Updates proxy fails to set iptables rules in ProxyVM #1555
marmarek added bug, C: core, P: major labels Dec 28, 2015
marmarek added this to the Release 3.0 updates milestone Dec 28, 2015
rustybird
Jun 8, 2016
There's a workaround for this in https://github.com/rustybird/qubes-updates-cache/blob/master/usr/lib/qubes/updates-cache-iptables that is kind of weird, but maybe good enough until the 4.0 firewall stuff is ready.
The file (with lines 11 and 22 changed) could be copied over to https://github.com/QubesOS/qubes-core-agent-linux/blob/master/network/iptables-updates-proxy because both commands use the same iptables rules and take the same "start"/"stop" arguments.
This was referenced Jul 12, 2016
marmarek modified the milestones: Release 3.0 updates, Release 3.1 updates Nov 19, 2016
tasket
Feb 6, 2017
Referencing the updates doc, the proxyVM I created to handle updates in front of my VPN VM doesn't work. It's as if the proxy service only works correctly in netVMs.
So I guess a fix didn't make it into the release and that section of the doc isn't valid?
marmarek commented Dec 28, 2015
When updates proxy is started, it inserts two iptables rules:
- nat table (redirect traffic directed to 10.137.255.254:8082 to the local process)
- filter table to actually allow that traffic (INPUT chain)

The second one is overwritten by qubes-firewall service (running only in ProxyVM). qubes-firewall recreates all the filter table at each reload (basically when some VM is connected or disconnected from it). This means that updates proxy is pretty useless in ProxyVM.

Thanks @hdevalence for the report.
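A check for the state described in this issue, as an added example that is not part of the original post or the Qubes code: it reads `iptables-save` output and reports when the nat redirect for 10.137.255.254:8082 is present but the filter INPUT accept rule is gone. The exact rule shapes, the `PREROUTING` chain in the samples and the function names are assumptions constructed for illustration.

```shell
# Added example; rule shapes are constructed from the issue text.
PROXY_ADDR="10.137.255.254"
PROXY_PORT="8082"

# Reads iptables-save text on stdin and prints one of:
#   ok | filter-missing | nat-missing | both-missing
check_updates_proxy_rules() {
    awk -v addr="$PROXY_ADDR" -v port="$PROXY_PORT" '
        /^\*/ { table = substr($0, 2); next }   # table header, e.g. "*nat"
        /^-A / {
            line = $0 " "
            if (index(line, "--dport " port " ") == 0) next
            if (table == "nat" && index(line, "-d " addr) &&
                index(line, "-j REDIRECT "))
                nat = 1
            if (table == "filter" && $2 == "INPUT" && index(line, "-j ACCEPT "))
                filter = 1
        }
        END {
            if (nat && filter) print "ok"
            else if (nat)      print "filter-missing"
            else if (filter)   print "nat-missing"
            else               print "both-missing"
        }'
}

# Constructed sample: rules right after the updates proxy starts.
sample_after_proxy_start() {
    cat <<'EOF'
*nat
-A PREROUTING -d 10.137.255.254/32 -i vif+ -p tcp -m tcp --dport 8082 -j REDIRECT
COMMIT
*filter
-A INPUT -i vif+ -p tcp -m tcp --dport 8082 -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT
EOF
}

# Constructed sample: same VM after the filter table was recreated.
sample_after_firewall_reload() {
    cat <<'EOF'
*nat
-A PREROUTING -d 10.137.255.254/32 -i vif+ -p tcp -m tcp --dport 8082 -j REDIRECT
COMMIT
*filter
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT
EOF
}
```

On a running VM the same function can be fed live state with `iptables-save | check_updates_proxy_rules`; a `filter-missing` result after a VM connects or disconnects matches the behaviour reported here.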