Rely exclusively on systemd-sysctl

This ensures that any Qubes-provided configuration can be overridden by
the user.

network/setup-ip

@@ -24,22 +24,6 @@ configure_network() {
     local gateway6="$8"
     local primary_dns="$9"
     local secondary_dns="${10}"
-    local i
-
-    for i in all "$INTERFACE"; do
-        echo 0 > "/proc/sys/net/ipv4/conf/$i/accept_source_route"
-        echo 0 > "/proc/sys/net/ipv4/conf/$i/accept_redirects"
-        echo 0 > "/proc/sys/net/ipv4/conf/$i/secure_redirects"
-        echo 0 > "/proc/sys/net/ipv4/conf/$i/send_redirects"
-        echo 1 > "/proc/sys/net/ipv4/conf/$i/drop_unicast_in_l2_multicast"
-        echo -1 > "/proc/sys/net/ipv6/conf/$i/accept_source_route"
-        echo 0 > "/proc/sys/net/ipv6/conf/$i/accept_redirects"
-        echo 0 > "/proc/sys/net/ipv6/conf/$i/accept_ra"
-        echo 0 > "/proc/sys/net/ipv6/conf/$i/accept_dad"
-        echo 0 > "/proc/sys/net/ipv6/conf/$i/autoconf"
-        echo 1 > "/proc/sys/net/ipv6/conf/$i/drop_unicast_in_l2_multicast"
-        echo 1 > "/proc/sys/net/ipv6/conf/$i/drop_unsolicited_na"
-    done
 
     /sbin/ip address add "$ip/$netmask" dev "$INTERFACE"
     if [ -n "$ip6" ]; then
@@ -238,6 +222,15 @@ if [ "$ACTION" == "add" ]; then
 
         primary_dns=$(/usr/bin/qubesdb-read /qubes-primary-dns 2>/dev/null) || primary_dns=
         secondary_dns=$(/usr/bin/qubesdb-read /qubes-secondary-dns 2>/dev/null) || secondary_dns=
+        /usr/lib/systemd/systemd-sysctl \
+            "--prefix=/net/ipv4/conf/all" \
+            "--prefix=/net/ipv4/neigh/all" \
+            "--prefix=/net/ipv6/conf/all" \
+            "--prefix=/net/ipv6/neigh/all" \
+            "--prefix=/net/ipv4/conf/$INTERFACE" \
+            "--prefix=/net/ipv4/neigh/$INTERFACE" \
+            "--prefix=/net/ipv6/conf/$INTERFACE" \
+            "--prefix=/net/ipv6/neigh/$INTERFACE"
 
         if [ -n "$ip" ]; then
             # If NetworkManager is enabled, let it configure the network

network/vif-route-qubes

@@ -147,21 +147,15 @@ case $- in
 esac
 
 # Harden against various attacks
-
-for i in all "$vif"; do
-    echo 0 > "/proc/sys/net/ipv4/conf/$i/accept_source_route"
-    echo 0 > "/proc/sys/net/ipv4/conf/$i/accept_redirects"
-    echo 0 > "/proc/sys/net/ipv4/conf/$i/secure_redirects"
-    echo 0 > "/proc/sys/net/ipv4/conf/$i/send_redirects"
-    echo 1 > "/proc/sys/net/ipv4/conf/$i/drop_unicast_in_l2_multicast"
-    echo -1 > "/proc/sys/net/ipv6/conf/$i/accept_source_route"
-    echo 0 > "/proc/sys/net/ipv6/conf/$i/accept_redirects"
-    echo 0 > "/proc/sys/net/ipv6/conf/$i/accept_ra"
-    echo 0 > "/proc/sys/net/ipv6/conf/$i/accept_dad"
-    echo 0 > "/proc/sys/net/ipv6/conf/$i/autoconf"
-    echo 1 > "/proc/sys/net/ipv6/conf/$i/drop_unicast_in_l2_multicast"
-    echo 1 > "/proc/sys/net/ipv6/conf/$i/drop_unsolicited_na"
-done
+/usr/lib/systemd/systemd-sysctl \
+    "--prefix=/net/ipv4/conf/all" \
+    "--prefix=/net/ipv4/neigh/all" \
+    "--prefix=/net/ipv6/conf/all" \
+    "--prefix=/net/ipv6/neigh/all" \
+    "--prefix=/net/ipv4/conf/$vif" \
+    "--prefix=/net/ipv4/neigh/$vif" \
+    "--prefix=/net/ipv6/conf/$vif" \
+    "--prefix=/net/ipv6/neigh/$vif"
 
 # add anti-spoofing rules before enabling the interface
 if [ "${ip}" ]; then