rpm: improve setting iptables rules

Instead of overriding /etc/sysconfig/ip{,6}tables, store qubes rules in /etc/sysconfig/iptables.qubes and configure the service to use that file instead. This will prevent conflict on that file and also handle upgrades. (cherry picked from commit 0382f84eae) Conflicts: rpm_spec/core-vm.spec
2015-06-19 09:42:55 +02:00 · 2015-06-19 09:42:55 +02:00 · 556293a8a2
commit 556293a8a2
parent 8ceff72810
1 changed files with 23 additions and 17 deletions
--- a/rpm_spec/core-vm.spec
+++ b/rpm_spec/core-vm.spec
@ -137,10 +137,8 @@ for f in ModemManager.service NetworkManager.service \
    cp $RPM_BUILD_ROOT/usr/lib/qubes/init/$f $RPM_BUILD_ROOT/etc/systemd/system/
 done

-%if %{fedora} < 21
-cp -p $RPM_BUILD_ROOT/usr/lib/qubes/init/iptables $RPM_BUILD_ROOT/etc/sysconfig/iptables
-cp -p $RPM_BUILD_ROOT/usr/lib/qubes/init/ip6tables $RPM_BUILD_ROOT/etc/sysconfig/ip6tables
-%endif
+cp -p $RPM_BUILD_ROOT/usr/lib/qubes/init/iptables $RPM_BUILD_ROOT/etc/sysconfig/iptables.qubes
+cp -p $RPM_BUILD_ROOT/usr/lib/qubes/init/ip6tables $RPM_BUILD_ROOT/etc/sysconfig/ip6tables.qubes

 %triggerin -- initscripts
 if [ -e /etc/init/serial.conf ]; then
@ -151,6 +149,25 @@ fi
 sed -i '/^\(Not\|Only\)ShowIn/d' /etc/xdg/autostart/pulseaudio.desktop
 echo 'NotShowIn=QUBES;' >> /etc/xdg/autostart/pulseaudio.desktop

+%triggerin -- iptables
+if ! grep -q IPTABLES_DATA /etc/sysconfig/iptables-config; then
+    cat <<EOF >>/etc/sysconfig/iptables-config
+
+### Automatically added by Qubes:
+# Override default rules location on Qubes
+IPTABLES_DATA=/etc/sysconfig/iptables.qubes
+EOF
+fi
+
+if ! grep -q IP6TABLES_DATA /etc/sysconfig/ip6tables-config; then
+    cat <<EOF >>/etc/sysconfig/ip6tables-config
+
+### Automatically added by Qubes:
+# Override default rules location on Qubes
+IP6TABLES_DATA=/etc/sysconfig/ip6tables.qubes
+EOF
+fi
+
 %post

 # disable some Upstart services
@ -258,15 +275,6 @@ if ! grep -rq "^/etc/hostname$" "${PROTECTED_FILE_LIST}" 2>/dev/null; then
    done
 fi

-# Copy ip(|6)tables into place if they do not already exist in filesystem.
-# This prevents conflict with iptables-service
-if [ ! -f '/etc/sysconfig/iptables' ]; then
-  cp -p /usr/lib/qubes/init/iptables /etc/sysconfig/iptables
-fi
-if [ ! -f '/etc/sysconfig/ip6tables' ]; then
-  cp -p /usr/lib/qubes/init/ip6tables /etc/sysconfig/ip6tables
-fi
-
 %if %{fedora} >= 20
 # Make sure there is a default locale set so gnome-terminal will start
 if [ ! -e /etc/locale.conf ] || ! grep -q LANG /etc/locale.conf; then
@ -387,10 +395,8 @@ rm -f %{name}-%{version}
 %config(noreplace) /etc/qubes-rpc/qubes.GetImageRGBA
 %config(noreplace) /etc/qubes-rpc/qubes.SetDateTime
 %config(noreplace) /etc/sudoers.d/qubes
-%if %{fedora} < 21
-%config(noreplace) /etc/sysconfig/iptables
-%config(noreplace) /etc/sysconfig/ip6tables
-%endif
+%config(noreplace) /etc/sysconfig/iptables.qubes
+%config(noreplace) /etc/sysconfig/ip6tables.qubes
 /usr/lib/qubes/init/iptables
 /usr/lib/qubes/init/ip6tables
 %config(noreplace) /etc/tinyproxy/filter-updates