
whonix_firewall should add the --wait option to iptables statements
Closed, ResolvedPublic

Description

iptables on Debian Jessie supports the --wait option, which will wait for the lock to be released on xtables if another process currently has a lock on it. This can also prevent any race conditions.

I received a whonix_firewall failure due to this error; only once that I have noticed, but it would most likely be best form to update whonix_firewall to use the --wait option.

From http://manpages.debian.org/cgi-bin/man.cgi?&query=iptables

-w, --wait
       Wait for the xtables lock. To prevent multiple instances of the
       program from running concurrently, an attempt will be made to
       obtain an exclusive lock at launch. By default, the program
       will exit if the lock cannot be obtained. This option will make
       the program wait until the exclusive lock can be obtained.

Details

Impact
High

Event Timeline

nrgaway raised the priority of this task from to High.
nrgaway updated the task description.
nrgaway added a project: Whonix 11.
nrgaway set Impact to High.
nrgaway added subscribers: nrgaway, Patrick.

Just happened again when booting... I have to detect it now

Jun 06 13:42:52 host systemd[1]: Started Qubes Whonix firewall updater.
Jun 06 13:42:52 host enable-firewall[1052]: OK: Loading Whonix firewall...
Jun 06 13:42:52 host enable-firewall[1052]: OK: TOR_USER: 106
Jun 06 13:42:52 host enable-firewall[1052]: OK: CLEARNET_USER: 1001
Jun 06 13:42:52 host enable-firewall[1052]: OK: USER_USER: 1000
Jun 06 13:42:52 host enable-firewall[1052]: OK: ROOT_USER: 0
Jun 06 13:42:52 host enable-firewall[1052]: Another app is currently holding the xtables lock. Perhaps you want to use the -w option?
Jun 06 13:42:52 host enable-firewall[1052]: ##################################################
Jun 06 13:42:52 host enable-firewall[1052]: Whonix firewall script failed!
Jun 06 13:42:52 host enable-firewall[1052]: ##################################################

Do we want to just use a single command at the beginning of /usr/bin/whonix_firewall to do the waiting or do we want to add --wait to each and every invocation of iptables?

I am working on a solution. Here are some bits. Might be sufficient to imagine what I am doing.

[ -n "$iptables_cmd" ] || iptables_cmd="iptables --wait"
[ -n "$ip6tables_cmd" ] || ip6tables_cmd="ip6tables --wait"

iptables -P INPUT DROP -> $iptables_cmd -P INPUT DROP etc.

Still testing. There will be a git diff soon.

use iptables --wait - https://phabricator.whonix.org/T344:
https://github.com/nrgaway/qubes-whonix/pull/9
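As an added example (not the whonix_firewall or qubes-whonix code), a POSIX sh sketch of the prefix-variable approach described above, with one caveat the task does not cover: --wait is only added when the installed iptables is new enough to accept it, which I assume to be 1.4.20 and later. All function names are hypothetical.

```shell
#!/bin/sh
# Added example, not the whonix_firewall or qubes-whonix code: build the
# iptables command prefix once and use it for every rule, so --wait reaches
# each invocation. Assumption: --wait first shipped in iptables 1.4.20.

# Return 0 if version "$1" (e.g. "1.4.21") is 1.4.20 or newer.
iptables_supports_wait() {
    ver="$1"
    major=${ver%%.*}; rest=${ver#*.}
    minor=${rest%%.*}; rest=${rest#*.}
    patch=${rest%%.*}; patch=${patch:-0}
    if [ "$major" -ne 1 ]; then [ "$major" -gt 1 ]
    elif [ "$minor" -ne 4 ]; then [ "$minor" -gt 4 ]
    else [ "$patch" -ge 20 ]
    fi
}

# Extract "1.4.21" from a banner such as "iptables v1.4.21" / "ip6tables v...".
tables_version_from_banner() {
    printf '%s\n' "$1" | sed -n 's/^ip6*tables v\([0-9.]*\).*/\1/p'
}

# Print the value for iptables_cmd / ip6tables_cmd.
# $1 = binary name, $2 = the output of "$1 --version".
build_tables_cmd() {
    bin="$1"
    ver=$(tables_version_from_banner "$2")
    if [ -n "$ver" ] && iptables_supports_wait "$ver"; then
        printf '%s --wait\n' "$bin"
    else
        printf '%s\n' "$bin"
    fi
}

# Default-deny base policy via the prefix, the "$iptables_cmd -P INPUT DROP"
# pattern from the task. $1 = prefix, $2 = optional runner: pass "echo" to
# dry-run and inspect the exact commands; leave empty to execute (needs root).
apply_base_policy() {
    cmd="$1"; runner="$2"
    for chain in INPUT FORWARD OUTPUT; do
        # Unquoted on purpose: the prefix must split into "iptables" "--wait".
        $runner $cmd -P "$chain" DROP || return 1
    done
}

# Live use:
#   iptables_cmd=$(build_tables_cmd iptables "$(iptables --version 2>&1)")
#   apply_base_policy "$iptables_cmd" ""
```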

Patrick changed the task status from Open to Review. Jun 6 2015, 3:25 PM

Included in:

  • whonix-gw-firewall 1.4-1
  • whonix-ws-firewall 1.3-1
  • Whonix 11.0.0.2.6-developers-only

Your PR will not merge as I made too many changes today. I already changed the qubes-whonix code to use --wait (https://github.com/nrgaway/qubes-whonix/blob/Whonix11/usr/lib/qubes-whonix/init/whonix-firewall-plugin.sh).

The --wait in enable-firewall was a hack to skirt around the issue which did not work, which I will remove now that you have --wait in whonix_firewall.

Do you think it is still worthwhile to change whonix-firewall-plugin to use the variable you set up, or just leave it as is?

In T344#5337, @nrgaway wrote:

Your PR will not merge as I made too many changes today. I already changed the qubes-whonix code to use --wait (https://github.com/nrgaway/qubes-whonix/blob/Whonix11/usr/lib/qubes-whonix/init/whonix-firewall-plugin.sh).

The --wait in enable-firewall was a hack to skirt around the issue which did not work, which I will remove now that you have --wait in whonix_firewall.

Alright.

Do you think it is still worthwhile to change whonix-firewall-plugin to use the variable you set up, or just leave it as is?

Probably fine to leave it as is.


Please close this if you consider this solved.