vpn and vif+ interface missing iptables rules #2587

Open
brutsers opened this Issue Jan 17, 2017 · 4 comments


Qubes OS version (e.g., R3.2):

R3.2

Affected TemplateVMs (e.g., fedora-23, if applicable):

fedora-25 (custom upgraded template)


Expected behavior:

To have the same iptables rules after each boot.

Actual behavior:

Missing iptables rules for the vif+ interface, and as a result no connection is allowed between the appvm and proxyvm.

Steps to reproduce the behavior:

https://www.qubes-os.org/doc/vpn/
Followed the exact guideline.

General notes:

https://www.qubes-os.org/doc/vpn/
Followed the exact guideline and added the scripts as explained in the tutorial.
I will add output from the following commands, for both the good and bad boots:
iptables-save -c (file: iptables-good.txt iptables-bad.txt)
iptables -L FORWARD -n -v (file: ipforward-good.txt ipforward-bad.txt)

It all seems related to the vif+ interface, but I have no clue how to troubleshoot this.
I already logged the output of all the scripts; they execute exactly the same on both startups.
iptables-good.txt
iptables-bad.txt
ipforward-good.txt
ipforward-bad.txt


Related issues:

Member

andrewdavidwong commented Jan 17, 2017

@tasket, can you help with this?

tasket commented Jan 17, 2017

@andrewdavidwong OK. I am installing fedora 25.

For now, workaround should be running fedora 24, debian 8 or debian 9.

brutsers commented Jan 17, 2017

I have tested with the fedora-24 official Qubes template as well; the result is the same.
So you do not need to install v25 - also I do not know if this is machine independent, it looks like it, but not sure. As you can see from the files I attached, the rules for the vif+ interface are missing. I also do not know which process exactly creates these rules (because they are not explicitly added by your scripts, right?).

tasket commented Jan 18, 2017

The Fedora VPN VMs are booting and functioning OK on my system; I'm not able to reproduce the issue since yesterday. Weeks ago, I did have issues with Fedora VMs (VPN or not) and quickly switched back to using Debian. This issue is probably related to the intermittent blocking people have reported with Fedora 24...

https://groups.google.com/d/msgid/qubes-users/41b2609d-2324-f6ad-6bd5-2d57b28593d1%40qubes-os.org

So qubes-firewall seems to have problems operating in Fedora versions after 23. We may want to change this issue to encompass all of these blocking problems.

@brutsers Since this is a problem on both Fedora 24 & 25, does switching to a Debian template resolve it? Also, what kernel version is the VM running, and are there any extra packages or services?
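
Added example, not part of the original thread and not Qubes project code: `iptables-save -c` output carries packet and byte counters that differ on every boot, so a plain diff of the good and bad captures is noisy. The script below strips the counters and lists rules present in the good capture but absent from the bad one, optionally filtered to `vif+`; the function names and the sample captures are constructed for illustration.

```shell
# Added example: find rules present in a "good" iptables-save -c capture
# that are absent from a "bad" one. Function names are hypothetical.

# normalize_rules FILE: drop comments/COMMIT, strip [pkts:bytes] counters,
# and prefix each line with its table so rules from *nat and *filter stay apart.
normalize_rules() {
  awk '
    /^#/ || /^COMMIT/ { next }
    /^\*/ { table = substr($0, 2); next }
    /^:/  { sub(/ \[[0-9]+:[0-9]+\]$/, "") }   # chain policy line
    { sub(/^\[[0-9]+:[0-9]+\] /, ""); print table ": " $0 }
  ' "$1" | LC_ALL=C sort -u
}

# missing_rules GOOD BAD [SUBSTRING]: rules only in GOOD, optionally filtered.
missing_rules() {
  good_tmp=$(mktemp) && bad_tmp=$(mktemp) || return 1
  normalize_rules "$1" > "$good_tmp"
  normalize_rules "$2" > "$bad_tmp"
  LC_ALL=C comm -23 "$good_tmp" "$bad_tmp" | grep -F -- "${3:-}" || true
  rm -f "$good_tmp" "$bad_tmp"
}

# write_samples DIR: constructed captures, not the files attached to the issue.
write_samples() {
  cat > "$1/good.txt" <<'EOF'
# constructed sample
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
[5:300] -A INPUT -i vif+ -p udp -m udp --dport 68 -j DROP
[40:2400] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[0:0] -A FORWARD -i vif+ -o vif+ -j DROP
[9:540] -A FORWARD -i vif+ -j ACCEPT
COMMIT
EOF
  cat > "$1/bad.txt" <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [3:180]
[0:0] -A INPUT -i vif+ -p udp -m udp --dport 68 -j DROP
[2:120] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT
EOF
}

demo_dir=$(mktemp -d)
write_samples "$demo_dir"
missing_rules "$demo_dir/good.txt" "$demo_dir/bad.txt" 'vif+'
rm -rf "$demo_dir"
```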
