From b3b18f97f876b25e92010d4a6d7b132ea20edd98 Mon Sep 17 00:00:00 2001
From: donoban
Date: Wed, 7 Mar 2018 16:37:44 -0500
Subject: [PATCH 1/3] Wrong init var to bool and missing call to total_seconds() fix https://github.com/QubesOS/qubes-issues/issues/3661
---
 qubes/firewall.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/qubes/firewall.py b/qubes/firewall.py
index 99b56868..4cd47e3e 100644
--- a/qubes/firewall.py
+++ b/qubes/firewall.py
@@ -556,7 +556,7 @@ class Firewall(object):
 def save(self):
 '''Save firewall rules to a file'''
 firewall_conf = os.path.join(self.vm.dir_path, self.vm.firewall_conf)
- nearest_expire = False
+ nearest_expire = None
 xml_root = lxml.etree.Element('firewall', version=str(2))
@@ -595,7 +595,7 @@ class Firewall(object):
 # necessary must be the same as time module; calculate delay and
 # use call_later instead
 expire_when = nearest_expire - datetime.datetime.now()
- loop.call_later(expire_when, self._expire_rules)
+ loop.call_later(expire_when.total_seconds(), self._expire_rules)
 def qdb_entries(self, addr_family=None):
 '''Return firewall settings serialized for QubesDB entries
From 6e8e48e32d54c832aabb1a0578587b5e6da0df2b Mon Sep 17 00:00:00 2001
From: donoban
Date: Wed, 7 Mar 2018 16:40:07 -0500
Subject: [PATCH 2/3] Avoid UTC datetime utcfromtimestamp() does not seems reliable and qubes-manager uses local time
---
 qubes/firewall.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/qubes/firewall.py b/qubes/firewall.py
index 4cd47e3e..74a93685 100644
--- a/qubes/firewall.py
+++ b/qubes/firewall.py
@@ -204,7 +204,7 @@ class SpecialTarget(RuleChoice):
 class Expire(RuleOption):
 def __init__(self, untrusted_value):
 super(Expire, self).__init__(untrusted_value)
- self.datetime = datetime.datetime.utcfromtimestamp(int(untrusted_value))
+ self.datetime = datetime.datetime.fromtimestamp(int(untrusted_value))
 @property
 def rule(self):
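Review bot: In the second hunk of PATCH 1/3 (`save()`, new-side line 598), the delay passed to `loop.call_later` is computed from wall-clock time but counted down on the event loop's monotonic clock, so the two can drift apart. On Linux that clock normally does not advance while the machine is suspended, and it does not follow wall-clock adjustments, so `_expire_rules` can fire after the rule's expiry time has already passed and a time-limited rule stays in effect until then. Consider bounding the wait so expiry is re-checked against the wall clock, for example `loop.call_later(min(expire_when.total_seconds(), 60), self._expire_rules)` (the 60 is illustrative), or re-running the check on resume; a cap is only cheap if `_expire_rules` avoids rewriting the file when nothing has expired. `save()` starts and ends outside this hunk, so how `nearest_expire` is chosen is not visible.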
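Review bot: Switching `Expire` to naive local time in `__init__` (`fromtimestamp`) and in `expired` (`now()`, the following hunk of PATCH 2/3) makes rule expiry depend on the host's timezone and DST state. Naive local datetimes are ambiguous across a DST change, so the subtraction `nearest_expire - datetime.datetime.now()` in `save()` and the comparison in `expired` can be off by the DST offset around a transition, which for a time-limited allow rule can mean it outlives its intended expiry. A timezone-aware pair keeps the epoch value unambiguous: `datetime.datetime.fromtimestamp(int(untrusted_value), tz=datetime.timezone.utc)` together with `datetime.datetime.now(tz=datetime.timezone.utc)` in both `expired` and `save()`, converting to local time only for display. Separately, `int(untrusted_value)` and `fromtimestamp` raise on non-numeric or out-of-range input, and whether callers turn that into a clean rejection is not visible in this hunk.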
@@ -216,7 +216,7 @@ class Expire(RuleOption):
 @property
 def expired(self):
- return self.datetime < datetime.datetime.utcnow()
+ return self.datetime < datetime.datetime.now()
 class Comment(RuleOption):
From 39d904ea824337dceb9db444e71290a6dc0ba667 Mon Sep 17 00:00:00 2001
From: donoban
Date: Thu, 8 Mar 2018 05:25:42 -0500
Subject: [PATCH 3/3] Removed self.rules != old_rules After lot of testing it does not work properly. Could do something more sophisticated but since calling save() is safe and probably lightweigth it is not worth probably.
---
 qubes/firewall.py | 8 +++-----
 1 file changed, 3 insertions(+), 5 deletions(-)
diff --git a/qubes/firewall.py b/qubes/firewall.py
index 74a93685..dbf2a9e3 100644
--- a/qubes/firewall.py
+++ b/qubes/firewall.py
@@ -546,12 +546,10 @@ class Firewall(object):
 def _expire_rules(self):
 '''Function called to reload expired rules'''
- old_rules = self.rules
 self.load()
- if self.rules != old_rules:
- # this will both save rules skipping those expired and trigger
- # QubesDB update; and possibly schedule another timer
- self.save()
+ # this will both save rules skipping those expired and trigger
+ # QubesDB update; and possibly schedule another timer
+ self.save()
 def save(self):
 '''Save firewall rules to a file'''
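Review bot: With the `self.rules != old_rules` guard removed in PATCH 3/3, every timer callback in `_expire_rules` now runs `save()`, and `save()` (body outside this hunk; its `loop.call_later(...)` line appears in PATCH 1/3) discards the timer handle, so each save registers one more pending callback and nothing cancels the earlier ones. Since `save()` is presumably also reached from ordinary rule edits, callbacks can stack up and each one rewrites the file and triggers a QubesDB update when it fires. Keeping the handle and cancelling it before rescheduling would hold this to a single timer: `if self._expire_handle is not None: self._expire_handle.cancel()` followed by `self._expire_handle = loop.call_later(...)`, where `_expire_handle` is a new attribute proposed here, not one shown on the page. It would also be worth a comment or log line for the case where `load()` or `save()` raises inside the callback, because then no further timer is scheduled and an expired rule could remain in place.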