firewall rules should be removed for a VM that is shutdown #164
Comments
marmarek assigned rootkovska Mar 8, 2015
marmarek added this to the Release 1 Beta 1 milestone Mar 8, 2015
marmarek added the bug, C: core and P: major labels Mar 8, 2015
Modified by joanna on 31 Mar 2011 10:17 UTC
marmarek unassigned rootkovska Mar 8, 2015
marmarek (Member) commented Mar 8, 2015
Comment by rafal on 31 Mar 2011 10:54 UTC
xid should never be reused. It increases for each created domain.
In fact, in a few places we rely on it.
Anyway, fw rules for a nonexistent vif just waste resources, and should be removed. The tiny issue is how to do this.
The only relevant piece of code that will be triggered when a domain is shut down is the hotplug script /etc/xen/scripts/vif-route-qubes. Correct me if I am wrong.
This script could parse fw rules and remove any that include -i vifX.0. But this is ugly.
The better way would be to change write_iptables_xenstore_entry() so that instead of adding every rule directly to the FORWARD chain, it would create a chain RULES_FOR_VIFX.0. BTW, it would make the rules more readable. Then, when vifX.0 goes down, vif-route-qubes could just delete this chain and the reference to it in FORWARD - this would be a constant command.
Let me know if this is correct.
marmarek (Member) commented Mar 8, 2015
Comment by rafal on 31 Mar 2011 10:57 UTC
One more thing - would the rules be automatically corrected after any domain start? It seems so; write_iptables_xenstore_entry() rebuilds each rule. In such case, I would not touch it at all.
marmarek (Member) commented Mar 8, 2015
Comment by smoku on 31 Mar 2011 11:08 UTC
Yes. That's the idea - after any domain start ALL the rules are rebuilt, so things fix automagically.
If we care about rules for nonexistent domains, we may add the rebuild to the domain shutdown event too.
marmarek (Member) commented Mar 8, 2015
Comment by rafal on 31 Mar 2011 11:28 UTC
There is no spoon Ctrl-W "domain shutdown event".
Thus, I would simply let these stale rules remain until a new domain is started.
marmarek (Member) commented Mar 8, 2015
Comment by joanna on 31 Mar 2011 11:38 UTC
> There is no spoon Ctrl-W

Gee, what editor are you using? ;)

> Thus, I would simply let these stale rules remain until a new domain is started.

But they are not disappearing, are they?
marmarek (Member) commented Mar 8, 2015
Comment by smoku on 31 Mar 2011 14:21 UTC
Replying to rafal:

> There is no spoon Ctrl-W "domain shutdown event".

Yet qubes-manager is able to "gray out" domains that stopped working.

Replying to joanna:

> But they are not disappearing, are they?

They will disappear once any other domain is started.
marmarek (Member) commented Mar 8, 2015
Comment by joanna on 31 Mar 2011 14:25 UTC
We use polling in qubes-manager...
marmarek (Member) commented Mar 8, 2015
Comment by joanna on 3 Apr 2011 09:23 UTC
#171 might be a side effect of this, especially when the user starts and stops VMs frequently. For this reason I am increasing the priority of this ticket.
marmarek added the P: critical label and removed the P: major label Mar 8, 2015
Modified by joanna on 3 Apr 2011 23:24 UTC
marmarek self-assigned this Mar 8, 2015
marmarek (Member) commented Mar 8, 2015
Comment by rafal on 4 Apr 2011 15:31 UTC
joanna> But they are not disappearing, are they?
smoku> They will disappear once any other domain is started.
Works for me - as expected, the rules disappear after any domain start, which is good enough; isn't it?
If you still experience the problem, please provide detailed reproduction scenario.
marmarek commented Mar 8, 2015
Reported by joanna on 29 Mar 2011 14:32 UTC
Currently the iptables rules remain enforced after I shut down the VM for which they were created. This might get us into trouble when the user starts another VM that will be assigned the same xid (so the same vif interface in the proxyvm).
Migrated-From: https://wiki.qubes-os.org/ticket/164