
Added nft tracing guide, added info about iptables in destination qube

Giulio 2 years ago
parent
commit
2252d47f99

+ 24 - 0
Readme.md

@@ -179,6 +179,13 @@ building the correct syntax for iptables or nft and the actual execution
 
 Steps 1-3 are completed and needs the automated test. Step 4 has still some issues but it is in its final stages. 5 will be worked on in the following weeks, since it is mandatory before merging anything. 6 can come at a later stage.
 
+### Known Issues
+Currently, in the destination Qube, such as the `personal` or `work`, or any other qube that does not provide networking, the systemd unit `qubes-firewall` is not started by default. Currently, each domain of this kind has a set of predefined `iptables` rules that will be deprecated as soon as the full switch to `nft` is completed. In the meantime, in order to use the port forwarding succesfully, it is necessary to drop such rules and thus stop the service with:
+
+```
+sudo systemctl stop qubes-iptables
+```
+
 ### Required rules
 #### External
 The iptables backend in the firewall worker is being deprecated. If the `nft` binary is available on the target Qubes, iptables will be never involved. Thus, only `nft` rules are relevant in this context.
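Review bot: the prose in the "Known Issues" paragraph names the unit `qubes-firewall` as the service that is not started, but the command below it stops `qubes-iptables`; one of the two names should be corrected so the reader stops the unit that actually owns the predefined `iptables` rules. Since stopping it drops the qube's default filtering, the paragraph should also tell the reader how to undo the workaround once testing is done (the matching `sudo systemctl start` of the same unit) and whether a stop alone survives a reboot. Minor: "succesfully" should read "successfully", and the two sentences both opening with "Currently," can be merged.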
@@ -313,3 +320,20 @@ The required setup involves:
  * First, run once `backup.sh` and pay attention to never run it again in order to recover from broken states (breaking qubesd, `qvm-run` will stop working and it will be hard to recover)
  * Run `update.sh` to automatically pull changes from the Windows host. `qubesd` is restarted within the same script.
  * In case of issues, run `restore.sh` and investigate the previous errors
+
+### Nft Debugging
+To debug rules with `nft`, it is necessary to add a trace rule to each relevant table-chain:
+
+```
+nft add rule qubes-firewall forward meta nftrace 1
+nft add rule qubes-firewall prerouting meta nftrace 1
+nft add rule qubes-firewall postrouting meta nftrace 1
+nft add rule qubes-firewall-forward postrouting meta nftrace 1
+nft add rule qubes-firewall-forward postrouting meta nftrace 1
+```
+
+Then, the rule processing log can be monitored running:
+
+```
+nft monitor trace
+```