Re: [qubes-users] nftables vs iptables

2018-10-10 Thread Chris Laprise

On 10/10/2018 01:47 PM, David Hobach wrote:

On 10/10/18 3:33 PM, unman wrote:

On Wed, Oct 10, 2018 at 03:17:47PM +0200, Illidan Pornrage wrote:

On 10/10/18 3:14 PM, unman wrote:

On Tue, Oct 09, 2018 at 09:18:22PM +0300, Ivan Mitev wrote:



On 10/9/18 7:44 PM, mfreemon wrote:

On 10/8/18 10:56 AM, mfreemon wrote:

On 10/2/18 2:25 AM, Ivan Mitev wrote:

On 10/2/18 1:32 AM, Chris Laprise wrote:

On 10/01/2018 05:48 PM, mfreemon wrote:

On 1/11/18 3:01 PM, Chris Laprise wrote:
    > On 01/10/2018 03:47 PM, Connor Page wrote:
    >> The official templates use nftables so shouldn’t be mixed with
    >> iptables. I didn’t have time to learn about nftables, so just removed
    >> nftables package from debian 9 template. YMMV.
    >
    > Hmmm, I was just thinking how Qubes' own guest scripts still use
    > iptables even in fedora-26.
    >
    > IIUC, iptables and nft are two different interfaces to netfilter. I
    > don't know if it really matters, at least for the R4.0 window. I'd
    > prefer to put the syntax change (for docs) off until a later release.

I was recently thrown by the mix of both nftables and iptables in R4.

The qubes docs don't clarify much.  The qubes firewall scripts use
nft. Most of the discussion on the qubes website documentation is
about iptables, but there are also a few mentions of nft.  The upgrade
instructions (going from R3.2 to R4) did not mention converting rules
from iptables to nftables.  It looks like other related projects (one
example is qubes-tunnel) are using iptables.

Just reading a few things and trying to come up to speed, I get the
impression that nftables and iptables should not both be used at the
same time.  Even if technically possible (i.e. both sets of rules
applied correctly), it strikes me as not a great idea to maintain
packet filtering rules in two different ways.

What is the best practice recommendation on this (for R4, Fedora 28
template)?  Are we to be using, exclusively, nftables in R4?


The last I read about this (for 4.0) is that nftables is used in Fedora
Qubes code, but Debian Qubes is still using iptables. That still appears
to be the case since nftables is not installed in my debian-9 templates.

I've submitted qubes-tunnel to Qubes with iptables commands only, with
the intention to transition to nftables (or that other new interface in
Linux, name escapes me just now) for Qubes 4.1. Someone who is just
starting a project might be better off going with nftables.


... until yet another packet filtering mechanism replaces nftables (in
that case, bpfilter [1]).

I understand the rationale behind using nftables [2] but given how it is
widespread (hint: close to 0 even amongst seasoned sysadmins) IMHO it
wasn't worth it. The OP's post confirms there's quite some confusion
about how it interacts with iptables, and the official documentation is
far from helpful.
I'm quite proficient with iptables and networking in general but it took
me half an hour to understand how to tweak Qubes' nftables rules last
time I wanted to change something in the firewall, while I would have
done that task in less than one minute with iptables. I could have spent
a few hours learning nftables to improve the official doc but at my age
I prefer to spend time learning tech that significantly improves things
(eg. Qubes OS over standard linux distribution) over losing time
learning stuff that is only marginally better.
Anyway - I digress :)

[1] https://old.lwn.net/Articles/747551/
[2] https://github.com/QubesOS/qubes-issues/issues/1815#issuecomment-245109500





I'm concerned about the confusion and unnecessary complexity here.

Network packet filtering is certainly (one of) those features that
software such as Qubes needs to be solid on (in both design approach
and implementation detail).

Is the Qubes team confident in the current situation, such that
users of Qubes should not be concerned?

nb.  This is not meant to be a criticism at all.  I very much
appreciate the hard (and complicated) work going into Qubes.  I'm
just looking to understand the current situation better so as to
judge whether my concern is warranted or not.



As an example:  I'm wanting to enable some specific network traffic
between two qubes.  The docs say to use iptables
(https://www.qubes-os.org/doc/firewall/#enabling-networking-between-two-qubes).
qubes-firewall-user-script also specifies iptables rules.  But
qvm-firewall implements the rules it manages using nftables.  So the
firewall VMs have both iptables rules and nftables rules in effect.  And
these are different sets of rules.  It's not that the iptables command
and the nft command are just two user interfaces showing the same packet
filtering rules.  They are different packet filtering rules.  This seems
like a recipe for disaster.

Is this the wrong forum for this discussion?  Should this be on
qubes-devel, or an issue in qubes-issues at
https://github.com/QubesOS/qubes-issues/issues?


You'll 

Re: [qubes-users] nftables vs iptables

2018-10-10 Thread David Hobach

On 10/10/18 3:33 PM, unman wrote:

On Wed, Oct 10, 2018 at 03:17:47PM +0200, Illidan Pornrage wrote:

On 10/10/18 3:14 PM, unman wrote:

On Tue, Oct 09, 2018 at 09:18:22PM +0300, Ivan Mitev wrote:




You'll definitely get more visibility on qubes-devel.

FWIW I'm not concerned about the complexity itself: 

Re: [qubes-users] nftables vs iptables

2018-10-10 Thread Ivan Mitev




On 10/10/18 4:14 PM, unman wrote:

On Tue, Oct 09, 2018 at 09:18:22PM +0300, Ivan Mitev wrote:





You'll definitely get more visibility on qubes-devel.

FWIW I'm not concerned about the complexity itself: I trust the Qubes devs
not to mess up.
IMHO the problem is that people proficient with iptables are not 

Re: [qubes-users] nftables vs iptables

2018-10-10 Thread unman
On Wed, Oct 10, 2018 at 03:17:47PM +0200, Illidan Pornrage wrote:
> On 10/10/18 3:14 PM, unman wrote:
> > On Tue, Oct 09, 2018 at 09:18:22PM +0300, Ivan Mitev wrote:
> > > 
> > > 

Re: [qubes-users] nftables vs iptables

2018-10-10 Thread Illidan Pornrage

On 10/10/18 3:14 PM, unman wrote:

On Tue, Oct 09, 2018 at 09:18:22PM +0300, Ivan Mitev wrote:





You'll definitely get more visibility on qubes-devel.

FWIW I'm not concerned about the complexity itself: I trust the Qubes devs
not to mess up.
IMHO the problem is that people proficient with iptables are not willing 

Re: [qubes-users] nftables vs iptables

2018-10-10 Thread Illidan Pornrage

On 10/9/18 8:18 PM, Ivan Mitev wrote:





You'll definitely get more visibility on qubes-devel.

FWIW I'm not concerned about the complexity itself: I trust the Qubes 
devs not to mess up.
IMHO the problem is that people proficient with iptables are not willing 
to spend time learning 

Re: [qubes-users] nftables vs iptables

2018-10-10 Thread unman
On Tue, Oct 09, 2018 at 09:18:22PM +0300, Ivan Mitev wrote:
> 
> 
> On 10/9/18 7:44 PM, mfreemon wrote:
> > On 10/8/18 10:56 AM, mfreemon wrote:
> > > On 10/2/18 2:25 AM, Ivan Mitev wrote:
> > > > On 10/2/18 1:32 AM, Chris Laprise wrote:
> > > > > On 10/01/2018 05:48 PM, mfreemon wrote:
> > > > > > On 1/11/18 3:01 PM, Chris Laprise wrote:
> > > > > >   > On 01/10/2018 03:47 PM, Connor Page wrote:
> > > > > >   >> The official templates use nftables so shouldn’t be mixed with
> > > > > > iptables. I didn’t have time to learn about nftables, so just removed
> > > > > > nftables package from debian 9 template. YMMV.
> > > > > >   >
> > > > > >   > Hmmm, I was just thinking how Qubes' own guest scripts still use
> > > > > >   > iptables even in fedora-26.
> > > > > >   >
> > > > > >   > IIUC, iptables and nft are two different interfaces to netfilter. I
> > > > > >   > don't know if it really matters, at least for the R4.0 window. I'd
> > > > > >   > prefer to put the syntax change (for docs) off until a later release.
> > > > > > 
> > > > > > I was recently thrown by the mix of both nftables and iptables in R4.
> > > > > > 
> > > > > > The qubes docs don't clarify much.  The qubes firewall scripts use
> > > > > > nft. Most of the discussion on the qubes website documentation is
> > > > > > about iptables, but there are also a few mentions of nft.  The upgrade
> > > > > > instructions (going from R3.2 to R4) did not mention converting rules
> > > > > > from iptables to nftables.  It looks like other related projects (one
> > > > > > example is qubes-tunnel) are using iptables.
> > > > > > 
> > > > > > Just reading a few things and trying to come up to speed, I get the
> > > > > > impression that nftables and iptables should not both be used at the
> > > > > > same time.  Even if technically possible (i.e. both sets of rules
> > > > > > applied correctly), it strikes me as not a great idea to maintain
> > > > > > packet filtering rules in two different ways.
> > > > > > 
> > > > > > What is the best practice recommendation on this (for R4, Fedora 28
> > > > > > template)?  Are we to be using, exclusively, nftables in R4?
> > > > > 
> > > > > The last I read about this (for 4.0) is that nftables is used in Fedora
> > > > > Qubes code, but Debian Qubes is still using iptables. That still appears
> > > > > to be the case since nftables is not installed in my debian-9 templates.
> > > > > 
> > > > > I've submitted qubes-tunnel to Qubes with iptables commands only, with
> > > > > the intention to transition to nftables (or that other new interface in
> > > > > Linux, name escapes me just now) for Qubes 4.1. Someone who is just
> > > > > starting a project might be better off going with nftables.
> > > > 
> > > > ... until yet another packet filtering mechanism replaces nftables (in
> > > > that case, bpfilter [1]).
> > > > 
> > > > I understand the rationale behind using nftables [2] but given how
> > > > widespread it is (hint: close to 0 even amongst seasoned sysadmins) IMHO it
> > > > wasn't worth it. The OP's post confirms there's quite some confusion
> > > > about how it interacts with iptables, and the official documentation is
> > > > far from helpful.
> > > > I'm quite proficient with iptables and networking in general but it took
> > > > me half an hour to understand how to tweak Qubes' nftables rules last
> > > > time I wanted to change something in the firewall, while I would have
> > > > done that task in less than one minute with iptables. I could have spent
> > > > a few hours learning nftables to improve the official doc but at my age
> > > > I prefer to spend time learning tech that significantly improves things
> > > > (e.g. Qubes OS over a standard Linux distribution) over losing time
> > > > learning stuff that is only marginally better.
> > > > Anyway - I digress :)
> > > > 
> > > > [1] https://old.lwn.net/Articles/747551/
> > > > [2]
> > > > https://github.com/QubesOS/qubes-issues/issues/1815#issuecomment-245109500
> > > > 
> > > 
> > > I'm concerned about the confusion and unnecessary complexity here.
> > > 
> > > Network packet filtering is certainly (one of) those features that
> > > software such as Qubes needs to be solid on (in both design approach
> > > and implementation detail).
> > > 
> > > Is the Qubes team confident in the current situation, such that
> > > users of Qubes should not be concerned?
> > > 
> > > nb.  This is not meant to be a criticism at all.  I very much
> > > appreciate the hard (and complicated) work going into Qubes.  I'm
> > > just looking to understand the current situation better so as to
> > > judge whether my concern is warranted or not.
> > 
> > 
> > As an example:  I'm wanting to enable some specific network traffic
> > between two qubes.  The docs say to use iptables 
> > 

Re: [qubes-users] nftables vs iptables

2018-10-10 Thread 'floasretch' via qubes-users
On Monday, October 1, 2018 4:32 PM, Chris Laprise  wrote:
> I've submitted qubes-tunnel to Qubes with iptables commands only, with
> the intention to transition to nftables (or that other new interface in
> Linux, name escapes me just now) for Qubes 4.1.

I guess you mean BPF (Berkeley Packet Filter).

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/h4m5HXxy0LpeW92e2R0ZdfpFDUA04H-5J7f5E_WpUY121foawKFep0dJ6mdgOzx5jpJKHGRLnH0hGevy9hdWJjhQFCwGyuWNtfed5Vg1dsw%3D%40protonmail.com.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] nftables vs iptables

2018-10-09 Thread Ivan Mitev




On 10/9/18 7:44 PM, mfreemon wrote:

On 10/8/18 10:56 AM, mfreemon wrote:

On 10/2/18 2:25 AM, Ivan Mitev wrote:

On 10/2/18 1:32 AM, Chris Laprise wrote:

On 10/01/2018 05:48 PM, mfreemon wrote:

On 1/11/18 3:01 PM, Chris Laprise wrote:
  > On 01/10/2018 03:47 PM, Connor Page wrote:
  >> The official templates use nftables so shouldn’t be mixed with
iptables. I didn’t have time to learn about nftables, so just removed
nftables package from debian 9 template. YMMV.
  >
  > Hmmm, I was just thinking how Qubes' own guest scripts still use
  > iptables even in fedora-26.
  >
  > IIUC, iptables and nft are two different interfaces to netfilter. I
  > don't know if it really matters, at least for the R4.0 window. I'd
  > prefer to put the syntax change (for docs) off until a later release.


I was recently thrown by the mix of both nftables and iptables in R4.

The qubes docs don't clarify much.  The qubes firewall scripts use
nft. Most of the discussion on the qubes website documentation is
about iptables, but there are also a few mentions of nft.  The upgrade
instructions (going from R3.2 to R4) did not mention converting rules
from iptables to nftables.  It looks like other related projects (one
example is qubes-tunnel) are using iptables.

Just reading a few things and trying to come up to speed, I get the
impression that nftables and iptables should not both be used at the
same time.  Even if technically possible (i.e. both sets of rules
applied correctly), it strikes me as not a great idea to maintain
packet filtering rules in two different ways.

What is the best practice recommendation on this (for R4, Fedora 28
template)?  Are we to be using, exclusively, nftables in R4?


The last I read about this (for 4.0) is that nftables is used in Fedora
Qubes code, but Debian Qubes is still using iptables. That still appears
to be the case since nftables is not installed in my debian-9 templates.


I've submitted qubes-tunnel to Qubes with iptables commands only, with
the intention to transition to nftables (or that other new interface in
Linux, name escapes me just now) for Qubes 4.1. Someone who is just
starting a project might be better off going with nftables.


... until yet another packet filtering mechanism replaces nftables (in
that case, bpfilter [1]).

I understand the rationale behind using nftables [2] but given how
widespread it is (hint: close to 0 even amongst seasoned sysadmins) IMHO it
wasn't worth it. The OP's post confirms there's quite some confusion
about how it interacts with iptables, and the official documentation is
far from helpful.
I'm quite proficient with iptables and networking in general but it took
me half an hour to understand how to tweak Qubes' nftables rules last
time I wanted to change something in the firewall, while I would have
done that task in less than one minute with iptables. I could have spent
a few hours learning nftables to improve the official doc but at my age
I prefer to spend time learning tech that significantly improves things
(e.g. Qubes OS over a standard Linux distribution) over losing time
learning stuff that is only marginally better.
Anyway - I digress :)

[1] https://old.lwn.net/Articles/747551/
[2]
https://github.com/QubesOS/qubes-issues/issues/1815#issuecomment-245109500 



I'm concerned about the confusion and unnecessary complexity here.

Network packet filtering is certainly (one of) those features that 
software such as Qubes needs to be solid on (in both design approach and 
implementation detail).


Is the Qubes team confident in the current situation, such that users 
of Qubes should not be concerned?


nb.  This is not meant to be a criticism at all.  I very much 
appreciate the hard (and complicated) work going into Qubes.  I'm just 
looking to understand the current situation better so as to judge 
whether my concern is warranted or not.



As an example:  I'm wanting to enable some specific network traffic 
between two qubes.  The docs say to use iptables 
(https://www.qubes-os.org/doc/firewall/#enabling-networking-between-two-qubes). 
qubes-firewall-user-script also specifies iptables rules.  But 
qvm-firewall implements the rules it manages using nftables.  So the 
firewall VMs have both iptables rules and nftables rules in effect.  And 
these are different sets of rules.  It's not that the iptables command 
and the nft command are just two user interfaces showing the same packet 
filtering rules.  They are different packet filtering rules.  This seems 
like a receipt for disaster.


Is this the wrong forum for this discussion?  Should this be on 
qubes-devel, or an issue in qubes-issues at 
https://github.com/QubesOS/qubes-issues/issues?


You'll definitely get more visibility on qubes-devel.

FWIW I'm not concerned about the complexity itself: I trust the Qubes 
devs not to mess up.
IMHO the problem is that people proficient with iptables are not willing 
to spend time learning yet another packet filter tool when iptables 
works 

Re: [qubes-users] nftables vs iptables

2018-10-09 Thread mfreemon

On 10/9/18 11:44 AM, mfreemon wrote:

On 10/8/18 10:56 AM, mfreemon wrote:

On 10/2/18 2:25 AM, Ivan Mitev wrote:

On 10/2/18 1:32 AM, Chris Laprise wrote:

On 10/01/2018 05:48 PM, mfreemon wrote:

On 1/11/18 3:01 PM, Chris Laprise wrote:
  > On 01/10/2018 03:47 PM, Connor Page wrote:
  >> The official templates use nftables so shouldn’t be mixed with
iptables. I didn’t have time to learn about nftables, so just removed
nftables package from debian 9 template. YMMV.
  >
  > Hmmm, I was just thinking how Qubes' own guest scripts still use
  > iptables even in fedora-26.
  >
  > IIUC, iptables and nft are two different interfaces to netfilter. I
  > don't know if it really matters, at least for the R4.0 window. I'd
  > prefer to put the syntax change (for docs) off until a later release.


I was recently thrown by the mix of both nftables and iptables in R4.

The qubes docs don't clarify much.  The qubes firewall scripts use
nft. Most of the discussion on the qubes website documentation is
about iptables, but there are also a few mentions of nft.  The upgrade
instructions (going from R3.2 to R4) did not mention converting rules
from iptables to nftables.  It looks like other related projects (one
example is qubes-tunnel) are using iptables.

Just reading a few things and trying to come up to speed, I get the
impression that nftables and iptables should not both be used at the
same time.  Even if technically possible (i.e. both sets of rules
applied correctly), it strikes me as not a great idea to maintain
packet filtering rules in two different ways.

What is the best practice recommendation on this (for R4, Fedora 28
template)?  Are we to be using, exclusively, nftables in R4?


The last I read about this (for 4.0) is that nftables is used in Fedora
Qubes code, but Debian Qubes is still using iptables. That still appears
to be the case since nftables is not installed in my debian-9 templates.


I've submitted qubes-tunnel to Qubes with iptables commands only, with
the intention to transition to nftables (or that other new interface in
Linux, name escapes me just now) for Qubes 4.1. Someone who is just
starting a project might be better off going with nftables.


... until yet another packet filtering mechanism replaces nftables (in
that case, bpfilter [1]).

I understand the rationale behind using nftables [2] but given how
widespread it is (hint: close to 0 even amongst seasoned sysadmins) IMHO it
wasn't worth it. The OP's post confirms there's quite some confusion
about how it interacts with iptables, and the official documentation is
far from helpful.
I'm quite proficient with iptables and networking in general but it took
me half an hour to understand how to tweak Qubes' nftables rules last
time I wanted to change something in the firewall, while I would have
done that task in less than one minute with iptables. I could have spent
a few hours learning nftables to improve the official doc but at my age
I prefer to spend time learning tech that significantly improves things
(e.g. Qubes OS over a standard Linux distribution) over losing time
learning stuff that is only marginally better.
Anyway - I digress :)

[1] https://old.lwn.net/Articles/747551/
[2]
https://github.com/QubesOS/qubes-issues/issues/1815#issuecomment-245109500 



I'm concerned about the confusion and unnecessary complexity here.

Network packet filtering is certainly (one of) those features that 
software such as Qubes needs to be solid on (in both design approach and 
implementation detail).


Is the Qubes team confident in the current situation, such that users 
of Qubes should not be concerned?


nb.  This is not meant to be a criticism at all.  I very much 
appreciate the hard (and complicated) work going into Qubes.  I'm just 
looking to understand the current situation better so as to judge 
whether my concern is warranted or not.



As an example:  I'm wanting to enable some specific network traffic 
between two qubes.  The docs say to use iptables 
(https://www.qubes-os.org/doc/firewall/#enabling-networking-between-two-qubes). 
qubes-firewall-user-script also specifies iptables rules.  But 
qvm-firewall implements the rules it manages using nftables.  So the 
firewall VMs have both iptables rules and nftables rules in effect.  And 
these are different sets of rules.  It's not that the iptables command 
and the nft command are just two user interfaces showing the same packet 
filtering rules.  They are different packet filtering rules.  This seems 
like a receipt for disaster.


Is this the wrong forum for this discussion?  Should this be on 
qubes-devel, or an issue in qubes-issues at 
https://github.com/QubesOS/qubes-issues/issues?


s/receipt/recipe/



Re: [qubes-users] nftables vs iptables

2018-10-09 Thread mfreemon

On 10/8/18 10:56 AM, mfreemon wrote:

On 10/2/18 2:25 AM, Ivan Mitev wrote:

On 10/2/18 1:32 AM, Chris Laprise wrote:

On 10/01/2018 05:48 PM, mfreemon wrote:

On 1/11/18 3:01 PM, Chris Laprise wrote:
  > On 01/10/2018 03:47 PM, Connor Page wrote:
  >> The official templates use nftables so shouldn’t be mixed with
iptables. I didn’t have time to learn about nftables, so just removed
nftables package from debian 9 template. YMMV.
  >
  > Hmmm, I was just thinking how Qubes' own guest scripts still use
  > iptables even in fedora-26.
  >
  > IIUC, iptables and nft are two different interfaces to netfilter. I
  > don't know if it really matters, at least for the R4.0 window. I'd
  > prefer to put the syntax change (for docs) off until a later release.


I was recently thrown by the mix of both nftables and iptables in R4.

The qubes docs don't clarify much.  The qubes firewall scripts use
nft. Most of the discussion on the qubes website documentation is
about iptables, but there are also a few mentions of nft.  The upgrade
instructions (going from R3.2 to R4) did not mention converting rules
from iptables to nftables.  It looks like other related projects (one
example is qubes-tunnel) are using iptables.

Just reading a few things and trying to come up to speed, I get the
impression that nftables and iptables should not both be used at the
same time.  Even if technically possible (i.e. both sets of rules
applied correctly), it strikes me as not a great idea to maintain
packet filtering rules in two different ways.

What is the best practice recommendation on this (for R4, Fedora 28
template)?  Are we to be using, exclusively, nftables in R4?


The last I read about this (for 4.0) is that nftables is used in Fedora
Qubes code, but Debian Qubes is still using iptables. That still appears
to be the case since nftables is not installed in my debian-9 templates.

I've submitted qubes-tunnel to Qubes with iptables commands only, with
the intention to transition to nftables (or that other new interface in
Linux, name escapes me just now) for Qubes 4.1. Someone who is just
starting a project might be better off going with nftables.


... until yet another packet filtering mechanism replaces nftables (in
that case, bpfilter [1]).

I understand the rationale behind using nftables [2] but given how
widespread it is (hint: close to 0 even amongst seasoned sysadmins) IMHO it
wasn't worth it. The OP's post confirms there's quite some confusion
about how it interacts with iptables, and the official documentation is
far from helpful.
I'm quite proficient with iptables and networking in general but it took
me half an hour to understand how to tweak Qubes' nftables rules last
time I wanted to change something in the firewall, while I would have
done that task in less than one minute with iptables. I could have spent
a few hours learning nftables to improve the official doc but at my age
I prefer to spend time learning tech that significantly improves things
(e.g. Qubes OS over a standard Linux distribution) over losing time
learning stuff that is only marginally better.
Anyway - I digress :)

[1] https://old.lwn.net/Articles/747551/
[2]
https://github.com/QubesOS/qubes-issues/issues/1815#issuecomment-245109500 



I'm concerned about the confusion and unnecessary complexity here.

Network packet filtering is certainly (one of) those features that 
software such as Qubes needs to be solid on (in both design approach and 
implementation detail).


Is the Qubes team confident in the current situation, such that users of 
Qubes should not be concerned?


nb.  This is not meant to be a criticism at all.  I very much appreciate 
the hard (and complicated) work going into Qubes.  I'm just looking to 
understand the current situation better so as to judge whether my 
concern is warranted or not.



As an example:  I'm wanting to enable some specific network traffic 
between two qubes.  The docs say to use iptables 
(https://www.qubes-os.org/doc/firewall/#enabling-networking-between-two-qubes). 
qubes-firewall-user-script also specifies iptables rules.  But 
qvm-firewall implements the rules it manages using nftables.  So the 
firewall VMs have both iptables rules and nftables rules in effect.  And 
these are different sets of rules.  It's not that the iptables command 
and the nft command are just two user interfaces showing the same packet 
filtering rules.  They are different packet filtering rules.  This seems 
like a receipt for disaster.


Is this the wrong forum for this discussion?  Should this be on 
qubes-devel, or an issue in qubes-issues at 
https://github.com/QubesOS/qubes-issues/issues?
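The mixed state described above (iptables rules from qubes-firewall-user-script next to qvm-firewall's nft rules in the same firewall VM) can be checked from the two tools' own dumps. The script below is an added example, not code from the Qubes project or from anyone in this thread: it parses `iptables-save` and `nft list ruleset` text and reports whether both rule sets carry rules. The sample dumps are constructed (the addresses, table and chain names are made up) and legacy xtables iptables is assumed, so its rules do not also appear in the nft dump.

```python
"""Report whether a VM has both iptables rules and nft rules in effect.

Added example for this thread; not Qubes project code. It parses the text
output of `iptables-save` and `nft list ruleset`. Assumes legacy (xtables)
iptables, whose rules do not appear in `nft list ruleset`; with the later
iptables-nft backend the same rules would be visible in both dumps.
"""
import re
import subprocess

# Constructed sample of `iptables-save` output, in the style of rules a
# qubes-firewall-user-script might add (addresses are made up).
SAMPLE_IPTABLES_SAVE = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -s 10.137.0.10 -d 10.137.0.20 -j ACCEPT
-A FORWARD -s 10.137.0.20 -d 10.137.0.10 -j ACCEPT
COMMIT
"""

# Constructed sample of `nft list ruleset` output, in the style of the
# per-VM chains qvm-firewall manages (table and chain names are made up).
SAMPLE_NFT_RULESET = """\
table ip qubes-firewall {
    chain forward {
        type filter hook forward priority 0; policy drop;
        ip saddr 10.137.0.10 jump qbs-10-137-0-10
    }
    chain qbs-10-137-0-10 {
        ip daddr 10.137.0.20 tcp dport 22 accept
        reject with icmp type admin-prohibited
    }
}
"""

IPT_APPEND = re.compile(r"^-A (\S+) (.*)$")


def iptables_rules(text):
    """Map chain name -> list of rule bodies for every -A line in an
    iptables-save dump. Table, policy and COMMIT lines are skipped."""
    rules = {}
    for line in text.splitlines():
        m = IPT_APPEND.match(line.strip())
        if m:
            rules.setdefault(m.group(1), []).append(m.group(2))
    return rules


def nft_rules(text):
    """Map "table/chain" -> list of rules from an `nft list ruleset` dump.
    Base-chain declarations (type/hook/policy) are not counted as rules."""
    rules = {}
    table = chain = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("table "):
            table = line.split()[2]          # "table ip NAME {"
        elif line.startswith("chain "):
            chain = line.split()[1]          # "chain NAME {"
        elif line == "}":
            if chain is not None:            # closing a chain ...
                chain = None
            else:                            # ... or the enclosing table
                table = None
        elif line.startswith(("type ", "policy ")):
            continue
        elif table and chain:
            rules.setdefault(f"{table}/{chain}", []).append(line)
    return rules


def mixed_ruleset_report(ipt_text, nft_text):
    """Summarise both dumps; "mixed" is True when each contributes at least
    one rule, i.e. two independent rule sets act on the same traffic."""
    ipt = iptables_rules(ipt_text)
    nft = nft_rules(nft_text)
    ipt_count = sum(len(v) for v in ipt.values())
    nft_count = sum(len(v) for v in nft.values())
    return {
        "iptables_rules": ipt_count,
        "iptables_chains": sorted(ipt),
        "nft_rules": nft_count,
        "nft_chains": sorted(nft),
        "mixed": ipt_count > 0 and nft_count > 0,
    }


def live_report():
    """Run both tools on this VM (needs root and both binaries installed)."""
    ipt = subprocess.run(["iptables-save"], capture_output=True, text=True)
    nft = subprocess.run(["nft", "list", "ruleset"], capture_output=True, text=True)
    return mixed_ruleset_report(ipt.stdout, nft.stdout)


if __name__ == "__main__":
    report = mixed_ruleset_report(SAMPLE_IPTABLES_SAVE, SAMPLE_NFT_RULESET)
    for key, value in report.items():
        print(f"{key}: {value}")
    # Expected on the samples: iptables_rules 2, nft_rules 3, mixed True
```

Running it against the constructed samples reports two iptables FORWARD rules and three nft rules, i.e. the "mixed" condition; `live_report()` does the same against the real dumps inside a firewall VM.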




Re: [qubes-users] nftables vs iptables

2018-10-08 Thread mfreemon

On 10/2/18 2:25 AM, Ivan Mitev wrote:

On 10/2/18 1:32 AM, Chris Laprise wrote:

On 10/01/2018 05:48 PM, mfreemon wrote:

On 1/11/18 3:01 PM, Chris Laprise wrote:
  > On 01/10/2018 03:47 PM, Connor Page wrote:
  >> The official templates use nftables so shouldn’t be mixed with
iptables. I didn’t have time to learn about nftables, so just removed
nftables package from debian 9 template. YMMV.
  >
  > Hmmm, I was just thinking how Qubes' own guest scripts still use
  > iptables even in fedora-26.
  >
  > IIUC, iptables and nft are two different interfaces to netfilter. I
  > don't know if it really matters, at least for the R4.0 window. I'd
  > prefer to put the syntax change (for docs) off until a later release.

I was recently thrown by the mix of both nftables and iptables in R4.

The qubes docs don't clarify much.  The qubes firewall scripts use
nft. Most of the discussion on the qubes website documentation is
about iptables, but there are also a few mentions of nft.  The upgrade
instructions (going from R3.2 to R4) did not mention converting rules
from iptables to nftables.  It looks like other related projects (one
example is qubes-tunnel) are using iptables.

Just reading a few things and trying to come up to speed, I get the
impression that nftables and iptables should not both be used at the
same time.  Even if technically possible (i.e. both sets of rules
applied correctly), it strikes me as not a great idea to maintain
packet filtering rules in two different ways.

What is the best practice recommendation on this (for R4, Fedora 28
template)?  Are we to be using, exclusively, nftables in R4?


The last I read about this (for 4.0) is that nftables is used in Fedora
Qubes code, but Debian Qubes is still using iptables. That still appears
to be the case since nftables is not installed in my debian-9 templates.

I've submitted qubes-tunnel to Qubes with iptables commands only, with
the intention to transition to nftables (or that other new interface in
Linux, name escapes me just now) for Qubes 4.1. Someone who is just
starting a project might be better off going with nftables.


... until yet another packet filtering mechanism replaces nftables (in
that case, bpfilter [1]).

I understand the rationale behind using nftables [2] but given how
widespread it is (hint: close to 0 even amongst seasoned sysadmins) IMHO it
wasn't worth it. The OP's post confirms there's quite some confusion
about how it interacts with iptables, and the official documentation is
far from helpful.
I'm quite proficient with iptables and networking in general but it took
me half an hour to understand how to tweak Qubes' nftables rules last
time I wanted to change something in the firewall, while I would have
done that task in less than one minute with iptables. I could have spent
a few hours learning nftables to improve the official doc but at my age
I prefer to spend time learning tech that significantly improves things
(e.g. Qubes OS over a standard Linux distribution) over losing time
learning stuff that is only marginally better.
Anyway - I digress :)

[1] https://old.lwn.net/Articles/747551/
[2]
https://github.com/QubesOS/qubes-issues/issues/1815#issuecomment-245109500


I'm concerned about the confusion and unnecessary complexity here.

Network packet filtering is certainly (one of) those features that 
software such as Qubes needs to be solid on (in both design approach and 
implementation detail).


Is the Qubes team confident in the current situation, such that users of 
Qubes should not be concerned?


nb.  This is not meant to be a criticism at all.  I very much appreciate 
the hard (and complicated) work going into Qubes.  I'm just looking to 
understand the current situation better so as to judge whether my 
concern is warranted or not.






Re: [qubes-users] nftables vs iptables

2018-10-02 Thread Zrubi

On 10/1/18 11:48 PM, mfreemon wrote:
> What is the best practice recommendation on this (for R4, Fedora
> 28 template)?  Are we to be using, exclusively, nftables in R4?

The intended benefit was that with nftables the Qubes firewall would not
need to be reloaded all the time.

But: until nftables is a complete iptables replacement, Qubes still
needs iptables too.

My personal opinion is that this mixed setup causes more confusion and
does not provide any real benefits at all.

-- 
Zrubi



Re: [qubes-users] nftables vs iptables

2018-10-02 Thread Ivan Mitev



On 10/2/18 1:32 AM, Chris Laprise wrote:
> On 10/01/2018 05:48 PM, mfreemon wrote:
>> On 1/11/18 3:01 PM, Chris Laprise wrote:
>>  > On 01/10/2018 03:47 PM, Connor Page wrote:
>>  >> The official templates use nftables so shouldn’t be mixed with
>> iptables. I didn’t have time to learn about nftables, so just removed
>> nftables package from debian 9 template. YMMV.
>>  >>
>>  >
>>  > Hmmm, I was just thinking how Qubes' own guest scripts still use
>>  > iptables even in fedora-26.
>>  >
>>  > IIUC, iptables and nft are two different interfaces to netfilter. I
>>  > don't know if it really matters, at least for the R4.0 window. I'd
>>  > prefer to put the syntax change (for docs) off until a later release.
>>
>> I was recently thrown by the mix of both nftables and iptables in R4.
>>
>> The qubes docs don't clarify much.  The qubes firewall scripts use
>> nft. Most of the discussion on the qubes website documentation is
>> about iptables, but there are also a few mentions of nft.  The upgrade
>> instructions (going from R3.2 to R4) did not mention converting rules
>> from iptables to nftables.  It looks like other related projects (one
>> example is qubes-tunnel) are using iptables.
>>
>> Just reading a few things and trying to come up to speed, I get the
>> impression that nftables and iptables should not both be used at the
>> same time.  Even if technically possible (i.e. both sets of rules
>> applied correctly), it strikes me as not a great idea to maintain
>> packet filtering rules in two different ways.
>>
>> What is the best practice recommendation on this (for R4, Fedora 28
>> template)?  Are we to be using, exclusively, nftables in R4?
> 
> The last I read about this (for 4.0) is that nftables is used in Fedora
> Qubes code, but Debian Qubes is still using iptables. That still appears
> to be the case since nftables is not installed in my debian-9 templates.
> 
> I've submitted qubes-tunnel to Qubes with iptables commands only, with
> the intention to transition to nftables (or that other new interface in
> Linux, name escapes me just now) for Qubes 4.1. Someone who is just
> starting a project might be better off going with nftables.

... until yet another packet filtering mechanism replaces nftables (in
that case, bpfilter [1]).

I understand the rationale behind using nftables [2] but given how
widespread it is (hint: close to 0 even amongst seasoned sysadmins) IMHO it
wasn't worth it. The OP's post confirms there's quite some confusion
about how it interacts with iptables, and the official documentation is
far from helpful.
I'm quite proficient with iptables and networking in general but it took
me half an hour to understand how to tweak Qubes' nftables rules last
time I wanted to change something in the firewall, while I would have
done that task in less than one minute with iptables. I could have spent
a few hours learning nftables to improve the official doc but at my age
I prefer to spend time learning tech that significantly improves things
(e.g. Qubes OS over a standard Linux distribution) over losing time
learning stuff that is only marginally better.
Anyway - I digress :)

[1] https://old.lwn.net/Articles/747551/
[2]
https://github.com/QubesOS/qubes-issues/issues/1815#issuecomment-245109500



Re: [qubes-users] nftables vs iptables

2018-10-01 Thread Chris Laprise

On 10/01/2018 05:48 PM, mfreemon wrote:

On 1/11/18 3:01 PM, Chris Laprise wrote:
 > On 01/10/2018 03:47 PM, Connor Page wrote:
 >> The official templates use nftables so shouldn’t be mixed with 
iptables. I didn’t have time to learn about nftables, so just removed 
nftables package from debian 9 template. YMMV.

 >>
 >
 > Hmmm, I was just thinking how Qubes' own guest scripts still use
 > iptables even in fedora-26.
 >
 > IIUC, iptables and nft are two different interfaces to netfilter. I
 > don't know if it really matters, at least for the R4.0 window. I'd
 > prefer to put the syntax change (for docs) off until a later release.

I was recently thrown by the mix of both nftables and iptables in R4.

The qubes docs don't clarify much.  The qubes firewall scripts use nft. 
Most of the discussion on the qubes website documentation is about 
iptables, but there are also a few mentions of nft.  The upgrade 
instructions (going from R3.2 to R4) did not mention converting rules 
from iptables to nftables.  It looks like other related projects (one 
example is qubes-tunnel) are using iptables.


Just reading a few things and trying to come up to speed, I get the 
impression that nftables and iptables should not both be used at the 
same time.  Even if technically possible (i.e. both sets of rules 
applied correctly), it strikes me as not a great idea to maintain packet 
filtering rules in two different ways.


What is the best practice recommendation on this (for R4, Fedora 28 
template)?  Are we to be using, exclusively, nftables in R4?


The last I read about this (for 4.0) is that nftables is used in Fedora 
Qubes code, but Debian Qubes is still using iptables. That still appears 
to be the case since nftables is not installed in my debian-9 templates.


I've submitted qubes-tunnel to Qubes with iptables commands only, with 
the intention to transition to nftables (or that other new interface in 
Linux, name escapes me just now) for Qubes 4.1. Someone who is just 
starting a project might be better off going with nftables.


--

Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886



[qubes-users] nftables vs iptables

2018-10-01 Thread mfreemon

On 1/11/18 3:01 PM, Chris Laprise wrote:
> On 01/10/2018 03:47 PM, Connor Page wrote:
>> The official templates use nftables so shouldn’t be mixed with 
iptables. I didn’t have time to learn about nftables, so just removed 
nftables package from debian 9 template. YMMV.

>>
>
> Hmmm, I was just thinking how Qubes' own guest scripts still use
> iptables even in fedora-26.
>
> IIUC, iptables and nft are two different interfaces to netfilter. I
> don't know if it really matters, at least for the R4.0 window. I'd
> prefer to put the syntax change (for docs) off until a later release.

I was recently thrown by the mix of both nftables and iptables in R4.

The qubes docs don't clarify much.  The qubes firewall scripts use nft. 
Most of the discussion on the qubes website documentation is about 
iptables, but there are also a few mentions of nft.  The upgrade 
instructions (going from R3.2 to R4) did not mention converting rules 
from iptables to nftables.  It looks like other related projects (one 
example is qubes-tunnel) are using iptables.


Just reading a few things and trying to come up to speed, I get the 
impression that nftables and iptables should not both be used at the 
same time.  Even if technically possible (i.e. both sets of rules 
applied correctly), it strikes me as not a great idea to maintain packet 
filtering rules in two different ways.


What is the best practice recommendation on this (for R4, Fedora 28 
template)?  Are we to be using, exclusively, nftables in R4?


