4.0rc1 qubesdb-write -c watch doesn't support recursive watching #3063

Closed
3hhh opened this Issue Aug 30, 2017 · 2 comments


3hhh commented Aug 30, 2017

Whilst implementing a custom qubes firewall for #3051 I noticed that qubesdb-write -c watch cannot detect changes to any subnodes of /qubes-firewall inside a proxyVM, but only to single subnodes as described in https://www.qubes-os.org/doc/vm-interface/:

/qubes-firewall/SOURCE_IP - base tree under which rules are placed. All rules there should be applied to filter traffic coming from SOURCE_IP. This can be either IPv4 or IPv6 address. Dom0 will do an empty write to this top level entry after finishing rules update, so VM can setup a watch here to trigger rules reload.

This is rather inconvenient as all changes to the firewall in 3.2 could be detected by watching the single /qubes-iptables node.

So for now users can stick to the 3.2 solution, but once this is removed from 4.0, they'll have to do some polling of all rules at specific intervals.

Feature Request: Adding an option to watch recursively might solve this once and for all. If this is not considered to have sufficient performance, updating a single key for all firewall changes should also be fine.

marmarek Aug 30, 2017

Member

Add trailing slash to watch the whole subtree:

qubesdb-watch /qubes-firewall/

Note that you'll need to check what path was modified, since it will catch also every individual rule modification. See here:
https://github.com/QubesOS/qubes-core-agent-linux/blob/0fabc54aad63512165357cf0b0997d19c84d210c/qubesagent/firewall.py#L133-L152

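One way to act on the subtree watch marmarek describes, as an added example that is not code from this issue or from Qubes itself: filter the paths that qubesdb-watch prints (assumed here to be one path per line) and reload only when dom0's empty write to the top-level /qubes-firewall/SOURCE_IP entry arrives, since every individual rule write under that entry also fires the watch.

```shell
#!/bin/sh
# Reload firewall rules only on dom0's "rules update finished" write to the
# top-level /qubes-firewall/<SOURCE_IP> entry, ignoring rule-level writes.
# Assumed layout: /qubes-firewall/<IP>/<rule-key>, per the VM interface doc.

# Returns 0 if PATH is a top-level per-source entry, 1 for anything else
# (rule-level nodes, the bare /qubes-firewall/ prefix, unrelated paths).
is_rules_done_event() {
    case "$1" in
        /qubes-firewall/*/*) return 1 ;;   # rule node under a source IP
        /qubes-firewall/?*)  return 0 ;;   # top-level SOURCE_IP entry
        *)                   return 1 ;;   # not part of the firewall tree
    esac
}

# Extracts SOURCE_IP (IPv4 or IPv6) from a top-level event path.
source_ip_of() {
    printf '%s\n' "${1#/qubes-firewall/}"
}

# Reads event paths from stdin (one per line, as qubesdb-watch prints them;
# this output format is an assumption) and emits "reload <IP>" per update.
filter_events() {
    while IFS= read -r path; do
        if is_rules_done_event "$path"; then
            printf 'reload %s\n' "$(source_ip_of "$path")"
        fi
    done
}

# Constructed sample of what one update cycle might deliver: several rule
# writes for two sources, each followed by dom0's top-level write.
SAMPLE_EVENTS='/qubes-firewall/10.137.0.5/policy
/qubes-firewall/10.137.0.5/0000
/qubes-firewall/10.137.0.5/0001
/qubes-firewall/10.137.0.5
/qubes-firewall/fd09:24ef:4179::a89/0000
/qubes-firewall/fd09:24ef:4179::a89
/unrelated/path'

# Runs the filter over the constructed sample (offline demonstration).
demo() {
    printf '%s\n' "$SAMPLE_EVENTS" | filter_events
}

# In a proxyVM the real pipeline would be (not run here):
#   qubesdb-watch /qubes-firewall/ | filter_events | while read -r _ ip; do reload_rules "$ip"; done
```

The prefix match on the trailing slash means the watch also fires for the rule nodes, so the filtering step is what keeps one reload per completed update rather than one per rule write.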
@marmarek marmarek closed this Aug 30, 2017

3hhh Aug 31, 2017

Thanks for the clarification and hint!

Just tested it and yes, you were of course correct!
