On Wed, Oct 10, 2018 at 03:17:47PM +0200, Illidan Pornrage wrote:
> On 10/10/18 3:14 PM, unman wrote:
> > On Tue, Oct 09, 2018 at 09:18:22PM +0300, Ivan Mitev wrote:
> > > 
> > > 
> > > On 10/9/18 7:44 PM, mfreemon wrote:
> > > > On 10/8/18 10:56 AM, mfreemon wrote:
> > > > > On 10/2/18 2:25 AM, Ivan Mitev wrote:
> > > > > > On 10/2/18 1:32 AM, Chris Laprise wrote:
> > > > > > > On 10/01/2018 05:48 PM, mfreemon wrote:
> > > > > > > > On 1/11/18 3:01 PM, Chris Laprise wrote:
> > > > > > > >    > On 01/10/2018 03:47 PM, Connor Page wrote:
> > > > > > > >    >> The official templates use nftables so shouldn’t be mixed 
> > > > > > > > with
> > > > > > > > iptables. I didn’t have time to learn about nftables, so just 
> > > > > > > > removed
> > > > > > > > nftables package from debian 9 template. YMMV.
> > > > > > > >    >
> > > > > > > >    > Hmmm, I was just thinking how Qubes' own guest scripts 
> > > > > > > > still use
> > > > > > > >    > iptables even in fedora-26.
> > > > > > > >    >
> > > > > > > >    > IIUC, iptables and nft are two different interfaces
> > > > > > > > to netfilter. I
> > > > > > > >    > don't know if it really matters, at least for the R4.0 
> > > > > > > > window. I'd
> > > > > > > >    > prefer to put the syntax change (for docs) off until
> > > > > > > > a later release.
> > > > > > > > 
> > > > > > > > I was recently thrown by the mix of both nftables and iptables 
> > > > > > > > in R4.
> > > > > > > > 
> > > > > > > > The qubes docs don't clarify much.  The qubes firewall scripts 
> > > > > > > > use
> > > > > > > > nft. Most of the discussion on the qubes website documentation 
> > > > > > > > is
> > > > > > > > about iptables, but there are also a few mentions of nft.  The 
> > > > > > > > upgrade
> > > > > > > > instructions (going from R3.2 to R4) did not mention converting 
> > > > > > > > rules
> > > > > > > > from iptables to nftables.  It looks like other related 
> > > > > > > > projects (one
> > > > > > > > example is qubes-tunnel) is using iptables.
> > > > > > > > 
> > > > > > > > Just reading a few things and trying to come up to speed, I get 
> > > > > > > > the
> > > > > > > > impression that nftables and iptables should not both by used 
> > > > > > > > at the
> > > > > > > > same time.  Even if technically possible (i.e. both sets of 
> > > > > > > > rules
> > > > > > > > applied correctly), it strikes me as not a great idea to 
> > > > > > > > maintain
> > > > > > > > packet filtering rules in two different ways.
> > > > > > > > 
> > > > > > > > What is the best practice recommendation on this (for R4, 
> > > > > > > > Fedora 28
> > > > > > > > template)?  Are we to be using, exclusively, nftables in R4?
> > > > > > > 
> > > > > > > The last I read about this (for 4.0) is that nftables is used in 
> > > > > > > Fedora
> > > > > > > Qubes code, but Debian Qubes is still using iptables. That
> > > > > > > still appears
> > > > > > > to be the case since nftables is not installed in my
> > > > > > > debian-9 templates.
> > > > > > > 
> > > > > > > I've submitted qubes-tunnel to Qubes with iptables commands only, 
> > > > > > > with
> > > > > > > the intention to transition to nftables (or that other new 
> > > > > > > interface in
> > > > > > > Linux, name escapes me just now) for Qubes 4.1. Someone who is 
> > > > > > > just
> > > > > > > starting a project might be better off going with nftables.
> > > > > > 
> > > > > > ... until yet another packet filtering mechanism replaces nftables 
> > > > > > (in
> > > > > > that case, bpfilter [1]).
> > > > > > 
> > > > > > I understand the rationale behind using nftables [2] but given how 
> > > > > > it is
> > > > > > widespread (hint: close to 0 even amongst seasoned sysadmins) IMHO 
> > > > > > it
> > > > > > wasn't worth it. The OP's post confirms there's quite some confusion
> > > > > > about how it interacts with iptables, and the official 
> > > > > > documentation is
> > > > > > far from helpful.
> > > > > > I'm quite proficient with iptables and networking in general but it 
> > > > > > took
> > > > > > me half an hour to understand how to tweak Qubes' nftables rules 
> > > > > > last
> > > > > > time I wanted to change something in the firewall, while I would 
> > > > > > have
> > > > > > done that task in less than one minute with iptables. I could have 
> > > > > > spent
> > > > > > a few hours learning nftables to improve the official doc but at my 
> > > > > > age
> > > > > > I prefer to spend time learning tech that significantly improves 
> > > > > > things
> > > > > > (eg. Qubes OS over standard linux distribution) over loosing time
> > > > > > learning stuff that is only marginally better.
> > > > > > Anyway - I digress :)
> > > > > > 
> > > > > > [1] https://old.lwn.net/Articles/747551/
> > > > > > [2]
> > > > > > https://github.com/QubesOS/qubes-issues/issues/1815#issuecomment-245109500
> > > > > > 
> > > > > 
> > > > > I'm concerned about the confusion and unnecessary complexity here.
> > > > > 
> > > > > Network packet filtering is certainly (one of) those features that
> > > > > software such Qubes needs to be solid on (in both design approach
> > > > > and implementation detail).
> > > > > 
> > > > > Is the Qubes team confident in the current situation, such that
> > > > > users of Qubes should not be concerned?
> > > > > 
> > > > > nb.  This is not meant to be a criticism at all.  I very much
> > > > > appreciate the hard (and complicated) work going into Qubes.  I'm
> > > > > just looking to understand the current situation better so as to
> > > > > judge whether my concern is warranted or not.
> > > > 
> > > > 
> > > > As an example:  I'm wanting to enable some specific network traffic
> > > > between two qubes.  The docs say to use iptables 
> > > > (https://www.qubes-os.org/doc/firewall/#enabling-networking-between-two-qubes).
> > > >   qubes-firewall-user-script also specifies iptables rules.  But
> > > > qvm-firewall implements the rules it manages using nftables.  So the
> > > > firewall VMs have both iptables rules and nftables rules in effect.  And
> > > > these are different sets of rules.  It's not that the iptables command
> > > > and the nft command are just two user interfaces showing the same packet
> > > > filtering rules.  They are different packet filtering rules.  This seems
> > > > like a receipt for disaster.
> > > > 
> > > > Is this the wrong forum for this discussion?  Should this be on
> > > > qubes-devel, or an issue in qubes-issues at
> > > > https://github.com/QubesOS/qubes-issues/issues?
> > > 
> > > You'll definitely get more visibility on qubes-devel.
> > > 
> > > FWIW I'm not concerned about the complexity itself: I trust the Qubes devs
> > > not to mess up.
> > > IMHO the problem is that people proficient with iptables are not willing 
> > > to
> > > spend time learning yet another packet filter tool when iptables works for
> > > 99.99% of the cases (+, as others pointed out, nftables is still not 
> > > feature
> > > complete wrt. iptables). For those users - an overwhelming majority - 
> > > Qubes'
> > > nftables firewall is a black box that is difficult to
> > > understand/tweak/debug.
> > > 
> > 
> > I think this is the problem. I remember stalwarts hanging on to ipchains
> > for similar reasons. (I speak as someone who has clung on to iptables for
> > far too long.)
> > It seems to me that the few features lacking in nftables are only of
> > interest to people who are fully capable of learning a new tool. The
> > extras that nft brings completely outweigh the deficiencies.
> > nft provides tools to translate your iptables rules in to the new
> > syntax, so there's really no excuse for not diving in. Even if you have
> > minimal time, you can write your iptables rules and then translate them
> > to nft.
> > 
> > Qubes tries to provide a straightforward experience for relatively
> > inexperienced users, and the nft/iptables mix per distribution is a
> > compromise to that end.
> > 
> > The docs need to be updated to provide nft rules throughout.
> > 
> 
> 
> 
> ^ So do I need to set rules in both or just one of them?
> 

I dont recommend mixing them for clarity. 
I would use nft throughout.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20181010133342.vsbqc6hrf2rvok4m%40thirdeyesecurity.org.
For more options, visit https://groups.google.com/d/optout.

Reply via email to