On 10/10/18 3:33 PM, unman wrote:
On Wed, Oct 10, 2018 at 03:17:47PM +0200, Illidan Pornrage wrote:
On 10/10/18 3:14 PM, unman wrote:
On Tue, Oct 09, 2018 at 09:18:22PM +0300, Ivan Mitev wrote:


On 10/9/18 7:44 PM, mfreemon wrote:
On 10/8/18 10:56 AM, mfreemon wrote:
On 10/2/18 2:25 AM, Ivan Mitev wrote:
On 10/2/18 1:32 AM, Chris Laprise wrote:
On 10/01/2018 05:48 PM, mfreemon wrote:
On 1/11/18 3:01 PM, Chris Laprise wrote:
    > On 01/10/2018 03:47 PM, Connor Page wrote:
    >> The official templates use nftables so shouldn’t be mixed with
iptables. I didn’t have time to learn about nftables, so just removed
nftables package from debian 9 template. YMMV.
    >
    > Hmmm, I was just thinking how Qubes' own guest scripts still use
    > iptables even in fedora-26.
    >
    > IIUC, iptables and nft are two different interfaces
to netfilter. I
    > don't know if it really matters, at least for the R4.0 window. I'd
    > prefer to put the syntax change (for docs) off until
a later release.

I was recently thrown by the mix of both nftables and iptables in R4.

The qubes docs don't clarify much.  The qubes firewall scripts use
nft. Most of the discussion on the qubes website documentation is
about iptables, but there are also a few mentions of nft.  The upgrade
instructions (going from R3.2 to R4) did not mention converting rules
from iptables to nftables.  It looks like other related projects (one
example is qubes-tunnel) is using iptables.

Just reading a few things and trying to come up to speed, I get the
impression that nftables and iptables should not both by used at the
same time.  Even if technically possible (i.e. both sets of rules
applied correctly), it strikes me as not a great idea to maintain
packet filtering rules in two different ways.

What is the best practice recommendation on this (for R4, Fedora 28
template)?  Are we to be using, exclusively, nftables in R4?

The last I read about this (for 4.0) is that nftables is used in Fedora
Qubes code, but Debian Qubes is still using iptables. That
still appears
to be the case since nftables is not installed in my
debian-9 templates.

I've submitted qubes-tunnel to Qubes with iptables commands only, with
the intention to transition to nftables (or that other new interface in
Linux, name escapes me just now) for Qubes 4.1. Someone who is just
starting a project might be better off going with nftables.

... until yet another packet filtering mechanism replaces nftables (in
that case, bpfilter [1]).

I understand the rationale behind using nftables [2] but given how it is
widespread (hint: close to 0 even amongst seasoned sysadmins) IMHO it
wasn't worth it. The OP's post confirms there's quite some confusion
about how it interacts with iptables, and the official documentation is
far from helpful.
I'm quite proficient with iptables and networking in general but it took
me half an hour to understand how to tweak Qubes' nftables rules last
time I wanted to change something in the firewall, while I would have
done that task in less than one minute with iptables. I could have spent
a few hours learning nftables to improve the official doc but at my age
I prefer to spend time learning tech that significantly improves things
(eg. Qubes OS over standard linux distribution) over loosing time
learning stuff that is only marginally better.
Anyway - I digress :)

[1] https://old.lwn.net/Articles/747551/
[2]
https://github.com/QubesOS/qubes-issues/issues/1815#issuecomment-245109500


I'm concerned about the confusion and unnecessary complexity here.

Network packet filtering is certainly (one of) those features that
software such Qubes needs to be solid on (in both design approach
and implementation detail).

Is the Qubes team confident in the current situation, such that
users of Qubes should not be concerned?

nb.  This is not meant to be a criticism at all.  I very much
appreciate the hard (and complicated) work going into Qubes.  I'm
just looking to understand the current situation better so as to
judge whether my concern is warranted or not.


As an example:  I'm wanting to enable some specific network traffic
between two qubes.  The docs say to use iptables 
(https://www.qubes-os.org/doc/firewall/#enabling-networking-between-two-qubes).
   qubes-firewall-user-script also specifies iptables rules.  But
qvm-firewall implements the rules it manages using nftables.  So the
firewall VMs have both iptables rules and nftables rules in effect.  And
these are different sets of rules.  It's not that the iptables command
and the nft command are just two user interfaces showing the same packet
filtering rules.  They are different packet filtering rules.  This seems
like a receipt for disaster.

Is this the wrong forum for this discussion?  Should this be on
qubes-devel, or an issue in qubes-issues at
https://github.com/QubesOS/qubes-issues/issues?

You'll definitely get more visibility on qubes-devel.

FWIW I'm not concerned about the complexity itself: I trust the Qubes devs
not to mess up.
IMHO the problem is that people proficient with iptables are not willing to
spend time learning yet another packet filter tool when iptables works for
99.99% of the cases (+, as others pointed out, nftables is still not feature
complete wrt. iptables). For those users - an overwhelming majority - Qubes'
nftables firewall is a black box that is difficult to
understand/tweak/debug.


I think this is the problem. I remember stalwarts hanging on to ipchains
for similar reasons. (I speak as someone who has clung on to iptables for
far too long.)
It seems to me that the few features lacking in nftables are only of
interest to people who are fully capable of learning a new tool. The
extras that nft brings completely outweigh the deficiencies.
nft provides tools to translate your iptables rules in to the new
syntax, so there's really no excuse for not diving in. Even if you have
minimal time, you can write your iptables rules and then translate them
to nft.

Qubes tries to provide a straightforward experience for relatively
inexperienced users, and the nft/iptables mix per distribution is a
compromise to that end.

The docs need to be updated to provide nft rules throughout.




^ So do I need to set rules in both or just one of them?


I dont recommend mixing them for clarity.
I would use nft throughout.

If I recall correctly (and this is what https://github.com/QubesOS/qubes-issues/issues/1815#issuecomment-245109500 states, too), nftables were introduced in order to *not be used manually*. I.e. all users should stick to the GUI, qvm-firewall and iptables wherever possible. That also explains why there's still a lot more documentation on iptables topics apart from the historical reason.

Since the Qubes firewall is inherently dynamic (rules added and removed whenever VMs are started and stopped), user scripts sometimes did interfere with the dynamic changes resulting in unusable rules or even security issues. Or simply the question "why did my custom rule xyz disappear?". So all of these dynamic changes went to nftables in 4.0 and the iptables rules should remain pretty static during the runtime of a Qubes system.

I added qubes-devel for clarification in case my statement above is imprecise or plain wrong.

Anyway admittedly I also consider that design decision not perfect as
a) NATting with 2 firewalls can get weird if you're not 100% sure which one is applied first. I second the aforementioned opinion in the qubes devs' skills though, i.e. I guess this was thought through.
b) It adds overall complexity, i.e. adds to the chance of having a bug.
c) Some special stuff might still have to go to nftables.

Regarding the overall iptables vs nftables syntax discussion I honestly don't see the point as pretty much all recent kernel firewall backends support the iptables syntax for backwards compatibility anyway.

KR
David

--
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/3e96756f-1a7b-79bc-baa2-a81968eaddf3%40hackingthe.net.
For more options, visit https://groups.google.com/d/optout.

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature

Reply via email to