Re: [qubes-users] Error when trying to add a lot of firewall rules
Ah! Thanks for pointing me at that bug. Yes, I'm running r4.0, but I am just completely wrong about being up to date. My qubes-core-dom0 package is only at 4.0.32-1, which is right before these fixes. It looks like I'm having some issues syncing with the qubes-dom0-current repo, and so hopefully once I figure that out I'll be all set. Thanks for your help! - Ralph On Wed, Jan 2, 2019 at 1:28 AM David Hobach wrote: > On 1/2/19 4:34 AM, qubes-users-list - wrote: > > Ah! I reread the docs, and it mentions a size limit 3k/~35-39 rules. > So I > > suspect that I'm hitting this limit. I was getting the error right in > that > > range. Thank you for pointing me at that. The docs point out rightly > that > > I can just put rules in the vm directly, so I'll go that route. > > > > For those curious, I'm running a fully up to date R4 > > > > The docs say "there is a 3 kB limit to the size of the iptables script". > > I'm curious as to where that limit comes from if anyone happens to know. > > Hmm yes unman wrote that doc part... > > But considering Marek's statement in > https://github.com/QubesOS/qubes-issues/issues/1570 : "This is already > fixed for Qubes 4.0. The fix is not feasible for backport (it's > incompatible change). The limitation is already documented." > > Are you running 4.0? Because if so, that is a bug and should cause #1570 > to be reopened. I cannot see the Qubes version from your post though. > > > > > > > On Tue, Jan 1, 2019 at 9:42 PM unman wrote: > > > >> On Tue, Jan 01, 2019 at 09:09:48PM -0500, qubes-users-list - wrote: > >>> I'm trying to add a fair number (around 50?) firewall rules to a vm. > I'm > >>> reading a directory of wireguard configs and trying to create a > specific > >>> rule for each ip*port. > >>> > >>> After adding many rules, at a very consistent point, I get the > following > >>> error: > >>> > >>> $ qvm-firewall add --before 0 accept proto=udp dsthost= > >>> dstports= > >>> Got empty response from qubesd. See journalctl in dom0 for details. > >>> > >>> journalctl in dom0 says: > >>> > >>> unhandled exception while calling src=b'dom0' > >> meth=b'admin.vm.firewall.Set' > >>> dest=b'' arg=b'' len(untrusted_payload)=2417 > >>> Traceback (most recent call last): > >>>File "/usr/lib/python3.5/site-packages/qubes/api/__init__.py", line > >> 262, > >>> in respond > >>> untrusted_payload=untrusted_payload) > >>>File "/usr/lib64/python3.5/asyncio/futures.py", line 381, in > __iter__ > >>> yield self # This tells Task to wait for completion. > >>>File "/usr/lib64/python3.5/asyncio/tasks.py", line 310, in _wakeup > >>> future.result() > >>>File "/usr/lib64/python3.5/asyncio/futures.py", line 294, in result > >>> raise self._exception > >>>File "/usr/lib64/python3.5/asyncio/tasks.py", line 240, in _step > >>> result = coro.send(None) > >>>File "/usr/lib64/python3.5/asyncio/coroutines.py", line 210, in coro > >>> res = func(*args, **kw) > >>>File "/usr/lib/python3.5/site-packages/qubes/api/admin.py", line > 1303, > >> in > >>> vm_firewall_set > >>> self.dest.firewall.save() > >>>File "/usr/lib/python3.5/site-packages/qubes/firewall.py", line > 588, in > >>> save > >>> self.vm.fire_event('firewall-changed') > >>>File "/usr/lib/python3.5/site-packages/qubes/events.py", line 198, > in > >>> fire_event > >>> pre_event=pre_event) > >>>File "/usr/lib/python3.5/site-packages/qubes/events.py", line 166, > in > >>> _fire_event > >>> effect = func(self, event, **kwargs) > >>>File > "/usr/lib/python3.5/site-packages/qubes/ext/r3compatibility.py", > >>> line 79, in on_firewall_changed > >>> self.write_iptables_qubesdb_entry(vm.netvm) > >>>File > "/usr/lib/python3.5/site-packages/qubes/ext/r3compatibility.py", > >>> line 158, in write_iptables_qubesdb_entry > >>> iptables) > >>> qubesdb.Error: (0, 'Error') > >>> > >>> The rule in question does show up in qvm-firewall list, but I > >>> think the new rule doesn't actually get applied. > >>> > >>> As soon as I delete enough rules to not get the error, it feels like > the > >>> rules are all properly applied again, but I didn't test this > >>> comprehensively yet. > >>> > >>> It feels like I've hit some size limit? From the backtrace it looks > like > >>> the argument was an empty string: arg=b''. That seems suspect. > >>> > >>> Any pointers on where I could look in order to understand the issue > >> better? > >>> > >>> Thanks in advance, > >>> > >>> Ralph > >>> > >> > >> Which Qubes version are you using? > >> How many rules are you able to apply? > >> Have you looked at the docs? > >> https://www.qubes-os.org/doc/firewall > >> > >> -- > >> You received this message because you are subscribed to the Google > Groups > >> "qubes-users" group. > >> To unsubscribe from this group and stop receiving emails from it, send > an > >> email to qubes-users+unsubscr...@googlegroups.com. > >> To post to this group, send email to
Re: [qubes-users] Error when trying to add a lot of firewall rules
On 1/2/19 4:34 AM, qubes-users-list - wrote: Ah! I reread the docs, and it mentions a size limit 3k/~35-39 rules. So I suspect that I'm hitting this limit. I was getting the error right in that range. Thank you for pointing me at that. The docs point out rightly that I can just put rules in the vm directly, so I'll go that route. For those curious, I'm running a fully up to date R4 The docs say "there is a 3 kB limit to the size of the iptables script". I'm curious as to where that limit comes from if anyone happens to know. Hmm yes unman wrote that doc part... But considering Marek's statement in https://github.com/QubesOS/qubes-issues/issues/1570 : "This is already fixed for Qubes 4.0. The fix is not feasible for backport (it's incompatible change). The limitation is already documented." Are you running 4.0? Because if so, that is a bug and should cause #1570 to be reopened. I cannot see the Qubes version from your post though. On Tue, Jan 1, 2019 at 9:42 PM unman wrote: On Tue, Jan 01, 2019 at 09:09:48PM -0500, qubes-users-list - wrote: I'm trying to add a fair number (around 50?) firewall rules to a vm. I'm reading a directory of wireguard configs and trying to create a specific rule for each ip*port. After adding many rules, at a very consistent point, I get the following error: $ qvm-firewall add --before 0 accept proto=udp dsthost= dstports= Got empty response from qubesd. See journalctl in dom0 for details. journalctl in dom0 says: unhandled exception while calling src=b'dom0' meth=b'admin.vm.firewall.Set' dest=b'' arg=b'' len(untrusted_payload)=2417 Traceback (most recent call last): File "/usr/lib/python3.5/site-packages/qubes/api/__init__.py", line 262, in respond untrusted_payload=untrusted_payload) File "/usr/lib64/python3.5/asyncio/futures.py", line 381, in __iter__ yield self # This tells Task to wait for completion. File "/usr/lib64/python3.5/asyncio/tasks.py", line 310, in _wakeup future.result() File "/usr/lib64/python3.5/asyncio/futures.py", line 294, in result raise self._exception File "/usr/lib64/python3.5/asyncio/tasks.py", line 240, in _step result = coro.send(None) File "/usr/lib64/python3.5/asyncio/coroutines.py", line 210, in coro res = func(*args, **kw) File "/usr/lib/python3.5/site-packages/qubes/api/admin.py", line 1303, in vm_firewall_set self.dest.firewall.save() File "/usr/lib/python3.5/site-packages/qubes/firewall.py", line 588, in save self.vm.fire_event('firewall-changed') File "/usr/lib/python3.5/site-packages/qubes/events.py", line 198, in fire_event pre_event=pre_event) File "/usr/lib/python3.5/site-packages/qubes/events.py", line 166, in _fire_event effect = func(self, event, **kwargs) File "/usr/lib/python3.5/site-packages/qubes/ext/r3compatibility.py", line 79, in on_firewall_changed self.write_iptables_qubesdb_entry(vm.netvm) File "/usr/lib/python3.5/site-packages/qubes/ext/r3compatibility.py", line 158, in write_iptables_qubesdb_entry iptables) qubesdb.Error: (0, 'Error') The rule in question does show up in qvm-firewall list, but I think the new rule doesn't actually get applied. As soon as I delete enough rules to not get the error, it feels like the rules are all properly applied again, but I didn't test this comprehensively yet. It feels like I've hit some size limit? From the backtrace it looks like the argument was an empty string: arg=b''. That seems suspect. Any pointers on where I could look in order to understand the issue better? Thanks in advance, Ralph Which Qubes version are you using? How many rules are you able to apply? Have you looked at the docs? https://www.qubes-os.org/doc/firewall -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20190102024257.s2plx7ipmkydl3dk%40thirdeyesecurity.org . For more options, visit https://groups.google.com/d/optout. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/cfa34648-fc69-b5d4-3b04-bd13fd79b996%40hackingthe.net. For more options, visit https://groups.google.com/d/optout. smime.p7s Description: S/MIME Cryptographic Signature
Re: [qubes-users] Error when trying to add a lot of firewall rules
Ah! I reread the docs, and it mentions a size limit 3k/~35-39 rules. So I suspect that I'm hitting this limit. I was getting the error right in that range. Thank you for pointing me at that. The docs point out rightly that I can just put rules in the vm directly, so I'll go that route. For those curious, I'm running a fully up to date R4 The docs say "there is a 3 kB limit to the size of the iptables script". I'm curious as to where that limit comes from if anyone happens to know. Cheers, Ralph On Tue, Jan 1, 2019 at 9:42 PM unman wrote: > On Tue, Jan 01, 2019 at 09:09:48PM -0500, qubes-users-list - wrote: > > I'm trying to add a fair number (around 50?) firewall rules to a vm. I'm > > reading a directory of wireguard configs and trying to create a specific > > rule for each ip*port. > > > > After adding many rules, at a very consistent point, I get the following > > error: > > > > $ qvm-firewall add --before 0 accept proto=udp dsthost= > > dstports= > > Got empty response from qubesd. See journalctl in dom0 for details. > > > > journalctl in dom0 says: > > > > unhandled exception while calling src=b'dom0' > meth=b'admin.vm.firewall.Set' > > dest=b'' arg=b'' len(untrusted_payload)=2417 > > Traceback (most recent call last): > > File "/usr/lib/python3.5/site-packages/qubes/api/__init__.py", line > 262, > > in respond > > untrusted_payload=untrusted_payload) > > File "/usr/lib64/python3.5/asyncio/futures.py", line 381, in __iter__ > > yield self # This tells Task to wait for completion. > > File "/usr/lib64/python3.5/asyncio/tasks.py", line 310, in _wakeup > > future.result() > > File "/usr/lib64/python3.5/asyncio/futures.py", line 294, in result > > raise self._exception > > File "/usr/lib64/python3.5/asyncio/tasks.py", line 240, in _step > > result = coro.send(None) > > File "/usr/lib64/python3.5/asyncio/coroutines.py", line 210, in coro > > res = func(*args, **kw) > > File "/usr/lib/python3.5/site-packages/qubes/api/admin.py", line 1303, > in > > vm_firewall_set > > self.dest.firewall.save() > > File "/usr/lib/python3.5/site-packages/qubes/firewall.py", line 588, in > > save > > self.vm.fire_event('firewall-changed') > > File "/usr/lib/python3.5/site-packages/qubes/events.py", line 198, in > > fire_event > > pre_event=pre_event) > > File "/usr/lib/python3.5/site-packages/qubes/events.py", line 166, in > > _fire_event > > effect = func(self, event, **kwargs) > > File "/usr/lib/python3.5/site-packages/qubes/ext/r3compatibility.py", > > line 79, in on_firewall_changed > > self.write_iptables_qubesdb_entry(vm.netvm) > > File "/usr/lib/python3.5/site-packages/qubes/ext/r3compatibility.py", > > line 158, in write_iptables_qubesdb_entry > > iptables) > > qubesdb.Error: (0, 'Error') > > > > The rule in question does show up in qvm-firewall list, but I > > think the new rule doesn't actually get applied. > > > > As soon as I delete enough rules to not get the error, it feels like the > > rules are all properly applied again, but I didn't test this > > comprehensively yet. > > > > It feels like I've hit some size limit? From the backtrace it looks like > > the argument was an empty string: arg=b''. That seems suspect. > > > > Any pointers on where I could look in order to understand the issue > better? > > > > Thanks in advance, > > > > Ralph > > > > Which Qubes version are you using? > How many rules are you able to apply? > Have you looked at the docs? > https://www.qubes-os.org/doc/firewall > > -- > You received this message because you are subscribed to the Google Groups > "qubes-users" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to qubes-users+unsubscr...@googlegroups.com. > To post to this group, send email to qubes-users@googlegroups.com. > To view this discussion on the web visit > https://groups.google.com/d/msgid/qubes-users/20190102024257.s2plx7ipmkydl3dk%40thirdeyesecurity.org > . > For more options, visit https://groups.google.com/d/optout. > -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/CAMVV%3Dfwe3dafA%3DCe3avc%2BJaZtA%2BJgJO4QaDfObVADkswk%2BxyXA%40mail.gmail.com. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Error when trying to add a lot of firewall rules
On Tue, Jan 01, 2019 at 09:09:48PM -0500, qubes-users-list - wrote: > I'm trying to add a fair number (around 50?) firewall rules to a vm. I'm > reading a directory of wireguard configs and trying to create a specific > rule for each ip*port. > > After adding many rules, at a very consistent point, I get the following > error: > > $ qvm-firewall add --before 0 accept proto=udp dsthost= > dstports= > Got empty response from qubesd. See journalctl in dom0 for details. > > journalctl in dom0 says: > > unhandled exception while calling src=b'dom0' meth=b'admin.vm.firewall.Set' > dest=b'' arg=b'' len(untrusted_payload)=2417 > Traceback (most recent call last): > File "/usr/lib/python3.5/site-packages/qubes/api/__init__.py", line 262, > in respond > untrusted_payload=untrusted_payload) > File "/usr/lib64/python3.5/asyncio/futures.py", line 381, in __iter__ > yield self # This tells Task to wait for completion. > File "/usr/lib64/python3.5/asyncio/tasks.py", line 310, in _wakeup > future.result() > File "/usr/lib64/python3.5/asyncio/futures.py", line 294, in result > raise self._exception > File "/usr/lib64/python3.5/asyncio/tasks.py", line 240, in _step > result = coro.send(None) > File "/usr/lib64/python3.5/asyncio/coroutines.py", line 210, in coro > res = func(*args, **kw) > File "/usr/lib/python3.5/site-packages/qubes/api/admin.py", line 1303, in > vm_firewall_set > self.dest.firewall.save() > File "/usr/lib/python3.5/site-packages/qubes/firewall.py", line 588, in > save > self.vm.fire_event('firewall-changed') > File "/usr/lib/python3.5/site-packages/qubes/events.py", line 198, in > fire_event > pre_event=pre_event) > File "/usr/lib/python3.5/site-packages/qubes/events.py", line 166, in > _fire_event > effect = func(self, event, **kwargs) > File "/usr/lib/python3.5/site-packages/qubes/ext/r3compatibility.py", > line 79, in on_firewall_changed > self.write_iptables_qubesdb_entry(vm.netvm) > File "/usr/lib/python3.5/site-packages/qubes/ext/r3compatibility.py", > line 158, in write_iptables_qubesdb_entry > iptables) > qubesdb.Error: (0, 'Error') > > The rule in question does show up in qvm-firewall list, but I > think the new rule doesn't actually get applied. > > As soon as I delete enough rules to not get the error, it feels like the > rules are all properly applied again, but I didn't test this > comprehensively yet. > > It feels like I've hit some size limit? From the backtrace it looks like > the argument was an empty string: arg=b''. That seems suspect. > > Any pointers on where I could look in order to understand the issue better? > > Thanks in advance, > > Ralph > Which Qubes version are you using? How many rules are you able to apply? Have you looked at the docs? https://www.qubes-os.org/doc/firewall -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20190102024257.s2plx7ipmkydl3dk%40thirdeyesecurity.org. For more options, visit https://groups.google.com/d/optout.
[qubes-users] Error when trying to add a lot of firewall rules
I'm trying to add a fair number (around 50?) firewall rules to a vm. I'm reading a directory of wireguard configs and trying to create a specific rule for each ip*port. After adding many rules, at a very consistent point, I get the following error: $ qvm-firewall add --before 0 accept proto=udp dsthost= dstports= Got empty response from qubesd. See journalctl in dom0 for details. journalctl in dom0 says: unhandled exception while calling src=b'dom0' meth=b'admin.vm.firewall.Set' dest=b'' arg=b'' len(untrusted_payload)=2417 Traceback (most recent call last): File "/usr/lib/python3.5/site-packages/qubes/api/__init__.py", line 262, in respond untrusted_payload=untrusted_payload) File "/usr/lib64/python3.5/asyncio/futures.py", line 381, in __iter__ yield self # This tells Task to wait for completion. File "/usr/lib64/python3.5/asyncio/tasks.py", line 310, in _wakeup future.result() File "/usr/lib64/python3.5/asyncio/futures.py", line 294, in result raise self._exception File "/usr/lib64/python3.5/asyncio/tasks.py", line 240, in _step result = coro.send(None) File "/usr/lib64/python3.5/asyncio/coroutines.py", line 210, in coro res = func(*args, **kw) File "/usr/lib/python3.5/site-packages/qubes/api/admin.py", line 1303, in vm_firewall_set self.dest.firewall.save() File "/usr/lib/python3.5/site-packages/qubes/firewall.py", line 588, in save self.vm.fire_event('firewall-changed') File "/usr/lib/python3.5/site-packages/qubes/events.py", line 198, in fire_event pre_event=pre_event) File "/usr/lib/python3.5/site-packages/qubes/events.py", line 166, in _fire_event effect = func(self, event, **kwargs) File "/usr/lib/python3.5/site-packages/qubes/ext/r3compatibility.py", line 79, in on_firewall_changed self.write_iptables_qubesdb_entry(vm.netvm) File "/usr/lib/python3.5/site-packages/qubes/ext/r3compatibility.py", line 158, in write_iptables_qubesdb_entry iptables) qubesdb.Error: (0, 'Error') The rule in question does show up in qvm-firewall list, but I think the new rule doesn't actually get applied. As soon as I delete enough rules to not get the error, it feels like the rules are all properly applied again, but I didn't test this comprehensively yet. It feels like I've hit some size limit? From the backtrace it looks like the argument was an empty string: arg=b''. That seems suspect. Any pointers on where I could look in order to understand the issue better? Thanks in advance, Ralph -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/CAMVV%3Dfz_7U-GgCFP9_605PCsyVR0cjsO2viWT8_K%3DzwQD-SwKw%40mail.gmail.com. For more options, visit https://groups.google.com/d/optout.