diff --git a/Readme.md b/Readme.md index 4333a0d..2fa2104 100644 --- a/Readme.md +++ b/Readme.md @@ -179,6 +179,13 @@ building the correct syntax for iptables or nft and the actual execution Steps 1-3 are completed and needs the automated test. Step 4 has still some issues but it is in its final stages. 5 will be worked on in the following weeks, since it is mandatory before merging anything. 6 can come at a later stage. +### Known Issues +Currently, in the destination Qube, such as the `personal` or `work`, or any other qube that does not provide networking, the systemd unit `qubes-firewall` is not started by default. Currently, each domain of this kind has a set of predefined `iptables` rules that will be deprecated as soon as the full switch to `nft` is completed. In the meantime, in order to use the port forwarding succesfully, it is necessary to drop such rules and thus stop the service with: + +``` +sudo systemctl stop qubes-iptables +``` + ### Required rules #### External The iptables backend in the firewall worker is being deprecated. If the `nft` binary is available on the target Qubes, iptables will be never involved. Thus, only `nft` rules are relevant in this context. @@ -313,3 +320,20 @@ The required setup involves: * First, run once `backup.sh` and pay attention to never run it again in order to recover from broken states (breaking qubesd, `qvm-run` will stop working and it will be hard to recover) * Run `update.sh` to automatically pull changes from the Windows host. `qubesd` is restarted within the same script. * In case of issues, run `restore.sh` and investigate the previous errors + +### Nft Debugging +To debug rules with `nft`, it is necessary to add a trace rule to each relevant table-chain: + +``` +nft add rule qubes-firewall forward meta nftrace 1 +nft add rule qubes-firewall prerouting meta nftrace 1 +nft add rule qubes-firewall postrouting meta nftrace 1 +nft add rule qubes-firewall-forward postrouting meta nftrace 1 +nft add rule qubes-firewall-forward postrouting meta nftrace 1 +``` + +Then, the rule processing log can be monitored running: + +``` +nft monitor trace +``` \ No newline at end of file