On Tue, Jan 01, 2019 at 09:09:48PM -0500, qubes-users-list - wrote:
> I'm trying to add a fair number (around 50?) of firewall rules to a vm. I'm
> reading a directory of wireguard configs and trying to create a specific
> rule for each ip*port.
> 
> After adding many rules, at a very consistent point, I get the following
> error:
> 
> $ qvm-firewall <VMNAME> add --before 0 accept proto=udp dsthost=<HOST> dstports=<PORT>
> Got empty response from qubesd. See journalctl in dom0 for details.
> 
> journalctl in dom0 says:
> 
> unhandled exception while calling src=b'dom0' meth=b'admin.vm.firewall.Set' dest=b'<VMNAME>' arg=b'' len(untrusted_payload)=2417
> Traceback (most recent call last):
>   File "/usr/lib/python3.5/site-packages/qubes/api/__init__.py", line 262, in respond
>     untrusted_payload=untrusted_payload)
>   File "/usr/lib64/python3.5/asyncio/futures.py", line 381, in __iter__
>     yield self  # This tells Task to wait for completion.
>   File "/usr/lib64/python3.5/asyncio/tasks.py", line 310, in _wakeup
>     future.result()
>   File "/usr/lib64/python3.5/asyncio/futures.py", line 294, in result
>     raise self._exception
>   File "/usr/lib64/python3.5/asyncio/tasks.py", line 240, in _step
>     result = coro.send(None)
>   File "/usr/lib64/python3.5/asyncio/coroutines.py", line 210, in coro
>     res = func(*args, **kw)
>   File "/usr/lib/python3.5/site-packages/qubes/api/admin.py", line 1303, in vm_firewall_set
>     self.dest.firewall.save()
>   File "/usr/lib/python3.5/site-packages/qubes/firewall.py", line 588, in save
>     self.vm.fire_event('firewall-changed')
>   File "/usr/lib/python3.5/site-packages/qubes/events.py", line 198, in fire_event
>     pre_event=pre_event)
>   File "/usr/lib/python3.5/site-packages/qubes/events.py", line 166, in _fire_event
>     effect = func(self, event, **kwargs)
>   File "/usr/lib/python3.5/site-packages/qubes/ext/r3compatibility.py", line 79, in on_firewall_changed
>     self.write_iptables_qubesdb_entry(vm.netvm)
>   File "/usr/lib/python3.5/site-packages/qubes/ext/r3compatibility.py", line 158, in write_iptables_qubesdb_entry
>     iptables)
> qubesdb.Error: (0, 'Error')
> 
> The rule in question does show up in qvm-firewall <VMNAME> list, but I
> think the new rule doesn't actually get applied.
> 
> As soon as I delete enough rules to not get the error, it feels like the
> rules are all properly applied again, but I didn't test this
> comprehensively yet.
> 
> It feels like I've hit some size limit?  From the backtrace it looks like
> the argument was an empty string: arg=b''.  That seems suspect.
> 
> Any pointers on where I could look in order to understand the issue better?
> 
> Thanks in advance,
> 
> Ralph
> 

Which Qubes version are you using?
How many rules are you able to apply?
Have you looked at the docs?
https://www.qubes-os.org/doc/firewall 
