qubes-firewall: signal service readiness only after initial scripts

qubes-firewall.service have Before=qubes-network.service. The latter enable ip_forwarding. Make sure the ordering cover not only service fork, but all its startup sequence, including initial rules and user scripts. Reported-by: @tasket
2018-04-20 16:38:25 +02:00 · 2018-04-20 16:38:25 +02:00 · f6dc28106b
commit f6dc28106b
parent c278d56bea
2 changed files with 18 additions and 0 deletions
--- a/qubesagent/firewall.py
+++ b/qubesagent/firewall.py
@ -54,6 +54,22 @@ class FirewallWorker(object):
        '''Create appropriate chains/tables'''
        raise NotImplementedError

+    def sd_notify(self, state):
+        '''Send notification to systemd, if available'''
+        # based on sdnotify python module
+        if not 'NOTIFY_SOCKET' in os.environ:
+            return
+        addr = os.environ['NOTIFY_SOCKET']
+        if addr[0] == '@':
+            addr = '\0' + addr[1:]
+        try:
+            sock = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
+            sock.connect(addr)
+            sock.sendall(state.encode())
+        except:
+            # generally ignore error on systemd notification
+            pass
+
    def cleanup(self):
        '''Remove tables/chains - reverse work done by init'''
        raise NotImplementedError
@ -155,6 +171,7 @@ class FirewallWorker(object):
        self.init()
        self.run_firewall_dir()
        self.run_user_script()
+        self.sd_notify('READY=1')
        # initial load
        for source_addr in self.list_targets():
            self.handle_addr(source_addr)
--- a/vm-systemd/qubes-firewall.service
+++ b/vm-systemd/qubes-firewall.service
@ -5,6 +5,7 @@ After=qubes-iptables.service
 Before=qubes-network.service

 [Service]
+Type=notify
 ExecStart=/usr/sbin/qubes-firewall

 [Install]