QubesOS / qubes-issues

The Qubes OS Project issue tracker
https://www.qubes-os.org/doc/issue-tracking/

qubes-setup-dnat-to-ns fails - use iptables -w #6631

Closed marmarek closed 1 year ago

marmarek commented 3 years ago

Observation

openQA test in scenario qubesos-4.1-pull-requests-x86_64-system_tests_network@64bit fails in VmNetworking_fedora-33

# test_212_custom_ip_firewall
# failure: 

Traceback (most recent call last):
  File "/usr/lib/python3.8/site-packages/qubes/tests/integ/network.py", line 124, in run_netvm_cmd
    self.loop.run_until_complete(
  File "/usr/lib64/python3.8/asyncio/base_events.py", line 616, in run_until_complete
    return future.result()
  File "/usr/lib/python3.8/site-packages/qubes/vm/qubesvm.py", line 1551, in run_for_stdio
    raise subprocess.CalledProcessError(p.returncode,
subprocess.CalledProcessError: Command '/usr/lib/qubes/qubes-setup-dnat-to-ns' returned non-zero exit status 4.

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib/python3.8/site-packages/qubes/tests/integ/network.py", line 88, in setUp
    self.configure_netvm()
  File "/usr/lib/python3.8/site-packages/qubes/tests/integ/network.py", line 150, in configure_netvm
    run_netvm_cmd("/usr/lib/qubes/qubes-setup-dnat-to-ns")
  File "/usr/lib/python3.8/site-packages/qubes/tests/integ/network.py", line 127, in run_netvm_cmd
    self.fail("Command '%s' failed: %s%s" %
AssertionError: Command '/usr/lib/qubes/qubes-setup-dnat-to-ns' failed: Another app is currently holding the xtables lock. Perhaps you want to use the -w option?

# system-out: 

Test suite description

Reproducible

Fails since (at least) Build 2021050903-4.1

Expected result

Last good: 2021042904-4.1 (or more recent)

Further details

Always latest result in this scenario: latest

DemiMarie commented 3 years ago

Can we just ditch xtables entirely in favor of nftables?

marmarek commented 3 years ago

That is an option in R4.1 - I think all the distributions we care about there already have nftables. Do you want to do it for this script specifically?

But, I'd like one thing first: find a decent nft CLI cheatsheet and link it in https://www.qubes-os.org/doc/firewall/ (or write a short own version there). Its syntax and error reporting is IMHO very user unfriendly - some example:

# nft list 
Error: syntax error, unexpected newline
list
    ^
# nft  list table
Error: syntax error, unexpected newline, expecting string
list table
          ^

it doesn't tell you what can/should be there. --help is useless there too. You need to open lengthy manual and scroll to the relevant section.

DemiMarie commented 3 years ago

> That is an option in R4.1 - I think all the distributions we care about there already have nftables. Do you want to do it for this script specifically?

Perhaps. That is actually not the area where nftables would be the biggest win, though. I really want to use nftables netdev rules for anti-spoofing protection, as they should be faster and can provide better protection (like dropping all ARP traffic).

> But, I'd like one thing first: find a decent nft CLI cheatsheet and link it in https://www.qubes-os.org/doc/firewall/ (or write a short own version there). Its syntax and error reporting is IMHO very user unfriendly - some example:
>
> # nft list 
> Error: syntax error, unexpected newline
> list
>     ^
> # nft  list table
> Error: syntax error, unexpected newline, expecting string
> list table
>           ^
>
> it doesn't tell you what can/should be there. --help is useless there too. You need to open lengthy manual and scroll to the relevant section.

Looks like yacc-generated parser output, sadly.
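The two fixes discussed in this thread side by side, as an added example that is not the `qubes-setup-dnat-to-ns` script and not part of the original issue: the same "redirect DNS aimed at a VM-local resolver address to the upstream nameserver" rule written once with `iptables -w` (so a concurrent iptables run holding the xtables lock makes this call wait instead of exiting with status 4, which is the failure in the openQA log above) and once as an nftables ruleset applied in a single transaction, where no xtables lock exists. The addresses, the chain name `DNAT-TO-NS`, the table name `dnat_to_ns` and the 10 second wait bound are constructed placeholders, not Qubes values; the `nft -c -f` pre-check and `nft list ...` forms at the end are the inspection commands a short cheatsheet of the kind asked for above would start with.

```shell
#!/bin/sh
# Added example, not the Qubes script. Redirects DNS sent to VIRTUAL_DNS to the
# first upstream nameserver from a resolv.conf-style input. Every address and
# chain/table name here is a constructed placeholder.

VIRTUAL_DNS="10.0.0.1"      # constructed: resolver address the VM is configured with
IPTABLES_WAIT_SECONDS=10    # upper bound for -w; a bare -w would wait indefinitely

# Read resolv.conf-style text on stdin and print one IPv4 nameserver per line,
# skipping comments, "search"/"options" lines and non-IPv4 entries.
upstream_nameservers() {
    awk '$1 == "nameserver" && $2 ~ /^[0-9.]+$/ { print $2 }'
}

# Variant 1: iptables. Prints the commands rather than running them so they can
# be reviewed or piped to sh. "-w N" is the fix from the issue title: wait up to
# N seconds for the xtables lock instead of failing with exit status 4 when
# another iptables process holds it.
iptables_dnat_commands() {
    ns="$1"
    ipt="iptables -w $IPTABLES_WAIT_SECONDS -t nat"
    echo "$ipt -N DNAT-TO-NS 2>/dev/null || true"      # create chain if missing
    echo "$ipt -F DNAT-TO-NS"                          # drop stale rules
    # add the jump from PREROUTING only once (-C checks for an existing rule)
    echo "$ipt -C PREROUTING -d $VIRTUAL_DNS -j DNAT-TO-NS 2>/dev/null || $ipt -A PREROUTING -d $VIRTUAL_DNS -j DNAT-TO-NS"
    for proto in udp tcp; do
        echo "$ipt -A DNAT-TO-NS -p $proto --dport 53 -j DNAT --to-destination $ns"
    done
}

# Variant 2: nftables. Emits a ruleset file; "nft -f" applies the whole file as
# one transaction, so there is no lock to contend for and no half-applied state.
# The declare-then-delete pair makes the delete succeed on the first run too.
nft_ruleset() {
    ns="$1"
    cat <<EOF
table ip dnat_to_ns
delete table ip dnat_to_ns
table ip dnat_to_ns {
    chain prerouting {
        type nat hook prerouting priority -100; policy accept;
        ip daddr $VIRTUAL_DNS udp dport 53 dnat to $ns
        ip daddr $VIRTUAL_DNS tcp dport 53 dnat to $ns
    }
}
EOF
}

# Check the ruleset syntax without loading it (-c), then apply it. Inspection
# afterwards: "nft list tables", "nft list table ip dnat_to_ns", "nft list ruleset".
apply_nft_ruleset() {
    f=$(mktemp) || return 1
    nft_ruleset "$1" > "$f"
    nft -c -f "$f" && nft -f "$f"
    rc=$?
    rm -f "$f"
    return $rc
}

# Usage: sh dnat_example.sh --print   (show both variants for /etc/resolv.conf)
#        sh dnat_example.sh --apply   (load the nft variant; needs root and nft)
main() {
    ns=$(upstream_nameservers < /etc/resolv.conf | head -n 1)
    [ -n "$ns" ] || { echo "no IPv4 nameserver in /etc/resolv.conf" >&2; return 1; }
    case "$1" in
        --print) iptables_dnat_commands "$ns"; echo; nft_ruleset "$ns" ;;
        --apply) apply_nft_ruleset "$ns" ;;
    esac
}
case "${1:-}" in --print|--apply) main "$1" ;; esac
```

Running with `--print` writes nothing to the kernel, which is the mode to use when comparing the two variants; `--apply` is only meaningful inside a NetVM with `nft` installed.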

github-actions[bot] commented 1 year ago

This issue is being closed because:

If anyone believes that this issue should be reopened and reassigned to an active milestone, please leave a brief comment. (For example, if a bug still affects Qubes OS 4.1, then the comment "Affects 4.1" will suffice.)