Added nft tracing guide, added info about iptables in destination qube

Giulio 2021-08-20 12:17:14 +02:00
parent a70b65d39b
commit 2252d47f99


@ -179,6 +179,13 @@ building the correct syntax for iptables or nft and the actual execution
Steps 1-3 are completed and needs the automated test. Step 4 has still some issues but it is in its final stages. 5 will be worked on in the following weeks, since it is mandatory before merging anything. 6 can come at a later stage. Steps 1-3 are completed and needs the automated test. Step 4 has still some issues but it is in its final stages. 5 will be worked on in the following weeks, since it is mandatory before merging anything. 6 can come at a later stage.
### Known Issues
Currently, in the destination Qube, such as the `personal` or `work`, or any other qube that does not provide networking, the systemd unit `qubes-firewall` is not started by default. Currently, each domain of this kind has a set of predefined `iptables` rules that will be deprecated as soon as the full switch to `nft` is completed. In the meantime, in order to use the port forwarding succesfully, it is necessary to drop such rules and thus stop the service with:
```
sudo systemctl stop qubes-iptables
```
### Required rules ### Required rules
#### External #### External
The iptables backend in the firewall worker is being deprecated. If the `nft` binary is available on the target Qubes, iptables will be never involved. Thus, only `nft` rules are relevant in this context. The iptables backend in the firewall worker is being deprecated. If the `nft` binary is available on the target Qubes, iptables will be never involved. Thus, only `nft` rules are relevant in this context.
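Review bot: The new Known Issues paragraph tells the reader to run `sudo systemctl stop qubes-iptables` as the way to "drop such rules", but does not say what that costs: it removes the destination qube's whole set of predefined iptables rules, not only whatever blocks the forwarded port, and the change does not survive a reboot since the unit is still enabled. Suggest stating both consequences explicitly, pointing out that the prose mentions the `qubes-firewall` unit while the command stops `qubes-iptables` (two different units, so make clear which one is meant), and, if possible, documenting a narrower alternative such as adding a single accept rule for the forwarded port instead of stopping the service. Also fix the typo "succesfully" -> "successfully".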
@ -313,3 +320,20 @@ The required setup involves:
* First, run once `backup.sh` and pay attention to never run it again in order to recover from broken states (breaking qubesd, `qvm-run` will stop working and it will be hard to recover) * First, run once `backup.sh` and pay attention to never run it again in order to recover from broken states (breaking qubesd, `qvm-run` will stop working and it will be hard to recover)
* Run `update.sh` to automatically pull changes from the Windows host. `qubesd` is restarted within the same script. * Run `update.sh` to automatically pull changes from the Windows host. `qubesd` is restarted within the same script.
* In case of issues, run `restore.sh` and investigate the previous errors * In case of issues, run `restore.sh` and investigate the previous errors
### Nft Debugging
To debug rules with `nft`, it is necessary to add a trace rule to each relevant table-chain:
```
nft add rule qubes-firewall forward meta nftrace 1
nft add rule qubes-firewall prerouting meta nftrace 1
nft add rule qubes-firewall postrouting meta nftrace 1
nft add rule qubes-firewall-forward postrouting meta nftrace 1
nft add rule qubes-firewall-forward postrouting meta nftrace 1
```
Then, the rule processing log can be monitored running:
```
nft monitor trace
```
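Review bot: The "Nft Debugging" block adds the same rule twice, `nft add rule qubes-firewall-forward postrouting meta nftrace 1` appears on two consecutive lines, which would leave a duplicate trace rule in that chain; drop one (or, if a different chain of `qubes-firewall-forward` was intended, name it). Two further points on the same commands: `nft add rule` appends to the end of the chain, so packets that hit an accept or drop verdict earlier in the chain are never marked and never show up in `nft monitor trace`; `nft insert rule ...` puts the trace rule first and is what a debugging guide should recommend. Please also verify the statement syntax against the installed nft, since the nft manual documents the trace flag as `meta nftrace set 1` rather than `meta nftrace 1`. Finally, the section should say how to remove the trace rules afterwards (list with `nft -a list ruleset` and delete by handle), as leaving tracing on in a firewall qube produces continuous trace output.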