On Wed, Oct 10, 2018 at 03:17:47PM +0200, Illidan Pornrage wrote:
> On 10/10/18 3:14 PM, unman wrote:
> > On Tue, Oct 09, 2018 at 09:18:22PM +0300, Ivan Mitev wrote:
> > > On 10/9/18 7:44 PM, mfreemon wrote:
> > > > On 10/8/18 10:56 AM, mfreemon wrote:
> > > > > On 10/2/18 2:25 AM, Ivan Mitev wrote:
> > > > > > On 10/2/18 1:32 AM, Chris Laprise wrote:
> > > > > > > On 10/01/2018 05:48 PM, mfreemon wrote:
> > > > > > > > On 1/11/18 3:01 PM, Chris Laprise wrote:
> > > > > > > > > On 01/10/2018 03:47 PM, Connor Page wrote:
> > > > > > > > > > The official templates use nftables so shouldn't be mixed with
> > > > > > > > > > iptables. I didn't have time to learn about nftables, so just
> > > > > > > > > > removed nftables package from debian 9 template. YMMV.
> > > > > > > > >
> > > > > > > > > Hmmm, I was just thinking how Qubes' own guest scripts still use
> > > > > > > > > iptables even in fedora-26.
> > > > > > > > >
> > > > > > > > > IIUC, iptables and nft are two different interfaces to netfilter. I
> > > > > > > > > don't know if it really matters, at least for the R4.0 window. I'd
> > > > > > > > > prefer to put the syntax change (for docs) off until a later release.
> > > > > > > >
> > > > > > > > I was recently thrown by the mix of both nftables and iptables in R4.
> > > > > > > >
> > > > > > > > The qubes docs don't clarify much. The qubes firewall scripts use
> > > > > > > > nft. Most of the discussion on the qubes website documentation is
> > > > > > > > about iptables, but there are also a few mentions of nft. The upgrade
> > > > > > > > instructions (going from R3.2 to R4) did not mention converting rules
> > > > > > > > from iptables to nftables. It looks like other related projects (one
> > > > > > > > example is qubes-tunnel) are using iptables.
> > > > > > > >
> > > > > > > > Just reading a few things and trying to come up to speed, I get the
> > > > > > > > impression that nftables and iptables should not both be used at the
> > > > > > > > same time. Even if technically possible (i.e. both sets of rules
> > > > > > > > applied correctly), it strikes me as not a great idea to maintain
> > > > > > > > packet filtering rules in two different ways.
> > > > > > > >
> > > > > > > > What is the best practice recommendation on this (for R4, Fedora 28
> > > > > > > > template)? Are we to be using, exclusively, nftables in R4?
> > > > > > >
> > > > > > > The last I read about this (for 4.0) is that nftables is used in Fedora
> > > > > > > Qubes code, but Debian Qubes is still using iptables. That still appears
> > > > > > > to be the case since nftables is not installed in my debian-9 templates.
> > > > > > >
> > > > > > > I've submitted qubes-tunnel to Qubes with iptables commands only, with
> > > > > > > the intention to transition to nftables (or that other new interface in
> > > > > > > Linux, name escapes me just now) for Qubes 4.1. Someone who is just
> > > > > > > starting a project might be better off going with nftables.
> > > > > >
> > > > > > ... until yet another packet filtering mechanism replaces nftables (in
> > > > > > that case, bpfilter [1]).
> > > > > >
> > > > > > I understand the rationale behind using nftables [2] but given how it is
> > > > > > widespread (hint: close to 0 even amongst seasoned sysadmins) IMHO it
> > > > > > wasn't worth it. The OP's post confirms there's quite some confusion
> > > > > > about how it interacts with iptables, and the official documentation is
> > > > > > far from helpful.
> > > > > >
> > > > > > I'm quite proficient with iptables and networking in general but it took
> > > > > > me half an hour to understand how to tweak Qubes' nftables rules last
> > > > > > time I wanted to change something in the firewall, while I would have
> > > > > > done that task in less than one minute with iptables. I could have spent
> > > > > > a few hours learning nftables to improve the official doc but at my age
> > > > > > I prefer to spend time learning tech that significantly improves things
> > > > > > (eg. Qubes OS over standard linux distribution) over losing time
> > > > > > learning stuff that is only marginally better.
> > > > > > Anyway - I digress :)
> > > > > >
> > > > > > [1] https://old.lwn.net/Articles/747551/
> > > > > > [2] https://github.com/QubesOS/qubes-issues/issues/1815#issuecomment-245109500
> > > > >
> > > > > I'm concerned about the confusion and unnecessary complexity here.
> > > > >
> > > > > Network packet filtering is certainly (one of) those features that
> > > > > software such as Qubes needs to be solid on (in both design approach
> > > > > and implementation detail).
> > > > >
> > > > > Is the Qubes team confident in the current situation, such that
> > > > > users of Qubes should not be concerned?
> > > > >
> > > > > nb. This is not meant to be a criticism at all. I very much
> > > > > appreciate the hard (and complicated) work going into Qubes. I'm
> > > > > just looking to understand the current situation better so as to
> > > > > judge whether my concern is warranted or not.
> > > >
> > > > As an example: I'm wanting to enable some specific network traffic
> > > > between two qubes. The docs say to use iptables
> > > > (https://www.qubes-os.org/doc/firewall/#enabling-networking-between-two-qubes).
> > > > qubes-firewall-user-script also specifies iptables rules. But
> > > > qvm-firewall implements the rules it manages using nftables. So the
> > > > firewall VMs have both iptables rules and nftables rules in effect. And
> > > > these are different sets of rules. It's not that the iptables command
> > > > and the nft command are just two user interfaces showing the same packet
> > > > filtering rules. They are different packet filtering rules. This seems
> > > > like a recipe for disaster.
> > > >
> > > > Is this the wrong forum for this discussion? Should this be on
> > > > qubes-devel, or an issue in qubes-issues at
> > > > https://github.com/QubesOS/qubes-issues/issues?
> > >
> > > You'll definitely get more visibility on qubes-devel.
> > >
> > > FWIW I'm not concerned about the complexity itself: I trust the Qubes devs
> > > not to mess up.
> > > IMHO the problem is that people proficient with iptables are not willing to
> > > spend time learning yet another packet filter tool when iptables works for
> > > 99.99% of the cases (+, as others pointed out, nftables is still not feature
> > > complete wrt. iptables). For those users - an overwhelming majority - Qubes'
> > > nftables firewall is a black box that is difficult to understand/tweak/debug.
> >
> > I think this is the problem. I remember stalwarts hanging on to ipchains
> > for similar reasons. (I speak as someone who has clung on to iptables for
> > far too long.)
> > It seems to me that the few features lacking in nftables are only of
> > interest to people who are fully capable of learning a new tool. The
> > extras that nft brings completely outweigh the deficiencies.
> > nft provides tools to translate your iptables rules into the new
> > syntax, so there's really no excuse for not diving in. Even if you have
> > minimal time, you can write your iptables rules and then translate them
> > to nft.
> >
> > Qubes tries to provide a straightforward experience for relatively
> > inexperienced users, and the nft/iptables mix per distribution is a
> > compromise to that end.
> >
> > The docs need to be updated to provide nft rules throughout.
>
> ^ So do I need to set rules in both or just one of them?
I don't recommend mixing them for clarity. I would use nft throughout.

-- 
You received this message because you are subscribed to the Google Groups "qubes-users" group.
To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20181010133342.vsbqc6hrf2rvok4m%40thirdeyesecurity.org.
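The situation mfreemon describes (iptables rules from qubes-firewall-user-script and nft rules from qvm-firewall both in effect in the same firewall VM) can be checked rather than guessed at. The script below is an added example written for this thread, not Qubes code: it parses the text `iptables-save` prints and the JSON that `nft -j list ruleset` prints, then reports whether filtering is done by iptables, by nft, or by both, and which netfilter hooks a packet has to clear twice. Both inputs are constructed samples standing in for live command output; the table and chain names in them are illustrative and not copied from any Qubes template.

```python
"""Check a firewall VM for packet-filter rules living in two rule sets at once.

Added example for this thread, not Qubes code.  It reads the text that
`iptables-save` prints and the JSON that `nft -j list ruleset` prints and
reports whether filtering is done by iptables, by nft, or by both, plus which
netfilter hooks every packet must clear twice.  The inputs below are
constructed samples standing in for those two commands' output.
"""
import json
import re

# Constructed sample of `iptables-save` output.  Chain names are the filter
# table's built-ins; the vif+ rule mimics what a user script might add.
SAMPLE_IPTABLES_SAVE = """\
# Generated by iptables-save (constructed sample, not from a real VM)
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i vif+ -o vif+ -j DROP
-A FORWARD -s 10.137.0.10/32 -d 10.137.0.20/32 -p tcp --dport 8080 -j ACCEPT
COMMIT
"""

# Constructed sample in the libnftables JSON layout (`nft -j list ruleset`):
# one "nftables" array holding metainfo, table, chain and rule objects.  The
# table/chain names are illustrative, not copied from a Qubes template.
SAMPLE_NFT_JSON = json.dumps({"nftables": [
    {"metainfo": {"version": "0.9.0", "release_name": "constructed", "json_schema_version": 1}},
    {"table": {"family": "ip", "name": "qubes-firewall", "handle": 1}},
    {"chain": {"family": "ip", "table": "qubes-firewall", "name": "forward", "handle": 1,
               "type": "filter", "hook": "forward", "prio": 0, "policy": "drop"}},
    {"chain": {"family": "ip", "table": "qubes-firewall", "name": "qbs-10-137-0-10", "handle": 2}},
    {"rule": {"family": "ip", "table": "qubes-firewall", "chain": "forward", "handle": 3,
              "expr": [{"jump": {"target": "qbs-10-137-0-10"}}]}},
    {"rule": {"family": "ip", "table": "qubes-firewall", "chain": "qbs-10-137-0-10", "handle": 4,
              "expr": [{"match": {"op": "==", "left": {"payload": {"protocol": "ip", "field": "daddr"}},
                                  "right": "10.137.0.20"}}, {"accept": None}]}},
]})

IPT_POLICY = re.compile(r"^:(\S+)\s+(ACCEPT|DROP|-)\s+\[\d+:\d+\]$")
IPT_RULE = re.compile(r"^-A\s+(\S+)\s+(.*)$")
# Built-in chains of the x_tables filter table and the netfilter hook each one sits on.
FILTER_HOOKS = {"INPUT": "input", "FORWARD": "forward", "OUTPUT": "output"}


def parse_iptables_save(text):
    """Return {table: {chain: {"policy": ..., "rules": [spec, ...]}}} from iptables-save text."""
    tables, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):                      # "*filter" opens a table block
            current = tables.setdefault(line[1:], {})
        elif line == "COMMIT":                        # closes the table block
            current = None
        elif current is not None:
            pol, rule = IPT_POLICY.match(line), IPT_RULE.match(line)
            if pol:                                   # ":CHAIN POLICY [pkts:bytes]"
                chain = current.setdefault(pol.group(1), {"policy": None, "rules": []})
                chain["policy"] = None if pol.group(2) == "-" else pol.group(2)
            elif rule:                                # "-A CHAIN <rule spec>"
                chain = current.setdefault(rule.group(1), {"policy": None, "rules": []})
                chain["rules"].append(rule.group(2))
    return tables


def parse_nft_json(text):
    """Return rule count, table names and hooked (base) chains from `nft -j list ruleset`."""
    out = {"rules": 0, "tables": set(), "hooks": set()}
    for obj in json.loads(text)["nftables"]:
        if "table" in obj:
            out["tables"].add(f'{obj["table"]["family"]} {obj["table"]["name"]}')
        elif "chain" in obj and "hook" in obj["chain"]:   # only base chains see traffic
            out["hooks"].add(obj["chain"]["hook"])
        elif "rule" in obj:
            out["rules"] += 1
    return out


def iptables_active_hooks(tables):
    """Hooks on which the x_tables filter table really filters: a built-in chain
    with rules, or one whose default policy is DROP (a DROP policy with no
    rules still blocks everything on that hook)."""
    hooks = set()
    for chain, info in tables.get("filter", {}).items():
        if chain in FILTER_HOOKS and (info["rules"] or info["policy"] == "DROP"):
            hooks.add(FILTER_HOOKS[chain])
    return hooks


def assess(iptables_text, nft_text):
    """Summarise which rule set(s) are live and where they overlap."""
    ipt = parse_iptables_save(iptables_text)
    nft = parse_nft_json(nft_text)
    ipt_rules = sum(len(c["rules"]) for t in ipt.values() for c in t.values())
    ipt_hooks = iptables_active_hooks(ipt)
    ipt_active = ipt_rules > 0 or bool(ipt_hooks)
    if ipt_active and nft["rules"]:
        state = "mixed"
    elif ipt_active:
        state = "iptables-only"
    elif nft["rules"]:
        state = "nft-only"
    else:
        state = "empty"
    return {
        "state": state,
        "iptables_rules": ipt_rules,
        "nft_rules": nft["rules"],
        "nft_tables": sorted(nft["tables"]),
        # Packets on these hooks traverse both rule sets; a drop in either one wins,
        # so a rule accepted in nft can still be dropped by iptables and vice versa.
        "double_filtered_hooks": sorted(ipt_hooks & nft["hooks"]),
    }


if __name__ == "__main__":
    print(json.dumps(assess(SAMPLE_IPTABLES_SAVE, SAMPLE_NFT_JSON), indent=2))
```

On a live VM, replace the two sample strings with the output of `iptables-save` and `nft -j list ruleset` (both run as root). The check assumes the legacy x_tables backend of iptables, where the two rule sets are genuinely separate as the thread says; if `iptables -V` reports `(nf_tables)`, iptables rules are themselves stored as nft tables and appear in both outputs, so "mixed" would then describe a single rule set seen twice. Once a VM is confirmed to carry both, the translation tools unman mentions (`iptables-translate` and `iptables-restore-translate`, shipped with iptables 1.6.2 and later) give the nft syntax for each iptables rule so the user-script rules can be moved into one rule set.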
