On Sun, Mar 23, 2025 at 11:32:52AM -0000, qubist wrote:
> On Sun, 23 Mar 2025 06:40:23 +0000 'skiinglasso2' via qubes-devel wrote:
> 
> > There's a bug in qubes-firewall.service. It should pull in and be
> > ordered before network-pre.target such that the firewall rules are
> > guaranteed to be in place before the network is raised.
> 
> How do you detect the leak?
> 
> According to the same link you refer to, there is no established
> network connectivity before network-online.target which starts after
> network.target:
> 
> user@sys-firewall:~ > systemctl cat network-online.target | grep After
> After=network.target
> 
> qubes-firewall.service starts before network.target, i.e. even earlier:
> 
> user@sys-firewall:~ > systemctl cat qubes-firewall.service | grep Before
> Before=qubes-network.service
> user@sys-firewall:~ > systemctl cat qubes-network.service | grep Before
> Before=network.target
> user@sys-firewall:~ > systemctl cat network.target | grep After
> After=network-pre.target
> 
> I don't know if it is not possible (or necessary) to have it
> Before=network-pre.target because the virtual interfaces (vif*) are
> part of the nft rules. (See /etc/xen/scripts/vif-route-qubes)

There is one more missing piece above: qubes-firewall.service is ordered
before qubes-network.service. And it's only the latter that enables IP
forwarding. So, at any point before that, no network traffic is
forwarded.

-- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
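The ordering argument in the thread is transitive: qubes-firewall.service is Before=qubes-network.service, which is Before=network.target, which is After=network-pre.target. A quick way to check such a chain without reading unit files by hand is to collect every Before=/After= declaration, merge both directions into one "A precedes B" graph and search it. The script below is an added example, not code from the thread or from the Qubes project; the unit snippets are constructed from the `systemctl cat ... | grep` output quoted above (real units carry more lines), and the function names are my own.

```python
"""Resolve systemd Before=/After= ordering transitively.

Added example (not from the qubes-devel thread or from Qubes OS). The UNITS
dict is constructed from the grep output quoted in the thread; on a real
sys-firewall you would feed each unit's `systemctl show -p Before -p After`
output instead, which also includes edges declared by other units.
"""
from collections import deque

# Constructed from the thread's output; only the ordering lines are kept.
UNITS = {
    "qubes-firewall.service": "Before=qubes-network.service\n",
    "qubes-network.service": "Before=network.target\n",
    "network.target": "After=network-pre.target\n",
    "network-online.target": "After=network.target\n",
}


def parse_ordering(units):
    """Return {unit: set(units it must start before)}.

    Before=B in unit A and After=A in unit B both mean "A precedes B", and
    either side may declare the edge, so both forms are merged into one graph.
    Units mentioned only as targets get an (empty) entry so lookups work.
    """
    precedes = {name: set() for name in units}
    for name, text in units.items():
        for raw in text.splitlines():
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            key, _, value = line.partition("=")
            targets = value.split()
            for t in targets:
                precedes.setdefault(t, set())
            if key == "Before":
                precedes[name].update(targets)
            elif key == "After":
                for t in targets:
                    precedes[t].add(name)
    return precedes


def ordering_chain(precedes, first, second):
    """Return one path first -> ... -> second, or None if no ordering exists.

    BFS over the "precedes" edges; a path proves `first` is guaranteed to be
    started before `second` (ordering only, it says nothing about Wants=).
    """
    parent = {first: None}
    queue = deque([first])
    while queue:
        unit = queue.popleft()
        if unit == second:
            path = []
            while unit is not None:
                path.append(unit)
                unit = parent[unit]
            return path[::-1]
        for nxt in precedes.get(unit, ()):
            if nxt not in parent:
                parent[nxt] = unit
                queue.append(nxt)
    return None


def firewall_ordering_report(units):
    """Answer the thread's questions for a given set of unit declarations."""
    precedes = parse_ordering(units)
    fw = "qubes-firewall.service"
    return {
        # Is the firewall ordered before forwarding is enabled (Marek's point)?
        "before_qubes_network": ordering_chain(precedes, fw, "qubes-network.service"),
        # Is it ordered before network.target (qubist's point)?
        "before_network_target": ordering_chain(precedes, fw, "network.target"),
        # Is it ordered before network-pre.target (skiinglasso2's request)?
        "before_network_pre": ordering_chain(precedes, fw, "network-pre.target"),
    }


if __name__ == "__main__":
    for check, chain in firewall_ordering_report(UNITS).items():
        print(f"{check}: {' -> '.join(chain) if chain else 'NOT ordered'}")
```

Run on the constructed input it reports a chain for the first two checks and "NOT ordered" for network-pre.target, which matches the thread: the unit is ordered before forwarding is switched on and before network.target, but not before network-pre.target. Two caveats when using this on a real VM: Before=/After= is pure ordering and does not pull the unit in (that needs Wants=/Requires= or an install symlink), and `systemctl cat` only shows a unit's own file, so use `systemctl show -p Before -p After <unit>` to see the effective edges contributed by other units and by default dependencies.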
