Hello,
Sorry for the late reply.
While everything cli related is almost ready, I am having some issues with
the actual implementation of the iptables/nft rules. I see that in the
current state, it seems like Qubes is using both as also stated in [1].
However, in the core-agent-linux source code, if the 'nft' binary is
available that is the only one that gets invoked. Furthermore, there
are differences on the iptables backend depending on templates as
reported in [2].
I am a bit stuck in understanding which rule to put where in order to
have consistency across templates and between iptables/nft, also because
if I blindly implement the rules suggested in [1] they will not actually
work since most of the time iptables is not invoked at all.
I also checked [3], however it is very similar to the instructions in
[1] which leads to the same problems.
Are we able to write working nft forwarding rules without invoking
iptables at all? If yes, could you help me determine which ones?
You can see in [4] how I organized the forwarding mechanism. All the
necessary information, as well as ipv4/ipv6 support should already be in
the 'prepare_forward_rules' function meaning that only the actual
building syntax is left.
For simplicity you can look at the other changes at [5] and at [6].
Cheers
Giulio
[1] - https://www.qubes-os.org/doc/firewall/
[2] - https://github.com/QubesOS/qubes-issues/issues/5031
[3] - https://gist.github.com/fepitre/941d7161ae1150d90e15f778027e3248
[4] - https://github.com/lsd-cat/qubes-core-agent-linux/compare/f24ca2c..3e944af
[5] - https://github.com/lsd-cat/qubes-core-admin/compare/6a1570b..6e3e250
[6] - https://github.com/lsd-cat/qubes-core-admin-client/compare/1a2ce72..a17853b