ext/core_features: add handling 'qubes-firewall' feature request

VM (template) can announce whether it support enforcing firewall rules
or not.

Fixes QubesOS/qubes-issues#2003

qubes/ext/core_features.py

@@ -32,7 +32,7 @@ def qubes_features_request(self, vm, event, untrusted_features):
             return
 
         requested_features = {}
-        for feature in ('qrexec', 'gui'):
+        for feature in ('qrexec', 'gui', 'qubes-firewall'):
             untrusted_value = untrusted_features.get(feature, None)
             if untrusted_value in ('1', '0'):
                 requested_features[feature] = bool(int(untrusted_value))
@@ -50,6 +50,11 @@ def qubes_features_request(self, vm, event, untrusted_features):
             if feature in requested_features and feature not in vm.features:
                 vm.features[feature] = requested_features[feature]
 
+        # those features can be freely enabled or disabled by template
+        for feature in ('qubes-firewall',):
+            if feature in requested_features:
+                vm.features[feature] = requested_features[feature]
+
         if not qrexec_before and vm.features.get('qrexec', False):
             # if this is the first time qrexec was advertised, now can finish
             #  template setup