4.0rc1 VM Settings window fails to load with error: FirewallModifiedOutsideError: it does not add up #3020

Closed
seandilda opened this Issue Aug 13, 2017 · 4 comments

Qubes OS version (e.g., R3.2):

4.0rc1

Affected TemplateVMs (e.g., fedora-23, if applicable):

fedora-25


Expected behavior:

When clicking on 'VM Settings', the vm settings window should appear.

Actual behavior:

A window with the title 'Houston, we have a problem...' appears with the error message:

FirewallModifiedOutsideError: it does not add up
at line 9
of file /usr/bin/qubes-vm-settings

Expanding the details shows:

----
line: raise FirewallModifiedOutsideError('it does not add up')
func: get_firewall_conf
line no.: 288
file: /usr/lib/python3.5/site-packages/qubesmanager/firewall.py
----
line: conf = self.get_firewall_conf(vm)
func: set_vm
line no.: 331
file: /usr/lib/python3.5/site-packages/qubesmanager/firewall.py
----
line: model.set_vm(vm)
func: __init__
line no.: 98
file: /usr/lib/python3.5/site-packages/qubesmanager/settings.py
----
line: settings_window = VMSettingsWindow(vm, qapp, args.tab)
func: main
line no.: 999
file: /usr/lib/python3.5/site-packages/qubesmanager/settings.py
----
line: load_entry_point('qubesmanager==4.0.4', 'console_scripts', 'qubes-vm-settings')()
func: <module>
line no.: 9
file: /usr/bin/qubes-vm-settings

The firewall.xml for the VM is:

<firewall version="2">
  <rules>
    <rule>
      <properties>
        <property name="action">accept</property>
        <property name="dsthost">10.0.0.0/8</property>
      </properties>
    </rule>
    <rule>
      <properties>
        <property name="action">accept</property>
        <property name="specialtarget">dns</property>
      </properties>
    </rule>
  </rules>
</firewall>

Steps to reproduce the behavior:

Edit a VM's firewalls in the UI, select 'Deny network access except...', select 'Allow DNS queries', add '10.0.0.0/8' with protocol of 'any'.

Close and try to open the VM settings window again.

General notes:


Related issues:
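
Added example, not part of the original report and not Qubes code: a read-only parser for the version 2 firewall.xml layout quoted above, useful for reviewing a VM's rules straight from the file while the settings window will not open. The function names and the `ends_with_catch_all` flag are this example's own; only the element and property names come from the report.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed input: the firewall.xml from the report above, whitespace removed.
SAMPLE = (
    '<firewall version="2"><rules>'
    '<rule><properties><property name="action">accept</property>'
    '<property name="dsthost">10.0.0.0/8</property></properties></rule>'
    '<rule><properties><property name="action">accept</property>'
    '<property name="specialtarget">dns</property></properties></rule>'
    '</rules></firewall>')

def parse_rules(xml_text):
    """Return one {property: value} dict per <rule>, in file order."""
    root = ET.fromstring(xml_text)
    if root.tag != "firewall" or root.get("version") != "2":
        raise ValueError('expected <firewall version="2">')
    rules = []
    for rule in root.iterfind("./rules/rule"):
        props = {}
        for prop in rule.iterfind("./properties/property"):
            name = prop.get("name")
            if not name or name in props:
                raise ValueError("missing or duplicate property name: %r" % name)
            props[name] = (prop.text or "").strip()
        if "action" not in props:
            raise ValueError("rule without an action property")
        rules.append(props)
    return rules

def describe(props):
    """One line per rule; an IP dsthost is sized so wide ranges stand out."""
    parts = [props["action"]]
    parts += ["%s=%s" % kv for kv in props.items() if kv[0] != "action"]
    try:
        net = ipaddress.ip_network(props.get("dsthost", ""), strict=False)
        parts.append("(%d addresses)" % net.num_addresses)
    except ValueError:
        pass  # no dsthost, or a dsthost that is not an IP network
    return " ".join(parts)

def summarize(xml_text):
    rules = parse_rules(xml_text)
    # A final rule whose only property is its action has no match criteria.
    catch_all = bool(rules) and set(rules[-1]) == {"action"}
    return {"rules": [describe(r) for r in rules], "ends_with_catch_all": catch_all}

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

For the reported file, neither rule is a catch-all, so the fate of traffic that matches no rule is not stated by the rules themselves.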

marmarek Aug 13, 2017

Member

As a workaround there is qvm-firewall tool...

kitambi Aug 18, 2017

It appears that the trigger for this is actually the "Allow DNS Queries" checkbox. If you use qvm-firewall to remove the "special target" rule, then you're able to open the manager without this recurring. I was unable to check the "Allow connections to Updates Proxy" in my AppVM. I'm unsure of whether this just doesn't apply to AppVMs or if there's a bug selecting it, but the dialog disappears with rules added when OK is selected (and when qubes-vm-settings is reopened, the checkbox is empty).

pugege Sep 2, 2017

Unable to access VM settings of restored appvms from R3.2 because of this persistent error. Disabling the DNS box in those appvms before 3.2 backup did not correct the issue. Will this problem be addressed in the upcoming 4.0-rc2? Was unable to qvm-firewall appvm del, the "special target" rule. Kindly advise the specific CLI required to accomplish the workaround.
Thanks

marmarek added a commit to marmarek/qubes-core-admin that referenced this issue Oct 16, 2017

firewall: skip expired rules
Expired rules are skipped while loading the firewall. Do that also when
such rules expired after loading the firewall. This applies to both
Admin API and actually applying the rules (sending them to appropriate
VM).

Related QubesOS/qubes-issues#3020

marmarek added a commit to marmarek/qubes-core-admin that referenced this issue Oct 21, 2017

firewall: skip expired rules
Expired rules are skipped while loading the firewall. Do that also when
such rules expired after loading the firewall. This applies to both
Admin API and actually applying the rules (sending them to appropriate
VM).

Related QubesOS/qubes-issues#3020

@qubesos-bot qubesos-bot referenced this issue in QubesOS/updates-status Oct 21, 2017

Closed

core-admin v4.0.11 (r4.0) #284

marmarta Nov 17, 2017

Fixed in QubesOS/qubes-manager@dd990c0 - now, an error in firewall does not error out the whole settings window; furthermore, reading existing rules and writing rules have also been improved.

@marmarta marmarta closed this Nov 17, 2017
