/qubes-issues

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

It's impossible to set firewall policy and rules atomically #2869

Closed
marmarek opened this Issue Jun 26, 2017 · 1 comment

Comments

Assignees

@marmarek marmarek

Labels
Projects
None yet
Milestone
  Release 4.0
2 participants
@marmarek @qubesos-bot
@marmarek
Member

marmarek commented Jun 26, 2017

Sometimes it's useful to update firewall rules while VM is running. In this case, it's important to atomically set the firewall - especially when VM have some traffic filtered, it should not have access to those targets also during loading new firewall.
Having separate policy (default action) and actual rules makes it hard.
Safer alternative: always have policy "drop" and optionally put "always allow" rule at the end.

@marmarek marmarek added C: core enhancement P: major labels Jun 26, 2017

@marmarek marmarek added this to the Release 4.0 milestone Jun 26, 2017

@marmarek marmarek self-assigned this Jun 26, 2017

marmarek added a commit to QubesOS/qubes-doc that referenced this issue Jun 26, 2017

@marmarek
admin-api: remove separate methods for firewall policy 
QubesOS/qubes-issues#2869
Verified
This commit was signed with a verified signature.
@marmarek marmarek Marek Marczykowski-Górecki
GPG key ID: F32894BE9684938A Learn about signing commits
9cd7cee

marmarek added a commit to marmarek/qubes-core-admin that referenced this issue Jun 26, 2017

@marmarek
api/admin: firewall-related methods 
In the end firewall is implemented as .Get and .Set rules, with policy
statically set to 'drop'. This way allow atomic firewall updates.

Since we already have appropriate firewall format handling in
qubes.firewall module - reuse it from there, but adjust the code to be
prepared for potentially malicious input. And also mark such variables
with untrusted_ prefix.

There is also third method: .Reload - which cause firewall reload
without making any change.

QubesOS/qubes-issues#2622
Fixes QubesOS/qubes-issues#2869
Verified
This commit was signed with a verified signature.
@marmarek marmarek Marek Marczykowski-Górecki
GPG key ID: 063938BA42CFA724 Learn about signing commits
Loading status checks…
0200fda

marmarek added a commit to marmarek/qubes-core-admin-client that referenced this issue Jun 26, 2017

@marmarek
firewall: drop GetPolicy/SetPolicy calls 
Firewall policy is now hardcoded to 'drop'. Keep the property, so anyone
trying to assign it will get an exception

QubesOS/qubes-issues#2869
Verified
This commit was signed with a verified signature.
@marmarek marmarek Marek Marczykowski-Górecki
GPG key ID: 063938BA42CFA724 Learn about signing commits
7294a43

marmarek added a commit to marmarek/qubes-core-admin-client that referenced this issue Jun 26, 2017

@marmarek
tools: remove policy handling from qvm-firewall tool 
Follow the API removal

QubesOS/qubes-issues#2869
Verified
This commit was signed with a verified signature.
@marmarek marmarek Marek Marczykowski-Górecki
GPG key ID: 063938BA42CFA724 Learn about signing commits
10cc38e

@marmarek marmarek closed this in marmarek/qubes-core-admin@842efb5 Jul 4, 2017

@qubesos-bot

This comment has been minimized.

Show comment
Hide comment
@qubesos-bot

qubesos-bot Jul 4, 2017

Automated announcement from builder-github

The package qubes-core-dom0-4.0.1-1.fc25 has been pushed to the r4.0 testing repository for dom0.
To test this update, please install it with the following command:

sudo qubes-dom0-update --enablerepo=qubes-dom0-current-testing

Changes included in this update

qubesos-bot commented Jul 4, 2017

Automated announcement from builder-github

The package qubes-core-dom0-4.0.1-1.fc25 has been pushed to the r4.0 testing repository for dom0.
To test this update, please install it with the following command:

sudo qubes-dom0-update --enablerepo=qubes-dom0-current-testing

Changes included in this update

@qubesos-bot qubesos-bot added the r4.0-dom0-cur-test label Jul 4, 2017

@qubesos-bot qubesos-bot referenced this issue in QubesOS/updates-status Jul 4, 2017

Closed

core-admin v4.0.1 (r4.0) #100

marmarek added a commit to marmarek/qubes-core-admin-client that referenced this issue Jul 5, 2017

@marmarek
firewall: drop GetPolicy/SetPolicy calls 
Firewall policy is now hardcoded to 'drop'. Keep the property, so anyone
trying to assign it will get an exception

QubesOS/qubes-issues#2869
Verified
This commit was signed with a verified signature.
@marmarek marmarek Marek Marczykowski-Górecki
GPG key ID: 063938BA42CFA724 Learn about signing commits
942e122

marmarek added a commit to marmarek/qubes-core-admin-client that referenced this issue Jul 5, 2017

@marmarek
tools: remove policy handling from qvm-firewall tool 
Follow the API removal

QubesOS/qubes-issues#2869
Verified
This commit was signed with a verified signature.
@marmarek marmarek Marek Marczykowski-Górecki
GPG key ID: 063938BA42CFA724 Learn about signing commits
627aebf

@qubesos-bot qubesos-bot referenced this issue in QubesOS/updates-status Jul 5, 2017

Closed

core-admin-client v4.0.1 (r4.0) #116

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment