Mullvad OpenVPN nftables

This tutorial shows how to configure Mullvad OpenVPN with Qubes using the Debian 12 template. In the “Add DNS hijacking rules” section they set up iptables that prevent any data from downstream Qubes going anywhere other than the tunnel. This does not work in Qubes 4.2, because of the switch to nftables. I tried translating the rules to nftables using iptables-translate, but that doesn’t work, because the tables coming out of the translation don’t exist.

I tried various tutorials to understand how nftables works, but I can’t grasp how it works. There also doesn’t seem to be much documentation on how nftables is set up in Qubes, yet.

Does anyone know how to write the iptables rules from the tutorial using nftables?

Not a direct answer to your question, only a Community Guide on the topic of the transtion from iptables to nftables:

You don’t say which documentaion you’ve reviewed, so may or not have seen it @okiyama, but if you haven’t I think one advantage of this one is that it was written with Qubes OS in mind.

Thanks, I saw that already, unfortunately, there are not many details collected there yet. The closest information I found related to VPNs is this: Replace iptables with nftables by 1cho1ce · Pull Request #71 · tasket/Qubes-vpn-support · GitHub
That seems to be very close to what I need to do, but it’s not entirely clear how it works. It uses interface groups, but they are not defined in /etc/group/iproute2 as they usually are. I assume Qubes defines these somehow when a new interface is created. It seems lo is 0, downstream is 1 and upstream is 2. But I couldn’t find out yet where exactly they get defined.

The groups are set in this file: