Page MenuHomePhorge

prevent running /usr/lib/qubes/qubes-setup-dnat-to-ns in Qubes-Whonix to stop it from modifying firewall rules
Closed, ResolvedPublic

Description

Why?
Prevent it from modyfying Whonix firewall rules.

How is it started at the moment?
/usr/lib/qubes/qubes-setup-dnat-to-ns gets started through two ways.

  • 1)

qubes-network.service -> /usr/lib/qubes/init/network-proxy-setup.sh -> /usr/lib/qubes/qubes-setup-dnat-to-ns
No problem. qubes-whonix-network.service replaces qubes-network.service through a systemd alias.

  • 2)

qubes-misc-post.service -> /usr/lib/qubes/init/misc-post.sh -> /usr/lib/qubes/setup-ip -> /usr/lib/qubes/qubes-setup-dnat-to-ns

Spotted how?
While experimenting with blacklisting conntrack (T468), qubes-misc-post.service blocked forwever - which prevented qrexec from starting - we probably should add systemd timeouts to systemd units (?) - 'iptables-restore -n' did permanently fail to obtain a lock.

Solution
The easiest would be to config-package-dev displace /usr/lib/qubes/qubes-setup-dnat-to-ns with a dummy script in the qubes-whonix package. Does that sound good or is there a better solution?

Details

Impact
Normal

Event Timeline

Yes, I think replacing /usr/lib/qubes/qubes-setup-dnat-to-ns is an option for now. It may not be required in Qubes 4.0, as we will simplify network layout. I think we'll manage to get rid of DNAT for DNS in ProxyVMs.

'iptables-restore -n' did permanently fail to obtain a lock

How is that possible? Isn't it iptables-restore bug?

In T502#8900, @marmarek wrote:

Yes, I think replacing /usr/lib/qubes/qubes-setup-dnat-to-ns is an option for now.

Will do.

'iptables-restore -n' did permanently fail to obtain a lock

How is that possible? Isn't it iptables-restore bug?

Also iptables --wait -t nat -F can never obtain a lock. I am no longer sure disabling the conntrack module is a sane idea. Even iptables --list causes the module to load. I saw a suggestion of disabling protocol specific parsers but not blacklisting the whole module. Perhaps the kernel is not well tested with such modules blacklisted.

Patrick claimed this task.