Information
ID: 502
PHID: PHID-TASK-ryz2nfu6dyfiw2vwypkb
Author: Patrick
Status at Migration Time: resolved
Priority at Migration Time: Normal
Description
Why?
Prevent it from modifying Whonix firewall rules.
How is it started at the moment?
/usr/lib/qubes/qubes-setup-dnat-to-ns gets started in two ways.
qubes-network.service → /usr/lib/qubes/init/network-proxy-setup.sh → /usr/lib/qubes/qubes-setup-dnat-to-ns
No problem. qubes-whonix-network.service replaces qubes-network.service through a systemd alias.
qubes-misc-post.service → /usr/lib/qubes/init/misc-post.sh → /usr/lib/qubes/setup-ip → /usr/lib/qubes/qubes-setup-dnat-to-ns
Spotted how?
While experimenting with blacklisting conntrack (T468), qubes-misc-post.service blocked forever - which prevented qrexec from starting - we probably should add systemd timeouts to systemd units (?) - ‘iptables-restore -n’ did permanently fail to obtain a lock.
Solution
The easiest would be to config-package-dev displace /usr/lib/qubes/qubes-setup-dnat-to-ns with a dummy script in the qubes-whonix package. Does that sound good or is there a better solution?
Comments
marmarek
2016-04-23 20:46:56 UTC
Patrick
2016-04-25 19:09:46 UTC
Patrick
2016-04-25 19:41:09 UTC
Patrick
2016-05-19 18:58:21 UTC