Network doesn't work with AppVMs

[maxp...@gmail.com]

Hi everyone,

I use Qubes R4 since its release and, until a few days ago, I had no network problem. Today, it's impossible from my AppVMs to get any connection. Everything seem to work well until sys-firewall : if I use traceroute or ping in VM's terminal, I have a network access. It also appears that the network connection works for updating TemplateVMs and Dom0. Rebooting AppVMs or the computer doesn't fix the issue.

Had some people got this issue ?

[donoban]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Do you run fedora-27? I had same problem today after upgrading some
packages on fedora-27 template and rebooting whole machine. Since I
didn't have time to analyze the problem I changed sys-net and
sys-firewall to fedora-26 again and it worked.
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEznLCgPSfWTT+LPrmFBMQ2OPtCKUFAlsNmJcACgkQFBMQ2OPt
CKWg5Q/+Mhb2ns9FuRk0BqzGaWyL2CsDxBDpyBuvJqLCQRyJISawuVlJ0XqAl8+6
yEaEeec5KtZwWv388wMAigktiZLjobdBcfssxRrrYd8hrXQbh2GL7qEs/4Y5Zys3
qwu8plGDhOuRP64PuTn4RZdRCH8Rf8Exd2wAD3K6Jvq92e9xHB8rd/khGo5kYaj2
Uzm1PXhxRLSj+QWsPHtlWDdObgFeTPn3ok0VGG+VP+jLyktpijet7ElKQzKqLyhU
HI+LAbHc21LUPvvRkdX/FHbaykF3uGJYxfXRzymm1Hfj/iwRmPdYpW8f66G5wJwx
UOyXCNwGWOlwypV6pCFQJTxgt9OqTLSxMfh2M+ve/WskYDYdXnWicOWT7jn5p+ZO
3SPK1h3v5QUNkN1dF194HnIRfb2xjW9bfzGlSZiYUuqhljArpDjTyN0mlAP+NvlY
URm0lfvW9jwxLTnh8H+PLefDchy16dOpbDP60BIjbi5bLDcHUaNLqUUlZe8Ay/Lz
w59AdwRqjZcrCkMsUn6VgP71YKpIxeWPbnVTJ7GiEoHL+30w8raUgKqvGyoTw/VM
MijXj28ZuDtZfaoCS4UdkhDTDFXBH1LCMrnUvdmea3eG0pw6Xhar10ABED1gseF8
I/k1S3fXswRf7PhlLk2nwXRLP9Z9kVyKuCmkskzn8OtJuzAo4Wg=
=vIjI
-----END PGP SIGNATURE-----

[Chris Laprise]

On 05/29/2018 02:14 PM, donoban wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> On 05/29/18 13:45, maxp...@gmail.com wrote:
>> Hi everyone,
>>
>> I use Qubes R4 since its release and, until a few days ago, I had
>> no network problem. Today, it's impossible from my AppVMs to get
>> any connection. Everything seem to work well until sys-firewall :
>> if I use traceroute or ping in VM's terminal, I have a network
>> access. It also appears that the network connection works for
>> updating TemplateVMs and Dom0. Rebooting AppVMs or the computer
>> doesn't fix the issue.
>>
>> Had some people got this issue ?
>
> Do you run fedora-27? I had same problem today after upgrading some
> packages on fedora-27 template and rebooting whole machine. Since I
> didn't have time to analyze the problem I changed sys-net and
> sys-firewall to fedora-26 again and it worked.

Do an 'iptables -L -t nat' in sys-firewall. As I'm experiencing in f28,
you may find all the chains empty. This leaves the VM unable to forward
packets properly.

I'd suggest moving to debian-9 for the time being.

--

Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB 4AB3 1DC4 D106 F07F 1886

[799]

donoban <don...@riseup.net> schrieb am Di., 29. Mai 2018, 20:14:

Do you run fedora-27? I had same problem today after upgrading some
packages on fedora-27 template and rebooting whole machine. Since I
didn't have time to analyze the problem I changed sys-net and
sys-firewall to fedora-26 again and it worked.

Just because I am curious:

what would be a reason to use Fedora 27 instead of Fedora 28?

I have rebuild all my templates from scratch based on closed fedora-28-minimal templates.

[799]

[donoban]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On 05/29/18 21:02, 799 wrote:
> Just because I am curious: what would be a reason to use Fedora 27
> instead of Fedora 28?
>
> I have rebuild all my templates from scratch based on closed
> fedora-28-minimal templates.
>

it is not a very thoughtful question. I just wanted to upgrade last
weekend before reaching the 26 EOL and I tought that upgrading from
26->27 would be less problematic.

I don't think there is much difference between 27 or 28 but I don't
know too much about fedora release cycles.
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEznLCgPSfWTT+LPrmFBMQ2OPtCKUFAlsNq2AACgkQFBMQ2OPt
CKXGahAAjxhz9Cp5VNRkmkPjDdG1oeFxClH29Asfi3cBPsWq5S9EkIsGKpn2FkNj
C6FPbVHoVC/ZtD3urMEZab/FiZbcJVYE4XynTPzFLQHqL9g/maA5KzFn2XCg59oI
MspVc/N9IcgnSCnHXSRKZrd/qXcY0uPYqjogqaIhPsAaZs9p1hGLDxLYAjpl684r
HkXJcimst8DZ11wlTTxV32eJ9+coSWO/QYYFTuoX+H1zxOpuxnIp/m//yD295BLm
73rXohAuKsaALK3GDYnPT9VvvqAswpljpW3sCsPAgNqeIeDuIVswtouftAYIjWTd
eIJI0SOY43CBAN7lU+54Tos1KPBd/MN0t4glZq0f0Nloj4p5zCzBul9wwHWIvnyd
l329KLByCK1lJzo8njzoki5RqNV7vERpWktaHb2OX23vB5IWv9r+PEHhTdxZQwL9
2doYmYKKjDQHpIO8h4DJoqYPwhdug/LBqoA6r6a3SLgS6dqczpJJ/tvYhLioy3s7
5c5vCRZiMUwc+Eyocn/uMcWsMjOOJwcwRkIo2T7/uTm4iJ9+SFlHq5EweSLycDy+
qzvjhXp4FhEJaWm7YB+DU6ZFO4Jfq8wCQAkvrm9h4pCD/8xhqBaepYKHwivaN/OU
2/RhUvMFtgaS0xqSHNxUZuYoGHwim4bJAtI+oaRa5N5LqM3xBU4=
=NnFo
-----END PGP SIGNATURE-----

[donoban]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On 05/29/18 21:34, donoban wrote:> it is not a very thoughtful question.

I mean that I didn't think too much about it.

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEznLCgPSfWTT+LPrmFBMQ2OPtCKUFAlsNrREACgkQFBMQ2OPt
CKVSbBAAk0ggNbY+V7pQ6k5XvB8VC9Sqjnr1ob/OiqFgGNNJ0q8/RI7WBlAu85BD
+BbRyLVTQ9EKBga9SzZ2agqnRGsmK/sYps0jQJRAJI6JbDfmnDbzTtCj56Pa4028
jKxLRB/IoCF4NcAGYUcZXS2cRmETURbtEMbttNhhx9Q0KLSx5qh+utJE5IiTNhkC
T7Wig5tU+GkzUTQxgBf1zqgKsJ8olXGdqi4t80+oQDbK0B1ganNrh+/XUWsgFK0O
csGFnKInDz2HnjUZTgIgWOo55GpATbbwYvzt72OB4qbozuyYGAuVvL1AY4cp35D9
blb8xuh29Z5Omr9YeJnmmgs+axoxhbUp2JzfTEDMH0VBj+UesoC83ytU3O32WRj8
fct+RPt/g0iBPKko11Bn0OI24H/FCEwVcmO1IgOf8RLbQT1ewtvAHt6d3qsKmlJj
KjJhFlWKe9RamXOKlGAuiZdJ+8ynKBWHhs/gYRkhBKTkISnBxAVqcMOh/ddQ0mW1
+UmmOrmuAJS4pBsszAG0vnrMvTMrEXc/8YNpKlWht730Y4zFg3U2NOuanflUgWtF
XRZ8UkelvjUxUubJzXDOId8/s1Cx/buXdAticpKgWgvnEdnZ9C+a1Ux6CQDNLZw6
MU+fDf8pVFptB4AJYWaCwQJS32TcUI6y93PvRqGN2BNAGn2vcmU=
=lTFr
-----END PGP SIGNATURE-----

[get]

вторник, 29 мая 2018 г., 14:45:05 UTC+3 пользователь maxp...@gmail.com написал:

> Hi everyone,
>
> I use Qubes R4 since its release and, until a few days ago, I had no network problem. Today, it's impossible from my AppVMs to get any connection. Everything seem to work well until sys-firewall : if I use traceroute or ping in VM's terminal, I have a network access. It also appears that the network connection works for updating TemplateVMs and Dom0. Rebooting AppVMs or the computer doesn't fix the issue.
>
> Had some people got this issue ?

It is Fedora troubles. You can kick off Fedora and switch to Debian/Void (more stable).

[pon...@keemail.me]

3. Jun 2018 11:59 by turb...@gmail.com:

App networking even doesn't work here with Debian 9 + 10, and tasket's brilliant qubes-vpn, and his qubes-tunnel.service. Sys-whonix/Tor via sys-net is fine.

Working/examining (on) it. ;)

Best regards, p b

[donoban]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

As a workaround I edited file '/usr/lib/qubes/init/qubes-iptables' in
fedora template.

Replace line 47:
CMD_ARGS=--wait
with
CMD_ARGS=--wait 0



-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEznLCgPSfWTT+LPrmFBMQ2OPtCKUFAlsTyskACgkQFBMQ2OPt
CKWOSg//YdepomBqS/FthgUFofnwW3JtQf6KAoTS3Jcqbx8iBhGOE2dE2dAWeyWW
d2cnm2Yt46zkI1X8C6j7jovYF7K6meJXtgGmlcmbVTpiYcDvmpvThC99OxxYgHxw
ty6gzSpPECs/4UJ6MggSJwKOV23I/k7b/5amgu4oUf+7/kx6A1LtaQfeY+GBN4qO
7c4BbHYxg1mJDvDCrmGNyXSAP5IjEILo8V2+960oWbFxfnw3VG2S0Alh5DGimB96
4x3gSkJ6njMF0KjriyM1lDw/wohHqoh7jON3WChKvJnlTRhyhVbvWuM0hNTzH0wL
QSIdxR8XnwDWaLsHN5uVCV6R1T3HdgGRmEzOjbL/1+N853Mp3+BZbYuFXq7S6DBw
F2OxBjv4Ku08Ik/nBBGlDofXFo1XLtw339WfDpeJJQck/gFmzqU+nZg5kuk4EdOg
jtKpVI98Q7O34mOVRSk8zY88ELNjVAOhF3u3WKGy6PyOxDW+l0UcZYvr2DyzNW8F
45TkPDHXszlaZe+PesuIYGpNg7G+su6/vizyXzmmMT932GuiIPqs48CnWAdKZDZP
AXyyiwNlTaybUEADBHoR4i+O+CyX1qS1acoiIqi7KN9ogzzO+KeGVOOIls/VuZ3P
uQ2WzxKNaOs4G2gr5kHD7aAfx5ifWh7mJv290EdqMOSMDFCnZVQ=
=Oshq
-----END PGP SIGNATURE-----

[Elias Mårtenson]

Thank you. This solved it for me.

What was odd was that after I had this problem, switching back to Fedora-26 templates (or even Debian-9) didn't work.

I even created completely new sys-net and sys-firewall VM's based on fedora-26, and it still didn't work.

Changing CMD_ARGS as per your recommendation on the fedora-28 template worked beautifully though. However, I put quotes around --wait 0, like so:

CMD_ARGS="--wait 0"

Because I'm pretty sure that if you don't, it will try to run the a named “0”.

Regards,
Elias

[Chris Laprise]

Note that "wait 0" is not equivalent to the syntax the devs tried to use
(which aims to wait indefinitely), and may cause future failures
whenever boot timings change for the template.

The accepted fix is described here,
https://github.com/QubesOS/qubes-issues/issues/3939#issuecomment-393622376

Its already being pushed to the current-testing repositories.

[Elias Mårtenson]

On Tuesday, 5 June 2018 12:54:23 UTC+8, Chris Laprise wrote:
> On 06/04/2018 11:44 PM, Elias Mårtenson wrote:
> > Thank you. This solved it for me.
> >
> > What was odd was that after I had this problem, switching back to Fedora-26 templates (or even Debian-9) didn't work.
> >
> > I even created completely new sys-net and sys-firewall VM's based on fedora-26, and it still didn't work.
> >
> > Changing CMD_ARGS as per your recommendation on the fedora-28 template worked beautifully though. However, I put quotes around --wait 0, like so:
> >
> > CMD_ARGS="--wait 0"
> >
> > Because I'm pretty sure that if you don't, it will try to run the a named “0”.
> >
> > Regards,
> > Elias
> >
>
> Note that "wait 0" is not equivalent to the syntax the devs tried to use
> (which aims to wait indefinitely), and may cause future failures
> whenever boot timings change for the template.
>
> The accepted fix is described here,
> https://github.com/QubesOS/qubes-issues/issues/3939#issuecomment-393622376
>
> Its already being pushed to the current-testing repositories.

Thank you. Will the new, and better, version be automatically applied once the fix hits mainstream or will there be some issues due to the fact that I made this modification?

[donoban]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On 06/05/18 13:06, Elias Mårtenson wrote:
> On Tuesday, 5 June 2018 12:54:23 UTC+8, Chris Laprise wrote:
>> On 06/04/2018 11:44 PM, Elias Mårtenson wrote:
>>> Thank you. This solved it for me.
>>>
>>> What was odd was that after I had this problem, switching back
>>> to Fedora-26 templates (or even Debian-9) didn't work.
>>>
>>> I even created completely new sys-net and sys-firewall VM's
>>> based on fedora-26, and it still didn't work.
>>>
>>> Changing CMD_ARGS as per your recommendation on the fedora-28
>>> template worked beautifully though. However, I put quotes
>>> around --wait 0, like so:
>>>
>>> CMD_ARGS="--wait 0"
>>>
>>> Because I'm pretty sure that if you don't, it will try to run
>>> the a named “0”.

Well, maybe you are right. I've just tried and worked so I commented.
I also tested firewall rules were working fine.

>> Note that "wait 0" is not equivalent to the syntax the devs tried
>> to use (which aims to wait indefinitely), and may cause future
>> failures whenever boot timings change for the template.
>>
>> The accepted fix is described here,
>> https://github.com/QubesOS/qubes-issues/issues/3939#issuecomment-3936
22376
>>
>>
>>
Its already being pushed to the current-testing repositories.
>
> Thank you. Will the new, and better, version be automatically
> applied once the fix hits mainstream or will there be some issues
> due to the fact that I made this modification?
>

When you upgrade the file will be overwritten so you shouldn't worry.
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEznLCgPSfWTT+LPrmFBMQ2OPtCKUFAlsWnZQACgkQFBMQ2OPt
CKU3xRAAq+2LZBZHm8U2busGIHIYW90R3kCsudOUoDL7y42BF5hUeVeY50tbPcoB
Y33aVmyP0pIsEUUfAjgXn369Q5LrPILk4Do0qle9B6ioTb6i90IhW2wjHuBuO8wH
ZZ19pwksuW0GGId7tSdkYGrBpxO1eg/FJ04ElaWrpNJA2lcSWE6qawK0MpDzt2uy
k2YAtU2zl1Iemj5SZhGqbylHae4nMoYKsNBu7VqJpmcZWGsUmsgV5BMVXn3auDg/
/dC19kg7bxIm4nd/ayTyZqVr6v+7TWJtlxAg8EHnVlcKOFd1GZou+ebdNhy3ksOK
mqzqcduvtpdtCM9bd5k7fkTl/2rVva/+5m3poWW5QPDsGdSEZlXuU3PeQD/buw5c
3ZPy8kISTcIDAYhOjsCP/pl1mKAZtlD73Bndjn91K9hGhdbEZ4GegDlzZJoWKY2L
S64obujBnRfBNVz+/Mwo29J39ZZL6Rn2rT9Ix/054pBJLS+D67P9O8rtUWUBQ/V4
6WmtS1FfdBSxAEOsMvSKYLe5YZVY779/9y3PK/+ieaJpTjVrX06mvdgWIwtejvTe
Cg/3R7KCagO/Z6orIiIt5keXLPu/upEiAIztnJ9r5lQ5qBEugqMw3jpIFEochipB
DCQ8pv0B1ImQzyc9rgCQn/qyF8HfcVA35d+MJEV0+RubJ8ElqXE=
=3KEp
-----END PGP SIGNATURE-----

[donoban]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On 06/05/18 16:26, donoban wrote:
>>>> CMD_ARGS="--wait 0"
>>>>
>>>> Because I'm pretty sure that if you don't, it will try to
>>>> run the a named “0”.
>
> Well, maybe you are right. I've just tried and worked so I
> commented. I also tested firewall rules were working fine.
>

I've just tested it and yes you are right. I hope the suggestion
didn't cause problems to anybody.
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEznLCgPSfWTT+LPrmFBMQ2OPtCKUFAlsWn9oACgkQFBMQ2OPt
CKWRaxAAtkJx3gD3D21qdOdaICCvW5D3LG1/p7mt+FOvpqUEzBN5kn9npvmOZkn2
3KnjITf7/cA4VZCqfQF3o0KypimQCT68rKkGysXU1PHYCi1GcL+XpBisZiHO/qcr
Woq1lMZf2N7uu6ry2UAAYLDDRBN+T4e4dn8hjRAo00oWzESFUn4uY41cUQyXbS6A
INlS+OdY0VxfUE+pVStof4u4uW4Y9er/H+ljQ9t6xvtQF+BN1Fm5YEZcDcXqodnl
aj8a2LaVRZAmN6lN03ZVx8cD5r/lorGKG6AFJ7c20tRRmg9+wgmhbl3gE2iQeGYs
NwEuDaSPoqC9N7ccGq7gJkxKm0/PFwHvmgi6KFaDsc3vvJzQoz42ob0G4jPYkRJQ
G4M9pFig34EnVyEHTFyfyDRumKmWTJ8smYc+63ynwxl7lQA1dPuy/sDgPJUimLkO
OrJwdUbaE8AJ8dGEpmuaF0OBFUz0PIPAqYkYtaMOXfeD9YDZikpndMjpyztIWI1i
DdbaFM2CCPvBPXS4qN3McEmFU+JvkRhisRv25rFShAZkYvtiv6SGtZPNWc3GruJ0
iFQVNy8NhQawc7BsmLUn4Rqh0M5D/DqJBsUBe4aeKRAE7Z4jwVuKKErj6/GQKgXL
nNv8Ui1+ZbgbB1QbeUwqG+XMAVY9CLDGi3/JjYDwjt6H/EGSVpg=
=Lk6Q
-----END PGP SIGNATURE-----