Question about PR improving vif-route-qubes code

The /etc/xen/vif-route-qubes script is not utilising systemd, which means the script can potentially run before the antispoof nftables chains have been configured, which would result in the script exiting prematurely. Not ordering around systemd also means these interfaces might be set up before network-pre which makes it impossible for a firewall to be configured prior.

Would the Qubes project accept a PR that moves this script to a systemd service?

Maybe @marmarek might know?

Thanks.

That might be better addressed to the qubes-devel mailing list.

That has been discussed already:

https://groups.google.com/d/msgid/qubes-devel/Z-FCxFlseccFUIgs%40mail-itl

> That might be better addressed to the qubes-devel mailing list.

Do the developers check here as well? It’s much easier to create accounts on the forum. If you are on the mailing list yourself, can you send this URL?

> That has been discussed already:

Thanks. That’s helpful information, but not exactly what I’m asking. That’s about the qubes firewall not being ordered before network-pre, but somebody can still create their own firewall that is ordered before network-pre. For the /etc/xen/vif-route-qubes vif interfaces, these aren’t even in systemd at all. It’s not possible to modify this oneself; it needs to be put into Qubes repositories. I will create a PR, but only if it is something the project wants.

Without talking to the developers I don’t know if they decided not to do this for some reason in the first place.

> It’s much easier to create accounts on the forum. If you are on the mailing list yourself, can you send this URL?

No need to create any account on the ML. Just use it. Marek has always given useful feedback there.

Temporary emails require JavaScript and make signing up with VPNs difficult.

If you also want an answer to this question and a PR that improves Qubes, would you be able to send it yourself?

> Temporary emails require JavaScript

FWIW, this forum also uses JS, so does GitHub (where you would supposedly file that PR).

Why would you need temporary email or signing up?

> If you also want an answer to this question and a PR that improves Qubes, would you be able to send it yourself?

Too complicated.