From 9b054275960d1d8798b4a24f281f6e61d7615ee8 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sun, 2 Aug 2015 21:44:51 +0200 Subject: [PATCH 1/3] removed iptables-persistent from Depends to improve usablity (avoid redundant debconf question) --- debian/control | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/debian/control b/debian/control index ca3f1d3..9ce6e44 100644 --- a/debian/control +++ b/debian/control @@ -9,7 +9,7 @@ Vcs-Git: git://git.qubes-os.org/marmarek/core-agent-linux.git Package: qubes-core-agent Architecture: any -Depends: qubes-utils (>= 3.0.1), libvchan-xen, xenstore-utils, iptables-persistent, xserver-xorg-video-dummy, xen-utils-common, ethtool, python2.7, python-gi, init-system-helpers, xdg-user-dirs, iptables, net-tools, initscripts, imagemagick, fakeroot, systemd, locales, sudo, dmsetup, psmisc, ncurses-term, xserver-xorg-core, x11-xserver-utils, xinit, ${shlibs:Depends}, ${misc:Depends} +Depends: qubes-utils (>= 3.0.1), libvchan-xen, xenstore-utils, xserver-xorg-video-dummy, xen-utils-common, ethtool, python2.7, python-gi, init-system-helpers, xdg-user-dirs, iptables, net-tools, initscripts, imagemagick, fakeroot, systemd, locales, sudo, dmsetup, psmisc, ncurses-term, xserver-xorg-core, x11-xserver-utils, xinit, ${shlibs:Depends}, ${misc:Depends} Recommends: tinyproxy, gnome-themes-standard, xsettingsd, gnome-packagekit, chrony, ntpdate, network-manager (>= 0.8.1-1), network-manager-gnome, haveged, libnotify-bin, notify-osd, gnome-terminal, python-nautilus, yum, yum-utils Conflicts: qubes-core-agent-linux, firewalld, qubes-core-vm-sysvinit Description: Qubes core agent From 65e9e4c72cbbd188cd5c83f5dab2d63acf5efd4f Mon Sep 17 00:00:00 2001 
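Review bot: Dropping iptables-persistent from Depends at this point in the series leaves a Debian build of this commit with /etc/iptables/rules.v4 and rules.v6 still installed by the Makefile's install-deb target (those lines are only removed in the second patch) but no package guaranteed to load them, so a VM built from this revision alone boots without the base firewall applied unless iptables-persistent happens to be present. Consider landing this after the second and third patches, or squashing it with them, so that no intermediate revision ships rule files that nothing loads.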
From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?= Date: Tue, 4 Aug 2015 17:15:01 +0200 Subject: [PATCH 2/3] network: use own iptables service instead of repurposing existing one There were multiple problems with reusing existing one: - need to sync with upstream changes (configuration path etc) - conflicts resolution on updates - lack of iptables --wait, which causes firewall fail to load sometimes QubesOS/qubes-issues#1067 --- Makefile | 10 ++--- network/qubes-iptables | 59 ++++++++++++++++++++++++++ rpm_spec/core-vm.spec | 51 +++++----------------- vm-systemd/75-qubes-vm.preset | 5 ++- vm-systemd/qubes-iptables.service | 12 ++++++ vm-systemd/qubes-network.service | 2 +- vm-systemd/qubes-updates-proxy.service | 2 +- 7 files changed, 92 insertions(+), 49 deletions(-) create mode 100755 network/qubes-iptables create mode 100644 vm-systemd/qubes-iptables.service diff --git a/Makefile b/Makefile index 1af2899..e0b2e95 100644 --- a/Makefile +++ b/Makefile @@ -79,6 +79,7 @@ install-systemd: install -m 0644 vm-systemd/75-qubes-vm.preset $(DESTDIR)$(SYSLIBDIR)/systemd/system-preset/ install -m 0644 vm-systemd/qubes-core.conf $(DESTDIR)$(SYSLIBDIR)/modules-load.d/ install -m 0644 vm-systemd/qubes-misc.conf $(DESTDIR)$(SYSLIBDIR)/modules-load.d/ + install -m 0755 network/qubes-iptables $(DESTDIR)$(LIBDIR)/qubes/init/ install-sysvinit: install -d $(DESTDIR)/etc/init.d @@ -91,6 +92,7 @@ install-sysvinit: install vm-init.d/qubes-updates-proxy $(DESTDIR)/etc/init.d/ install -D vm-init.d/qubes-core.modules $(DESTDIR)/etc/sysconfig/modules/qubes-core.modules install -D vm-init.d/qubes-misc.modules $(DESTDIR)/etc/sysconfig/modules/qubes-misc.modules + install network/qubes-iptables $(DESTDIR)/etc/init.d/ install-rh: install-systemd install-systemd-dropins install-sysvinit install -D -m 0644 misc/qubes-r3.repo $(DESTDIR)/etc/yum.repos.d/qubes-r3.repo 
@@ -114,9 +116,6 @@ install-rh: install-systemd install-systemd-dropins install-sysvinit install -D -m 0644 misc/serial.conf $(DESTDIR)/usr/share/qubes/serial.conf install -D misc/qubes-serial-login $(DESTDIR)/$(SBINDIR)/qubes-serial-login - install -m 0400 -D network/iptables $(DESTDIR)/usr/lib/qubes/init/iptables - install -m 0400 -D network/ip6tables $(DESTDIR)/usr/lib/qubes/init/ip6tables - install-common: install -m 0644 -D misc/fstab $(DESTDIR)/etc/fstab @@ -162,6 +161,9 @@ install-common: install -d $(DESTDIR)/etc/xdg/autostart install -m 0755 network/show-hide-nm-applet.sh $(DESTDIR)$(LIBDIR)/qubes/show-hide-nm-applet.sh install -m 0644 network/show-hide-nm-applet.desktop $(DESTDIR)/etc/xdg/autostart/00-qubes-show-hide-nm-applet.desktop + install -m 0400 -D network/iptables $(DESTDIR)/etc/qubes/iptables.rules + install -m 0400 -D network/ip6tables $(DESTDIR)/etc/qubes/ip6tables.rules + install -d $(DESTDIR)/$(SBINDIR) install network/qubes-firewall $(DESTDIR)/$(SBINDIR)/ @@ -213,8 +215,6 @@ install-deb: install-common install-systemd install-systemd-dropins mkdir -p $(DESTDIR)/etc/apt/sources.list.d sed -e "s/@DIST@/`lsb_release -cs`/" misc/qubes-r3.list.in > $(DESTDIR)/etc/apt/sources.list.d/qubes-r3.list install -D -m 644 misc/qubes-archive-keyring.gpg $(DESTDIR)/etc/apt/trusted.gpg.d/qubes-archive-keyring.gpg - install -D -m 644 network/iptables $(DESTDIR)/etc/iptables/rules.v4 - install -D -m 644 network/ip6tables $(DESTDIR)/etc/iptables/rules.v6 install -D -m 644 network/00notify-hook $(DESTDIR)/etc/apt/apt.conf.d/00notify-hook install -d $(DESTDIR)/etc/sysctl.d install -m 644 network/80-qubes.conf $(DESTDIR)/etc/sysctl.d/ diff --git a/network/qubes-iptables b/network/qubes-iptables new file mode 100755 index 0000000..d759df3 --- /dev/null +++ b/network/qubes-iptables 
@@ -0,0 +1,59 @@ +#!/bin/bash +# +# qubes-iptables Start Qubes base iptables firewall +# +# chkconfig: 2345 08 92 +# description: Loads iptables firewall +# +# config: /etc/qubes/iptables.rules +# config: /etc/qubes/ip6tables.rules +# +### BEGIN INIT INFO +# Provides: iptables +# Required-Start: +# Required-Stop: +# Default-Start: 2 3 4 5 +# Default-Stop: 0 1 6 +# Short-Description: Loads Qubes base iptables firewall +# Description: Loads Qubes base iptables firewall +### END INIT INFO + +IPTABLES=iptables +IPTABLES_DATA_DIR=/etc/qubes + +if [ ! -x /sbin/$IPTABLES ]; then + echo $"${IPTABLES}: /sbin/$IPTABLES does not exist." + exit 5 +fi + +start() { + ipt=$1 + IPTABLES_DATA=$IPTABLES_DATA_DIR/${ipt}.rules + CMD=$ipt + # Do not start if there is no config file. + [ ! -f "$IPTABLES_DATA" ] && return 6 + + echo -n $"${CMD}: Applying firewall rules: " + + $CMD-restore $IPTABLES_DATA + if [ $? -eq 0 ]; then + echo OK + else + echo FAIL; return 1 + fi + + return $ret +} + +case "$1" in + start) + start iptables && start ip6tables + RETVAL=$? + ;; + *) + echo $"Usage: ${IPTABLES} start" + RETVAL=2 + ;; +esac + +exit $RETVAL diff --git a/rpm_spec/core-vm.spec b/rpm_spec/core-vm.spec index 21a968f..aa97771 100644 --- a/rpm_spec/core-vm.spec +++ b/rpm_spec/core-vm.spec @@ -37,7 +37,6 @@ Requires: yum-plugin-post-transaction-actions Requires: NetworkManager >= 0.8.1-1 %if %{fedora} >= 18 # Fedora >= 18 defaults to firewalld, which isn't supported nor needed by Qubes -Requires: iptables-services Conflicts: firewalld %endif Requires: /usr/bin/mimeopen 
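Review bot: `return $ret` at the end of start() references a variable that is never assigned, so the function's exit status silently falls back to that of the preceding `echo OK`; it should be an explicit `return 0`. The `start iptables && start ip6tables` dispatch also means that any failure on the IPv4 side (including a missing /etc/qubes/iptables.rules, return 6) skips the IPv6 ruleset entirely, leaving ip6tables at its default ACCEPT policies; if that is not intended, run both loads and report the first non-zero status. The commit message cites the lack of `iptables --wait` as a motivation, yet `$CMD-restore` is invoked without any lock handling, so if the installed iptables-restore lacks `-w` the original race is not addressed here, and the existence check covers only /sbin/iptables, not ip6tables-restore. The usage message prints `${IPTABLES}` where `$0` is meant. The LSB header's `Provides: iptables` also duplicates the facility name of the distribution's own iptables init script; `Provides: qubes-iptables` avoids a clash when both are installed.
```bash
start() {
    ipt=$1
    IPTABLES_DATA=$IPTABLES_DATA_DIR/${ipt}.rules
    CMD=$ipt
    # Do not start if there is no config file.
    [ ! -f "$IPTABLES_DATA" ] && return 6

    echo -n $"${CMD}: Applying firewall rules: "

    if "$CMD-restore" "$IPTABLES_DATA"; then
        echo OK
        return 0
    fi
    echo FAIL
    return 1
}

case "$1" in
    start)
        # Load both rulesets; a failed IPv4 load must not leave IPv6 unfiltered.
        start iptables; RETVAL=$?
        start ip6tables; RET6=$?
        [ "$RETVAL" -eq 0 ] && RETVAL=$RET6
        ;;
    # … unchanged: usage branch …
esac
```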
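Review bot: With `Requires: iptables-services` dropped, nothing visible in this hunk requires the `iptables` package itself, which provides the /sbin/iptables and iptables-restore/ip6tables-restore binaries the new /usr/lib/qubes/init/qubes-iptables script depends on (the script exits 5 when /sbin/iptables is missing). iptables-services previously pulled that in transitively; unless a `Requires: iptables` exists outside the hunk, add one here so the base firewall can still be loaded on a minimal install.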
@@ -120,9 +119,6 @@ usermod -L user (cd qrexec; make install DESTDIR=$RPM_BUILD_ROOT) make install-vm DESTDIR=$RPM_BUILD_ROOT -cp -p $RPM_BUILD_ROOT/usr/lib/qubes/init/iptables $RPM_BUILD_ROOT/etc/sysconfig/iptables.qubes -cp -p $RPM_BUILD_ROOT/usr/lib/qubes/init/ip6tables $RPM_BUILD_ROOT/etc/sysconfig/ip6tables.qubes - %triggerin -- initscripts if [ -e /etc/init/serial.conf ]; then cp /usr/share/qubes/serial.conf /etc/init/serial.conf @@ -131,25 +127,6 @@ fi %triggerin -- pulseaudio-module-x11 /usr/bin/qubes-desktop-file-install --force --dir /var/lib/qubes/xdg/autostart --remove-show-in --add-not-show-in X-QUBES /etc/xdg/autostart/pulseaudio.desktop -%triggerin -- iptables -if ! grep -q IPTABLES_DATA /etc/sysconfig/iptables-config; then - cat <>/etc/sysconfig/iptables-config - -### Automatically added by Qubes: -# Override default rules location on Qubes -IPTABLES_DATA=/etc/sysconfig/iptables.qubes -EOF -fi - -if ! grep -q IP6TABLES_DATA /etc/sysconfig/ip6tables-config; then - cat <>/etc/sysconfig/ip6tables-config - -### Automatically added by Qubes: -# Override default rules location on Qubes -IP6TABLES_DATA=/etc/sysconfig/ip6tables.qubes -EOF -fi - %post # disable some Upstart services @@ -203,16 +180,6 @@ EOF fi fi -# Make sure that /etc/sysconfig/ip(|6)tables exists. Otherwise iptales.service -# would not start (even when configured to use another configuration file. -if [ ! -e '/etc/sysconfig/iptables' ]; then - ln -s iptables.qubes /etc/sysconfig/iptables -fi -if [ ! -e '/etc/sysconfig/ip6tables' ]; then - ln -s ip6tables.qubes /etc/sysconfig/ip6tables -fi - - # ensure that hostname resolves to 127.0.0.1 resp. ::1 and that /etc/hosts is # in the form expected by qubes-sysinit.sh if ! grep -rq "^/etc/hostname$" "${PROTECTED_FILE_LIST}" 2>/dev/null; then 
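Review bot: The removed `%triggerin -- iptables` and `%post` blocks had appended `IPTABLES_DATA=/etc/sysconfig/iptables.qubes` (and the ip6tables equivalent) to /etc/sysconfig/iptables-config and created the /etc/sysconfig/iptables -> iptables.qubes symlinks on existing installs, and nothing in this change reverts that on upgrade. Once iptables.qubes and ip6tables.qubes are no longer packaged, those symlinks presumably dangle and the override still points the now-disabled iptables.service at a missing file, so anyone who re-enables it gets a failing unit. A short cleanup on the upgrade path in `%post` (the `else` branch of the `[ $1 -eq 1 ]` test further down) that removes the Qubes-added lines and the two symlinks when they point at *.qubes would leave upgraded VMs consistent.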
@@ -357,10 +324,8 @@ rm -f %{name}-%{version} %config(noreplace) /etc/qubes-rpc/qubes.GetImageRGBA %config(noreplace) /etc/qubes-rpc/qubes.SetDateTime %config(noreplace) /etc/sudoers.d/qubes -%config(noreplace) /etc/sysconfig/iptables.qubes -%config(noreplace) /etc/sysconfig/ip6tables.qubes -/usr/lib/qubes/init/iptables -/usr/lib/qubes/init/ip6tables +%config(noreplace) /etc/qubes/iptables.rules +%config(noreplace) /etc/qubes/ip6tables.rules %config(noreplace) /etc/tinyproxy/filter-updates %config(noreplace) /etc/tinyproxy/tinyproxy-updates.conf %config(noreplace) /etc/udev/rules.d/50-qubes-misc.rules @@ -451,6 +416,7 @@ The Qubes core startup configuration for SysV init (or upstart). /etc/init.d/qubes-core-netvm /etc/init.d/qubes-firewall /etc/init.d/qubes-netwatcher +/etc/init.d/qubes-iptables /etc/init.d/qubes-updates-proxy /etc/init.d/qubes-qrexec-agent /etc/sysconfig/modules/qubes-core.modules @@ -476,8 +442,6 @@ done chkconfig rsyslog on chkconfig haldaemon on chkconfig messagebus on -chkconfig iptables on -chkconfig ip6tables on chkconfig --add qubes-core || echo "WARNING: Cannot add service qubes-core!" chkconfig qubes-core on || echo "WARNING: Cannot enable service qubes-core!" chkconfig --add qubes-core-netvm || echo "WARNING: Cannot add service qubes-core-netvm!" 
@@ -488,6 +452,8 @@ chkconfig --add qubes-firewall || echo "WARNING: Cannot add service qubes-firewa chkconfig qubes-firewall on || echo "WARNING: Cannot enable service qubes-firewall!" chkconfig --add qubes-netwatcher || echo "WARNING: Cannot add service qubes-netwatcher!" chkconfig qubes-netwatcher on || echo "WARNING: Cannot enable service qubes-netwatcher!" +chkconfig --add qubes-iptables || echo "WARNING: Cannot add service qubes-iptables!" +chkconfig qubes-iptables on || echo "WARNING: Cannot enable service qubes-iptables!" chkconfig --add qubes-updates-proxy || echo "WARNING: Cannot add service qubes-updates-proxy!" chkconfig qubes-updates-proxy on || echo "WARNING: Cannot enable service qubes-updates-proxy!" chkconfig --add qubes-qrexec-agent || echo "WARNING: Cannot add service qubes-qrexec-agent!" @@ -531,6 +497,7 @@ The Qubes core startup configuration for SystemD init. /lib/systemd/system/qubes-mount-home.service /lib/systemd/system/qubes-netwatcher.service /lib/systemd/system/qubes-network.service +/lib/systemd/system/qubes-iptables.service /lib/systemd/system/qubes-sysinit.service /lib/systemd/system/qubes-update-check.service /lib/systemd/system/qubes-update-check.timer @@ -542,6 +509,7 @@ The Qubes core startup configuration for SystemD init. %dir /usr/lib/qubes/init /usr/lib/qubes/init/prepare-dvm.sh /usr/lib/qubes/init/network-proxy-setup.sh +/usr/lib/qubes/init/qubes-iptables /usr/lib/qubes/init/misc-post.sh /usr/lib/qubes/init/misc-post-stop.sh /usr/lib/qubes/init/mount-home.sh 
@@ -565,11 +533,14 @@ if [ $1 -eq 1 ]; then else services="qubes-dvm qubes-misc-post qubes-firewall qubes-mount-home" services="$services qubes-netwatcher qubes-network qubes-sysinit" - services="$services qubes-updates-proxy qubes-qrexec-agent" + services="$services qubes-iptables qubes-updates-proxy qubes-qrexec-agent" for srv in $services; do /bin/systemctl --no-reload preset $srv.service done /bin/systemctl --no-reload preset qubes-update-check.timer + # Upgrade path - now qubes-iptables is used instead + /bin/systemctl --no-reload preset iptables.service + /bin/systemctl --no-reload preset ip6tables.service fi # Set default "runlevel" diff --git a/vm-systemd/75-qubes-vm.preset b/vm-systemd/75-qubes-vm.preset index af03f06..bbf812b 100644 --- a/vm-systemd/75-qubes-vm.preset +++ b/vm-systemd/75-qubes-vm.preset @@ -42,6 +42,8 @@ disable fedora-storage-init.service disable fedora-storage-init-late.service disable hwclock-load.service disable ipmi.service +disable iptables.service +disable ip6tables.service disable irqbalance.service disable mcelog.service disable mdmonitor-takeover.service @@ -68,7 +70,6 @@ enable qubes-mount-home.service enable qubes-firewall.service enable qubes-netwatcher.service enable qubes-meminfo-writer.service -enable iptables.service -enable ip6tables.service +enable qubes-iptables.service enable haveged.service enable chronyd.service diff --git a/vm-systemd/qubes-iptables.service b/vm-systemd/qubes-iptables.service new file mode 100644 index 0000000..065347d --- /dev/null +++ b/vm-systemd/qubes-iptables.service @@ -0,0 +1,12 @@ +[Unit] +Description=Qubes base firewall settings + +[Service] +Type=oneshot +RemainAfterExit=yes +ExecStart=/usr/lib/qubes/init/qubes-iptables start +StandardOutput=syslog +StandardError=syslog + +[Install] +WantedBy=basic.target diff --git a/vm-systemd/qubes-network.service b/vm-systemd/qubes-network.service index 6a90a59..b159441 100644 --- a/vm-systemd/qubes-network.service 
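Review bot: The two added `preset` calls target iptables.service and ip6tables.service, which belong to iptables-services, a package this series no longer requires, so on VMs where it is absent `systemctl preset` will report an unknown unit on every upgrade. Guard them on the unit file's existence, e.g. `for u in iptables ip6tables; do [ -e /lib/systemd/system/$u.service ] && /bin/systemctl --no-reload preset $u.service; done`, and extend the comment to say the preset file now disables these units so the old firewall loader cannot race the new one.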
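Review bot: The unit orders nothing against network bring-up: it is only `WantedBy=basic.target`, and while qubes-network.service and qubes-updates-proxy.service order after it, NetworkManager or the Xen netfront interfaces are not, so an interface can come up before the base ruleset is loaded and be briefly reachable under the default ACCEPT policies. If the systemd versions in use provide network-pre.target, add `Before=network-pre.target` and `Wants=network-pre.target` to [Unit], which is the standard way to run a firewall loader ahead of every network service. `ExecStart` also hard-codes /usr/lib/qubes/init/qubes-iptables while the Makefile installs the script under `$(DESTDIR)$(LIBDIR)/qubes/init/`; if LIBDIR can differ from /usr/lib on some target, the unit would point at a missing file.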
+++ b/vm-systemd/qubes-network.service @@ -2,7 +2,7 @@ Description=Qubes network forwarding setup ConditionPathExists=/var/run/qubes-service/qubes-network Before=network.target -After=iptables.service +After=qubes-iptables.service [Service] Type=oneshot diff --git a/vm-systemd/qubes-updates-proxy.service b/vm-systemd/qubes-updates-proxy.service index cb88922..c89a785 100644 --- a/vm-systemd/qubes-updates-proxy.service +++ b/vm-systemd/qubes-updates-proxy.service @@ -2,7 +2,7 @@ Description=Qubes updates proxy (tinyproxy) ConditionPathExists=|/var/run/qubes-service/qubes-yum-proxy ConditionPathExists=|/var/run/qubes-service/qubes-updates-proxy -After=iptables.service +After=qubes-iptables.service [Service] ExecStartPre=/usr/bin/install -d --owner tinyproxy --group tinyproxy /var/run/tinyproxy From 3ccbde9a3ca4fee04b45822e3cbcc536ea01e976 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?= Date: Sun, 9 Aug 2015 20:32:35 +0200 Subject: [PATCH 3/3] debian: disable netfilter-persistent.service This is now handled by qubes-iptables.service qubesos/qubes-issues#1067 --- Makefile | 3 +++ vm-systemd/netfilter-persistent.service.d/30_qubes.conf | 2 ++ 2 files changed, 5 insertions(+) create mode 100644 vm-systemd/netfilter-persistent.service.d/30_qubes.conf diff --git a/Makefile b/Makefile index e0b2e95..d4344e1 100644 --- a/Makefile +++ b/Makefile @@ -63,6 +63,9 @@ ifeq ($(shell lsb_release -is), Debian) # Wheezy Dropins # Disable sysinit 'network-manager.service' since systemd 'NetworkManager.service' is already installed DROPINS += $(strip $(if $(filter wheezy, $(shell lsb_release -cs)), network-manager.service,)) + + # handled by qubes-iptables service now + DROPINS += netfilter-persistent.service endif install-systemd-dropins: diff --git a/vm-systemd/netfilter-persistent.service.d/30_qubes.conf b/vm-systemd/netfilter-persistent.service.d/30_qubes.conf new file mode 100644 index 0000000..f71617f --- /dev/null 
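Review bot: `After=qubes-iptables.service` only orders start-up; it does not make qubes-network.service depend on the firewall having loaded, so if iptables-restore fails (the script returns 1 and the oneshot unit ends up failed) forwarding is still configured and the VM routes traffic with the base ruleset absent. If the intent is fail-closed, add `Requires=qubes-iptables.service` next to the After= line here, and the same applies to the identical hunk in vm-systemd/qubes-updates-proxy.service. Note that a missing /etc/qubes/iptables.rules makes the script return 6, which would then also hold back these units; that looks like the desired behaviour but is worth stating in a comment in the unit.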
+++ b/vm-systemd/netfilter-persistent.service.d/30_qubes.conf @@ -0,0 +1,2 @@ +[Unit] +ConditionPathExists=/var/run/qubes-service/netfilter-persistent
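Review bot: The drop-in makes netfilter-persistent.service conditional on a /var/run/qubes-service/netfilter-persistent flag rather than disabling it outright as the commit title says; when that flag is set, both it and qubes-iptables.service run with no ordering declared between them, so whichever restore runs last replaces the other's tables and the base ruleset may be silently overwritten. If keeping the opt-in is intended, say so in the file (`# Runs only when the netfilter-persistent qubes-service flag is set; its rules replace those loaded by qubes-iptables.service`) and consider adding `After=qubes-iptables.service` to the [Unit] section so the outcome is deterministic.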