Why does Qubes firewall separate IPv4 and IPv6?
10 views
Skip to first unread message
qubist
Mar 21, 2024, 11:03:43 AMMar 21
to qubes...@googlegroups.com
Hi,
Why does Qubes OS explicitly handle IPv4 and IPv6 through two separate nft tables (ip qubes and ip6 qubes), resulting in duplication of rules in these two tables?
Why does Qubes OS explicitly handle IPv4 and IPv6 through two separate nft tables (ip qubes and ip6 qubes), resulting in duplication of rules in these two tables?
Eric W. Biederman
Mar 23, 2024, 8:06:50 AMMar 23
to qubist, qubes...@googlegroups.com
qubist <qubist...@riseup.net> writes:
> Hi,
>
> Why does Qubes OS explicitly handle IPv4 and IPv6 through two separate nft tables (ip qubes and ip6 qubes), resulting in duplication of rules in these two tables?
I looked at something a while ago and at the time everything was based
> Hi,
>
> Why does Qubes OS explicitly handle IPv4 and IPv6 through two separate nft tables (ip qubes and ip6 qubes), resulting in duplication of rules in these two tables?
on iptables. To the point that nft table support was simply created by
something emulating iptables.
So I expect this is just historical where the code has not truly moved
beyond iptables.
Eric
unman
Mar 23, 2024, 9:05:44 AMMar 23
to Eric W. Biederman, qubist, qubes...@googlegroups.com
[quote]
I'm sure this is part of it.
However, the 4 and 6 rulesets are distinct and although they could be
merged to a single table, the result would not be any cleaner. While
there is some duplication, there are also distinctions.
Sometimes keeping separate tables allows for greater clarity.
--
I never presume to speak for the Qubes team.
When I comment in the mailing lists I speak for myself.
So I expect this is just historical where the code has not truly moved
beyond iptables.
[/quote]
beyond iptables.
I'm sure this is part of it.
However, the 4 and 6 rulesets are distinct and although they could be
merged to a single table, the result would not be any cleaner. While
there is some duplication, there are also distinctions.
Sometimes keeping separate tables allows for greater clarity.
--
I never presume to speak for the Qubes team.
When I comment in the mailing lists I speak for myself.
qubist
Mar 23, 2024, 3:55:45 PMMar 23
to qubes...@googlegroups.com
On Sat, 23 Mar 2024 13:05:39 +0000 'unman' via qubes-devel wrote:
> However, the 4 and 6 rulesets are distinct and although they could be
> merged to a single table, the result would not be any cleaner. While
> there is some duplication, there are also distinctions.
> Sometimes keeping separate tables allows for greater clarity.
I am not quite sure what you mean by cleaner and greater clarity.
> However, the 4 and 6 rulesets are distinct and although they could be
> merged to a single table, the result would not be any cleaner. While
> there is some duplication, there are also distinctions.
> Sometimes keeping separate tables allows for greater clarity.
Compare the 2 files I am attaching.
separate.nft - as it is currently in Qubes
single.nft - a quick attempt to merge them into a single inet table
separate - 133 lines
single - 82 lines
I have not made any performance comparison but in regards to
simplicity, single.nft looks simpler to me. Perhaps it can be optimized
even more, e.g. dropping invalid packets in early in prerouting hook
instead of letting them to input.
What do you think? Has any optimization been considered?
Marek Marczykowski-Górecki
Mar 25, 2024, 7:45:23 AMMar 25
to qubist, qubes...@googlegroups.com
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
A single table is surely shorter, but TBH I'm not sure if it's clearer.
Some rules needs to be duplicated for v4 and v6, some don't. IMO the main
advantage of the single table approach is purely port-based rules (UDP
or TCP), but the default firewall doesn't have many of them. They may be
relevant for custom-input chain (but not always - sometimes you might
want to use IP address in those too), and rarely for custom-forward.
In any case, changing it now is not an option. It would mean changing
the API for custom rules, which was a huge pain for users migrating to
R4.2, and we are not going to do that _again_ now.
- --
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
-----BEGIN PGP SIGNATURE-----
iQEzBAEBCAAdFiEEhrpukzGPukRmQqkK24/THMrX1ywFAmYBY80ACgkQ24/THMrX
1yzebgf/dkFXbsl7FYfgeqPEJTZ/HMPWieXum7vI06FpuLlHncPMhbJ833prtAvK
CIZF/iEEOsngyiGT0VaH45NO3H4QBDftikwDQ3eB91+qJ792zcmaiuOj9LYStka4
XdsMhCbZsH8PeVfU36z7DGlZZ0lay1dAgqH4lVYu+LAA55mNFB6CqHLKq/APnrk9
Iopuz8m7AA8yEQ4lrAvYtFY3OpKQpKv0VZhDTtrILj0io7JdTzWNAbD0EFJmr7po
YW3j+kuRCTEUK0c4wD00mU5ZAytEdjgZuKQSTnfbEbrzOxSOvY+6E5a4B+SnqA0D
BciowS1par9BQDTZUsKnYPUIa0qySg==
=CtoI
-----END PGP SIGNATURE-----
Hash: SHA256
Some rules needs to be duplicated for v4 and v6, some don't. IMO the main
advantage of the single table approach is purely port-based rules (UDP
or TCP), but the default firewall doesn't have many of them. They may be
relevant for custom-input chain (but not always - sometimes you might
want to use IP address in those too), and rarely for custom-forward.
In any case, changing it now is not an option. It would mean changing
the API for custom rules, which was a huge pain for users migrating to
R4.2, and we are not going to do that _again_ now.
- --
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
-----BEGIN PGP SIGNATURE-----
iQEzBAEBCAAdFiEEhrpukzGPukRmQqkK24/THMrX1ywFAmYBY80ACgkQ24/THMrX
1yzebgf/dkFXbsl7FYfgeqPEJTZ/HMPWieXum7vI06FpuLlHncPMhbJ833prtAvK
CIZF/iEEOsngyiGT0VaH45NO3H4QBDftikwDQ3eB91+qJ792zcmaiuOj9LYStka4
XdsMhCbZsH8PeVfU36z7DGlZZ0lay1dAgqH4lVYu+LAA55mNFB6CqHLKq/APnrk9
Iopuz8m7AA8yEQ4lrAvYtFY3OpKQpKv0VZhDTtrILj0io7JdTzWNAbD0EFJmr7po
YW3j+kuRCTEUK0c4wD00mU5ZAytEdjgZuKQSTnfbEbrzOxSOvY+6E5a4B+SnqA0D
BciowS1par9BQDTZUsKnYPUIa0qySg==
=CtoI
-----END PGP SIGNATURE-----
qubist
Mar 25, 2024, 8:34:38 AMMar 25
to qubes...@googlegroups.com
On Mon, 25 Mar 2024 12:45:17 +0100 Marek Marczykowski-Górecki wrote:
> IMO the main advantage of the single table approach is purely
> port-based rules (UDP or TCP), but the default firewall doesn't have
> many of them. They may be relevant for custom-input chain (but not
> always - sometimes you might want to use IP address in those too),
> and rarely for custom-forward.
What do you mean? Using an IP address is possible in inet table too.
> IMO the main advantage of the single table approach is purely
> port-based rules (UDP or TCP), but the default firewall doesn't have
> many of them. They may be relevant for custom-input chain (but not
> always - sometimes you might want to use IP address in those too),
> and rarely for custom-forward.
Marek Marczykowski-Górecki
Mar 25, 2024, 8:48:15 AMMar 25
to qubist, qubes...@googlegroups.com
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Hash: SHA256
benefit of combined table is minimal.
- --
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
-----BEGIN PGP SIGNATURE-----
1ywrjAf/Uc7SvayVEarHjEKQ9bZDqCPp0+5bOYDFVhSgvLYzVjchku/teYehAtVJ
Pe1LMrdeawIDUk2va3VCldS5zpjEoABDG68a2e4AR3QSFbw3pT4QlpH/0FiTOD1j
aDjs2INgChAFi0hinw7oDt2H89IFc0ZQcFZhYhYR/3R8oZEJDoMAhazP4cAZnkI+
gaHCuptr0BP8nNVRsj6pjPLm779PD2821uF/jIKZIW+hTuG5xvmIQ9/d0XPvC6th
APbkUUzFOeII+D0sHO7F6/SlrBxMV6iqdoUwOG7sWKGUTW5FdgA92/OOOl6vGj8C
xllZmVSwKkMedB41HnMkS5eLHiB+IA==
=LcEW
-----END PGP SIGNATURE-----
Reply all
Reply to author
Forward
0 new messages