Prevent it from modyfying Whonix firewall rules.
How is it started at the moment?
/usr/lib/qubes/qubes-setup-dnat-to-ns gets started through two ways.
qubes-network.service -> /usr/lib/qubes/init/network-proxy-setup.sh -> /usr/lib/qubes/qubes-setup-dnat-to-ns
No problem. qubes-whonix-network.service replaces qubes-network.service through a systemd alias.
qubes-misc-post.service -> /usr/lib/qubes/init/misc-post.sh -> /usr/lib/qubes/setup-ip -> /usr/lib/qubes/qubes-setup-dnat-to-ns
While experimenting with blacklisting conntrack (T468), qubes-misc-post.service blocked forwever - which prevented qrexec from starting - we probably should add systemd timeouts to systemd units (?) - 'iptables-restore -n' did permanently fail to obtain a lock.
The easiest would be to config-package-dev displace /usr/lib/qubes/qubes-setup-dnat-to-ns with a dummy script in the qubes-whonix package. Does that sound good or is there a better solution?