From f6dc28106b6153aa0c3b302afe7872e8b3820104 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?= Date: Fri, 20 Apr 2018 16:38:25 +0200 Subject: [PATCH] qubes-firewall: signal service readiness only after initial scripts qubes-firewall.service have Before=qubes-network.service. The latter enable ip_forwarding. Make sure the ordering cover not only service fork, but all its startup sequence, including initial rules and user scripts. Reported-by: @tasket --- qubesagent/firewall.py | 17 +++++++++++++++++ vm-systemd/qubes-firewall.service | 1 + 2 files changed, 18 insertions(+) diff --git a/qubesagent/firewall.py b/qubesagent/firewall.py index 11d70c0..ff977fb 100755 --- a/qubesagent/firewall.py +++ b/qubesagent/firewall.py @@ -54,6 +54,22 @@ class FirewallWorker(object): '''Create appropriate chains/tables''' raise NotImplementedError + def sd_notify(self, state): + '''Send notification to systemd, if available''' + # based on sdnotify python module + if not 'NOTIFY_SOCKET' in os.environ: + return + addr = os.environ['NOTIFY_SOCKET'] + if addr[0] == '@': + addr = '\0' + addr[1:] + try: + sock = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM) + sock.connect(addr) + sock.sendall(state.encode()) + except: + # generally ignore error on systemd notification + pass + def cleanup(self): '''Remove tables/chains - reverse work done by init''' raise NotImplementedError @@ -155,6 +171,7 @@ class FirewallWorker(object): self.init() self.run_firewall_dir() self.run_user_script() + self.sd_notify('READY=1') # initial load for source_addr in self.list_targets(): self.handle_addr(source_addr) diff --git a/vm-systemd/qubes-firewall.service b/vm-systemd/qubes-firewall.service index 3fb725c..b98745f 100644 --- a/vm-systemd/qubes-firewall.service +++ b/vm-systemd/qubes-firewall.service @@ -5,6 +5,7 @@ After=qubes-iptables.service Before=qubes-network.service [Service] +Type=notify ExecStart=/usr/sbin/qubes-firewall [Install]
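Review bot: The bare `except:` in the new sd_notify swallows everything, not just socket errors — including a NameError if `socket` is not already imported at the top of firewall.py (this patch adds no import; all 17 insertions are visible here), so a broken notification path would fail silently and, with Type=notify, surface only as a start timeout. Two smaller defects sit next to it: `addr[0]` is evaluated outside the try, so an empty NOTIFY_SOCKET value raises IndexError and aborts startup, and the datagram socket is never closed. I would read the variable with `os.environ.get`, narrow the handler to `socket.error` (an alias of OSError on Python 3, so it works either way), and close the socket in a `finally`; the rest of the method is unchanged.
```python
    def sd_notify(self, state):
        '''Send a notification (e.g. READY=1) to systemd, if available.

        Best effort: a failure to notify must never abort firewall startup.'''
        # based on sdnotify python module
        addr = os.environ.get('NOTIFY_SOCKET')
        if not addr:
            return
        if addr[0] == '@':
            addr = '\0' + addr[1:]
        try:
            sock = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
        except socket.error:
            return
        try:
            sock.connect(addr)
            sock.sendall(state.encode())
        except socket.error:
            # notification is best-effort; only socket errors are expected here
            pass
        finally:
            sock.close()
```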
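Review bot: `self.sd_notify('READY=1')` is sent before the "initial load" loop that calls `handle_addr` for every target, so qubes-network.service (ordered after this unit only by Before=) may enable ip_forwarding while the per-target rules are still being installed; whether that window is fail-closed depends on what `init()` sets as default policy, which is not visible here. If the intent of the commit is that forwarding is enabled only once all initial rules exist, move the notification below the loop: `for source_addr in self.list_targets():` / `    self.handle_addr(source_addr)` / `self.sd_notify('READY=1')`. The enclosing method starts and ends outside this hunk, so check that nothing after the loop is also meant to precede readiness.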
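Review bot: With Type=notify, a READY=1 that never arrives becomes a start failure: systemd kills the daemon after TimeoutStartSec (90 s by default), and since sd_notify in this patch ignores notification errors silently, the only symptom would be the firewall worker disappearing. `Before=` is ordering only, so in that case qubes-network.service still starts and enables forwarding unless it declares `Requires=`/`BindsTo=qubes-firewall.service` on its side, which this diff does not show — worth confirming. I would also record the contract next to the new line: `# Type=notify: the unit is active only after qubes-firewall sends READY=1, i.e. after its initial rules and user scripts have run`.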