barto
July 8, 2024, 3:24pm
I have a question which has bothered me for some time, and I really tried to find the answer by reading the documentation and cloning some git repos (at least for qubes-core and qubes-admin).
The question is: where are the (nft) interface groups defined? For example, group 9 seems to be “VPN interfaces”, and group 2 is used in rules like:
```
chain prerouting {
    type filter hook prerouting priority raw; policy accept;
    iifgroup 2 goto antispoof
    ip saddr @downstream counter packets 0 bytes 0 drop
}
```
I looked initially in /etc/iproute2/groups in sys-firewall, but there’s only the default group (0) there.
Note that the @downstream set is clearly defined on sys-firewall.
```sh
        fi
        nft "$nftables_cmd element $ipt qubes allowed { \"$vif\" . $addr }
$nftables_cmd element $ipt qubes downstream { $addr }"
    done
    # if no IPv6 is assigned, IPv6 traffic on the interface is
    # implicitly considered spoofed as there is no entry in the
    # "allowed" map
fi
if [ "$command" = "online" ]; then
    # this is where the backend vif is placed in interface group 2
    ip link set dev "${vif}" group 2 up
fi
if [ "${ip}" ]; then
    # If we've been given a list of IP addresses, then add routes from dom0 to
    # the guest using those addresses.
    for addr in ${ip};
    do
        if [[ "$addr" = *:* ]] && [[ "$ipv6_disabled" != '0' ]]; then
            log error "Cannot set IPv6 route to ${addr}, IPv6 disabled in the kernel"
            continue
```
I think it was an arbitrary choice by @1choice here:
tasket:master ← 1cho1ce:replace-iptables-with-nftables
opened 07:01PM - 25 May 23 UTC
Qubes dropped iptables support and replaced it with nftables:
https://github.com/QubesOS/qubes-core-agent-linux/commit/28b95535c7cbd15543c804e822c0e4c997f5966e
This pull request replaces iptables with nftables.
Removed `allow established input` rules from `proxy-firewall-restrict` since they are already present in nft tables ip/ip6 qubes.
TODO: Need to think of a better way to check in `--check-firewall` in `qubes-vpn-setup` script if the forward drop rules are present (or `proxy-firewall-restrict` script finished successfully).
And you can use any other unused group number instead of 9.
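As an added example (not from the thread or from the Qubes scripts), a small Python audit that answers the original question on a live system: the group is a per-link attribute set with `ip link set ... group N` and shown by `ip -j link show`, not an entry in a config file, so the script maps every `iifgroup`/`oifgroup` match in `nft -j list ruleset` to the interfaces currently in that group. The `ip link` and `nft` JSON below is constructed to mirror the shapes those two tools print; on a real firewall qube you would feed it `subprocess` output instead.

```python
import json

# Constructed sample of `ip -j link show`: vif2.0 was placed in group 2 by
# vif-route-qubes (see the excerpt above); eth0 stays in the default group (0).
IP_LINK_JSON = """[
 {"ifindex": 2, "ifname": "eth0", "flags": ["UP"], "group": "default"},
 {"ifindex": 7, "ifname": "vif2.0", "flags": ["UP"], "group": "2"}
]"""

# Constructed sample of `nft -j list ruleset`, reduced to two rules: the quoted
# prerouting rule (iifgroup 2) and a forward rule matching the VPN group 9.
NFT_JSON = """{"nftables": [
 {"rule": {"family": "ip", "table": "qubes", "chain": "prerouting", "handle": 5,
   "expr": [{"match": {"op": "==", "left": {"meta": {"key": "iifgroup"}}, "right": 2}},
            {"goto": {"target": "antispoof"}}]}},
 {"rule": {"family": "ip", "table": "qubes", "chain": "forward", "handle": 9,
   "expr": [{"match": {"op": "==", "left": {"meta": {"key": "oifgroup"}}, "right": 9}},
            {"accept": null}]}}
]}"""

def interfaces_by_group(ip_link_json):
    """Map group number -> interface names. iproute2 prints the group as a string:
    a name from /etc/iproute2/group when one exists ("default" is 0), else the number."""
    groups = {}
    for link in json.loads(ip_link_json):
        g = link.get("group", "default")
        groups.setdefault(0 if g == "default" else int(g), []).append(link["ifname"])
    return groups

def groups_referenced(nft_json):
    """Every (family, table, chain, key, group) where a rule matches iifgroup/oifgroup."""
    refs = set()
    for obj in json.loads(nft_json)["nftables"]:
        rule = obj.get("rule")
        for expr in (rule["expr"] if rule else []):
            m = expr.get("match")
            key = m["left"].get("meta", {}).get("key") if m else None
            if key in ("iifgroup", "oifgroup") and isinstance(m["right"], int):
                refs.add((rule["family"], rule["table"], rule["chain"], key, m["right"]))
    return refs

def audit(ip_link_json, nft_json):
    """Per referenced group, the interfaces currently in it; an empty list means the
    rule matches nothing right now (e.g. group 9 before a VPN interface is up)."""
    members = interfaces_by_group(ip_link_json)
    return {ref: sorted(members.get(ref[4], [])) for ref in groups_referenced(nft_json)}

if __name__ == "__main__":
    for (fam, tbl, chain, key, grp), ifs in sorted(audit(IP_LINK_JSON, NFT_JSON).items()):
        print(f"{fam} {tbl} {chain}: {key} {grp} -> {ifs or 'no interfaces in group'}")
```

A group that a rule references but that has no member interface is the case to look at: the rule is silently a no-op until something runs `ip link set ... group N` for it.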