
 /usr/sbin/qubes-netwatcher
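Review bot: The test `[ "$1" == "start" ]` under `#!/bin/sh` relies on the bash-only `==`; a POSIX `test` (dash, busybox) rejects it with "unexpected operator" and returns 2, so on such a system the script would fall into the else branch and *delete* the rules when asked to start — it only works today where /bin/sh happens to be bash. Use `if [ "$1" = "start" ]; then`, and since any other argument, including none, currently removes the rules, consider rejecting unknown arguments explicitly instead of treating them as a stop. The `-n` (noflush) flag is the one thing that keeps `iptables-restore` from wiping the VM's existing `filter` and `nat` tables, since both are named in the input; that deserves a comment such as `# -n: apply only these rules, never flush the existing tables`. Compared with the old unit file's `-t nat -A PR-QBS-SERVICES`, the REDIRECT rule is now inserted at the head of the chain with `-I`, which changes its precedence relative to other rules there — fine if intentional, but worth a word in the commit message.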
diff --git a/vm-systemd/qubes-yum-proxy.service b/vm-systemd/qubes-yum-proxy.service
index b03c34d..22381b3 100644
--- a/vm-systemd/qubes-yum-proxy.service
+++ b/vm-systemd/qubes-yum-proxy.service
@@ -5,11 +5,9 @@ After=iptables.service
 [Service]
 ExecStartPre=/usr/bin/install -d --owner tinyproxy --group tinyproxy /var/run/tinyproxy
-ExecStartPre=/sbin/iptables -I INPUT -i vif+ -p tcp --dport 8082 -j ACCEPT
-ExecStartPre=/sbin/iptables -t nat -A PR-QBS-SERVICES -i vif+ -d 10.137.255.254 -p tcp --dport 8082 -j REDIRECT
+ExecStartPre=/usr/lib/qubes/iptables-yum-proxy start
 ExecStart=/usr/sbin/tinyproxy -d -c /etc/tinyproxy/tinyproxy-qubes-yum.conf
-ExecStopPost=/sbin/iptables -t nat -D PR-QBS-SERVICES -i vif+ -d 10.137.255.254 -p tcp --dport 8082 -j REDIRECT
-ExecStopPost=/sbin/iptables -D INPUT -i vif+ -p tcp --dport 8082 -j ACCEPT
+ExecStopPost=/usr/lib/qubes/iptables-yum-proxy stop
 [Install]
 WantedBy=multi-user.target
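Review bot: Nothing in the unit records why the rule removal is an `ExecStopPost=` rather than an `ExecStop=` — presumably so the ACCEPT/REDIRECT pair is torn down on every exit path, including tinyproxy crashing or failing to start — and the next editor is likely to "tidy" it; a comment above the two new lines would pin that down, e.g. `# Firewall rules are managed by /usr/lib/qubes/iptables-yum-proxy; ExecStopPost so they are removed on any exit path, not only a clean stop`. Because `stop` deletes a single instance of each rule, a stop whose `iptables-restore` fails (the same EBUSY the commit message describes) would leave a rule pair behind and the next `start` would add a duplicate, so the open port outlives the service; making `start` idempotent (check with `iptables -C` before inserting, or delete before insert) would close that. The [Unit] section is outside the hunk — only `After=iptables.service` shows in the header — so I can't tell whether the chain the script inserts into, PR-QBS-SERVICES, is guaranteed to exist by then; if it isn't, `start` fails and the unit fails closed, which is the right direction but worth documenting.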