On Sun, 23 Mar 2025 06:40:23 +0000 'skiinglasso2' via qubes-devel wrote:

> There's a bug in qubes-firewall.service. It should pull in and be
> ordered before network-pre.target such that the firewall rules are
> guaranteed to be in place before the network is raised.

How do you detect the leak? According to the same link you refer to, there is no established network connectivity before network-online.target which starts after network.target:

user@sys-firewall:~ > systemctl cat network-online.target | grep After
After=network.target

qubes-firewall.service starts before network.target, i.e. even earlier:

user@sys-firewall:~ > systemctl cat qubes-firewall.service | grep Before
Before=qubes-network.service
user@sys-firewall:~ > systemctl cat qubes-network.service | grep Before
Before=network.target
user@sys-firewall:~ > systemctl cat network.target | grep After
After=network-pre.target

I don't know if it is not possible (or necessary) to have it Before=network-pre.target because the virtual interfaces (vif*) are part of the nft rules. (See /etc/xen/scripts/vif-route-qubes)
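
Added example, not part of the original message or of Qubes OS code: a small Python check that builds the ordering graph from only the four Before=/After= lines quoted in the message and reports which network targets qubes-firewall.service is transitively ordered before. The directive list is constructed from that quoted output; the function names are hypothetical, and real unit files carry more edges than these four.

```python
from collections import defaultdict

# Constructed input: only the four directives quoted in the message above,
# as (unit, directive, other unit). Real unit files carry more edges.
QUOTED = [
    ("network-online.target", "After", "network.target"),
    ("qubes-firewall.service", "Before", "qubes-network.service"),
    ("qubes-network.service", "Before", "network.target"),
    ("network.target", "After", "network-pre.target"),
]

def build_graph(directives):
    """Map each unit to the set of units ordered to start after it."""
    later = defaultdict(set)
    for unit, directive, other in directives:
        if directive == "Before":
            later[unit].add(other)
        elif directive == "After":
            later[other].add(unit)
        else:
            raise ValueError(f"not an ordering directive: {directive}")
    return later

def ordered_before(graph, first, second):
    """True if a chain of ordering edges places `first` before `second`."""
    stack, seen = [first], set()
    while stack:
        unit = stack.pop()
        for nxt in graph.get(unit, ()):
            if nxt == second:
                return True
            if nxt not in seen:
                seen.add(nxt)
                stack.append(nxt)
    return False

def report(directives, unit, targets):
    """Return {target: bool} for whether `unit` is ordered before each target."""
    graph = build_graph(directives)
    return {t: ordered_before(graph, unit, t) for t in targets}

if __name__ == "__main__":
    targets = ["network-pre.target", "network.target", "network-online.target"]
    for target, ok in report(QUOTED, "qubes-firewall.service", targets).items():
        print(f"qubes-firewall.service before {target}: {ok}")
```

On a running system the directive list can be filled from `systemctl show -p Before -p After <unit>` for each unit instead of the constructed list.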