Account for changes in Qubes 4 firewall #14
Conversation
|
Fixed the extra '/' in path. |
|
I'm testing it both in qubes 3.2 and 4.0 and I'm failing to make it work. To be fair, it's not new, I see the same problem with the current version of bitmask-root. In proxyVMs all the connections get blocked when I turn on the VPN, I can't reach any host. I works fine if is not a proxyVM. I starting experiencing this problem few weeks ago, but I haven't found the time yet to debug it. @tasket does it work fine for you? |
| not os.path.isdir(os.path.dirname(QUBES_FW_SCRIPT)): | ||
| os.makedirs(os.path.dirname(QUBES_FW_SCRIPT)) | ||
| if QUBES_VER == 3 and os.path.exists(QUBES_FW_SCRIPT): | ||
| os.rename(QUBES_FW_SCRIPT, QUBES_FW_SCRIPT + ".bak") |
There was a problem hiding this comment.
Isn't the second run of bitmask going to rewrite the .bak file with the bitmask modified one? Maybe you could check if there is no .bak file and only do the rename if so? Does this make sense? Or am I missing something?
There was a problem hiding this comment.
It will overwrite only in the case that the current QUBES_FW_SCRIPT is not bitmask-generated (outer if block). But checking here as you suggest is also a good idea.
Adapt to changes in Qubes 4.0 firewall service (one fix and one enhancement) that affect the bitmask code.
As a result,
qubes-ip-change-hookshould no longer be used here, andqubes-firewall-user-scriptavoided in favor of a role-based entry90_tunnel-restrictin qubes-firewall.d.Note that Qubes 4.0 is now at release candidate 5 stage, and project leader has indicated this is probably the final rc before release.