On 1/11/18 3:01 PM, Chris Laprise wrote:
> On 01/10/2018 03:47 PM, Connor Page wrote:
>> The official templates use nftables so shouldn’t be mixed with
iptables. I didn’t have time to learn about nftables, so just removed
nftables package from debian 9 template. YMMV.
>>
>
> Hmmm, I was just thinking how Qubes' own guest scripts still use
> iptables even in fedora-26.
>
> IIUC, iptables and nft are two different interfaces to netfilter. I
> don't know if it really matters, at least for the R4.0 window. I'd
> prefer to put the syntax change (for docs) off until a later release.
I was recently thrown by the mix of both nftables and iptables in R4.
The qubes docs don't clarify much. The qubes firewall scripts use nft.
Most of the discussion on the qubes website documentation is about
iptables, but there are also a few mentions of nft. The upgrade
instructions (going from R3.2 to R4) did not mention converting rules
from iptables to nftables. It looks like other related projects (one
example is qubes-tunnel) is using iptables.
Just reading a few things and trying to come up to speed, I get the
impression that nftables and iptables should not both by used at the
same time. Even if technically possible (i.e. both sets of rules
applied correctly), it strikes me as not a great idea to maintain packet
filtering rules in two different ways.
What is the best practice recommendation on this (for R4, Fedora 28
template)? Are we to be using, exclusively, nftables in R4?
--
You received this message because you are subscribed to the Google Groups
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To post to this group, send email to [email protected].
To view this discussion on the web visit
https://groups.google.com/d/msgid/qubes-users/15321f4d-255d-23ac-2283-90571bee996e%40zoho.com.
For more options, visit https://groups.google.com/d/optout.
