/qubes-issues

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

qubes-nmhook should update DNS DNAT rules after a VPN disconnects #3955

Open
mattmccutchen opened this Issue Jun 3, 2018 · 1 comment

Comments

Assignees
No one assigned
Labels
Projects
None yet
Milestone
  Release 4.0 updates
3 participants
@mattmccutchen @tasket @andrewdavidwong
@mattmccutchen

mattmccutchen commented Jun 3, 2018
edited
Edited 1 time
  • @mattmccutchen mattmccutchen edited Jun 3, 2018 (most recent)
  • @mattmccutchen mattmccutchen created Jun 3, 2018

Qubes OS version:

R4.0

Affected component(s):

qubes-core-agent-network-manager

Steps to reproduce the behavior:

  1. In the NetVM, use NetworkManager to connect to a VPN that specifies its own DNS servers.
  2. Disconnect from the VPN.
  3. Try to browse to a web site from an AppVM.

Expected behavior:

In step 2, qubes-nmhook calls qubes-setup-dnat-to-ns to change the DNAT rules back to the non-VPN DNS servers, and step 3 succeeds.

Actual behavior:

In step 2, qubes-nmhook does not call qubes-setup-dnat-to-ns, and step 3 tries to use the VPN's DNS servers, which may fail.

General notes:

The following sequence of calls was made to qubes-nmhook when I connected and disconnected my VPN:

vpn0 vpn-up
vpn0 up
vpn0 vpn-down
vpn0 down

So maybe it would be sufficient to check for an action of up or vpn-down.

A workaround is to disconnect and reconnect the underlying network interface.

Related issues:

#3135

@andrewdavidwong andrewdavidwong added bug C: core labels Jun 3, 2018

@andrewdavidwong andrewdavidwong added this to the Release 4.0 updates milestone Jun 3, 2018

@tasket

This comment has been minimized.

Show comment
Hide comment
@tasket

tasket Jun 8, 2018

Note:

It appears the disconnection behavior for qubes-core-agent-network-manager hasn't been considered until now, because there is no scripted down action.

In contrast, qubes-tunnel and related VPN handlers are written with the expectation that any transition to a 'down' state must leave all traffic blocked. In this configuration the solution for an appVM that moves between clearnet and tunnel (not advisable in many use cases) is to change the appVM's netvm setting as needed.

Suggest keeping this in mind when the Network Manager 'down' action is implemented, as its probably best to remain consistent and block traffic on 'down' for security reasons... at least as the default behavior.

tasket commented Jun 8, 2018

Note:

It appears the disconnection behavior for qubes-core-agent-network-manager hasn't been considered until now, because there is no scripted down action.

In contrast, qubes-tunnel and related VPN handlers are written with the expectation that any transition to a 'down' state must leave all traffic blocked. In this configuration the solution for an appVM that moves between clearnet and tunnel (not advisable in many use cases) is to change the appVM's netvm setting as needed.

Suggest keeping this in mind when the Network Manager 'down' action is implemented, as its probably best to remain consistent and block traffic on 'down' for security reasons... at least as the default behavior.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment