qubes-firewall-user-script is ignored #3260
Comments
I ran into this, also. Workaround: You can use /rw/config/qubes-ip-change-hook instead if all you need is for it to run once before forwarding is switched on. |
Thanks, that works, I can use |
@na-- Keep in mind that rc.local isn't synchronized with qubes-firewall, so there may be a time gap between network availability and execution of a script from rc.local. Using qubes-ip-change-hook removes the gap. |
Oh, I totally misread your previous post, for some reason I thought |
IIRC @marmarek said something to the effect that 'qubes-firewall-user-script' is supposed to work (so this issue is a valid bug). But I'd say there is also a bug-like lack of clarity at this point in how the feature is expected to work, esp. since the filename 'qubes-ip-change-hook' implies that it gets re-run on each change (which it currently does not). The behavior and the filename need to be reviewed. For the workaround, it depends on how you're trying to use the firewall. For example, the VPN doc script doesn't have to be re-run if the FORWARD chain isn't getting re-built. I've been testing it in R4rc2 and it seems OK. |
Previously qubes-firewall overwrote all the rules in the FORWARD chain at each firewall change, so it was necessary to apply custom rules each time. Now qubes-firewall:
How this should affect calling |
Unless advised otherwise, I'm going to implement this approach. |
When I checked over a week ago, there was nothing written in python or *sh in R4 that called qubes-firewall-user-script. So there is that. Apparently in its place is qubes-ip-change-hook. This descriptive name suggests it will run each time there is an IP address change (such as when downstream vifs are added/removed or when the upstream netvm for the vm is changed). In theory this could be really nice to have, in addition to call once before IP forward. You could even have the same script do both by passing options like |
Yes, this bug is legitimate, the script currently is not called at all. I'm evaluating here what should be the correct fix.
This script is called when netvm is changed (which in Qubes 3.x caused an IP change on eth0). But, in Qubes 4.0, the VM's IP no longer depends on its netvm, so the name is misleading now... |
@marmarek - Is there any update on how this will finally behave in 4.0? People are looking for a VPN solution on Qubes 4.0 and I'd like to address that soon while also addressing some of the issues doc/vpn.md has in general. |
See #3260 (comment) and #3260 (comment). Are you ok with this? |
@marmarek - That looks OK, similar to current behavior. But the actual qubes-firewall-user-script didn't work at startup the last time I checked; I have to use qubes-ip-change-hook instead. I also have code out there that symlinks one to the other... :) |
Call it just after creating base chains in iptables/nftables. This allows the user to modify how those rules are plugged in, add custom rules at beginning/end etc. Fixes QubesOS/qubes-issues#3260
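An added example, not code from this issue thread or from the Qubes OS project, of what a /rw/config/qubes-firewall-user-script can look like once it is called right after the base chains exist, as the commit message above describes. The point it demonstrates is that the hook may run more than once (on every rule rebuild), so the script keeps its own rules in a private chain that is flushed and refilled, and inserts the jump from FORWARD only if it is not already there; re-running it never duplicates rules. The tunnel interface name tun0, the chain name QBS-VPN and the use of the iptables backend are assumptions, as is the shape of the leak-proof policy (forward only via the tunnel, drop everything else).

```shell
#!/bin/sh
# Added example, not code from the issue thread or from Qubes OS:
# a /rw/config/qubes-firewall-user-script for a ProxyVM that must forward
# downstream traffic only through a VPN tunnel.
#
# Assumptions (not stated on the page): the tunnel interface is tun0,
# the custom chain name QBS-VPN is free, and the iptables backend is in use.
# The script may be called more than once (on every rule rebuild), so every
# step is written to be idempotent.
set -eu

TUN_IF="${TUN_IF:-tun0}"
IPTABLES="${IPTABLES:-iptables}"
CHAIN="QBS-VPN"

# ensure_rule CHAIN POS RULE...: insert RULE at POS in CHAIN unless an
# identical rule is already present (iptables -C exits 0 when it matches).
ensure_rule() {
    chain=$1; pos=$2; shift 2
    if "$IPTABLES" -C "$chain" "$@" 2>/dev/null; then
        return 0
    fi
    "$IPTABLES" -I "$chain" "$pos" "$@"
}

# apply_vpn_rules: (re)build the private chain from scratch, then make sure
# FORWARD jumps to it before any rule qubes-firewall put there. Because only
# the jump lives in FORWARD, re-running the script never duplicates rules and
# a rebuild of qubes-firewall's own chains cannot silently reorder ours.
apply_vpn_rules() {
    # Create the chain on the first run, flush it on later runs.
    "$IPTABLES" -N "$CHAIN" 2>/dev/null || "$IPTABLES" -F "$CHAIN"

    # Forwarded traffic may leave only via the tunnel ...
    "$IPTABLES" -A "$CHAIN" -o "$TUN_IF" -j ACCEPT
    # ... and replies may come back only from it.
    "$IPTABLES" -A "$CHAIN" -i "$TUN_IF" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    # Anything else that would be forwarded (e.g. out of eth0 while the
    # tunnel is down) is dropped: this is what makes the setup leak-proof.
    "$IPTABLES" -A "$CHAIN" -j DROP

    ensure_rule FORWARD 1 -j "$CHAIN"
}

# Only act when actually running as the installed hook; sourcing the file
# elsewhere (e.g. for testing) defines the functions without touching rules.
case "$0" in
    */qubes-firewall-user-script) apply_vpn_rules ;;
esac
```

The script only touches FORWARD, which is the chain the thread is about; a complete leak-proof setup would also need OUTPUT rules for the ProxyVM's own traffic, and on a release that uses the nftables backend the same idea (own chain, flush and refill, jump inserted once) has to be expressed with nft instead of iptables.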
@marmarek not sure I understood your fix, a hook is required so that the user can be notified when a downstream system connects (new vifXX.0). This will allow rules specific to that qube to be added. |
That's correct. But there are already rules preventing IP spoofing (see |
OK understood. However I believe 2 hooks are required and maybe the file names should reflect the reason for the trigger rather than the purpose of the script (i.e. after-first-qubes-firewall-update and after-each-qubes-firewall-update or whatever event triggers the call on your side). From my side, I still need a hook to get notified when a new AppVM starts. I have about 30 VMs, not all started, and need the behaviour of the firewall to adapt to which "lab" (set of machines) I have running. I also have some "route add" commands in the script that would only be accepted as valid if the machine is up. |
Automated announcement from builder-github The package
Automated announcement from builder-github The package
Automated announcement from builder-github The component
Automated announcement from builder-github The package
Automated announcement from builder-github The package
Reopening due to apparent regression reported in #8521. |
This can actually be closed again; I misunderstood what this mechanism is supposed to do due to outdated community guides... I just tested and the script is called on VM start if the qubes-firewall service is enabled, so it works as it should as per marmarek's comments in this issue thread.
Qubes OS version:
R 4.0 RC2
Affected TemplateVMs:
all
Steps to reproduce the behavior:
Try to set up a leak-proof VPN as described here or add some firewall rules as described here
Expected behavior:
/rw/config/qubes-firewall-user-script
is called when there are changes in the rules
Actual behavior:
/rw/config/qubes-firewall-user-script
is totally ignored
General notes:
I think this is the commit that killed it and I don't see any replacement that offers similar functions. Not sure if the new firewall architecture precludes something like it or not, but it seems that this is the place where such a hook should be added?
Related issues:
#1815