@@ -179,6 +179,13 @@ building the correct syntax for iptables or nft and the actual execution
Steps 1-3 are completed and needs the automated test. Step 4 has still some issues but it is in its final stages. 5 will be worked on in the following weeks, since it is mandatory before merging anything. 6 can come at a later stage.
+### Known Issues
+Currently, in the destination Qube, such as the `personal` or `work`, or any other qube that does not provide networking, the systemd unit `qubes-firewall` is not started by default. Currently, each domain of this kind has a set of predefined `iptables` rules that will be deprecated as soon as the full switch to `nft` is completed. In the meantime, in order to use the port forwarding succesfully, it is necessary to drop such rules and thus stop the service with:
+
+```
+sudo systemctl stop qubes-iptables
+```
+
### Required rules
#### External
The iptables backend in the firewall worker is being deprecated. If the `nft` binary is available on the target Qubes, iptables will be never involved. Thus, only `nft` rules are relevant in this context.
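Review bot: the `### Known Issues` paragraph says the unit that is not started is `qubes-firewall`, but the command it then gives stops `qubes-iptables`; either the unit name in the prose is wrong or the text needs to say that `qubes-firewall` is the unit that is not running while `qubes-iptables` is the one that installs the predefined rules it asks the reader to drop. The paragraph also instructs the reader to stop a service without stating what protection those predefined rules provide in a qube that does not provide networking, or that `systemctl stop` is not persistent; add a sentence on the exposure that results and how to restore the rules afterwards (`sudo systemctl start qubes-iptables`). Minor: "succesfully" should be "successfully", and in the `#### External` paragraph "iptables will be never involved" should read "iptables will never be involved".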
@@ -313,3 +320,20 @@ The required setup involves:
* First, run once `backup.sh` and pay attention to never run it again in order to recover from broken states (breaking qubesd, `qvm-run` will stop working and it will be hard to recover)
* Run `update.sh` to automatically pull changes from the Windows host. `qubesd` is restarted within the same script.
* In case of issues, run `restore.sh` and investigate the previous errors
+
+### Nft Debugging
+To debug rules with `nft`, it is necessary to add a trace rule to each relevant table-chain:
+
+```
+nft add rule qubes-firewall forward meta nftrace 1
+nft add rule qubes-firewall prerouting meta nftrace 1
+nft add rule qubes-firewall postrouting meta nftrace 1
+nft add rule qubes-firewall-forward postrouting meta nftrace 1
+nft add rule qubes-firewall-forward postrouting meta nftrace 1
+```
+
+Then, the rule processing log can be monitored running:
+
+```
+nft monitor trace
+```
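Review bot: the last two lines of the trace block in `### Nft Debugging` are identical (`nft add rule qubes-firewall-forward postrouting meta nftrace 1` appears twice), so one is either a copy-paste duplicate or was meant to name a different chain; fix that before merging. Also, `nft add rule` appends to the end of the chain, so a packet that an earlier rule already accepted or dropped never reaches the trace rule and shows nothing in `nft monitor trace`, which is exactly the case being debugged; use `nft insert rule ...` so the trace rule sits first, and write it in the documented form `meta nftrace set 1`. Finally, the section should say how to remove the trace rules once debugging is done (`nft -a list chain <family> <table> <chain>` to find the handle, then `nft delete rule <family> <table> <chain> handle N`), since otherwise they stay in the ruleset.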