
fix fail closed mechanism
Open, Normal, Public

Description

i.e. do not start networking if whonix-firewall.service fails to load.

Currently disabled since it breaks networking on whonix-firewall package upgrades.

Details

Impact
Normal

Event Timeline

Patrick triaged this task as Normal priority. Nov 17 2018, 5:12 AM
Patrick created this task.

Maybe disable it just for package upgrades?

You could edit whonix-firewall to disable the fail-closed mechanism if an apt upgrade is running, and then re-enable it afterwards.

You'd probably want something like:

disable_fail_closed() {
  ## Check if apt is being used to update. "grep -v grep" stops the grep from
  ## matching its own command line; -q keeps the output quiet.
  if ps aux | grep -v grep | grep -q "apt \-\-upgrade"; then

    ## Disables fail closed mechanism by commenting out both drop-in lines.
    ## Anchoring on ^ keeps the edit idempotent (no "##After=" on a second run).
    sed -i 's/^After=whonix-firewall.service/#After=whonix-firewall.service/' /lib/systemd/system/networking.service.d/30_whonix-gw-firewall-fail-closed.conf
    sed -i 's/^Requires=whonix-firewall.service/#Requires=whonix-firewall.service/' /lib/systemd/system/networking.service.d/30_whonix-gw-firewall-fail-closed.conf

  else

    ## Enables fail closed mechanism by restoring both lines.
    sed -i 's/^#After=whonix-firewall.service/After=whonix-firewall.service/' /lib/systemd/system/networking.service.d/30_whonix-gw-firewall-fail-closed.conf
    sed -i 's/^#Requires=whonix-firewall.service/Requires=whonix-firewall.service/' /lib/systemd/system/networking.service.d/30_whonix-gw-firewall-fail-closed.conf
  fi
}

Detection of other ways of updating like --dist-upgrade will obviously need to be added.
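The following is an added example, not code from the comment above and not Whonix's own code. It shows the same idea (comment the drop-in's After=/Requires= lines out while a package upgrade runs, restore them afterwards) written so that it can be checked: a state function that reports whether the fail-closed drop-in is fully enabled, fully disabled or "mixed" (a one-line typo in the sed calls, such as rewriting Requires= to #After=, silently produces the mixed state and loses the Requires= dependency for good), idempotent toggles anchored on the line start, and an upgrade check that does not trip over its own grep. It assumes the drop-in contains exactly the two lines After=whonix-firewall.service and Requires=whonix-firewall.service; the FAIL_CLOSED_CONF variable and the function names are this example's own, and the path can be pointed at a scratch copy for testing.

```shell
#!/bin/sh
## Added example (not Whonix code): inspect and toggle the fail-closed drop-in
## and detect a running package upgrade. Assumes the drop-in carries
##   After=whonix-firewall.service
##   Requires=whonix-firewall.service
## Set FAIL_CLOSED_CONF to a scratch copy to try this without touching /lib.

FAIL_CLOSED_CONF="${FAIL_CLOSED_CONF:-/lib/systemd/system/networking.service.d/30_whonix-gw-firewall-fail-closed.conf}"

## apt / apt-get / aptitude, any options, then an upgrade-type verb. Covers
## "upgrade", "dist-upgrade" and "full-upgrade"; "install" is deliberately not
## matched. A "grep apt --upgrade" command line does not match either, because
## "--upgrade" is an option here, not the bare verb.
UPGRADE_RE='(^|/|[[:space:]])(apt|apt-get|aptitude)[[:space:]]+(-[^[:space:]]+[[:space:]]+)*(upgrade|dist-upgrade|full-upgrade)([[:space:]]|$)'

## Succeeds if a process listing (one command line per line on stdin)
## contains an upgrade. Split out so it can be exercised with canned input.
upgrade_in_listing() {
  grep -Eq "$UPGRADE_RE"
}

## Live check. pgrep never matches itself, so no "grep found grep" false hit.
upgrade_running() {
  pgrep -f "$UPGRADE_RE" >/dev/null 2>&1
}

## Prints "enabled" when both lines are active, "disabled" when both are
## commented out, "mixed" for anything else (the state a sed typo leaves behind).
fail_closed_state() {
  active=$(grep -Ec '^(After|Requires)=whonix-firewall\.service$' "$FAIL_CLOSED_CONF" || true)
  commented=$(grep -Ec '^#(After|Requires)=whonix-firewall\.service$' "$FAIL_CLOSED_CONF" || true)
  if [ "$active" -eq 2 ] && [ "$commented" -eq 0 ]; then
    echo enabled
  elif [ "$active" -eq 0 ] && [ "$commented" -eq 2 ]; then
    echo disabled
  else
    echo mixed
  fi
}

## Comment both lines out. Idempotent: an already-commented line has no match.
disable_fail_closed() {
  sed -i -E 's/^(After|Requires)=whonix-firewall\.service$/#\1=whonix-firewall.service/' "$FAIL_CLOSED_CONF"
}

## Restore both lines. Idempotent for the same reason.
enable_fail_closed() {
  sed -i -E 's/^#(After|Requires)=whonix-firewall\.service$/\1=whonix-firewall.service/' "$FAIL_CLOSED_CONF"
}

## The comment's idea as one branch: relax the dependency only while an
## upgrade is in flight, and report the resulting state.
sync_fail_closed_with_upgrade() {
  if upgrade_running; then
    disable_fail_closed
  else
    enable_fail_closed
  fi
  fail_closed_state
}
```

Run it against a copy first: `cp /lib/systemd/system/networking.service.d/30_whonix-gw-firewall-fail-closed.conf /tmp/fc.conf; FAIL_CLOSED_CONF=/tmp/fc.conf sh -c '. ./fail_closed.sh; sync_fail_closed_with_upgrade'`. After any edit to the real drop-in, `systemctl daemon-reload` is still needed before systemd sees the changed dependency.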

Seems quite hacky. What's the root cause for failing?

> Seems quite hacky. What's the root cause for failing?

Probably, when the package is getting updated, it disables the firewall for a minute so it can apply the updates and the fail closed mechanism kicks in.

I can't think of any other way to fix this.

> Seems quite hacky. What's the root cause for failing?
>
> Probably, when the package is getting updated, it disables the firewall for a minute so it can apply the updates and the fail closed mechanism kicks in.

I don't think anything Debian does would modify any iptables rules, nor does Whonix ship any code to disable the firewall. So "disables the firewall for a minute" is non-existent. Would be bad if that happened.

> I don't think anything Debian does would modify any iptables rules, nor does Whonix ship any code to disable the firewall. So "disables the firewall for a minute" is non-existent. Would be bad if that happened.

Maybe we should ask upstream about this then. I can't think of any other way this might happen.