Too many firewall rules leads to: Error starting VM: (0, 'Error')

[iuriguilherme]

EDIT: This trace is irrelevant. See comment 4. The only relevant thing is the number of firewall rules of the AppVM, it has a 35 rules cap.

---

Steps:

• AppVM previously known as work-somename;
• Another work AppVM did existed (the one created at install), it was renamed to work-clone;
• AppVM work-somename renamed to work;
• The AppVM refused starting and raised Error starting VM 'work': (0, 'Error');
• AppVM work renamed to work-personal;
• AppVM work-clone renamed back to work;
• Error persisted;
• AppVM work-personal renamed back to work-somename;
• Error persisted;

When I try to start the AppVM in any way, it is left with a gray led in the QubesManager, it can't be stopped or paused, only started. When I try to start it for the second time, the led turns to yellow and now I can either pause or stop the AppVM.

After I do this with this particular AppVM, whenever I try to start any other AppVM, the same error occurs, therefore rendering the system unusable.

That was the github VM, I had to login here from a DispVM.

I have not tried the cli manager, only the graphical QubesManager and the KDE menu.

EDIT: removing irrelevant, long logs (please use gist/attach next time)

[iuriguilherme]

[SOLVED] not really, see next comment below

I have removed entries using top level domain .se from the AppVM's firewall and the error vanished.

Not closing this issue because it seems that this is serious, how come the firewall rules wreck the entire system? (From an end user's perspective)

[iuriguilherme]

Now there seems to be nothing to do with the .se top level domain.

I have added new .org rules to the firewall and the same error applies, and now it seems to be about adding too much entries, taking into account all entries of all AppVMs.

Erasing a whole firewall rules from another VM (was about 20 entries) seemed to "solve" for now. Unless I need those rules again.

[iuriguilherme]

I'm wrong yet again.

This seem to happen when I try to save the AppVM's firewall rules with more than 35 entries.

[marmarek]

What Qubes version are you using? I guess R2, right?

[marmarek]

Hmm, or maybe R3.0. In which case it would be similar to this:
https://groups.google.com/d/msgid/qubes-users/55CF8DF8.8050505%40riseup.net

[marmarek]

If that's the case, I see two things here:

• lack of clear indication of firewall rules count limit (bug)
• too low limit (feature request)

[iuriguilherme]

@marmarek
It's R3.

[3hhh]

Still valid in 3.2.

Steps to reproduce:

1. Create a ProxyVM.
2. Add 40 firewall entries via Qubes VM manager or directly via firewall.xml (I just tested it with different IPs and Port 443/TCP), defaults all disallowed.
3. Start the VM (works).
4. Stop the VM, add another rule.
5. Start the VM (doesn't work, aforementioned error occurs).

[marmarek]

This is already fixed for Qubes 4.0. The fix is not feasible for backport (it's incompatible change). The limitation is already documented.

[andrewdavidwong]

Reopening due to #4018.

[qubesos-bot]

Automated announcement from builder-github

The package qubes-core-dom0-4.0.33-1.fc25 has been pushed to the r4.0 testing repository for dom0.
To test this update, please install it with the following command:

sudo qubes-dom0-update --enablerepo=qubes-dom0-current-testing

Changes included in this update

[qubesos-bot]

Automated announcement from builder-github

The package qubes-core-dom0-4.0.37-1.fc25 has been pushed to the r4.0 stable repository for dom0.
To install this update, please use the standard update command:

sudo qubes-dom0-update

Or update dom0 via Qubes Manager.

Changes included in this update