Merge commit '66b3e628f2bf0ec8f23b0b42484d014e5cad23bf' into conntrack-purge

debian/qubes-core-agent-networking.install

@@ -11,8 +11,12 @@ etc/xen/scripts/vif-route-qubes
 lib/systemd/system/qubes-firewall.service
 lib/systemd/system/qubes-iptables.service
 lib/systemd/system/qubes-network.service
+lib/systemd/system/qubes-network-uplink.service
+lib/systemd/system/qubes-network-uplink@.service
 lib/systemd/system/qubes-updates-proxy.service
 usr/lib/qubes/init/network-proxy-setup.sh
+usr/lib/qubes/init/network-proxy-stop.sh
+usr/lib/qubes/init/network-uplink-wait.sh
 usr/lib/qubes/init/qubes-iptables
 usr/lib/qubes/iptables-updates-proxy
 usr/lib/qubes/qubes-setup-dnat-to-ns

init/functions

@@ -118,7 +118,7 @@ umount_retry() {
 
 get_mac_from_iface() {
     local iface="$1"
-    local mac
+    local mac=
     if [ "x$iface" != "x" ] && [ -e "/sys/class/net/$iface" ]; then
         mac="$(cat "/sys/class/net/$iface/address")"
     fi
@@ -127,7 +127,7 @@ get_mac_from_iface() {
 
 get_iface_from_mac() {
     local mac="$1"
-    local iface
+    local iface=
     if [ "x$mac" != "x" ]; then
         iface="$(ip -o link | grep -i "$mac" | awk '{print $2}' | cut -d ':' -f1)"
     fi
@@ -141,7 +141,7 @@ get_qubes_managed_iface() {
     qubes_iface="$(get_iface_from_mac "$mac")"
     if [ "x$qubes_iface" != "x" ]; then
         echo "$qubes_iface"
-    else
+    elif [ -e /sys/class/net/eth0 ]; then
         echo eth0
     fi
 }

network/ip6tables-enabled

@@ -26,6 +26,7 @@ COMMIT
 -A INPUT -m state --state INVALID -j DROP
 -A INPUT -i lo -j ACCEPT
 -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+-A INPUT ! -i vif+ -p udp -s fe80::/64 -d fe80::/64 --dport 546 -j ACCEPT
 -A INPUT -i vif+ -p icmpv6 --icmpv6-type router-advertisement -j DROP
 -A INPUT -i vif+ -p icmpv6 --icmpv6-type redirect -j DROP
 -A INPUT -i vif+ -p icmpv6 -j ACCEPT

network/setup-ip

@@ -173,67 +173,80 @@ qubes_ip_change_hook() {
 
 have_qubesdb || exit 0
 
-if [ -n "$INTERFACE" ]; then
-    if [ "$ACTION" == "add" ]; then
-        MAC="$(get_mac_from_iface "$INTERFACE")"
-        if [ -n "$MAC" ]; then
-            ip="$(/usr/bin/qubesdb-read "/net-config/$MAC/ip" 2> /dev/null)" || ip=
-            ip6="$(/usr/bin/qubesdb-read "/net-config/$MAC/ip6" 2> /dev/null)" || ip6=
-            netmask="$(/usr/bin/qubesdb-read "/net-config/$MAC/netmask" 2> /dev/null)" || netmask=
-            netmask6="$(/usr/bin/qubesdb-read "/net-config/$MAC/netmask6" 2> /dev/null)" || netmask6=
-            gateway="$(/usr/bin/qubesdb-read "/net-config/$MAC/gateway" 2> /dev/null)" || gateway=
-            gateway6="$(/usr/bin/qubesdb-read "/net-config/$MAC/gateway6" 2> /dev/null)" || gateway6=
-
-            # Handle legacy values
-            LEGACY_MAC="$(/usr/bin/qubesdb-read /qubes-mac 2> /dev/null)" || LEGACY_MAC=
-            if [ "$MAC" == "$LEGACY_MAC" ] || [ -z "$LEGACY_MAC" ]; then
-                if [ -z "$ip" ]; then
-                    ip="$(/usr/bin/qubesdb-read /qubes-ip 2> /dev/null)" || ip=
-                fi
-                if [ -z "$ip6" ]; then
-                    ip6="$(/usr/bin/qubesdb-read /qubes-ip6 2> /dev/null)" || ip6=
-                fi
-                if [ -z "$gateway" ]; then
-                    gateway="$(/usr/bin/qubesdb-read /qubes-gateway 2> /dev/null)" || gateway=
-                fi
-                if [ -z "$gateway6" ]; then
-                    gateway6="$(/usr/bin/qubesdb-read /qubes-gateway6 2> /dev/null)" || gateway6=
-                fi
-            fi
+ACTION="$1"
+INTERFACE="$2"
 
-            if [ -z "$netmask" ]; then
-                netmask="255.255.255.255"
+if [ -z "$INTERFACE" ]; then
+    echo "Missing INTERFACE argument" >&2
+    exit 1
+fi
+
+if [ "$ACTION" == "add" ]; then
+    MAC="$(get_mac_from_iface "$INTERFACE")"
+    if [ -n "$MAC" ]; then
+        ip="$(/usr/bin/qubesdb-read "/net-config/$MAC/ip" 2> /dev/null)" || ip=
+        ip6="$(/usr/bin/qubesdb-read "/net-config/$MAC/ip6" 2> /dev/null)" || ip6=
+        netmask="$(/usr/bin/qubesdb-read "/net-config/$MAC/netmask" 2> /dev/null)" || netmask=
+        netmask6="$(/usr/bin/qubesdb-read "/net-config/$MAC/netmask6" 2> /dev/null)" || netmask6=
+        gateway="$(/usr/bin/qubesdb-read "/net-config/$MAC/gateway" 2> /dev/null)" || gateway=
+        gateway6="$(/usr/bin/qubesdb-read "/net-config/$MAC/gateway6" 2> /dev/null)" || gateway6=
+
+        # Handle legacy values
+        LEGACY_MAC="$(/usr/bin/qubesdb-read /qubes-mac 2> /dev/null)" || LEGACY_MAC=
+        if [ "$MAC" == "$LEGACY_MAC" ] || [ -z "$LEGACY_MAC" ]; then
+            if [ -z "$ip" ]; then
+                ip="$(/usr/bin/qubesdb-read /qubes-ip 2> /dev/null)" || ip=
+            fi
+            if [ -z "$ip6" ]; then
+                ip6="$(/usr/bin/qubesdb-read /qubes-ip6 2> /dev/null)" || ip6=
+            fi
+            if [ -z "$gateway" ]; then
+                gateway="$(/usr/bin/qubesdb-read /qubes-gateway 2> /dev/null)" || gateway=
             fi
-            if [ -z "$netmask6" ]; then
-                netmask6="128"
+            if [ -z "$gateway6" ]; then
+                gateway6="$(/usr/bin/qubesdb-read /qubes-gateway6 2> /dev/null)" || gateway6=
             fi
+        fi
 
-            primary_dns=$(/usr/bin/qubesdb-read /qubes-primary-dns 2>/dev/null) || primary_dns=
-            secondary_dns=$(/usr/bin/qubesdb-read /qubes-secondary-dns 2>/dev/null) || secondary_dns=
+        if [ -z "$netmask" ]; then
+            netmask="255.255.255.255"
+        fi
+        if [ -z "$netmask6" ]; then
+            netmask6="128"
+        fi
 
-            if [ -n "$ip" ]; then
-                /sbin/ethtool -K "$INTERFACE" sg off
-                /sbin/ethtool -K "$INTERFACE" tx off
+        primary_dns=$(/usr/bin/qubesdb-read /qubes-primary-dns 2>/dev/null) || primary_dns=
+        secondary_dns=$(/usr/bin/qubesdb-read /qubes-secondary-dns 2>/dev/null) || secondary_dns=
 
-                # If NetworkManager is enabled, let it configure the network
-                if qsvc network-manager && [ -e /usr/bin/nmcli ]; then
-                    configure_network_nm "$MAC" "$INTERFACE" "$ip" "$ip6" "$netmask" "$netmask6" "$gateway" "$gateway6" "$primary_dns" "$secondary_dns"
-                else
-                    configure_network "$MAC" "$INTERFACE" "$ip" "$ip6" "$netmask" "$netmask6" "$gateway" "$gateway6" "$primary_dns" "$secondary_dns"
-                fi
+        if [ -n "$ip" ]; then
+            /sbin/ethtool -K "$INTERFACE" sg off
+            /sbin/ethtool -K "$INTERFACE" tx off
 
-                network=$(qubesdb-read /qubes-netvm-network 2>/dev/null) || network=
-                if [ -n "$network" ]; then
-                    if ! qsvc disable-dns-server; then
-                        configure_qubes_ns
-                    fi
-                    qubes_ip_change_hook
+            # If NetworkManager is enabled, let it configure the network
+            if qsvc network-manager && [ -e /usr/bin/nmcli ]; then
+                configure_network_nm "$MAC" "$INTERFACE" "$ip" "$ip6" "$netmask" "$netmask6" "$gateway" "$gateway6" "$primary_dns" "$secondary_dns"
+            else
+                configure_network "$MAC" "$INTERFACE" "$ip" "$ip6" "$netmask" "$netmask6" "$gateway" "$gateway6" "$primary_dns" "$secondary_dns"
+            fi
+
+            network=$(qubesdb-read /qubes-netvm-network 2>/dev/null) || network=
+            if [ -n "$network" ]; then
+                if ! qsvc disable-dns-server; then
+                    configure_qubes_ns
                 fi
+                qubes_ip_change_hook
             fi
         fi
-    elif [ "$ACTION" == "remove" ]; then
-        # If exists, we delete NetworkManager configuration file to prevent duplicate entries
-        nm_config="/etc/NetworkManager/system-connections/qubes-uplink-$INTERFACE"
-        rm -rf "$nm_config"
     fi
+elif [ "$ACTION" == "remove" ]; then
+    # make sure network is disabled, especially on shutdown, to prevent
+    # leaks when firewall will get stopped too
+    ip link set "$INTERFACE" down 2>/dev/null || :
+
+    # If exists, we delete NetworkManager configuration file to prevent duplicate entries
+    nm_config="/etc/NetworkManager/system-connections/qubes-uplink-$INTERFACE"
+    rm -rf "$nm_config"
+else
+    echo "Invalid action '$ACTION'" >&2
+    exit 1
 fi

network/udev-qubes-network.rules

@@ -1,5 +1,5 @@
 # old udev has ENV{ID_NET_DRIVER}
-SUBSYSTEMS=="xen", KERNEL=="eth*", ACTION=="add", ENV{ID_NET_DRIVER}=="vif", RUN+="/usr/lib/qubes/setup-ip"
-SUBSYSTEMS=="net", KERNEL=="eth*", ACTION=="remove", ENV{ID_NET_DRIVER}=="vif", RUN+="/usr/lib/qubes/setup-ip"
+SUBSYSTEMS=="xen", KERNEL=="eth*", ACTION=="add", ENV{ID_NET_DRIVER}=="vif", ENV{SYSTEMD_WANTS}+="qubes-network-uplink@%k.service"
+SUBSYSTEMS=="net", KERNEL=="eth*", ACTION=="remove", ENV{ID_NET_DRIVER}=="vif", ENV{SYSTEMD_WANTS}+="qubes-network-uplink@%k.service"
 # new udev has DRIVERS
-SUBSYSTEMS=="xen", KERNEL=="eth*", ACTION=="add", DRIVERS=="vif", RUN+="/usr/lib/qubes/setup-ip"
+SUBSYSTEMS=="xen", KERNEL=="eth*", ACTION=="add", DRIVERS=="vif", ENV{SYSTEMD_WANTS}+="qubes-network-uplink@%k.service"

rpm_spec/core-agent.spec.in

@@ -797,8 +797,12 @@ rm -f %{name}-%{version}
 /lib/systemd/system/qubes-firewall.service
 /lib/systemd/system/qubes-iptables.service
 /lib/systemd/system/qubes-network.service
+/lib/systemd/system/qubes-network-uplink.service
+/lib/systemd/system/qubes-network-uplink@.service
 /lib/systemd/system/qubes-updates-proxy.service
 /usr/lib/qubes/init/network-proxy-setup.sh
+/usr/lib/qubes/init/network-proxy-stop.sh
+/usr/lib/qubes/init/network-uplink-wait.sh
 /usr/lib/qubes/init/qubes-iptables
 /usr/lib/qubes/iptables-updates-proxy
 /usr/lib/qubes/qubes-setup-dnat-to-ns

vm-systemd/75-qubes-vm.preset

@@ -91,6 +91,7 @@ enable qubes-update-check.timer
 enable qubes-misc-post.service
 enable qubes-updates-proxy.service
 enable qubes-network.service
+enable qubes-network-uplink.service
 enable qubes-qrexec-agent.service
 enable qubes-mount-dirs.service
 enable qubes-rootfs-resize.service

vm-systemd/NetworkManager.service.d/30_qubes.conf

@@ -4,6 +4,8 @@ ConditionPathExists=/var/run/qubes-service/network-manager
 After=qubes-mount-dirs.service
 # For /var/run/qubes-service
 After=qubes-sysinit.service
+# For configuration of qubes-provided interfaces
+After=qubes-network-uplink.service
 
 [Service]
 ExecStartPre=/usr/lib/qubes/network-manager-prepare-conf-dir

vm-systemd/misc-post.sh

@@ -11,15 +11,6 @@ if [ -n "$(ls -A /usr/local/lib 2>/dev/null)" ] || \
     ldconfig
 fi
 
-# Set IP address again (besides action in udev rules); this is needed by
-# DispVM (to override DispVM-template IP) and in case when qubes-ip was
-# called by udev before loading evtchn kernel module - in which case
-# qubesdb-read fails
-QUBES_MANAGED_IFACE="$(get_qubes_managed_iface)"
-if [ "x$QUBES_MANAGED_IFACE" != "x" ]; then
-INTERFACE="$QUBES_MANAGED_IFACE" ACTION="add" /usr/lib/qubes/setup-ip
-fi
-
 if [ -x /rw/config/rc.local ] ; then
     /rw/config/rc.local
 fi

vm-systemd/network-proxy-stop.sh

@@ -0,0 +1,7 @@
+#!/bin/sh
+
+echo 0 > /proc/sys/net/ipv4/ip_forward
+# disable also IPv6 forwarding, if IPv6 applicable
+if [ -w /proc/sys/net/ipv6/conf/all/forwarding ]; then
+    echo 0 > /proc/sys/net/ipv6/conf/all/forwarding
+fi

vm-systemd/network-uplink-wait.sh

@@ -0,0 +1,16 @@
+#!/bin/sh
+
+# Source Qubes library.
+# shellcheck source=init/functions
+. /usr/lib/qubes/init/functions
+
+# Setup IP address at specific time of system boot, instead of asynchronously
+# by udev
+QUBES_MANAGED_IFACE="$(get_qubes_managed_iface)"
+if [ "x$QUBES_MANAGED_IFACE" != "x" ]; then
+    # systemd does not support conditional After= dependencies, nor a tool to
+    # just wait for the unit to be activated
+    # if the network interface is expected, use `systemctl start` to wait for
+    # it to be started - it would be started by udev (SYSTEMD_WANTS) anyway
+    systemctl start "qubes-network-uplink@$QUBES_MANAGED_IFACE.service"
+fi

vm-systemd/qubes-early-vm-config.service

@@ -1,7 +1,7 @@
 [Unit]
 Description=Early Qubes VM settings
 DefaultDependencies=no
-Before=sysinit.target
+Before=sysinit.target network-pre.target
 After=local-fs.target qubes-db.service
 
 [Service]

vm-systemd/qubes-network-uplink.service

@@ -0,0 +1,11 @@
+[Unit]
+Description=Qubes network uplink wait
+Before=network.target
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=/usr/lib/qubes/init/network-uplink-wait.sh
+
+[Install]
+WantedBy=multi-user.target

vm-systemd/qubes-network-uplink@.service

@@ -0,0 +1,11 @@
+[Unit]
+Description=Qubes network uplink (%i) setup
+After=network-pre.target qubes-iptables.service
+After=sys-subsystem-net-devices-%i.device
+BindsTo=sys-subsystem-net-devices-%i.device
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=/usr/lib/qubes/setup-ip add "%i"
+ExecStop=/usr/lib/qubes/setup-ip remove "%i"

vm-systemd/qubes-network.service

@@ -8,6 +8,7 @@ After=network-pre.target qubes-iptables.service
 Type=oneshot
 RemainAfterExit=yes
 ExecStart=/usr/lib/qubes/init/network-proxy-setup.sh
+ExecStop=/usr/lib/qubes/init/network-proxy-stop.sh
 
 [Install]
 WantedBy=multi-user.target