On 10/10/18 3:33 PM, unman wrote:
On Wed, Oct 10, 2018 at 03:17:47PM +0200, Illidan Pornrage wrote:On 10/10/18 3:14 PM, unman wrote:On Tue, Oct 09, 2018 at 09:18:22PM +0300, Ivan Mitev wrote:On 10/9/18 7:44 PM, mfreemon wrote:On 10/8/18 10:56 AM, mfreemon wrote:On 10/2/18 2:25 AM, Ivan Mitev wrote:On 10/2/18 1:32 AM, Chris Laprise wrote:On 10/01/2018 05:48 PM, mfreemon wrote:On 1/11/18 3:01 PM, Chris Laprise wrote: > On 01/10/2018 03:47 PM, Connor Page wrote: >> The official templates use nftables so shouldn’t be mixed with iptables. I didn’t have time to learn about nftables, so just removed nftables package from debian 9 template. YMMV. > > Hmmm, I was just thinking how Qubes' own guest scripts still use > iptables even in fedora-26. > > IIUC, iptables and nft are two different interfaces to netfilter. I > don't know if it really matters, at least for the R4.0 window. I'd > prefer to put the syntax change (for docs) off until a later release. I was recently thrown by the mix of both nftables and iptables in R4. The qubes docs don't clarify much. The qubes firewall scripts use nft. Most of the discussion on the qubes website documentation is about iptables, but there are also a few mentions of nft. The upgrade instructions (going from R3.2 to R4) did not mention converting rules from iptables to nftables. It looks like other related projects (one example is qubes-tunnel) is using iptables. Just reading a few things and trying to come up to speed, I get the impression that nftables and iptables should not both by used at the same time. Even if technically possible (i.e. both sets of rules applied correctly), it strikes me as not a great idea to maintain packet filtering rules in two different ways. What is the best practice recommendation on this (for R4, Fedora 28 template)? Are we to be using, exclusively, nftables in R4?The last I read about this (for 4.0) is that nftables is used in Fedora Qubes code, but Debian Qubes is still using iptables. That still appears to be the case since nftables is not installed in my debian-9 templates. I've submitted qubes-tunnel to Qubes with iptables commands only, with the intention to transition to nftables (or that other new interface in Linux, name escapes me just now) for Qubes 4.1. Someone who is just starting a project might be better off going with nftables.... until yet another packet filtering mechanism replaces nftables (in that case, bpfilter [1]). I understand the rationale behind using nftables [2] but given how it is widespread (hint: close to 0 even amongst seasoned sysadmins) IMHO it wasn't worth it. The OP's post confirms there's quite some confusion about how it interacts with iptables, and the official documentation is far from helpful. I'm quite proficient with iptables and networking in general but it took me half an hour to understand how to tweak Qubes' nftables rules last time I wanted to change something in the firewall, while I would have done that task in less than one minute with iptables. I could have spent a few hours learning nftables to improve the official doc but at my age I prefer to spend time learning tech that significantly improves things (eg. Qubes OS over standard linux distribution) over loosing time learning stuff that is only marginally better. Anyway - I digress :) [1] https://old.lwn.net/Articles/747551/ [2] https://github.com/QubesOS/qubes-issues/issues/1815#issuecomment-245109500I'm concerned about the confusion and unnecessary complexity here. Network packet filtering is certainly (one of) those features that software such Qubes needs to be solid on (in both design approach and implementation detail). Is the Qubes team confident in the current situation, such that users of Qubes should not be concerned? nb. This is not meant to be a criticism at all. I very much appreciate the hard (and complicated) work going into Qubes. I'm just looking to understand the current situation better so as to judge whether my concern is warranted or not.As an example: I'm wanting to enable some specific network traffic between two qubes. The docs say to use iptables (https://www.qubes-os.org/doc/firewall/#enabling-networking-between-two-qubes). qubes-firewall-user-script also specifies iptables rules. But qvm-firewall implements the rules it manages using nftables. So the firewall VMs have both iptables rules and nftables rules in effect. And these are different sets of rules. It's not that the iptables command and the nft command are just two user interfaces showing the same packet filtering rules. They are different packet filtering rules. This seems like a receipt for disaster. Is this the wrong forum for this discussion? Should this be on qubes-devel, or an issue in qubes-issues at https://github.com/QubesOS/qubes-issues/issues?You'll definitely get more visibility on qubes-devel. FWIW I'm not concerned about the complexity itself: I trust the Qubes devs not to mess up. IMHO the problem is that people proficient with iptables are not willing to spend time learning yet another packet filter tool when iptables works for 99.99% of the cases (+, as others pointed out, nftables is still not feature complete wrt. iptables). For those users - an overwhelming majority - Qubes' nftables firewall is a black box that is difficult to understand/tweak/debug.I think this is the problem. I remember stalwarts hanging on to ipchains for similar reasons. (I speak as someone who has clung on to iptables for far too long.) It seems to me that the few features lacking in nftables are only of interest to people who are fully capable of learning a new tool. The extras that nft brings completely outweigh the deficiencies. nft provides tools to translate your iptables rules in to the new syntax, so there's really no excuse for not diving in. Even if you have minimal time, you can write your iptables rules and then translate them to nft. Qubes tries to provide a straightforward experience for relatively inexperienced users, and the nft/iptables mix per distribution is a compromise to that end. The docs need to be updated to provide nft rules throughout.^ So do I need to set rules in both or just one of them?I dont recommend mixing them for clarity. I would use nft throughout.
If I recall correctly (and this is what https://github.com/QubesOS/qubes-issues/issues/1815#issuecomment-245109500 states, too), nftables were introduced in order to *not be used manually*. I.e. all users should stick to the GUI, qvm-firewall and iptables wherever possible. That also explains why there's still a lot more documentation on iptables topics apart from the historical reason.
Since the Qubes firewall is inherently dynamic (rules added and removed whenever VMs are started and stopped), user scripts sometimes did interfere with the dynamic changes resulting in unusable rules or even security issues. Or simply the question "why did my custom rule xyz disappear?". So all of these dynamic changes went to nftables in 4.0 and the iptables rules should remain pretty static during the runtime of a Qubes system.
I added qubes-devel for clarification in case my statement above is imprecise or plain wrong.
Anyway admittedly I also consider that design decision not perfect asa) NATting with 2 firewalls can get weird if you're not 100% sure which one is applied first. I second the aforementioned opinion in the qubes devs' skills though, i.e. I guess this was thought through.
b) It adds overall complexity, i.e. adds to the chance of having a bug. c) Some special stuff might still have to go to nftables.Regarding the overall iptables vs nftables syntax discussion I honestly don't see the point as pretty much all recent kernel firewall backends support the iptables syntax for backwards compatibility anyway.
KR David -- You received this message because you are subscribed to the Google Groups "qubes-devel" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To post to this group, send email to [email protected]. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-devel/3e96756f-1a7b-79bc-baa2-a81968eaddf3%40hackingthe.net. For more options, visit https://groups.google.com/d/optout.
smime.p7s
Description: S/MIME Cryptographic Signature
