/qubes-issues

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

nftable dropping related traffic #3406

Closed
xaki23 opened this Issue Dec 18, 2017 · 9 comments

Comments

Assignees
No one assigned
Labels
Projects
None yet
Milestone
  Release 4.0
3 participants
@xaki23 @qubesos-bot @andrewdavidwong
@xaki23

xaki23 commented Dec 18, 2017
edited by andrewdavidwong
Edited 1 time
  • @andrewdavidwong andrewdavidwong edited Dec 18, 2017 (most recent)

Qubes OS version:

R4-RC3

Affected TemplateVMs:

sys-net and sys-firewall based on fedora 25+26

Steps to reproduce the behavior:

  1. have a qubes R4-RC3 on an internet link with reduced mtu (vpn, pppoe)
  2. try to send more than 1500 byte tcp from a vm behind stock net/fw vms
  3. get a real headache of bughunting for a day
  4. realize nftable qubes-firewall forward only allows established back in, but not related

Expected behavior:

nftable forward rules allow same states as iptables rules: established,related

Actual behavior:

nftable drops related traffic (like icmp used in pmtu discovery)

General notes:

debugging help:
log all packets that fall off the nft fwd chain, just before they hit the default drop policy.

# nft add rule qubes-firewall forward log

current deployed workaround (in both netvm+fwvm):

# nft insert rule qubes-firewall forward ct state related accept

Related issues:

@andrewdavidwong andrewdavidwong added bug C: core labels Dec 18, 2017

@andrewdavidwong andrewdavidwong added this to the Release 4.0 milestone Dec 18, 2017

marmarek added a commit to marmarek/qubes-core-agent-linux that referenced this issue Dec 29, 2017

@marmarek
firewall: allow also related traffic 
This include ICMP error messages for allowed traffic.

Fixes QubesOS/qubes-issues#3406
Verified
This commit was signed with a verified signature.
@marmarek marmarek Marek Marczykowski-Górecki
GPG key ID: 063938BA42CFA724 Learn about signing commits
9d002d2

@marmarek marmarek closed this in QubesOS/qubes-core-agent-linux@c324b16 Jan 5, 2018

@qubesos-bot

This comment has been minimized.

Show comment
Hide comment
@qubesos-bot

qubesos-bot Jan 12, 2018

Automated announcement from builder-github

The package core-agent-linux has been pushed to the r4.0 testing repository for the CentOS centos7 template.
To test this update, please install it with the following command:

sudo yum update --enablerepo=qubes-vm-r4.0-current-testing

Changes included in this update

qubesos-bot commented Jan 12, 2018

Automated announcement from builder-github

The package core-agent-linux has been pushed to the r4.0 testing repository for the CentOS centos7 template.
To test this update, please install it with the following command:

sudo yum update --enablerepo=qubes-vm-r4.0-current-testing

Changes included in this update
@qubesos-bot

This comment has been minimized.

Show comment
Hide comment
@qubesos-bot

qubesos-bot Jan 12, 2018

Automated announcement from builder-github

The package qubes-core-agent_4.0.16-1+deb8u1 has been pushed to the r4.0 testing repository for the Debian jessie template.
To test this update, first enable the testing repository in /etc/apt/sources.list.d/qubes-*.list by uncommenting the line containing jessie-testing, then use the standard update command:

sudo apt-get update && sudo apt-get dist-upgrade

Changes included in this update

qubesos-bot commented Jan 12, 2018

Automated announcement from builder-github

The package qubes-core-agent_4.0.16-1+deb8u1 has been pushed to the r4.0 testing repository for the Debian jessie template.
To test this update, first enable the testing repository in /etc/apt/sources.list.d/qubes-*.list by uncommenting the line containing jessie-testing, then use the standard update command:

sudo apt-get update && sudo apt-get dist-upgrade

Changes included in this update

@qubesos-bot qubesos-bot added r4.0-centos7-cur-test r4.0-jessie-cur-test labels Jan 12, 2018

This was referenced Jan 12, 2018

Closed
Closed
@qubesos-bot

This comment has been minimized.

Show comment
Hide comment
@qubesos-bot

qubesos-bot Jan 12, 2018

Automated announcement from builder-github

The package qubes-core-agent_4.0.16-1+deb9u1 has been pushed to the r4.0 testing repository for the Debian stretch template.
To test this update, first enable the testing repository in /etc/apt/sources.list.d/qubes-*.list by uncommenting the line containing stretch-testing, then use the standard update command:

sudo apt-get update && sudo apt-get dist-upgrade

Changes included in this update

qubesos-bot commented Jan 12, 2018

Automated announcement from builder-github

The package qubes-core-agent_4.0.16-1+deb9u1 has been pushed to the r4.0 testing repository for the Debian stretch template.
To test this update, first enable the testing repository in /etc/apt/sources.list.d/qubes-*.list by uncommenting the line containing stretch-testing, then use the standard update command:

sudo apt-get update && sudo apt-get dist-upgrade

Changes included in this update

@qubesos-bot qubesos-bot added the r4.0-stretch-cur-test label Jan 12, 2018

@qubesos-bot

This comment has been minimized.

Show comment
Hide comment
@qubesos-bot

qubesos-bot Jan 12, 2018

Automated announcement from builder-github

The package python2-dnf-plugins-qubes-hooks-4.0.16-1.fc24 has been pushed to the r4.0 testing repository for the Fedora fc24 template.
To test this update, please install it with the following command:

sudo yum update --enablerepo=qubes-vm-r4.0-current-testing

Changes included in this update

qubesos-bot commented Jan 12, 2018

Automated announcement from builder-github

The package python2-dnf-plugins-qubes-hooks-4.0.16-1.fc24 has been pushed to the r4.0 testing repository for the Fedora fc24 template.
To test this update, please install it with the following command:

sudo yum update --enablerepo=qubes-vm-r4.0-current-testing

Changes included in this update

@qubesos-bot qubesos-bot added the r4.0-fc24-cur-test label Jan 12, 2018

@qubesos-bot

This comment has been minimized.

Show comment
Hide comment
@qubesos-bot

qubesos-bot Jan 12, 2018

Automated announcement from builder-github

The package python2-dnf-plugins-qubes-hooks-4.0.16-1.fc25 has been pushed to the r4.0 testing repository for the Fedora fc25 template.
To test this update, please install it with the following command:

sudo yum update --enablerepo=qubes-vm-r4.0-current-testing

Changes included in this update

qubesos-bot commented Jan 12, 2018

Automated announcement from builder-github

The package python2-dnf-plugins-qubes-hooks-4.0.16-1.fc25 has been pushed to the r4.0 testing repository for the Fedora fc25 template.
To test this update, please install it with the following command:

sudo yum update --enablerepo=qubes-vm-r4.0-current-testing

Changes included in this update

@qubesos-bot qubesos-bot added the r4.0-fc25-cur-test label Jan 12, 2018

@qubesos-bot

This comment has been minimized.

Show comment
Hide comment
@qubesos-bot

qubesos-bot Jan 12, 2018

Automated announcement from builder-github

The package python2-dnf-plugins-qubes-hooks-4.0.16-1.fc26 has been pushed to the r4.0 testing repository for the Fedora fc26 template.
To test this update, please install it with the following command:

sudo yum update --enablerepo=qubes-vm-r4.0-current-testing

Changes included in this update

qubesos-bot commented Jan 12, 2018

Automated announcement from builder-github

The package python2-dnf-plugins-qubes-hooks-4.0.16-1.fc26 has been pushed to the r4.0 testing repository for the Fedora fc26 template.
To test this update, please install it with the following command:

sudo yum update --enablerepo=qubes-vm-r4.0-current-testing

Changes included in this update

@qubesos-bot qubesos-bot added the r4.0-fc26-cur-test label Jan 12, 2018

@qubesos-bot qubesos-bot added r4.0-jessie-stable and removed r4.0-jessie-cur-test labels Feb 6, 2018

@qubesos-bot

This comment has been minimized.

Show comment
Hide comment
@qubesos-bot

qubesos-bot Feb 6, 2018

Automated announcement from builder-github

The package qubes-core-agent_4.0.20-1+deb9u1 has been pushed to the r4.0 stable repository for the Debian template.
To install this update, please use the standard update command:

sudo apt-get update && sudo apt-get dist-upgrade

Changes included in this update

qubesos-bot commented Feb 6, 2018

Automated announcement from builder-github

The package qubes-core-agent_4.0.20-1+deb9u1 has been pushed to the r4.0 stable repository for the Debian template.
To install this update, please use the standard update command:

sudo apt-get update && sudo apt-get dist-upgrade

Changes included in this update

@qubesos-bot qubesos-bot added r4.0-stretch-stable r4.0-fc24-stable r4.0-fc25-stable and removed r4.0-stretch-cur-test r4.0-fc24-cur-test r4.0-fc25-cur-test labels Feb 6, 2018

@qubesos-bot

This comment has been minimized.

Show comment
Hide comment
@qubesos-bot

qubesos-bot Feb 6, 2018

Automated announcement from builder-github

The component core-agent-linux (including package python2-dnf-plugins-qubes-hooks-4.0.20-1.fc26) has been pushed to the r4.0 stable repository for the Fedora template.
To install this update, please use the standard update command:

sudo yum update

Changes included in this update

qubesos-bot commented Feb 6, 2018

Automated announcement from builder-github

The component core-agent-linux (including package python2-dnf-plugins-qubes-hooks-4.0.20-1.fc26) has been pushed to the r4.0 stable repository for the Fedora template.
To install this update, please use the standard update command:

sudo yum update

Changes included in this update

@qubesos-bot qubesos-bot added r4.0-fc26-stable and removed r4.0-fc26-cur-test labels Feb 6, 2018

@qubesos-bot

This comment has been minimized.

Show comment
Hide comment
@qubesos-bot

qubesos-bot Feb 6, 2018

Automated announcement from builder-github

The package core-agent-linux has been pushed to the r4.0 stable repository for the Fedora centos7 template.
To install this update, please use the standard update command:

sudo yum update

Changes included in this update

qubesos-bot commented Feb 6, 2018

Automated announcement from builder-github

The package core-agent-linux has been pushed to the r4.0 stable repository for the Fedora centos7 template.
To install this update, please use the standard update command:

sudo yum update

Changes included in this update

@qubesos-bot qubesos-bot added r4.0-centos7-stable and removed r4.0-centos7-cur-test labels Feb 6, 2018

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment