update_connected_ips: reload nftables using one command

Get rid of race condition between flushing the chains
and adding new rules.

qubesagent/firewall.py

@@ -515,22 +515,20 @@ class NftablesWorker(FirewallWorker):
         family_name = ('ip6' if family == 6 else 'ip')
         table = 'qubes-firewall'
 
-        self.run_nft((
+        nft_input = (
             'flush chain {family_name} {table} prerouting\n'
             'flush chain {family_name} {table} postrouting\n'
-        ).format(family_name=family_name, table=table))
+        ).format(family_name=family_name, table=table)
 
         ips = self.get_connected_ips(family)
-        if not ips:
-            return
-
+        if ips:
             addr = '{' + ', '.join(ips) + '}'
             irule = 'iifname != "vif*" {family_name} saddr {addr} drop\n'.format(
                 family_name=family_name, addr=addr)
             orule = 'oifname != "vif*" {family_name} daddr {addr} drop\n'.format(
                 family_name=family_name, addr=addr)
 
-        nft_input = (
+            nft_input += (
                 'table {family_name} {table} {{\n'
                 '  chain prerouting {{\n'
                 '    {irule}'
@@ -545,6 +543,7 @@ class NftablesWorker(FirewallWorker):
                 irule=irule,
                 orule=orule,
             )
+
         self.run_nft(nft_input)
 
     def prepare_rules(self, chain, rules, family):

qubesagent/test_firewall.py

@@ -553,8 +553,7 @@ class TestNftablesWorker(TestCase):
 
         self.assertEqual(self.obj.loaded_rules, [
             'flush chain ip qubes-firewall prerouting\n'
-            'flush chain ip qubes-firewall postrouting\n',
-
+            'flush chain ip qubes-firewall postrouting\n'
             'table ip qubes-firewall {\n'
             '  chain prerouting {\n'
             '    iifname != "vif*" ip saddr {10.137.0.1, 10.137.0.2} drop\n'