On Tue, Oct 24, 2017 at 01:02:53AM -0400, Chris Laprise wrote:
> In trying to adapt VPN scripts to Qubes R4.0 I've found the
> qubes-firewall-user-script has been renamed to qubes-ip-change-hook

No, qubes-ip-change-hook was always there. But yes,
qubes-firewall-user-script is gone. See below.

> and it
> no longer seems to run every time qubes-firewall is restarted. Causing IP
> changes when starting/stopping dependent appVMs (and adding firewall rules
> in settings GUI) also appears to trigger neither the script nor the familiar
> FORWARD re-building process.
>
> The new behavior doesn't seem to be documented yet, so I have two questions:
>
> 1. Is there any erase-and-rebuild process remaining in R4 for the FORWARD
> chain?

No, new firewall rules are added to a separate chain (QBS-FORWARD), and
FORWARD itself is not regenerated. You can freely add your rules before or
after the automatic ones and qubes-firewall will not touch them.
If you have nftables installed (Fedora), qubes-firewall will use that
instead and create an entirely separate table, so you can use your own rules
even more easily.

> 2. What is the recommended way to modify iptables before forwarding is
> enabled at startup, and subsequently during normal runtime?

Either add your own startup script, ordered before network.target, or modify
/etc/qubes/iptables.rules. If you don't care about ordering, you can use
/rw/config/rc.local.

--
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
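
The following is an added example, not part of the original message and not Qubes project code. It shows one way to use the /rw/config/rc.local option for a VPN gateway qube in the iptables case: since FORWARD is not regenerated in R4, leak-prevention rules only need to be inserted once, and the check-before-insert keeps reruns from stacking duplicates. The uplink name `eth0`, the `IPT` and `UPLINK` variables and the function names are assumptions made for the example.

```shell
#!/bin/sh
# Added example: helper intended to live in /rw/config/rc.local of a
# VPN-gateway qube. Covers the iptables case only; with nftables installed,
# qubes-firewall uses its own separate table instead.
# Assumptions: eth0 is the uplink interface; all names here are hypothetical.

IPT="${IPT:-iptables}"      # overridable so the logic can be exercised without root
UPLINK="${UPLINK:-eth0}"

# Insert a rule at the top of FORWARD unless an identical rule already exists.
# "-C" checks whether the rule is present, "-I" inserts it at position 1.
ensure_forward_rule() {
    if "$IPT" -C FORWARD "$@" 2>/dev/null; then
        return 0
    fi
    "$IPT" -I FORWARD "$@"
}

# Drop anything forwarded to or from the uplink, so traffic from downstream
# qubes can only leave through the tunnel interface. qubes-firewall keeps its
# own rules in QBS-FORWARD and leaves these entries in FORWARD alone.
block_uplink_forwarding() {
    ensure_forward_rule -o "$UPLINK" -j DROP &&
    ensure_forward_rule -i "$UPLINK" -j DROP
}

# Apply only when this file is installed as rc.local; sourcing it elsewhere
# just defines the functions.
if [ "${0##*/}" = "rc.local" ]; then
    block_uplink_forwarding
fi
```

As the reply notes, rc.local gives no ordering guarantee; if the rules must be in place before forwarding is enabled, the same function can be called from a startup script ordered before network.target.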