qubes-firewall crashed parsing conntrack output #9760

Closed
coyotebush opened this issue Feb 8, 2025 · 17 comments · Fixed by QubesOS/qubes-core-agent-linux#553
Labels
affects-4.2 This issue affects Qubes OS 4.2. C: core C: networking diagnosed Technical diagnosis has been performed (see issue comments). P: major Priority: major. Between "default" and "critical" in severity. pr submitted A pull request has been submitted for this issue. r4.2-stable r4.2-vm-bookworm-stable r4.2-vm-fc40-stable r4.2-vm-fc41-stable r4.2-vm-trixie-stable r4.3-vm-bookworm-cur-test r4.3-vm-fc40-cur-test r4.3-vm-fc41-cur-test r4.3-vm-trixie-cur-test

Comments

@coyotebush

Qubes OS release

Qubes OS 4.2

Brief summary

Yesterday I was editing some firewall rules, then later noticed that newly launched qubes were unable to reach the internet. I discovered that the qubes-firewall service had crashed.

Steps to reproduce

  1. Update firewall rules in qube settings
  2. Probably some unlucky IO timing?

Expected behavior

Firewall keeps updating as rules are changed and new qubes are started.

Actual behavior

qubes-firewall crashed: found in sys-firewall journalctl -u qubes-firewall.service

Feb 07 14:52:47 sys-firewall python3[570]: detected unhandled Python exception in '/usr/bin/qubes-firewall'
Feb 07 14:52:47 sys-firewall qubes-firewall[570]: Traceback (most recent call last):
Feb 07 14:52:47 sys-firewall qubes-firewall[570]:   File "/usr/bin/qubes-firewall", line 5, in <module>
Feb 07 14:52:47 sys-firewall qubes-firewall[570]:     sys.exit(main())
Feb 07 14:52:47 sys-firewall qubes-firewall[570]:              ^^^^^^
Feb 07 14:52:47 sys-firewall qubes-firewall[570]:   File "/usr/lib/python3.12/site-packages/qubesagent/firewall.py", line 638, in main
Feb 07 14:52:47 sys-firewall qubes-firewall[570]:     worker.main()
Feb 07 14:52:47 sys-firewall qubes-firewall[570]:   File "/usr/lib/python3.12/site-packages/qubesagent/firewall.py", line 353, in main
Feb 07 14:52:47 sys-firewall qubes-firewall[570]:     self.handle_addr(source_addr)
Feb 07 14:52:47 sys-firewall qubes-firewall[570]:   File "/usr/lib/python3.12/site-packages/qubesagent/firewall.py", line 295, in handle_addr
Feb 07 14:52:47 sys-firewall qubes-firewall[570]:     self.apply_rules(addr, rules)
Feb 07 14:52:47 sys-firewall qubes-firewall[570]:   File "/usr/lib/python3.12/site-packages/qubesagent/firewall.py", line 598, in apply_rules
Feb 07 14:52:47 sys-firewall qubes-firewall[570]:     self.apply_rules_family(source, rules, 4)
Feb 07 14:52:47 sys-firewall qubes-firewall[570]:   File "/usr/lib/python3.12/site-packages/qubesagent/firewall.py", line 590, in apply_rules_family
Feb 07 14:52:47 sys-firewall qubes-firewall[570]:     is_blocked = self.is_blocked(rules, con, dns)
Feb 07 14:52:47 sys-firewall qubes-firewall[570]:                  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Feb 07 14:52:47 sys-firewall qubes-firewall[570]:   File "/usr/lib/python3.12/site-packages/qubesagent/firewall.py", line 254, in is_blocked
Feb 07 14:52:47 sys-firewall qubes-firewall[570]:     if int(con_dport) != 53 or not con_dst in dns_servers:
Feb 07 14:52:47 sys-firewall qubes-firewall[570]:        ^^^^^^^^^^^^^^
Feb 07 14:52:47 sys-firewall qubes-firewall[570]: ValueError: invalid literal for int() with base 10: '5conntrack'
Feb 07 14:52:47 sys-firewall systemd[1]: qubes-firewall.service: Main process exited, code=exited, status=1/FAILURE
Feb 07 14:52:47 sys-firewall systemd[1]: qubes-firewall.service: Failed with result 'exit-code'.

Additional information

If I followed the code correctly, it seems like qubes-firewall must have read dport=5conntrack in the output of conntrack. The only place "conntrack" normally appears in the output of conntrack is in the message conntrack v1.4.7 (conntrack-tools): ... printed to stderr before exiting. So that message probably ended up interleaved with normal output such as dport=53.

Two things look suspicious to me, and I'd be happy to change them if desired:

  1. stderr=subprocess.STDOUT combines stderr with stdout - but that risks interleaving like this, and probably nothing printed to stderr is usefully parseable anyway.
  2. The int() call has no ValueError handling - although a better handling isn't entirely obvious.
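An added illustration, not code from the qubes-core-agent-linux project: a defensive parser for `conntrack -L` output that rejects a spliced line like the one behind the traceback instead of crashing the service, beside the hardened invocation that keeps stderr separate from stdout (the approach the reporter proposes). The sample output is constructed; the wording of the conntrack status line is assumed from the description above.

```python
import re
import subprocess

# Constructed sample: with stderr=subprocess.STDOUT, conntrack's stderr status line
# landed inside the third entry, turning "dport=53" into "dport=5conntrack ...".
MERGED_OUTPUT = (
    "udp      17 29 src=10.137.0.12 dst=10.139.1.1 sport=49152 dport=53 "
    "src=10.139.1.1 dst=10.137.0.12 sport=53 dport=49152 mark=0 use=1\n"
    "tcp      6 431999 ESTABLISHED src=10.137.0.12 dst=93.184.216.34 sport=59112 "
    "dport=443 src=93.184.216.34 dst=10.137.0.12 sport=443 dport=59112 mark=0 use=1\n"
    "udp      17 29 src=10.137.0.12 dst=10.139.1.1 sport=49153 dport=5conntrack "
    "v1.4.7 (conntrack-tools): 3 flow entries have been shown.\n"
    "3 src=10.139.1.1 dst=10.137.0.12 sport=53 dport=49153 mark=0 use=1\n"
)

# Entries start "<proto> <number> <timeout>"; the spliced tail "3 src=..." fails it.
ENTRY_RE = re.compile(r"^[a-z]+\s+\d+\s+\d+\b")
KV_RE = re.compile(r"\b([a-z]+)=(\S+)")

def parse_flow(line):
    """Original-direction src/dst/dport of one `conntrack -L` line, or None."""
    if not ENTRY_RE.match(line):
        return None
    fields = {}
    for key, value in KV_RE.findall(line):
        fields.setdefault(key, value)  # first occurrence = original direction
    try:
        flow = {"src": fields["src"], "dst": fields["dst"],
                "dport": int(fields["dport"])}  # "5conntrack" raises ValueError
    except (KeyError, ValueError):
        return None
    return flow if 0 <= flow["dport"] <= 65535 else None

def parse_flows(text):
    """Return (accepted flows, rejected raw lines): a malformed line is
    skipped and reported instead of taking the whole service down."""
    flows, rejected = [], []
    for line in filter(str.strip, text.splitlines()):
        flow = parse_flow(line)
        if flow is None:
            rejected.append(line)
        else:
            flows.append(flow)
    return flows, rejected

def list_connections():
    """Hardened call: stderr stays separate, so it can never be spliced into stdout."""
    return subprocess.run(["conntrack", "-L"], stdout=subprocess.PIPE,
                          stderr=subprocess.DEVNULL, text=True).stdout
```

`list_connections` needs the conntrack binary and is only here to show the invocation; `parse_flows(MERGED_OUTPUT)` runs offline and yields two good flows plus the two fragments of the spliced entry.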
@coyotebush coyotebush added the P: default Priority: default. Default priority for new issues, to be replaced given sufficient information. label Feb 8, 2025
@marmarek
Member

marmarek commented Feb 8, 2025

stderr=subprocess.STDOUT combines stderr with stdout - but that risks interleaving like this, and probably nothing printed to stderr is usefully parseable anyway.

Indeed this looks to be a bad idea here...

@marmarek
Member

marmarek commented Feb 8, 2025

On a more generic approach, that service could use automatic restart on failure

@Eric678

Eric678 commented Feb 9, 2025

The universal qubes fix!

I just noticed this as my qubes-firewall table in sys-firewall stopped updating a week or so ago - been twiddling nftables manually since - not knowing how it was supposed to work. int() got 4conntrack in my case...

@andrewdavidwong andrewdavidwong added C: core needs diagnosis Requires technical diagnosis from developer. Replace with "diagnosed" or remove if otherwise closed. C: networking affects-4.2 This issue affects Qubes OS 4.2. labels Feb 9, 2025
@coyotebush
Author

Two users in a week or so is less rare than I feared! I can send a PR this week for at least the stderr thing.

I first restarted just the service (systemctl restart qubes-firewall.service) after it crashed, and one effect I noticed is that the contents of nft list chain qubes-firewall forward ended up repeated. So automatic restarts could cause that chain to grow quite long, unless the service is also changed to clear the chain when it starts before appending to it.

@andrewdavidwong andrewdavidwong added P: major Priority: major. Between "default" and "critical" in severity. and removed P: default Priority: default. Default priority for new issues, to be replaced given sufficient information. labels Feb 10, 2025
coyotebush added a commit to coyotebush/qubes-core-agent-linux that referenced this issue Feb 12, 2025
conntrack generally prints a status message to stderr before exiting,
which interferes with listing connections. Output from dropping
connections was unused.

Fixes QubesOS/qubes-issues#9760
@coyotebush
Author

For interest: I started by logging lines containing "conntrack" in conntrack_get_connections. Given intersecting connections and rules, the line printed was reliably a combination of an output line and the status line (containing sport=591conntrack, src=conntrack, secctx=system_u:oconntrack, etc.)

marmarek added a commit to QubesOS/qubes-core-agent-linux that referenced this issue Feb 14, 2025
* origin/pr/553:
  qubes-firewall: Suppress extraneous conntrack output

Pull request description:

conntrack generally prints a status message to stderr before exiting, which interferes with listing connections. Output from dropping connections was unused.

Testing: developed within my `sys-firewall`, verified that `conntrack_get_connections` no longer observes lines containing "conntrack", and that connection dropping still works.

Fixes QubesOS/qubes-issues#9760
@andrewdavidwong andrewdavidwong added diagnosed Technical diagnosis has been performed (see issue comments). pr submitted A pull request has been submitted for this issue. and removed needs diagnosis Requires technical diagnosis from developer. Replace with "diagnosed" or remove if otherwise closed. labels Feb 14, 2025
marmarek pushed a commit to QubesOS/qubes-core-agent-linux that referenced this issue Feb 17, 2025
conntrack generally prints a status message to stderr before exiting,
which interferes with listing connections. Output from dropping
connections was unused.

Fixes QubesOS/qubes-issues#9760

(cherry picked from commit d8fb353)
@qubesos-bot

Automated announcement from builder-github

The package core-agent-linux has been pushed to the r4.3 testing repository for the Debian template.
To test this update, first enable the testing repository in /etc/apt/sources.list.d/qubes-*.list by uncommenting the line containing bookworm-testing (or appropriate equivalent for your template version), then use the standard update command:

sudo apt-get update && sudo apt-get dist-upgrade

Changes included in this update

@qubesos-bot

Automated announcement from builder-github

The component core-agent-linux (including package core-agent-linux) has been pushed to the r4.3 testing repository for the Fedora template.
To test this update, please install it with the following command:

sudo dnf update --enablerepo=qubes-vm-r4.3-current-testing

Changes included in this update

@qubesos-bot

Automated announcement from builder-github

The package core-agent-linux has been pushed to the r4.3 testing repository for the Debian template.
To test this update, first enable the testing repository in /etc/apt/sources.list.d/qubes-*.list by uncommenting the line containing trixie-testing (or appropriate equivalent for your template version), then use the standard update command:

sudo apt-get update && sudo apt-get dist-upgrade

Changes included in this update

@qubesos-bot

Automated announcement from builder-github

The component core-agent-linux (including package core-agent-linux) has been pushed to the r4.2 testing repository for the Fedora template.
To test this update, please install it with the following command:

sudo dnf update --enablerepo=qubes-vm-r4.2-current-testing

Changes included in this update

@qubesos-bot

Automated announcement from builder-github

The package core-agent-linux has been pushed to the r4.2 testing repository for the Debian template.
To test this update, first enable the testing repository in /etc/apt/sources.list.d/qubes-*.list by uncommenting the line containing bookworm-testing (or appropriate equivalent for your template version), then use the standard update command:

sudo apt-get update && sudo apt-get dist-upgrade

Changes included in this update

@qubesos-bot

Automated announcement from builder-github

The package core-agent-linux has been pushed to the r4.2 testing repository for the Debian template.
To test this update, first enable the testing repository in /etc/apt/sources.list.d/qubes-*.list by uncommenting the line containing trixie-testing (or appropriate equivalent for your template version), then use the standard update command:

sudo apt-get update && sudo apt-get dist-upgrade

Changes included in this update

@qubesos-bot

Automated announcement from builder-github

The package core-agent-linux has been pushed to the r4.2 stable repository for the Debian template.
To install this update, please use the standard update command:

sudo apt-get update && sudo apt-get dist-upgrade

Changes included in this update

@qubesos-bot

Automated announcement from builder-github

The component core-agent-linux (including package core-agent-linux) has been pushed to the r4.2 stable repository for the Fedora template.
To install this update, please use the standard update command:

sudo dnf update

Changes included in this update
