I recently noticed that the nftables counter value (forward chain) in sys-firewall is unusually low compared to the appvm (input + output) and sys-net (forward) under certain conditions.
(steps to reproduce)
1. create an output chain in the appvm. (sudo nft add chain ip qubes output '{ type filter hook output priority filter; policy accept; }')
2. insert a counter at the top of every chain in nftables in sys-firewall, sys-net and the appvm whose netvm is sys-firewall.
3. launch firefox in the appvm and wait about 10 seconds.
4. close firefox.
5. check the counter values in the 3 vms. (sudo nft list ruleset)
6. the input chain counter + output chain counter in the appvm is about the same value as the forward chain counter in sys-net.
7. the forward chain counter value in sys-firewall is about one-tenth to one-thirtieth of the sys-net forward chain counter, and it doesn't look like any other chains have a large counter value.
Instead of launching firefox, using ping 192.168.. -c 100 works fine, resulting in sys-firewall and sys-net having the same forward chain counter value.
The nftables log has a similar problem to the counter (very few logs in the forward chain in sys-firewall).
I also did tcpdump and the 3 vms had (almost) the same contents.
Why does this happen only in sys-firewall? In the above situation, where are packets going through in sys-firewall's nftables?
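As an added example (not part of the original post, and not Qubes' own tooling), here is a POSIX shell script that automates steps 2 and 5 of the reproduction: `insert_top_counters` puts a bare `counter` rule at the head of every chain in every table, and `chain_counters` / `chain_packets` parse `nft list ruleset` text (live or saved to a file) so the per-chain counts from the three VMs can be compared. It assumes `nft` is available in each VM and the usual `nft list ruleset` text layout; the table and chain names (`ip qubes`, `forward`, `input`, `output`) come from the post, while the sample ruleset and its numbers are constructed for offline testing.

```shell
#!/bin/sh
# Added example, not from the original post: script steps 2 and 5 of the
# reproduction. Table/chain names come from the post; SAMPLE_RULESET and its
# numbers are constructed so the parsing functions can be run without nft.

# Step 2: "nft insert rule" adds at the head of the chain, so the counter sees
# every packet entering the chain before any accept/drop rule runs.
# Run this in sys-firewall, sys-net and the appvm (needs root and nft).
insert_top_counters() {
    nft list tables | while read -r _ family table; do
        nft list table "$family" "$table" |
            awk '/^[[:space:]]*chain /{ print $2 }' |
            while read -r chain; do
                nft insert rule "$family" "$table" "$chain" counter
            done
    done
}

# Step 5: parse "nft list ruleset" text from stdin and print one line per chain:
#   family table chain packets bytes
# "none none" means the first rule of that chain is not a bare counter, i.e.
# the counter from step 2 is missing there.
chain_counters() {
    awk '
    /^table /                               { tbl = $2 " " $3; next }
    /^[[:space:]]*chain /                   { chain = $2; want = 1; next }
    /^[[:space:]]*}/                        { if (want) print tbl, chain, "none", "none"; want = 0; chain = ""; next }
    want && /^[[:space:]]*type /            { next }   # the "type ... hook ... policy" header line
    want && /^[[:space:]]*counter packets / { print tbl, chain, $3, $5; want = 0; next }
    want                                    { print tbl, chain, "none", "none"; want = 0 }
    '
}

# Packet count of the top-of-chain counter for one chain, e.g.
#   nft list ruleset | chain_packets ip qubes forward
chain_packets() {
    chain_counters | awk -v f="$1" -v t="$2" -v c="$3" \
        '$1 == f && $2 == t && $3 == c { print $4 }'
}

# Ratio of two counts, as in step 7 (e.g. sys-net forward / sys-firewall forward).
count_ratio() {
    awk -v a="$1" -v b="$2" 'BEGIN { if (b == 0) print "inf"; else printf "%.2f\n", a / b }'
}

# Constructed sample in the "nft list ruleset" text layout: two qubes chains
# carrying the step-2 counter, and a nat chain without one.
SAMPLE_RULESET=$(cat <<'EOF'
table ip qubes {
    chain forward {
        type filter hook forward priority filter; policy accept;
        counter packets 4321 bytes 5678901
        ct state established,related accept
    }
    chain input {
        type filter hook input priority filter; policy accept;
        counter packets 120 bytes 9000
    }
}
table ip nat {
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        masquerade
    }
}
EOF
)

# "sh script.sh --demo" prints the parsed sample; in a VM you would instead do
#   nft list ruleset > sys-firewall.txt   and   chain_counters < sys-firewall.txt
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_RULESET" | chain_counters
fi
```

Save the `nft list ruleset` output of each VM to a file right after closing firefox, then run `chain_packets ip qubes forward < sys-net.txt` and `chain_packets ip qubes forward < sys-firewall.txt` and feed both numbers to `count_ratio`; a chain reported as `none` shows where the step-2 counter did not land at the head of the chain.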