From dae1ac670ee0f2769ad950833f96d2e445c52d3c Mon Sep 17 00:00:00 2001
From: 3np <3np@example.com>
Date: Thu, 19 Jun 2025 01:04:23 +0000
Subject: [PATCH 1/2] qubes-core-agent: remove conflict with firewalld
---
 debian/control | 1 -
 rpm_spec/core-agent.spec.in | 1 -
 2 files changed, 2 deletions(-)
diff --git a/debian/control b/debian/control
index c4df62c83..6b0a5769a 100644
--- a/debian/control
+++ b/debian/control
@@ -79,7 +79,6 @@ Recommends:
 xterm
 Conflicts:
 qubes-core-agent-linux,
- firewalld,
 qubes-core-vm-sysvinit,
 qubes-gui-agent (<< 4.1.6-1),
 pulseaudio-qubes (<< 4.2.0-1),
diff --git a/rpm_spec/core-agent.spec.in b/rpm_spec/core-agent.spec.in
index 4ab1c835f..d722e0170 100644
--- a/rpm_spec/core-agent.spec.in
+++ b/rpm_spec/core-agent.spec.in
@@ -125,7 +125,6 @@ Vendor: Invisible Things Lab
 License: GPL
 URL: https://www.qubes-os.org
-Conflicts: firewalld
 Requires: xdg-utils
 Requires: qubes-utils >= 3.1.3
 Requires: qubes-utils-libs >= 4.3.1
From bd9945faac253a3f51cf17f5e9e2acfeb92d72f0 Mon Sep 17 00:00:00 2001
From: 3np <3np@example.com>
Date: Thu, 19 Jun 2025 03:39:51 +0000
Subject: [PATCH 2/2] disable firewalld by default - service enabled via /var/run/qubes-service/firewalld - start after qubes-firewall for deterministic startup
---
 Makefile | 1 +
 debian/qubes-core-agent.install | 1 +
 rpm_spec/core-agent.spec.in | 1 +
 vm-systemd/75-qubes-vm.preset | 1 +
 vm-systemd/firewalld.service.d/30_qubes.conf | 3 +++
 5 files changed, 7 insertions(+)
 create mode 100644 vm-systemd/firewalld.service.d/30_qubes.conf
diff --git a/Makefile b/Makefile
index c6774d1e8..71161d4ba 100644
--- a/Makefile
+++ b/Makefile
@@ -46,6 +46,7 @@ SYSTEM_DROPINS += cups.service cups-browsed.service cups.path cups.socket ModemM
 SYSTEM_DROPINS += getty@tty.service serial-getty@.service
 SYSTEM_DROPINS += tmp.mount
 SYSTEM_DROPINS += org.cups.cupsd.service org.cups.cupsd.path org.cups.cupsd.socket
+SYSTEM_DROPINS += firewalld.service
 SYSTEM_DROPINS += systemd-random-seed.service
 SYSTEM_DROPINS += tor.service tor@default.service
 SYSTEM_DROPINS += systemd-timesyncd.service
diff --git a/debian/qubes-core-agent.install b/debian/qubes-core-agent.install
index 78748c234..0fd563b1d 100644
--- a/debian/qubes-core-agent.install
+++ b/debian/qubes-core-agent.install
@@ -82,6 +82,7 @@ lib/systemd/system/cups.service.d/30_qubes.conf
 lib/systemd/system/cups.socket.d/30_qubes.conf
 lib/systemd/system/cups-browsed.service.d/30_qubes.conf
 lib/systemd/system/exim4.service.d/30_qubes.conf
+lib/systemd/system/firewalld.service.d/30_qubes.conf
 lib/systemd/system/getty@tty.service.d/30_qubes.conf
 lib/systemd/system/netfilter-persistent.service.d/30_qubes.conf
 lib/systemd/system/org.cups.cupsd.path.d/30_qubes.conf
diff --git a/rpm_spec/core-agent.spec.in b/rpm_spec/core-agent.spec.in
index d722e0170..26daaf10c 100644
--- a/rpm_spec/core-agent.spec.in
+++ b/rpm_spec/core-agent.spec.in
@@ -1298,6 +1298,7 @@ The Qubes core startup configuration for SystemD init.
 %_unitdir/org.cups.cupsd.socket.d/30_qubes.conf
 %dir %_unitdir/org.cups.cupsd.path.d
 %_unitdir/org.cups.cupsd.path.d/30_qubes.conf
+%_unitdir/firewalld.service.d/30_qubes.conf
 %_unitdir/getty@tty.service.d/30_qubes.conf
 %_unitdir/ModemManager.service.d/30_qubes.conf
 %_unitdir/NetworkManager.service.d/30_qubes.conf
diff --git a/vm-systemd/75-qubes-vm.preset b/vm-systemd/75-qubes-vm.preset
index db019da48..48b333857 100644
--- a/vm-systemd/75-qubes-vm.preset
+++ b/vm-systemd/75-qubes-vm.preset
@@ -34,6 +34,7 @@ disable avahi.service
 disable avahi-daemon.service
 disable avahi-daemon.socket
+disable firewalld.service
 # Fedora only services
 disable rpcbind.service
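Review bot: The new `%_unitdir/firewalld.service.d/30_qubes.conf` entry in rpm_spec/core-agent.spec.in has no matching `%dir %_unitdir/firewalld.service.d` line, unlike the `org.cups.cupsd.path.d` pair directly above it. On a system where firewalld is not installed, no package would own that directory, so it would be left behind when this package is removed. The getty, ModemManager and NetworkManager entries visible here show no `%dir` either, and the %files list continues outside the hunk, so check which convention the rest of the list follows before adding the line.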
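Review bot: With `disable firewalld.service` in vm-systemd/75-qubes-vm.preset, the unit is not pulled in at boot once the preset has been applied, so the `ConditionPathExists=/var/run/qubes-service/firewalld` check added by the drop-in is only evaluated if someone also enables the unit in the template. The commit description reads as if the qubes-service flag alone turns the service on, which these two settings together do not do. If the double opt-in is intended, record it next to the preset line, e.g. `# firewalld: off by default; needs 'systemctl enable' in the template plus the firewalld qvm-service`. If the flag is meant to be sufficient, the condition in the drop-in would have to be the only gate.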
diff --git a/vm-systemd/firewalld.service.d/30_qubes.conf b/vm-systemd/firewalld.service.d/30_qubes.conf
new file mode 100644
index 000000000..90eb1731c
--- /dev/null
+++ b/vm-systemd/firewalld.service.d/30_qubes.conf
@@ -0,0 +1,3 @@
+[Unit]
+ConditionPathExists=/var/run/qubes-service/firewalld
+After=qubes-firewall.service
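Review bot: `After=qubes-firewall.service` in the new drop-in is ordering only: it applies when both units are started in the same transaction and does nothing to keep firewalld from replacing or flushing the rules qubes-firewall has just loaded, which is presumably why the package declared `Conflicts: firewalld` until patch 1/2. Nothing in the file records that limit, so I would add a comment inside the `[Unit]` section such as `# Opt-in via the firewalld qvm-service; After= is ordering only, rule coexistence depends on the firewalld backend`. Before merging, compare the loaded ruleset before and after firewalld starts and reloads in a qube that also runs qubes-firewall, and confirm the Qubes tables are still present.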