Closed marmarek closed 1 year ago
Can we just ditch xtables entirely in favor of nftables?
That is an option in R4.1 - I think all the distributions we care about there already have nftables. Do you want to do it for this script specifically?
But, I'd like one thing first: find a decent nft CLI cheatsheet and link it in https://www.qubes-os.org/doc/firewall/ (or write a short own version there). Its syntax and error reporting is IMHO very user unfriendly - some examples:
# nft list
Error: syntax error, unexpected newline
list
^
# nft list table
Error: syntax error, unexpected newline, expecting string
list table
^
it doesn't tell you what can/should be there. --help is useless there too. You need to open the lengthy manual and scroll to the relevant section.
That is an option in R4.1 - I think all the distributions we care about there already have nftables. Do you want to do it for this script specifically?
Perhaps. That is actually not the area where nftables would be the biggest win, though. I really want to use nftables netdev rules for anti-spoofing protection, as they should be faster and can provide better protection (like dropping all ARP traffic).
But, I'd like one thing first: find a decent nft CLI cheatsheet and link it in https://www.qubes-os.org/doc/firewall/ (or write a short own version there). Its syntax and error reporting is IMHO very user unfriendly - some examples:
# nft list
Error: syntax error, unexpected newline
list
^
# nft list table
Error: syntax error, unexpected newline, expecting string
list table
^
it doesn't tell you what can/should be there. --help is useless there too. You need to open the lengthy manual and scroll to the relevant section.
Looks like yacc-generated parser output, sadly.
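As an added illustration (not from the thread participants or the Qubes OS project) of both points above, the nft CLI forms that the parser errors were asking for and the kind of netdev ingress anti-spoofing table the previous comment describes: the table name, the device name, the address and the MAC below are constructed placeholders, not Qubes values.

```nft
# Constructed example ruleset; load it with "nft -f antispoof.nft".
# Related CLI forms the error messages above did not spell out:
#   nft -c -f antispoof.nft             syntax-check without loading
#   nft list ruleset                    everything currently loaded
#   nft list tables                     table families and names
#   nft list table netdev antispoof     one table (family + name required)
#   nft list chain netdev antispoof ingress_vif
#   nft delete table netdev antispoof

table netdev antispoof {
    # netdev-family chains hook a specific interface at ingress, before
    # the packet reaches the IP stack, so dropping here is cheap.
    chain ingress_vif {
        # "vif-placeholder" is a hypothetical device name (assumption).
        type filter hook ingress device "vif-placeholder" priority -500; policy accept;

        # Drop ARP entirely on this link, as suggested in the comment above.
        ether type arp counter drop

        # Accept only the single MAC / IPv4 source the link is supposed
        # to carry; both values are constructed placeholders.
        ether saddr != 00:16:3e:00:00:01 counter drop
        ip saddr != 10.137.0.2 counter drop

        # Anything else this device was not assigned is dropped too.
        ip6 saddr != fe80::1 counter drop
    }
}
```

The counters make `nft list table netdev antispoof` show how many frames each rule dropped, which is the quickest way to confirm that a mis-typed device name or address is not silently matching nothing.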
This issue is being closed because:
If anyone believes that this issue should be reopened and reassigned to an active milestone, please leave a brief comment. (For example, if a bug still affects Qubes OS 4.1, then the comment "Affects 4.1" will suffice.)
Observation
openQA test in scenario qubesos-4.1-pull-requests-x86_64-system_tests_network@64bit fails in VmNetworking_fedora-33
Test suite description
Reproducible
Fails since (at least) Build 2021050903-4.1
Expected result
Last good: 2021042904-4.1 (or more recent)
Further details
Always latest result in this scenario: latest