> An idea: Debian doesn't have nftables installed by default, so
> qubes-firewall falls back to iptables. But not on Fedora - there nftables
> is used. This applies to both sys-net and sys-firewall.
> A quick test:
> 1. List rules:
>     nft list table ip qubes-firewall
> 2. Add rule accepting traffic from eth0:
>     nft add rule ip qubes-firewall forward meta iifname eth0 accept
> --
> Best Regards,
> Marek Marczykowski-Górecki
> Invisible Things Lab
> A: Because it messes up the order in which people normally read text.
> Q: Why is top-posting such a bad thing?

That did it!
Thanks so much for the quick resolve.

These were my results from `nft list table ip qubes-firewall`:
table ip qubes-firewall {
        chain forward {
                type filter hook forward priority 0; policy drop;
                ct state established,related accept
                ip saddr jump qbs-10-137-0-6

        chain qbs-10-137-0-6 {

`nft add rule ip qubes-firewall forward meta iifname eth0 accept`
adds `iifname eth0 accept` to the bottom of chain forward.

Is it intended that Fedora uses both iptables and nft?
Are there any security implications for allowing iifname eth0 accept (in my 
case for fedora-26, ens5)?
