diff --git a/Makefile b/Makefile
index 17d7276..3429fc5 100644
--- a/Makefile
+++ b/Makefile
@@ -67,6 +67,9 @@ ifeq ($(shell lsb_release -is), Debian)
 # Wheezy Dropins
 # Disable sysinit 'network-manager.service' since systemd 'NetworkManager.service' is already installed
 DROPINS += $(strip $(if $(filter wheezy, $(shell lsb_release -cs)), network-manager.service,))
+
+ # handled by qubes-iptables service now
+ DROPINS += netfilter-persistent.service
 endif
 install-systemd-dropins:
@@ -83,6 +86,7 @@ install-systemd:
 install -m 0644 vm-systemd/75-qubes-vm.preset $(DESTDIR)$(SYSLIBDIR)/systemd/system-preset/
 install -m 0644 vm-systemd/qubes-core.conf $(DESTDIR)$(SYSLIBDIR)/modules-load.d/
 install -m 0644 vm-systemd/qubes-misc.conf $(DESTDIR)$(SYSLIBDIR)/modules-load.d/
+ install -m 0755 network/qubes-iptables $(DESTDIR)$(LIBDIR)/qubes/init/
 install-sysvinit:
 install -d $(DESTDIR)/etc/init.d
@@ -95,6 +99,7 @@ install-sysvinit:
 install vm-init.d/qubes-updates-proxy $(DESTDIR)/etc/init.d/
 install -D vm-init.d/qubes-core.modules $(DESTDIR)/etc/sysconfig/modules/qubes-core.modules
 install -D vm-init.d/qubes-misc.modules $(DESTDIR)/etc/sysconfig/modules/qubes-misc.modules
+ install network/qubes-iptables $(DESTDIR)/etc/init.d/
 install-rh: install-systemd install-systemd-dropins install-sysvinit
 install -D -m 0644 misc/qubes-r3.repo $(DESTDIR)/etc/yum.repos.d/qubes-r3.repo
@@ -117,9 +122,6 @@ install-rh: install-systemd install-systemd-dropins install-sysvinit
 install -D -m 0644 misc/serial.conf $(DESTDIR)/usr/share/qubes/serial.conf
 install -D misc/qubes-serial-login $(DESTDIR)/$(SBINDIR)/qubes-serial-login
- install -m 0400 -D network/iptables $(DESTDIR)/usr/lib/qubes/init/iptables
- install -m 0400 -D network/ip6tables $(DESTDIR)/usr/lib/qubes/init/ip6tables
-
 install-common:
 $(MAKE) -C autostart-dropins install
 install -m 0644 -D misc/fstab $(DESTDIR)/etc/fstab
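Review bot: The new `install -m 0755 network/qubes-iptables $(DESTDIR)$(LIBDIR)/qubes/init/` line in install-systemd (second hunk) relies on `$(DESTDIR)$(LIBDIR)/qubes/init` already existing, which nothing visible in this hunk creates, whereas the lines removed from install-rh used `-D` for the same directory; `install -D -m 0755 network/qubes-iptables $(DESTDIR)$(LIBDIR)/qubes/init/qubes-iptables` would not depend on an `install -d` elsewhere in the recipe. The unit `vm-systemd/qubes-iptables.service` and the dropin `vm-systemd/netfilter-persistent.service.d/30_qubes.conf` that this commit adds get no install line in this diff; that is fine only if install-systemd already copies `vm-systemd/*.service` by glob and the DROPINS loop installs the new directory, which cannot be confirmed from the hunks shown, while the spec's %files list does expect `/lib/systemd/system/qubes-iptables.service` to be present. The install-systemd and install-sysvinit recipes both start outside these hunks.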
@@ -167,6 +169,9 @@ install-common:
 install -d $(DESTDIR)/etc/xdg/autostart
 install -m 0755 network/show-hide-nm-applet.sh $(DESTDIR)$(LIBDIR)/qubes/show-hide-nm-applet.sh
 install -m 0644 network/show-hide-nm-applet.desktop $(DESTDIR)/etc/xdg/autostart/00-qubes-show-hide-nm-applet.desktop
+ install -m 0400 -D network/iptables $(DESTDIR)/etc/qubes/iptables.rules
+ install -m 0400 -D network/ip6tables $(DESTDIR)/etc/qubes/ip6tables.rules
+
 install -d $(DESTDIR)/$(SBINDIR)
 install network/qubes-firewall $(DESTDIR)/$(SBINDIR)/
@@ -226,8 +231,6 @@ install-deb: install-common install-systemd install-systemd-dropins
 mkdir -p $(DESTDIR)/etc/apt/sources.list.d
 sed -e "s/@DIST@/`lsb_release -cs`/" misc/qubes-r3.list.in > $(DESTDIR)/etc/apt/sources.list.d/qubes-r3.list
 install -D -m 644 misc/qubes-archive-keyring.gpg $(DESTDIR)/etc/apt/trusted.gpg.d/qubes-archive-keyring.gpg
- install -D -m 644 network/iptables $(DESTDIR)/etc/iptables/rules.v4
- install -D -m 644 network/ip6tables $(DESTDIR)/etc/iptables/rules.v6
 install -D -m 644 network/00notify-hook $(DESTDIR)/etc/apt/apt.conf.d/00notify-hook
 install -d $(DESTDIR)/etc/sysctl.d
 install -m 644 network/80-qubes.conf $(DESTDIR)/etc/sysctl.d/
diff --git a/debian/control b/debian/control
index 4fcd83a..459d96f 100644
--- a/debian/control
+++ b/debian/control
@@ -18,7 +18,6 @@ Depends:
 init-system-helpers,
 initscripts,
 iptables,
- iptables-persistent,
 librsvg2-bin,
 libvchan-xen,
 locales,
diff --git a/network/qubes-iptables b/network/qubes-iptables
new file mode 100755
index 0000000..d759df3
--- /dev/null
+++ b/network/qubes-iptables
@@ -0,0 +1,59 @@
+#!/bin/bash
+#
+# qubes-iptables Start Qubes base iptables firewall
+#
+# chkconfig: 2345 08 92
+# description: Loads iptables firewall
+#
+# config: /etc/qubes/iptables.rules
+# config: /etc/qubes/ip6tables.rules
+#
+### BEGIN INIT INFO
+# Provides: iptables
+# Required-Start:
+# Required-Stop:
+# Default-Start: 2 3 4 5
+# Default-Stop: 0 1 6
+# Short-Description: Loads Qubes base iptables firewall
+# Description: Loads Qubes base iptables firewall
+### END INIT INFO
+
+IPTABLES=iptables
+IPTABLES_DATA_DIR=/etc/qubes
+
+if [ ! -x /sbin/$IPTABLES ]; then
+ echo $"${IPTABLES}: /sbin/$IPTABLES does not exist."
+ exit 5
+fi
+
+start() {
+ ipt=$1
+ IPTABLES_DATA=$IPTABLES_DATA_DIR/${ipt}.rules
+ CMD=$ipt
+ # Do not start if there is no config file.
+ [ ! -f "$IPTABLES_DATA" ] && return 6
+
+ echo -n $"${CMD}: Applying firewall rules: "
+
+ $CMD-restore $IPTABLES_DATA
+ if [ $? -eq 0 ]; then
+ echo OK
+ else
+ echo FAIL; return 1
+ fi
+
+ return $ret
+}
+
+case "$1" in
+ start)
+ start iptables && start ip6tables
+ RETVAL=$?
+ ;;
+ *)
+ echo $"Usage: ${IPTABLES} start"
+ RETVAL=2
+ ;;
+esac
+
+exit $RETVAL
diff --git a/rpm_spec/core-vm.spec b/rpm_spec/core-vm.spec
index 0c7f3f0..1417449 100644
--- a/rpm_spec/core-vm.spec
+++ b/rpm_spec/core-vm.spec
@@ -37,7 +37,6 @@ Requires: yum-plugin-post-transaction-actions
 Requires: NetworkManager >= 0.8.1-1
 %if %{fedora} >= 18
 # Fedora >= 18 defaults to firewalld, which isn't supported nor needed by Qubes
-Requires: iptables-services
 Conflicts: firewalld
 %endif
 Requires: /usr/bin/mimeopen
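Review bot: `return $ret` at the end of start() uses a variable the script never assigns, so the function really returns the exit status of the preceding `echo OK`; that is 0 today, but the line reads as if a captured status were being propagated and stops being 0 the moment a command is inserted before it — make it an explicit `return 0`. The case arm runs `start iptables && start ip6tables`, and with `[ ! -f "$IPTABLES_DATA" ] && return 6` inside start() a missing or rejected IPv4 rules file also skips the IPv6 rules entirely, leaving the IPv6 tables untouched while the service reports failure; if the intent is to fail closed on either table, apply both and report the first failure, e.g. `start iptables; RETVAL=$?` followed by `start ip6tables || RETVAL=$?`. The preflight check tests only `/sbin/$IPTABLES`, while the rules are loaded through `$CMD-restore` resolved from PATH, so `ip6tables-restore` is never checked and the check does not cover the binary actually executed; testing `$CMD-restore` inside start(), or calling it by absolute path, would close that gap.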
@@ -122,33 +121,11 @@ usermod -L user
 (cd qrexec; make install DESTDIR=$RPM_BUILD_ROOT)
 make install-vm DESTDIR=$RPM_BUILD_ROOT
-cp -p $RPM_BUILD_ROOT/usr/lib/qubes/init/iptables $RPM_BUILD_ROOT/etc/sysconfig/iptables.qubes
-cp -p $RPM_BUILD_ROOT/usr/lib/qubes/init/ip6tables $RPM_BUILD_ROOT/etc/sysconfig/ip6tables.qubes
-
 %triggerin -- initscripts
 if [ -e /etc/init/serial.conf ]; then
 cp /usr/share/qubes/serial.conf /etc/init/serial.conf
 fi
-%triggerin -- iptables
-if ! grep -q IPTABLES_DATA /etc/sysconfig/iptables-config; then
- cat <>/etc/sysconfig/iptables-config
-
-### Automatically added by Qubes:
-# Override default rules location on Qubes
-IPTABLES_DATA=/etc/sysconfig/iptables.qubes
-EOF
-fi
-
-if ! grep -q IP6TABLES_DATA /etc/sysconfig/ip6tables-config; then
- cat <>/etc/sysconfig/ip6tables-config
-
-### Automatically added by Qubes:
-# Override default rules location on Qubes
-IP6TABLES_DATA=/etc/sysconfig/ip6tables.qubes
-EOF
-fi
-
 %post
 # disable some Upstart services
@@ -198,16 +175,6 @@ EOF
 fi
 fi
-# Make sure that /etc/sysconfig/ip(|6)tables exists. Otherwise iptales.service
-# would not start (even when configured to use another configuration file.
-if [ ! -e '/etc/sysconfig/iptables' ]; then
- ln -s iptables.qubes /etc/sysconfig/iptables
-fi
-if [ ! -e '/etc/sysconfig/ip6tables' ]; then
- ln -s ip6tables.qubes /etc/sysconfig/ip6tables
-fi
-
-
 # ensure that hostname resolves to 127.0.0.1 resp. ::1 and that /etc/hosts is
 # in the form expected by qubes-sysinit.sh
 if ! grep -rq "^/etc/hostname$" "${PROTECTED_FILE_LIST}" 2>/dev/null; then
@@ -356,10 +323,8 @@ rm -f %{name}-%{version}
 %config /etc/qubes/autostart/*.desktop.d/30_qubes.conf
 %config(noreplace) /etc/sudoers.d/qubes
 %config(noreplace) /etc/sudoers.d/qt_x11_no_mitshm
-%config(noreplace) /etc/sysconfig/iptables.qubes
-%config(noreplace) /etc/sysconfig/ip6tables.qubes
-/usr/lib/qubes/init/iptables
-/usr/lib/qubes/init/ip6tables
+%config(noreplace) /etc/qubes/iptables.rules
+%config(noreplace) /etc/qubes/ip6tables.rules
 %config(noreplace) /etc/tinyproxy/filter-updates
 %config(noreplace) /etc/tinyproxy/tinyproxy-updates.conf
 %config(noreplace) /etc/udev/rules.d/50-qubes-misc.rules
@@ -450,6 +415,7 @@ The Qubes core startup configuration for SysV init (or upstart).
 /etc/init.d/qubes-core-netvm
 /etc/init.d/qubes-firewall
 /etc/init.d/qubes-netwatcher
+/etc/init.d/qubes-iptables
 /etc/init.d/qubes-updates-proxy
 /etc/init.d/qubes-qrexec-agent
 /etc/sysconfig/modules/qubes-core.modules
@@ -475,8 +441,6 @@ done
 chkconfig rsyslog on
 chkconfig haldaemon on
 chkconfig messagebus on
-chkconfig iptables on
-chkconfig ip6tables on
 chkconfig --add qubes-core || echo "WARNING: Cannot add service qubes-core!"
 chkconfig qubes-core on || echo "WARNING: Cannot enable service qubes-core!"
 chkconfig --add qubes-core-netvm || echo "WARNING: Cannot add service qubes-core-netvm!"
@@ -487,6 +451,8 @@ chkconfig --add qubes-firewall || echo "WARNING: Cannot add service qubes-firewa
 chkconfig qubes-firewall on || echo "WARNING: Cannot enable service qubes-firewall!"
 chkconfig --add qubes-netwatcher || echo "WARNING: Cannot add service qubes-netwatcher!"
 chkconfig qubes-netwatcher on || echo "WARNING: Cannot enable service qubes-netwatcher!"
+chkconfig --add qubes-iptables || echo "WARNING: Cannot add service qubes-iptables!"
+chkconfig qubes-iptables on || echo "WARNING: Cannot enable service qubes-iptables!"
 chkconfig --add qubes-updates-proxy || echo "WARNING: Cannot add service qubes-updates-proxy!"
 chkconfig qubes-updates-proxy on || echo "WARNING: Cannot enable service qubes-updates-proxy!"
 chkconfig --add qubes-qrexec-agent || echo "WARNING: Cannot add service qubes-qrexec-agent!"
@@ -530,6 +496,7 @@ The Qubes core startup configuration for SystemD init.
 /lib/systemd/system/qubes-mount-home.service
 /lib/systemd/system/qubes-netwatcher.service
 /lib/systemd/system/qubes-network.service
+/lib/systemd/system/qubes-iptables.service
 /lib/systemd/system/qubes-sysinit.service
 /lib/systemd/system/qubes-update-check.service
 /lib/systemd/system/qubes-update-check.timer
@@ -541,6 +508,7 @@ The Qubes core startup configuration for SystemD init.
 %dir /usr/lib/qubes/init
 /usr/lib/qubes/init/prepare-dvm.sh
 /usr/lib/qubes/init/network-proxy-setup.sh
+/usr/lib/qubes/init/qubes-iptables
 /usr/lib/qubes/init/misc-post.sh
 /usr/lib/qubes/init/misc-post-stop.sh
 /usr/lib/qubes/init/mount-home.sh
@@ -565,11 +533,14 @@ if [ $1 -eq 1 ]; then
 else
 services="qubes-dvm qubes-misc-post qubes-firewall qubes-mount-home"
 services="$services qubes-netwatcher qubes-network qubes-sysinit"
- services="$services qubes-updates-proxy qubes-qrexec-agent"
+ services="$services qubes-iptables qubes-updates-proxy qubes-qrexec-agent"
 for srv in $services; do
 /bin/systemctl --no-reload preset $srv.service
 done
 /bin/systemctl --no-reload preset qubes-update-check.timer
+ # Upgrade path - now qubes-iptables is used instead
+ /bin/systemctl --no-reload preset iptables.service
+ /bin/systemctl --no-reload preset ip6tables.service
 fi
 # Set default "runlevel"
diff --git a/vm-systemd/75-qubes-vm.preset b/vm-systemd/75-qubes-vm.preset
index af03f06..bbf812b 100644
--- a/vm-systemd/75-qubes-vm.preset
+++ b/vm-systemd/75-qubes-vm.preset
@@ -42,6 +42,8 @@ disable fedora-storage-init.service
 disable fedora-storage-init-late.service
 disable hwclock-load.service
 disable ipmi.service
+disable iptables.service
+disable ip6tables.service
 disable irqbalance.service
 disable mcelog.service
 disable mdmonitor-takeover.service
@@ -68,7 +70,6 @@ enable qubes-mount-home.service
 enable qubes-firewall.service
 enable qubes-netwatcher.service
 enable qubes-meminfo-writer.service
-enable iptables.service
-enable ip6tables.service
+enable qubes-iptables.service
 enable haveged.service
 enable chronyd.service
diff --git a/vm-systemd/netfilter-persistent.service.d/30_qubes.conf b/vm-systemd/netfilter-persistent.service.d/30_qubes.conf
new file mode 100644
index 0000000..f71617f
--- /dev/null
+++ b/vm-systemd/netfilter-persistent.service.d/30_qubes.conf
@@ -0,0 +1,2 @@
+[Unit]
+ConditionPathExists=/var/run/qubes-service/netfilter-persistent
diff --git a/vm-systemd/qubes-iptables.service b/vm-systemd/qubes-iptables.service
new file mode 100644
index 0000000..065347d
--- /dev/null
+++ b/vm-systemd/qubes-iptables.service
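Review bot: The upgrade branch now presets `iptables.service` and `ip6tables.service` (which the preset file turns to `disable`) but leaves behind the state the old `%post` and `%triggerin -- iptables` created on existing VMs: the `/etc/sysconfig/iptables -> iptables.qubes` and `ip6tables -> ip6tables.qubes` symlinks and the `IPTABLES_DATA=/etc/sysconfig/iptables.qubes` / `IP6TABLES_DATA=...` lines appended to `iptables-config` and `ip6tables-config`, all of which now point at files this package no longer ships. Nothing obsoletes or conflicts with `iptables-services` after the Requires is dropped, so on a VM where it stays installed and an admin re-enables `iptables.service`, that service will most likely fail on the dangling link rather than load anything; the upgrade path should remove the symlinks it created (only when they still point at `iptables.qubes`/`ip6tables.qubes`) and strip the Qubes-added block from the two config files. The enclosing `%post` of the systemd subpackage starts outside this hunk.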
@@ -0,0 +1,12 @@
+[Unit]
+Description=Qubes base firewall settings
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=/usr/lib/qubes/init/qubes-iptables start
+StandardOutput=syslog
+StandardError=syslog
+
+[Install]
+WantedBy=basic.target
diff --git a/vm-systemd/qubes-network.service b/vm-systemd/qubes-network.service
index 6a90a59..b159441 100644
--- a/vm-systemd/qubes-network.service
+++ b/vm-systemd/qubes-network.service
@@ -2,7 +2,7 @@ Description=Qubes network forwarding setup
 ConditionPathExists=/var/run/qubes-service/qubes-network
 Before=network.target
-After=iptables.service
+After=qubes-iptables.service
 [Service]
 Type=oneshot
diff --git a/vm-systemd/qubes-updates-proxy.service b/vm-systemd/qubes-updates-proxy.service
index cb88922..c89a785 100644
--- a/vm-systemd/qubes-updates-proxy.service
+++ b/vm-systemd/qubes-updates-proxy.service
@@ -2,7 +2,7 @@ Description=Qubes updates proxy (tinyproxy)
 ConditionPathExists=|/var/run/qubes-service/qubes-yum-proxy
 ConditionPathExists=|/var/run/qubes-service/qubes-updates-proxy
-After=iptables.service
+After=qubes-iptables.service
 [Service]
 ExecStartPre=/usr/bin/install -d --owner tinyproxy --group tinyproxy /var/run/tinyproxy
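Review bot: The `[Unit]` section of qubes-iptables.service carries no ordering against the network at all; it is only pulled in through `WantedBy=basic.target`, so the base rules are guaranteed to be loaded before qubes-network.service and qubes-updates-proxy.service (which gain `After=qubes-iptables.service` in the following hunks) but before nothing else that may configure an interface, including anything that runs in sysinit or ignores basic.target. The established hook for firewall units is `Wants=network-pre.target` and `Before=network-pre.target` in `[Unit]`, which orders the rules ahead of every network management service that honours that target; whether early-boot network setup in Qubes VMs also needs `DefaultDependencies=no` for that ordering to bite cannot be judged from this diff. `Type=oneshot` with `RemainAfterExit=yes` is the right shape for a unit others depend on, since dependents can then observe it as active.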
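Review bot: `After=qubes-iptables.service` in qubes-network.service only orders the two units; if qubes-iptables fails, for instance because `iptables-restore` rejects the rules file, qubes-network still starts and enables forwarding on a VM whose base firewall never loaded. Because the base rules are a precondition rather than a hint, add `Requires=qubes-iptables.service` next to the `After=` so that a failed firewall load prevents the forwarding setup instead of being logged and ignored; the identical `After=` change in qubes-updates-proxy.service in the next hunk needs the same treatment. The `[Unit]` section of both files continues outside the hunks.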