On 1/11/18 3:01 PM, Chris Laprise wrote:
> On 01/10/2018 03:47 PM, Connor Page wrote:
>> The official templates use nftables so shouldn’t be mixed with iptables. I didn’t have time to learn about nftables, so just removed nftables package from debian 9 template. YMMV.
>>
>
> Hmmm, I was just thinking how Qubes' own guest scripts still use
> iptables even in fedora-26.
>
> IIUC, iptables and nft are two different interfaces to netfilter. I
> don't know if it really matters, at least for the R4.0 window. I'd
> prefer to put the syntax change (for docs) off until a later release.

I was recently thrown by the mix of both nftables and iptables in R4.

The qubes docs don't clarify much. The qubes firewall scripts use nft. Most of the discussion on the qubes website documentation is about iptables, but there are also a few mentions of nft. The upgrade instructions (going from R3.2 to R4) did not mention converting rules from iptables to nftables. It looks like other related projects (one example is qubes-tunnel) is using iptables.

Just reading a few things and trying to come up to speed, I get the impression that nftables and iptables should not both by used at the same time. Even if technically possible (i.e. both sets of rules applied correctly), it strikes me as not a great idea to maintain packet filtering rules in two different ways.

What is the best practice recommendation on this (for R4, Fedora 28 template)? Are we to be using, exclusively, nftables in R4?


--
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/15321f4d-255d-23ac-2283-90571bee996e%40zoho.com.
For more options, visit https://groups.google.com/d/optout.

Reply via email to