Page MenuHomePhabricator

whonix_firewall should add the --wait option to iptables statements
Closed, ResolvedPublic

Description

iptables on Debian Jessie support the --wait option which will wait for lock to be released on xtable if another process is currently has a lock on it. This can also prevent any race conditions.

I received a whonix_firewall failure due to this error; only once that I have noticed, but it would most likely be best form to update the whonix_firewall to use the --wait option

From http://manpages.debian.org/cgi-bin/man.cgi?&query=iptables

-w, --wait
       Wait for the xtables lock.  To prevent multiple instances of the
       program from running concurrently, an attempt will  be  made  to
       obtain  an  exclusive  lock  at launch.  By default, the program
       will exit if the lock cannot be obtained.  This option will make
       the program wait until the exclusive lock can be obtained.

Details

Impact
High

Event Timeline

nrgaway created this task.Jun 6 2015, 11:11 AM
nrgaway updated the task description. (Show Details)
nrgaway raised the priority of this task from to High.
nrgaway added a project: Whonix 11.
nrgaway set Impact to High.
nrgaway added subscribers: nrgaway, Patrick.

Just happened again when booting... I have to to detect it now

Jun 06 13:42:52 host systemd[1]: Started Qubes Whonix firewall updater.
Jun 06 13:42:52 host enable-firewall[1052]: OK: Loading Whonix firewall...
Jun 06 13:42:52 host enable-firewall[1052]: OK: TOR_USER: 106
Jun 06 13:42:52 host enable-firewall[1052]: OK: CLEARNET_USER: 1001
Jun 06 13:42:52 host enable-firewall[1052]: OK: USER_USER: 1000
Jun 06 13:42:52 host enable-firewall[1052]: OK: ROOT_USER: 0
Jun 06 13:42:52 host enable-firewall[1052]: Another app is currently holding the xtables lock. Perhaps you want to use the -w option?
Jun 06 13:42:52 host enable-firewall[1052]: ##################################################
Jun 06 13:42:52 host enable-firewall[1052]: Whonix firewall script failed!
Jun 06 13:42:52 host enable-firewall[1052]: ##################################################
Patrick updated the task description. (Show Details)Jun 6 2015, 3:53 PM
Patrick claimed this task.

Do we want to just use a single command at the beginning of /usr/bin/whonix_firewall to do the waiting or do we want to add --wait to each and every invocation of iptables?

I am working on a solution. Here are some bits. Might be sufficient to imagine what I am doing.

[ -n "$iptables_cmd" ] || iptables_cmd="iptables --wait"
[ -n "$ip6tables_cmd" ] || ip6tables_cmd="ip6tables --wait"

iptables -P INPUT DROP -> $iptables_cmd -P INPUT DROP etc.

Still testing. There will a git diff soon.

Check this out.

use iptables --wait - https://phabricator.whonix.org/T344:
https://github.com/Whonix/whonix-gw-firewall/commit/6ba2bb28ee5d65d4c6786329b31a81a6b7122d65

use iptables --wait - https://phabricator.whonix.org/T344:
https://github.com/nrgaway/qubes-whonix/pull/9

Patrick changed the task status from Open to Review.Jun 6 2015, 5:25 PM

Included in:

  • whonix-gw-firewall 1.4-1
  • whonix-ws-firewall 1.3-1
  • Whonix 11.0.0.2.6-developers-only

Your PR will not merge as I made too many changes today. I already changed the qubes-whonix code to use --wait (https://github.com/nrgaway/qubes-whonix/blob/Whonix11/usr/lib/qubes-whonix/init/whonix-firewall-plugin.sh

The --wait in enable-firewall was a hack to skirt around the issue which did not work which I will remove now you have --wait in whonix_firewall

Do you think it is still worth while to change whonix-firewall-plugin to use the variable you set up, or just leave it like is?

In T344#5337, @nrgaway wrote:

Your PR will not merge as I made too many changes today. I already changed the qubes-whonix code to use --wait (https://github.com/nrgaway/qubes-whonix/blob/Whonix11/usr/lib/qubes-whonix/init/whonix-firewall-plugin.sh

The --wait in enable-firewall was a hack to skirt around the issue which did not work which I will remove now you have --wait in whonix_firewall

Alright.

Do you think it is still worth while to change whonix-firewall-plugin to use the variable you set up, or just leave it like is?

Probably fine to leave it as is.


Please close this if you consider this solved.

Patrick closed this task as Resolved.Aug 19 2015, 7:26 PM