On 10/9/18 7:44 PM, mfreemon wrote:
On 10/8/18 10:56 AM, mfreemon wrote:
On 10/2/18 2:25 AM, Ivan Mitev wrote:
On 10/2/18 1:32 AM, Chris Laprise wrote:
On 10/01/2018 05:48 PM, mfreemon wrote:
On 1/11/18 3:01 PM, Chris Laprise wrote:
> On 01/10/2018 03:47 PM, Connor Page wrote:
>> The official templates use nftables so shouldn’t be mixed with
>> iptables. I didn’t have time to learn about nftables, so just removed
>> nftables package from debian 9 template. YMMV.
> Hmmm, I was just thinking how Qubes' own guest scripts still use
> iptables even in fedora-26.
> IIUC, iptables and nft are two different interfaces to
> don't know if it really matters, at least for the R4.0 window. I'd
> prefer to put the syntax change (for docs) off until a later
I was recently thrown by the mix of both nftables and iptables in R4.
The qubes docs don't clarify much. The qubes firewall scripts use
nft. Most of the discussion on the qubes website documentation is
about iptables, but there are also a few mentions of nft. The upgrade
instructions (going from R3.2 to R4) did not mention converting rules
from iptables to nftables. It looks like other related projects (one
example is qubes-tunnel) are using iptables.
Just reading a few things and trying to come up to speed, I get the
impression that nftables and iptables should not both be used at the
same time. Even if technically possible (i.e. both sets of rules
applied correctly), it strikes me as not a great idea to maintain
packet filtering rules in two different ways.
What is the best practice recommendation on this (for R4, Fedora 28
template)? Are we to be using, exclusively, nftables in R4?
The last I read about this (for 4.0) is that nftables is used in Fedora
Qubes code, but Debian Qubes is still using iptables. That still
to be the case since nftables is not installed in my debian-9
I've submitted qubes-tunnel to Qubes with iptables commands only, with
the intention to transition to nftables (or that other new interface in
Linux, name escapes me just now) for Qubes 4.1. Someone who is just
starting a project might be better off going with nftables.
... until yet another packet filtering mechanism replaces nftables (in
that case, bpfilter).
I understand the rationale behind using nftables but given how it is
widespread (hint: close to 0 even amongst seasoned sysadmins) IMHO it
wasn't worth it. The OP's post confirms there's quite some confusion
about how it interacts with iptables, and the official documentation is
far from helpful.
I'm quite proficient with iptables and networking in general but it took
me half an hour to understand how to tweak Qubes' nftables rules last
time I wanted to change something in the firewall, while I would have
done that task in less than one minute with iptables. I could have spent
a few hours learning nftables to improve the official doc but at my age
I prefer to spend time learning tech that significantly improves things
(eg. Qubes OS over standard linux distribution) over losing time
learning stuff that is only marginally better.
Anyway - I digress :)
I'm concerned about the confusion and unnecessary complexity here.
Network packet filtering is certainly (one of) those features that
software such as Qubes needs to be solid on (in both design approach and
Is the Qubes team confident in the current situation, such that users
of Qubes should not be concerned?
nb. This is not meant to be a criticism at all. I very much
appreciate the hard (and complicated) work going into Qubes. I'm just
looking to understand the current situation better so as to judge
whether my concern is warranted or not.
As an example: I'm wanting to enable some specific network traffic
between two qubes. The docs say to use iptables
qubes-firewall-user-script also specifies iptables rules. But
qvm-firewall implements the rules it manages using nftables. So the
firewall VMs have both iptables rules and nftables rules in effect. And
these are different sets of rules. It's not that the iptables command
and the nft command are just two user interfaces showing the same packet
filtering rules. They are different packet filtering rules. This seems
like a recipe for disaster.
Is this the wrong forum for this discussion? Should this be on
qubes-devel, or an issue in qubes-issues at
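One way to confirm the situation described above on an actual firewall VM is to check whether rules are loaded through both frameworks at once. This is an added example, not code from the thread or from the Qubes project; the iptables-save and nft ruleset samples (including the table and chain names) are constructed for illustration.

```shell
# Constructed sample of `iptables-save` output, as a firewall VM would show
# after qubes-firewall-user-script added an iptables rule (ASSUMPTION: sample data)
IPTABLES_SAMPLE='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -s 10.137.0.5 -d 10.137.0.7 -p tcp --dport 22 -j ACCEPT
COMMIT'

# Constructed sample of `nft list ruleset` output, as qvm-firewall-managed
# rules would appear (ASSUMPTION: sample data, table/chain names illustrative)
NFT_SAMPLE='table ip qubes-firewall {
	chain forward {
		type filter hook forward priority 0; policy drop;
		ip saddr 10.137.0.5 ip daddr 10.137.0.7 tcp dport 53 accept
	}
}'

# Count iptables rules: every "-A <chain> ..." line in iptables-save format
# is one rule; chain policy lines (":INPUT DROP") are not counted.
count_iptables_rules() {
    printf '%s\n' "$1" | awk '/^-A /{n++} END{print n+0}'
}

# Count nft rules: lines inside a chain that are not the table/chain
# headers, the "type ... hook ..." declaration, braces or blank lines.
count_nft_rules() {
    printf '%s\n' "$1" |
        awk '!/^[[:space:]]*(table|chain|type |[{}]|$)/ {n++} END{print n+0}'
}

# Classify the VM: "mixed" is the state the thread warns about, where two
# independent rule sets (not two views of one set) are enforced together.
firewall_mode() {
    ipt=$(count_iptables_rules "$1")
    nft=$(count_nft_rules "$2")
    if [ "$ipt" -gt 0 ] && [ "$nft" -gt 0 ]; then echo mixed
    elif [ "$ipt" -gt 0 ]; then echo iptables-only
    elif [ "$nft" -gt 0 ]; then echo nftables-only
    else echo none
    fi
}

firewall_mode "$IPTABLES_SAMPLE" "$NFT_SAMPLE"
```

On a live firewall VM, feed it the real output instead of the samples: `firewall_mode "$(sudo iptables-save)" "$(sudo nft list ruleset)"`.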
You'll definitely get more visibility on qubes-devel.
FWIW I'm not concerned about the complexity itself: I trust the Qubes
devs not to mess up.
IMHO the problem is that people proficient with iptables are not willing
to spend time learning yet another packet filter tool when iptables
works for 99.99% of the cases (+, as others pointed out, nftables is
still not feature complete wrt. iptables). For those users - an
overwhelming majority - Qubes' nftables firewall is a black box that is
difficult to understand/tweak/debug.