From f66a494cc2e5e84a19c4abe2d8f6516265457926 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?= Date: Thu, 12 Nov 2020 00:47:05 +0100 Subject: [PATCH 1/8] Allow DHCPv6 replies on uplink interface, if ipv6 is enabled Fixes QubesOS/qubes-issues#5886 --- network/ip6tables-enabled | 1 + 1 file changed, 1 insertion(+) diff --git a/network/ip6tables-enabled b/network/ip6tables-enabled index fc5aec1..d2e4a56 100644 --- a/network/ip6tables-enabled +++ b/network/ip6tables-enabled @@ -26,6 +26,7 @@ COMMIT -A INPUT -m state --state INVALID -j DROP -A INPUT -i lo -j ACCEPT -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT +-A INPUT ! -i vif+ -p udp -s fe80::/64 -d fe80::/64 --dport 546 -j ACCEPT -A INPUT -i vif+ -p icmpv6 --icmpv6-type router-advertisement -j DROP -A INPUT -i vif+ -p icmpv6 --icmpv6-type redirect -j DROP -A INPUT -i vif+ -p icmpv6 -j ACCEPT From 0caa7fcf75a7521b47a5652df4e3b0ef772ee2e1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?= Date: Thu, 12 Nov 2020 00:53:48 +0100 Subject: [PATCH 2/8] network: stop IP forwarding before disabling firewall Stop IP forwarding when stopping qubes-network service (which initially enables it). This makes ordering against qubes-firewall safe - firewall is applied before allowing IP forward and then is removed when IP forward is already disabled. Fixes QubesOS/qubes-issues#5599 --- debian/qubes-core-agent-networking.install | 1 + rpm_spec/core-agent.spec.in | 1 + vm-systemd/network-proxy-stop.sh | 7 +++++++ vm-systemd/qubes-network.service | 1 + 4 files changed, 10 insertions(+) create mode 100755 vm-systemd/network-proxy-stop.sh diff --git a/debian/qubes-core-agent-networking.install b/debian/qubes-core-agent-networking.install index 7f371ef..8c63f10 100644 --- a/debian/qubes-core-agent-networking.install +++ b/debian/qubes-core-agent-networking.install 
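Review bot: The new DHCPv6 rule accepts any link-local UDP datagram to port 546 on every non-vif interface regardless of its source port; a DHCPv6 server or relay answers from port 547, so the rule can be tightened without affecting the fix: `-A INPUT ! -i vif+ -p udp -s fe80::/64 -d fe80::/64 --sport 547 --dport 546 -j ACCEPT`. A one-line `# DHCPv6 replies (server port 547 -> client port 546) on the uplink` comment above it would also record why this rule is placed ahead of the vif+ ICMPv6 rules rather than after them.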
@@ -13,6 +13,7 @@ lib/systemd/system/qubes-iptables.service lib/systemd/system/qubes-network.service lib/systemd/system/qubes-updates-proxy.service usr/lib/qubes/init/network-proxy-setup.sh +usr/lib/qubes/init/network-proxy-stop.sh usr/lib/qubes/init/qubes-iptables usr/lib/qubes/iptables-updates-proxy usr/lib/qubes/qubes-setup-dnat-to-ns diff --git a/rpm_spec/core-agent.spec.in b/rpm_spec/core-agent.spec.in index 0ec54e0..3e663d3 100644 --- a/rpm_spec/core-agent.spec.in +++ b/rpm_spec/core-agent.spec.in @@ -799,6 +799,7 @@ rm -f %{name}-%{version} /lib/systemd/system/qubes-network.service /lib/systemd/system/qubes-updates-proxy.service /usr/lib/qubes/init/network-proxy-setup.sh +/usr/lib/qubes/init/network-proxy-stop.sh /usr/lib/qubes/init/qubes-iptables /usr/lib/qubes/iptables-updates-proxy /usr/lib/qubes/qubes-setup-dnat-to-ns diff --git a/vm-systemd/network-proxy-stop.sh b/vm-systemd/network-proxy-stop.sh new file mode 100755 index 0000000..4ef924e --- /dev/null +++ b/vm-systemd/network-proxy-stop.sh @@ -0,0 +1,7 @@ +#!/bin/sh + +echo 0 > /proc/sys/net/ipv4/ip_forward +# disable also IPv6 forwarding, if IPv6 applicable +if [ -w /proc/sys/net/ipv6/conf/all/forwarding ]; then + echo 0 > /proc/sys/net/ipv6/conf/all/forwarding +fi diff --git a/vm-systemd/qubes-network.service b/vm-systemd/qubes-network.service index c5aa410..5281bf1 100644 --- a/vm-systemd/qubes-network.service +++ b/vm-systemd/qubes-network.service @@ -8,6 +8,7 @@ After=network-pre.target qubes-iptables.service Type=oneshot RemainAfterExit=yes ExecStart=/usr/lib/qubes/init/network-proxy-setup.sh +ExecStop=/usr/lib/qubes/init/network-proxy-stop.sh [Install] WantedBy=multi-user.target From e344dcc4c90bcd5e04ec4f1c9a35c3a25dec8269 Mon Sep 17 00:00:00 2001 
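Review bot: In network-proxy-stop.sh the IPv4 write on the third line is unchecked and the script runs without `set -e`, so a failed write to /proc/sys/net/ipv4/ip_forward is silently ignored and the script still exits 0 when the IPv6 branch is skipped. Since this script exists precisely to stop forwarding before the firewall is torn down, the failure should be visible to systemd: `echo 0 > /proc/sys/net/ipv4/ip_forward || exit 1`, or `set -e` right after the shebang, mirroring the guarded IPv6 branch below it.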
From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?= Date: Thu, 12 Nov 2020 01:14:10 +0100 Subject: [PATCH 3/8] Order qubes-early-vm-config.service before networking Fixes QubesOS/qubes-issues#5570 --- vm-systemd/qubes-early-vm-config.service | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/vm-systemd/qubes-early-vm-config.service b/vm-systemd/qubes-early-vm-config.service index 36601b6..dddbc49 100644 --- a/vm-systemd/qubes-early-vm-config.service +++ b/vm-systemd/qubes-early-vm-config.service @@ -1,7 +1,7 @@ [Unit] Description=Early Qubes VM settings DefaultDependencies=no -Before=sysinit.target +Before=sysinit.target network-pre.target After=local-fs.target qubes-db.service [Service] From dd8de797e3bb0f60bdfc293228beb384242af352 Mon Sep 17 00:00:00 2001 
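Review bot: `Before=network-pre.target` only takes effect if something else pulls network-pre.target into the transaction; per systemd.special(7) it is a passive target, and units that must finish before networking are expected to declare `Wants=network-pre.target` alongside the `Before=`. Adding that line to the [Unit] section makes the ordering this commit relies on hold on its own rather than depending on another unit having pulled the target in.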
From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?= Date: Thu, 12 Nov 2020 01:37:12 +0100 Subject: [PATCH 4/8] Move network uplink setup to a separate service Previously, network uplink (eth0) was configured in two places: - udev (asynchronously) - qubes-misc-post.service - at the very end of the boot process This caused multiple issues: 1. Depending on udev event processing (non-deterministic), network uplink could be enabled too early, for example before setting up the firewall. 2. Again depending on udev processing, it can be enabled quite late in the boot process, after network.target is up and services assume the network is already configured. This for example causes qubes-firewall to fail DNS queries. 3. If udev happens to try to enable networking even earlier, it may happen before qubesdb-daemon is started, in which case network setup will fail. For this case, there was a network re-setup in the qubes-misc-post service - much later in the boot. Fix the above by placing network uplink setup in a dedicated qubes-network-uplink@${INTERFACE}.service unit ordered after network-pre.target and pulled in by udev based on vif device existence, to handle also dynamic network attach/detach. Then, create a qubes-network-uplink.service unit waiting for the appropriate interface-specific unit (if one is expected!) and order it before network.target. 
QubesOS/qubes-issues#5576 --- debian/qubes-core-agent-networking.install | 3 +++ network/setup-ip | 16 ++++++++++++++++ network/udev-qubes-network.rules | 6 +++--- rpm_spec/core-agent.spec.in | 3 +++ vm-systemd/75-qubes-vm.preset | 1 + vm-systemd/misc-post.sh | 9 --------- vm-systemd/network-uplink-wait.sh | 16 ++++++++++++++++ vm-systemd/qubes-network-uplink.service | 11 +++++++++++ vm-systemd/qubes-network-uplink@.service | 11 +++++++++++ 9 files changed, 64 insertions(+), 12 deletions(-) create mode 100644 vm-systemd/network-uplink-wait.sh create mode 100644 vm-systemd/qubes-network-uplink.service create mode 100644 vm-systemd/qubes-network-uplink@.service diff --git a/debian/qubes-core-agent-networking.install b/debian/qubes-core-agent-networking.install index 8c63f10..c26f251 100644 --- a/debian/qubes-core-agent-networking.install +++ b/debian/qubes-core-agent-networking.install @@ -11,9 +11,12 @@ etc/xen/scripts/vif-route-qubes lib/systemd/system/qubes-firewall.service lib/systemd/system/qubes-iptables.service lib/systemd/system/qubes-network.service +lib/systemd/system/qubes-network-uplink.service +lib/systemd/system/qubes-network-uplink@.service lib/systemd/system/qubes-updates-proxy.service usr/lib/qubes/init/network-proxy-setup.sh usr/lib/qubes/init/network-proxy-stop.sh +usr/lib/qubes/init/network-uplink-wait.sh usr/lib/qubes/init/qubes-iptables usr/lib/qubes/iptables-updates-proxy usr/lib/qubes/qubes-setup-dnat-to-ns diff --git a/network/setup-ip b/network/setup-ip index 35e9fba..fd2db18 100755 --- a/network/setup-ip +++ b/network/setup-ip @@ -173,6 +173,14 @@ qubes_ip_change_hook() { have_qubesdb || exit 0 +ACTION="$1" +INTERFACE="$2" + +if [ -z "$INTERFACE" ]; then + echo "Missing INTERFACE argument" >&2 + exit 1 +fi + if [ -n "$INTERFACE" ]; then if [ "$ACTION" == "add" ]; then MAC="$(get_mac_from_iface "$INTERFACE")" 
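Review bot: The new INTERFACE argument check sits below the existing `have_qubesdb || exit 0` context line, so a call with a missing argument exits 0 silently whenever qubesdb is unavailable, and the usage error is only reported on hosts where qubesdb is up. Moving `ACTION="$1"`, `INTERFACE="$2"` and the `[ -z "$INTERFACE" ]` check above the have_qubesdb line makes misuse visible regardless of qubesdb state; the message could also name the expected form, `echo "Usage: $0 add|remove INTERFACE" >&2`. The script continues outside the hunk.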
@@ -232,8 +240,16 @@ if [ -n "$INTERFACE" ]; then fi fi elif [ "$ACTION" == "remove" ]; then + # make sure network is disabled, especially on shutdown, to prevent + # leaks when firewall will get stopped too + ip link set "$INTERFACE" down 2>/dev/null || : + # If exists, we delete NetworkManager configuration file to prevent duplicate entries nm_config="/etc/NetworkManager/system-connections/qubes-uplink-$INTERFACE" rm -rf "$nm_config" + else + echo "Invalid action '$ACTION'" >&2 + exit 1 fi + fi diff --git a/network/udev-qubes-network.rules b/network/udev-qubes-network.rules index 0ae83b2..fde5fe9 100644 --- a/network/udev-qubes-network.rules +++ b/network/udev-qubes-network.rules @@ -1,5 +1,5 @@ # old udev has ENV{ID_NET_DRIVER} -SUBSYSTEMS=="xen", KERNEL=="eth*", ACTION=="add", ENV{ID_NET_DRIVER}=="vif", RUN+="/usr/lib/qubes/setup-ip" -SUBSYSTEMS=="net", KERNEL=="eth*", ACTION=="remove", ENV{ID_NET_DRIVER}=="vif", RUN+="/usr/lib/qubes/setup-ip" +SUBSYSTEMS=="xen", KERNEL=="eth*", ACTION=="add", ENV{ID_NET_DRIVER}=="vif", ENV{SYSTEMD_WANTS}+="qubes-network-uplink@%k.service" +SUBSYSTEMS=="net", KERNEL=="eth*", ACTION=="remove", ENV{ID_NET_DRIVER}=="vif", ENV{SYSTEMD_WANTS}+="qubes-network-uplink@%k.service" # new udev has DRIVERS -SUBSYSTEMS=="xen", KERNEL=="eth*", ACTION=="add", DRIVERS=="vif", RUN+="/usr/lib/qubes/setup-ip" +SUBSYSTEMS=="xen", KERNEL=="eth*", ACTION=="add", DRIVERS=="vif", ENV{SYSTEMD_WANTS}+="qubes-network-uplink@%k.service" diff --git a/rpm_spec/core-agent.spec.in b/rpm_spec/core-agent.spec.in index 3e663d3..17720ab 100644 --- a/rpm_spec/core-agent.spec.in +++ b/rpm_spec/core-agent.spec.in 
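Review bot: In the remove branch, `rm -rf "$nm_config"` applies recursive removal to what is a single NetworkManager connection file whose path is built from `$INTERFACE`; `rm -f -- "$nm_config"` does the same job and cannot take a directory with it if the name ever resolves unexpectedly. The same line reappears in the reindented block of PATCH 5/8, so both copies should change together. The enclosing `if [ -n "$INTERFACE" ]` starts outside the hunk.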
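Review bot: The `ACTION=="remove"` rule now adds `ENV{SYSTEMD_WANTS}+=` as well, but systemd only acts on SYSTEMD_WANTS when a device unit appears, and on removal the template instance is already stopped by its `BindsTo=sys-subsystem-net-devices-%i.device`; as far as I can tell from the hunk, the remove rule has become dead configuration. Either drop that line or put a comment above it saying why it is kept, e.g. `# remove: no RUN needed, qubes-network-uplink@.service is bound to the device and stops with it`.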
@@ -797,9 +797,12 @@ rm -f %{name}-%{version} /lib/systemd/system/qubes-firewall.service /lib/systemd/system/qubes-iptables.service /lib/systemd/system/qubes-network.service +/lib/systemd/system/qubes-network-uplink.service +/lib/systemd/system/qubes-network-uplink@.service /lib/systemd/system/qubes-updates-proxy.service /usr/lib/qubes/init/network-proxy-setup.sh /usr/lib/qubes/init/network-proxy-stop.sh +/usr/lib/qubes/init/network-uplink-wait.sh /usr/lib/qubes/init/qubes-iptables /usr/lib/qubes/iptables-updates-proxy /usr/lib/qubes/qubes-setup-dnat-to-ns diff --git a/vm-systemd/75-qubes-vm.preset b/vm-systemd/75-qubes-vm.preset index a2f6cd8..c0fcbe3 100644 --- a/vm-systemd/75-qubes-vm.preset +++ b/vm-systemd/75-qubes-vm.preset @@ -91,6 +91,7 @@ enable qubes-update-check.timer enable qubes-misc-post.service enable qubes-updates-proxy.service enable qubes-network.service +enable qubes-network-uplink.service enable qubes-qrexec-agent.service enable qubes-mount-dirs.service enable qubes-rootfs-resize.service diff --git a/vm-systemd/misc-post.sh b/vm-systemd/misc-post.sh index f284efd..1ffaae0 100755 --- a/vm-systemd/misc-post.sh +++ b/vm-systemd/misc-post.sh @@ -11,15 +11,6 @@ if [ -n "$(ls -A /usr/local/lib 2>/dev/null)" ] || \ ldconfig fi -# Set IP address again (besides action in udev rules); this is needed by -# DispVM (to override DispVM-template IP) and in case when qubes-ip was -# called by udev before loading evtchn kernel module - in which case -# qubesdb-read fails -QUBES_MANAGED_IFACE="$(get_qubes_managed_iface)" -if [ "x$QUBES_MANAGED_IFACE" != "x" ]; then -INTERFACE="$QUBES_MANAGED_IFACE" ACTION="add" /usr/lib/qubes/setup-ip -fi - if [ -x /rw/config/rc.local ] ; then /rw/config/rc.local fi diff --git a/vm-systemd/network-uplink-wait.sh b/vm-systemd/network-uplink-wait.sh new file mode 100644 index 0000000..bb0bc34 --- /dev/null +++ b/vm-systemd/network-uplink-wait.sh 
@@ -0,0 +1,16 @@ +#!/bin/sh + +# Source Qubes library. +# shellcheck source=init/functions +. /usr/lib/qubes/init/functions + +# Setup IP address at specific time of system boot, instead of asynchronously +# by udev +QUBES_MANAGED_IFACE="$(get_qubes_managed_iface)" +if [ "x$QUBES_MANAGED_IFACE" != "x" ]; then + # systemd does not support conditional After= dependencies, nor a tool to + # just wait for the unit to be activated + # if the network interface is expected, use `systemctl start` to wait for + # it to be started - it would be started by udev (SYSTEMD_WANTS) anyway + systemctl start "qubes-network-uplink@$QUBES_MANAGED_IFACE.service" +fi diff --git a/vm-systemd/qubes-network-uplink.service b/vm-systemd/qubes-network-uplink.service new file mode 100644 index 0000000..acf8649 --- /dev/null +++ b/vm-systemd/qubes-network-uplink.service @@ -0,0 +1,11 @@ +[Unit] +Description=Qubes network uplink wait +Before=network.target + +[Service] +Type=oneshot +RemainAfterExit=yes +ExecStart=/usr/lib/qubes/init/network-uplink-wait.sh + +[Install] +WantedBy=multi-user.target diff --git a/vm-systemd/qubes-network-uplink@.service b/vm-systemd/qubes-network-uplink@.service new file mode 100644 index 0000000..74bf689 --- /dev/null +++ b/vm-systemd/qubes-network-uplink@.service @@ -0,0 +1,11 @@ +[Unit] +Description=Qubes network uplink (%i) setup +After=network-pre.target qubes-iptables.service +After=sys-subsystem-net-devices-%i.device +BindsTo=sys-subsystem-net-devices-%i.device + +[Service] +Type=oneshot +RemainAfterExit=yes +ExecStart=/usr/lib/qubes/setup-ip add "%i" +ExecStop=/usr/lib/qubes/setup-ip remove "%i" From 6aa2b89fba734305aa14d0a50833df414a722383 Mon Sep 17 00:00:00 2001 
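Review bot: In network-uplink-wait.sh, `systemctl start "qubes-network-uplink@$QUBES_MANAGED_IFACE.service"` blocks until the instance's job finishes, and that job in turn waits on the device unit named in the template's `BindsTo=`; if the interface announced in qubesdb never shows up, qubes-network-uplink.service (Type=oneshot, which disables the start timeout by default) holds network.target for as long as the device job is pending. I would bound this explicitly with a `TimeoutStartSec=` in qubes-network-uplink.service and log which interface is being waited for, `echo "waiting for uplink $QUBES_MANAGED_IFACE" >&2`, so a stalled boot is diagnosable from the journal. The comment above the call could also state this blocking behaviour, since it is the reason the script exists.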
From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?= Date: Thu, 3 Dec 2020 20:51:49 +0100 Subject: [PATCH 5/8] Cleanup setup-ip script a bit There is no longer a case where $INTERFACE is not set. --- network/setup-ip | 121 +++++++++++++++++++++++------------------------ 1 file changed, 59 insertions(+), 62 deletions(-) diff --git a/network/setup-ip b/network/setup-ip index fd2db18..07c8568 100755 --- a/network/setup-ip +++ b/network/setup-ip 
@@ -181,75 +181,72 @@ if [ -z "$INTERFACE" ]; then exit 1 fi -if [ -n "$INTERFACE" ]; then - if [ "$ACTION" == "add" ]; then - MAC="$(get_mac_from_iface "$INTERFACE")" - if [ -n "$MAC" ]; then - ip="$(/usr/bin/qubesdb-read "/net-config/$MAC/ip" 2> /dev/null)" || ip= - ip6="$(/usr/bin/qubesdb-read "/net-config/$MAC/ip6" 2> /dev/null)" || ip6= - netmask="$(/usr/bin/qubesdb-read "/net-config/$MAC/netmask" 2> /dev/null)" || netmask= - netmask6="$(/usr/bin/qubesdb-read "/net-config/$MAC/netmask6" 2> /dev/null)" || netmask6= - gateway="$(/usr/bin/qubesdb-read "/net-config/$MAC/gateway" 2> /dev/null)" || gateway= - gateway6="$(/usr/bin/qubesdb-read "/net-config/$MAC/gateway6" 2> /dev/null)" || gateway6= +if [ "$ACTION" == "add" ]; then + MAC="$(get_mac_from_iface "$INTERFACE")" + if [ -n "$MAC" ]; then + ip="$(/usr/bin/qubesdb-read "/net-config/$MAC/ip" 2> /dev/null)" || ip= + ip6="$(/usr/bin/qubesdb-read "/net-config/$MAC/ip6" 2> /dev/null)" || ip6= + netmask="$(/usr/bin/qubesdb-read "/net-config/$MAC/netmask" 2> /dev/null)" || netmask= + netmask6="$(/usr/bin/qubesdb-read "/net-config/$MAC/netmask6" 2> /dev/null)" || netmask6= + gateway="$(/usr/bin/qubesdb-read "/net-config/$MAC/gateway" 2> /dev/null)" || gateway= + gateway6="$(/usr/bin/qubesdb-read "/net-config/$MAC/gateway6" 2> /dev/null)" || gateway6= - # Handle legacy values - LEGACY_MAC="$(/usr/bin/qubesdb-read /qubes-mac 2> /dev/null)" || LEGACY_MAC= - if [ "$MAC" == "$LEGACY_MAC" ] || [ -z "$LEGACY_MAC" ]; then - if [ -z "$ip" ]; then - ip="$(/usr/bin/qubesdb-read /qubes-ip 2> /dev/null)" || ip= - fi - if [ -z "$ip6" ]; then - ip6="$(/usr/bin/qubesdb-read /qubes-ip6 2> /dev/null)" || ip6= - fi - if [ -z "$gateway" ]; then - gateway="$(/usr/bin/qubesdb-read /qubes-gateway 2> /dev/null)" || gateway= - fi - if [ -z "$gateway6" ]; then - gateway6="$(/usr/bin/qubesdb-read /qubes-gateway6 2> /dev/null)" || gateway6= - fi + # Handle legacy values + LEGACY_MAC="$(/usr/bin/qubesdb-read /qubes-mac 2> /dev/null)" || 
LEGACY_MAC= + if [ "$MAC" == "$LEGACY_MAC" ] || [ -z "$LEGACY_MAC" ]; then + if [ -z "$ip" ]; then + ip="$(/usr/bin/qubesdb-read /qubes-ip 2> /dev/null)" || ip= fi - - if [ -z "$netmask" ]; then - netmask="255.255.255.255" + if [ -z "$ip6" ]; then + ip6="$(/usr/bin/qubesdb-read /qubes-ip6 2> /dev/null)" || ip6= fi - if [ -z "$netmask6" ]; then - netmask6="128" + if [ -z "$gateway" ]; then + gateway="$(/usr/bin/qubesdb-read /qubes-gateway 2> /dev/null)" || gateway= fi - - primary_dns=$(/usr/bin/qubesdb-read /qubes-primary-dns 2>/dev/null) || primary_dns= - secondary_dns=$(/usr/bin/qubesdb-read /qubes-secondary-dns 2>/dev/null) || secondary_dns= - - if [ -n "$ip" ]; then - /sbin/ethtool -K "$INTERFACE" sg off - /sbin/ethtool -K "$INTERFACE" tx off - - # If NetworkManager is enabled, let it configure the network - if qsvc network-manager && [ -e /usr/bin/nmcli ]; then - configure_network_nm "$MAC" "$INTERFACE" "$ip" "$ip6" "$netmask" "$netmask6" "$gateway" "$gateway6" "$primary_dns" "$secondary_dns" - else - configure_network "$MAC" "$INTERFACE" "$ip" "$ip6" "$netmask" "$netmask6" "$gateway" "$gateway6" "$primary_dns" "$secondary_dns" - fi - - network=$(qubesdb-read /qubes-netvm-network 2>/dev/null) || network= - if [ -n "$network" ]; then - if ! 
qsvc disable-dns-server; then - configure_qubes_ns - fi - qubes_ip_change_hook - fi + if [ -z "$gateway6" ]; then + gateway6="$(/usr/bin/qubesdb-read /qubes-gateway6 2> /dev/null)" || gateway6= fi fi - elif [ "$ACTION" == "remove" ]; then - # make sure network is disabled, especially on shutdown, to prevent - # leaks when firewall will get stopped too - ip link set "$INTERFACE" down 2>/dev/null || : - # If exists, we delete NetworkManager configuration file to prevent duplicate entries - nm_config="/etc/NetworkManager/system-connections/qubes-uplink-$INTERFACE" - rm -rf "$nm_config" - else - echo "Invalid action '$ACTION'" >&2 - exit 1 + if [ -z "$netmask" ]; then + netmask="255.255.255.255" + fi + if [ -z "$netmask6" ]; then + netmask6="128" + fi + + primary_dns=$(/usr/bin/qubesdb-read /qubes-primary-dns 2>/dev/null) || primary_dns= + secondary_dns=$(/usr/bin/qubesdb-read /qubes-secondary-dns 2>/dev/null) || secondary_dns= + + if [ -n "$ip" ]; then + /sbin/ethtool -K "$INTERFACE" sg off + /sbin/ethtool -K "$INTERFACE" tx off + + # If NetworkManager is enabled, let it configure the network + if qsvc network-manager && [ -e /usr/bin/nmcli ]; then + configure_network_nm "$MAC" "$INTERFACE" "$ip" "$ip6" "$netmask" "$netmask6" "$gateway" "$gateway6" "$primary_dns" "$secondary_dns" + else + configure_network "$MAC" "$INTERFACE" "$ip" "$ip6" "$netmask" "$netmask6" "$gateway" "$gateway6" "$primary_dns" "$secondary_dns" + fi + + network=$(qubesdb-read /qubes-netvm-network 2>/dev/null) || network= + if [ -n "$network" ]; then + if ! 
qsvc disable-dns-server; then + configure_qubes_ns + fi + qubes_ip_change_hook + fi + fi fi +elif [ "$ACTION" == "remove" ]; then + # make sure network is disabled, especially on shutdown, to prevent + # leaks when firewall will get stopped too + ip link set "$INTERFACE" down 2>/dev/null || : + # If exists, we delete NetworkManager configuration file to prevent duplicate entries + nm_config="/etc/NetworkManager/system-connections/qubes-uplink-$INTERFACE" + rm -rf "$nm_config" +else + echo "Invalid action '$ACTION'" >&2 + exit 1 fi From 8a3cd3db1d3ec28d505ffbcb6d48ee2b6536a4a5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?= Date: Fri, 4 Dec 2020 03:23:18 +0100 Subject: [PATCH 6/8] Make init/functions suitable for running with 'set -u' Initialize local variables. --- init/functions | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/init/functions b/init/functions index 2582b4d..b9c44c4 100644 --- a/init/functions +++ b/init/functions @@ -118,7 +118,7 @@ umount_retry() { get_mac_from_iface() { local iface="$1" - local mac + local mac= if [ "x$iface" != "x" ] && [ -e "/sys/class/net/$iface" ]; then mac="$(cat "/sys/class/net/$iface/address")" fi @@ -127,7 +127,7 @@ get_mac_from_iface() { get_iface_from_mac() { local mac="$1" - local iface + local iface= if [ "x$mac" != "x" ]; then iface="$(ip -o link | grep -i "$mac" | awk '{print $2}' | cut -d ':' -f1)" fi From 519e82b7c03f3a12cf05b142e38ca84ca70b7f09 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?= Date: Fri, 4 Dec 2020 12:28:27 +0100 Subject: [PATCH 7/8] init/functions: do not guess 'eth0' as Qubes-managed interface ... if it doesn't exist. The /qubes-mac qubesdb entry is present on Qubes 4.1, but not 4.0. It is ok to depend on it here, but keep safer fallback if this code would need to be backported. --- init/functions | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
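Review bot: In the reindented add branch, `network=$(qubesdb-read /qubes-netvm-network 2>/dev/null) || network=` calls qubesdb-read via PATH while every other lookup in the same block uses `/usr/bin/qubesdb-read`; since this runs from a systemd ExecStart with a minimal environment, the inconsistency is worth fixing while the block is being touched: `network=$(/usr/bin/qubesdb-read /qubes-netvm-network 2>/dev/null) || network=`. This hunk begins several lines earlier, in the previous part of the patch.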
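Review bot: In get_iface_from_mac, `grep -i "$mac"` treats the MAC read from qubesdb as an unanchored regular expression; since the value is a literal string, `grep -iF -- "$mac"` expresses that directly and also protects against a value beginning with `-` being parsed as an option. The line is context in this hunk rather than part of the `set -u` change, so it could go in a follow-up; the function's closing lines are outside the hunk.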
diff --git a/init/functions b/init/functions index b9c44c4..ba05485 100644 --- a/init/functions +++ b/init/functions @@ -141,7 +141,7 @@ get_qubes_managed_iface() { qubes_iface="$(get_iface_from_mac "$mac")" if [ "x$qubes_iface" != "x" ]; then echo "$qubes_iface" - else + elif [ -e /sys/class/net/eth0 ]; then echo eth0 fi } From 66b3e628f2bf0ec8f23b0b42484d014e5cad23bf Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?= Date: Sat, 5 Dec 2020 18:13:27 +0100 Subject: [PATCH 8/8] Order NetworkManager after qubes-network-uplink.service Make sure NM config for uplink interface (eth0) is created before starting NetworkManager itself. Otherwise NM helpfully will try to use automatic DHCP configuration, which will fail and cause delays on network start. --- vm-systemd/NetworkManager.service.d/30_qubes.conf | 2 ++ 1 file changed, 2 insertions(+) diff --git a/vm-systemd/NetworkManager.service.d/30_qubes.conf b/vm-systemd/NetworkManager.service.d/30_qubes.conf index 047cc22..5f598a1 100644 --- a/vm-systemd/NetworkManager.service.d/30_qubes.conf +++ b/vm-systemd/NetworkManager.service.d/30_qubes.conf @@ -4,6 +4,8 @@ ConditionPathExists=/var/run/qubes-service/network-manager After=qubes-mount-dirs.service # For /var/run/qubes-service After=qubes-sysinit.service +# For configuration of qubes-provided interfaces +After=qubes-network-uplink.service [Service] ExecStartPre=/usr/lib/qubes/network-manager-prepare-conf-dir
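Review bot: The new `elif [ -e /sys/class/net/eth0 ]` fallback encodes a version-specific assumption that the commit message explains but the code does not; a comment above it such as `# Qubes 4.0 has no /qubes-mac entry: fall back to eth0, but only if it exists` keeps that rationale with the code for whoever backports it. get_qubes_managed_iface begins outside the hunk.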
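Review bot: `After=qubes-network-uplink.service` orders NetworkManager only when that unit is part of the same transaction; if it is disabled or masked on a given VM, NetworkManager starts without waiting and the DHCP fallback the commit message describes returns. Pairing it with `Wants=qubes-network-uplink.service` makes the dependency explicit; the preset change in PATCH 4/8 enables the unit, so this is defensive hardening rather than a fix for the default install.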