
prevent running /usr/lib/qubes/qubes-setup-dnat-to-ns in Qubes-Whonix to stop it from modifying firewall rules
Closed, ResolvedPublic

Description

Why?
Prevent it from modifying Whonix firewall rules.

How is it started at the moment?
/usr/lib/qubes/qubes-setup-dnat-to-ns gets started in two ways.

1) qubes-network.service -> /usr/lib/qubes/init/network-proxy-setup.sh -> /usr/lib/qubes/qubes-setup-dnat-to-ns
No problem. qubes-whonix-network.service replaces qubes-network.service through a systemd alias.

2) qubes-misc-post.service -> /usr/lib/qubes/init/misc-post.sh -> /usr/lib/qubes/setup-ip -> /usr/lib/qubes/qubes-setup-dnat-to-ns

Spotted how?
While experimenting with blacklisting conntrack (T468), qubes-misc-post.service blocked forever, which prevented qrexec from starting. We probably should add systemd timeouts to systemd units (?). 'iptables-restore -n' permanently failed to obtain a lock.

Solution
The easiest would be to config-package-dev displace /usr/lib/qubes/qubes-setup-dnat-to-ns with a dummy script in the qubes-whonix package. Does that sound good or is there a better solution?

Details

Impact: Normal

Event Timeline

Patrick created this task. Apr 23 2016, 8:13 PM

Yes, I think replacing /usr/lib/qubes/qubes-setup-dnat-to-ns is an option for now. It may not be required in Qubes 4.0, as we will simplify network layout. I think we'll manage to get rid of DNAT for DNS in ProxyVMs.

'iptables-restore -n' did permanently fail to obtain a lock

How is that possible? Isn't it iptables-restore bug?

In T502#8900, @marmarek wrote:

Yes, I think replacing /usr/lib/qubes/qubes-setup-dnat-to-ns is an option for now.

Will do.

'iptables-restore -n' did permanently fail to obtain a lock

How is that possible? Isn't it iptables-restore bug?

Also iptables --wait -t nat -F can never obtain a lock. I am no longer sure disabling the conntrack module is a sane idea. Even iptables --list causes the module to load. I saw a suggestion of disabling protocol specific parsers but not blacklisting the whole module. Perhaps the kernel is not well tested with such modules blacklisted.
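The displacement proposed in the description (and accepted above), together with the check a packager would want after install and a bounded iptables call for the lock hang described in the last comment, as an added example. This is not code from qubes-whonix or Qubes. It assumes Whonix's config-package-dev displace extension is ".anondist" (the shipped replacement is <path>.anondist, the original is diverted to <path>.anondist-orig and <path> becomes a symlink to the replacement); the function names and the XT_TIMEOUT/IPTABLES variables are hypothetical helpers chosen for this example.

```shell
#!/bin/sh
# Added example for T502; not qubes-whonix or Qubes project code.
# Assumed: ".anondist" is the config-package-dev displace extension,
# "-orig" is the diversion suffix, helper names are hypothetical.

TARGET=/usr/lib/qubes/qubes-setup-dnat-to-ns
EXT=.anondist

# 1) Stage the displacement inside a package source tree ($1 = tree root).
#    config-package-dev reads debian/<package>.displace and expects the
#    package to ship the listed <path>.anondist file itself.
stage_dnat_displace() {
    pkgdir=$1
    mkdir -p "$pkgdir/debian" "$pkgdir$(dirname "$TARGET")"
    printf '%s\n' "$TARGET$EXT" >> "$pkgdir/debian/qubes-whonix.displace"
    # The no-op replacement: exits 0 so both callers from the description
    # (network-proxy-setup.sh and setup-ip) continue, but no nat rule is
    # ever written, so whonix-firewall's rules stay untouched.
    cat > "$pkgdir$TARGET$EXT" <<'EOF'
#!/bin/sh
## Displaced by qubes-whonix: DNAT for DNS is handled by whonix-firewall.
exit 0
EOF
    chmod 755 "$pkgdir$TARGET$EXT"
}

# 2) Post-install check ($1 = filesystem root, empty on a real system):
#    the active path must be a symlink to the .anondist no-op, the diverted
#    original must still exist (needed for clean removal), and the no-op
#    must actually exit 0.
check_dnat_displaced() {
    root=${1:-}
    [ -L "$root$TARGET" ] || return 1
    case $(readlink "$root$TARGET") in
        *"${TARGET##*/}$EXT") ;;
        *) return 1 ;;
    esac
    [ -f "$root$TARGET$EXT-orig" ] || return 1
    "$root$TARGET$EXT" || return 1
    return 0
}

# 3) iptables call that cannot hang the boot: --wait bounds the xtables
#    lock wait, and timeout(1) bounds the whole call in case --wait itself
#    never returns, which is what blocked qubes-misc-post.service.
#    Exit status 124 means the outer timeout fired.
IPTABLES=${IPTABLES:-iptables}
XT_TIMEOUT=${XT_TIMEOUT:-10}
xt() {
    timeout "$XT_TIMEOUT" "$IPTABLES" --wait 5 "$@"
}

# Usage: ./example.sh stage <pkgdir> | ./example.sh check [root]
case "${1:-}" in
    stage) stage_dnat_displace "$2" ;;
    check) check_dnat_displaced "${2:-}" ;;
esac
```

Running the check after the package is installed exercises exactly the file both start paths end up executing, so it confirms that neither path can touch the nat table any more. The wrapper in step 3 is the practical form of the "systemd timeouts" idea from the description: a unit that uses it fails fast instead of holding up qrexec.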

Patrick closed this task as Resolved. Apr 26 2016, 5:04 PM
Patrick claimed this task.
Patrick updated the task description. Jul 11 2016, 5:44 PM