Added nft tracing guide, added info about iptables in destination qube
parent a70b65d39b
commit 2252d47f99
24 Readme.md
@ -179,6 +179,13 @@ building the correct syntax for iptables or nft and the actual execution
Steps 1-3 are completed and needs the automated test. Step 4 has still some issues but it is in its final stages. 5 will be worked on in the following weeks, since it is mandatory before merging anything. 6 can come at a later stage.
### Known Issues
Currently, in the destination Qube, such as the `personal` or `work`, or any other qube that does not provide networking, the systemd unit `qubes-firewall` is not started by default. Currently, each domain of this kind has a set of predefined `iptables` rules that will be deprecated as soon as the full switch to `nft` is completed. In the meantime, in order to use the port forwarding succesfully, it is necessary to drop such rules and thus stop the service with:
```
sudo systemctl stop qubes-iptables
```
### Required rules
#### External
The iptables backend in the firewall worker is being deprecated. If the `nft` binary is available on the target Qubes, iptables will be never involved. Thus, only `nft` rules are relevant in this context.
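Review bot: the new "Known Issues" paragraph names the unit that is not started as `qubes-firewall`, but the command below it stops `qubes-iptables`; name the unit that actually carries the predefined rules consistently, otherwise a reader who runs `systemctl stop qubes-firewall` gets no effect and the rules stay in place. Two more points on the same paragraph: `systemctl stop` is not persistent, so the `iptables` rules return on the next boot of the qube and the text should say whether the stop has to be repeated (or the unit disabled); and dropping the whole predefined ruleset removes whatever filtering it gave the destination qube, so state what is lost, or narrow the instruction to deleting only the rules that conflict with the port forward. Minor: "succesfully" should read "successfully".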
@ -313,3 +320,20 @@ The required setup involves:
* First, run once `backup.sh` and pay attention to never run it again in order to recover from broken states (breaking qubesd, `qvm-run` will stop working and it will be hard to recover)
* Run `update.sh` to automatically pull changes from the Windows host. `qubesd` is restarted within the same script.
* In case of issues, run `restore.sh` and investigate the previous errors
### Nft Debugging
To debug rules with `nft`, it is necessary to add a trace rule to each relevant table-chain:
```
nft add rule qubes-firewall forward meta nftrace 1
nft add rule qubes-firewall prerouting meta nftrace 1
nft add rule qubes-firewall postrouting meta nftrace 1
nft add rule qubes-firewall-forward postrouting meta nftrace 1
nft add rule qubes-firewall-forward postrouting meta nftrace 1
```
Then, the rule processing log can be monitored running:
```
nft monitor trace
```
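Review bot: the `nft add rule ... meta nftrace 1` lines in the new "Nft Debugging" section will not enable tracing as written. nftrace is enabled with the `set` keyword (`meta nftrace set 1`), and `add rule` appends to the end of the chain, so any packet that reaches a verdict earlier in the chain is never marked and never shows up in `nft monitor trace`; use `nft insert rule <table> <chain> meta nftrace set 1` so the mark is applied before the existing rules. Without a family, `nft` assumes `ip`, so if any of these tables lives in another family the command has to say so (for example `nft insert rule ip6 ...`). The line `nft add rule qubes-firewall-forward postrouting meta nftrace 1` appears twice; if the second copy was meant for a different chain, correct it, otherwise drop it. Finally, add a step for removing the trace rules once debugging is done (`nft -a list chain <table> <chain>` to find the handle, then `nft delete rule <table> <chain> handle <N>`), since a left-over nftrace rule adds per-packet overhead and keeps the trace output flowing.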