Switch to nftables #407
Codecov Report
@@ Coverage Diff @@
## main #407 +/- ##
==========================================
- Coverage 74.47% 71.03% -3.45%
==========================================
Files 3 3
Lines 615 466 -149
==========================================
- Hits 458 331 -127
+ Misses 157 135 -22
OpenQA test summary
Complete test suite and dependencies: https://openqa.qubes-os.org/tests/overview?distri=qubesos&version=4.2&build=2023050602-4.2&flavor=pull-requests
New failures, excluding unstable
Compared to: https://openqa.qubes-os.org/tests/overview?distri=qubesos&version=4.2&build=2023021823-4.2&flavor=update
Failed tests: 31 failures
Fixed failures
Compared to: https://openqa.qubes-os.org/tests/60652#dependencies
8 fixed
Unstable tests
My guess is https://github.com/QubesOS/qubes-core-agent-linux/blob/71d2fb884451eea25411c7e589c02f9eff02adc3/network/qubes-setup-dnat-to-ns called from setup-ip
Please drop the selinux change, there is an alternative: #417
Besides the Whonix compat issue, the "fake IP" still fails:
No functional change intended.
Should this be part of this or a separate PR?
Fixed.
Yes, this one, otherwise this PR regresses Whonix support.
No network traffic is passed through,
First issue is that
nftables is the modern replacement for iptables. It has more features and is actively maintained. iptables is deprecated and may be removed from distributions in the future.

Instead of a 1-to-1 translation, update the code to use nftables features such as sets and maps. This makes anti-spoofing checks either O(1) or O(log N) (depending on how sets and maps are implemented) in the number of downstream network interfaces. The masquerading path benefits even more, as it now uses netdev rules to directly forward a packet to a specific destination while statelessly changing its addresses.

This also removes the legacy iptables support from the firewall daemon. Since the anti-spoofing rules require nftables, supporting iptables in the firewall daemon makes no sense anymore.

Furthermore, software flow offload allows NATd traffic to bypass all layer 3 processing. This is implemented using flowtables, which use the ingress hook and therefore come before the prerouting hook.

DNS is now handled entirely in Python, rather than by a combination of Python and Bash scripts. This allows much better error checking and makes the code actually possible to understand. It will also be much more extensible in the future. As just one example, this Python code could be used by the firewall daemon to automatically update DNS in response to systemd-resolved events.

Instead of using network interface names, the nftables rules use interface groups. This should speed up processing (though no benchmarks have been done) and avoids problems if interface names change in the future. The only exception is the prerouting hooks, which use interface names to ensure that interface ID reuse does not cause problems.

The new anti-spoofing rules are deny-by-default. If there is no entry in the "allowed" nftables map for a given IP protocol, all traffic with that protocol will be considered spoofed and dropped. This avoids having to explicitly disable IPv6 on interfaces with no IPv6 addresses.
Previously, neighbor discovery used ARP or NDP, both of which have nonzero attack surface. Additionally, the strict anti-spoofing rules used by Qubes OS tend to break NDP, causing IPv6 traffic to be unreliable. This solves the second problem by adding permanent entries to Linux's neighbor cache. Since the peer MAC address is already known, it is not necessary to use ARP or NDP to discover it. This allows NDP to be blocked outright if it has not been blocked already.
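As an added illustration (not code from this PR or from qubes-core-agent-linux), a Python sketch of the two ideas in the commit messages above: per-protocol "allowed" sets keyed by interface name plus source address with a deny-by-default drop, and permanent neighbour-cache entries that make ARP/NDP unnecessary. Set and table names, the downstream interface group number, and all addresses and MACs are constructed assumptions.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample: downstream vifs and the source address(es) each may use.
DOWNSTREAM = {"vif2.0": ["10.137.0.5", "fd09:24ef:4179::a89:5"], "vif3.0": ["10.137.0.7"]}
DOWNSTREAM_GROUP = 2  # hypothetical interface group assigned to downstream vifs


def build_ruleset(downstream: Dict[str, List[str]]) -> str:
    """Emit an nftables ruleset: one set per IP protocol, deny-by-default.

    Only packets from the downstream interface group are checked; an address
    family with no entries (e.g. no IPv6 set elements) is dropped entirely,
    so IPv6 need not be disabled per interface.
    """
    v4, v6 = [], []
    for ifname, addrs in downstream.items():
        for addr in addrs:
            ip = ipaddress.ip_address(addr)
            (v4 if ip.version == 4 else v6).append(f'"{ifname}" . {ip}')

    def elems(items: List[str]) -> str:
        return f"elements = {{ {', '.join(items)} }}" if items else ""

    return (
        "table inet qubes_antispoof {\n"
        f"    set allowed_v4 {{ type ifname . ipv4_addr; {elems(v4)} }}\n"
        f"    set allowed_v6 {{ type ifname . ipv6_addr; {elems(v6)} }}\n"
        "    chain antispoof {\n"
        "        type filter hook prerouting priority raw; policy accept;\n"
        f"        iifgroup != {DOWNSTREAM_GROUP} return\n"
        "        iifname . ip saddr @allowed_v4 accept\n"
        "        iifname . ip6 saddr @allowed_v6 accept\n"
        "        counter drop\n"
        "    }\n}\n"
    )


def packet_verdict(downstream: Dict[str, List[str]], iifname: str, iifgroup: int, saddr: str) -> str:
    """Model the chain above for one packet: 'drop' unless explicitly allowed."""
    if iifgroup != DOWNSTREAM_GROUP:
        return "accept"  # not a downstream interface: the chain returns
    ip = ipaddress.ip_address(saddr)
    if any(ipaddress.ip_address(a) == ip for a in downstream.get(iifname, [])):
        return "accept"
    return "drop"  # unknown interface, address or address family: treated as spoofed


def neigh_commands(entries: List[Tuple[str, str, str]]) -> List[str]:
    """iproute2 commands adding permanent neighbour entries (ip, mac, dev)."""
    return [f"ip neigh replace {ip} lladdr {mac} dev {dev} nud permanent" for ip, mac, dev in entries]
```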
Tiny speedup; otherwise no functional change.
This looks like a legitimate failure, happens for both debian and fedora. The test starts the VM with netvm attached, detaches it and then attaches it again. I'm not sure what specifically failed there, but logs say
This is actually a race condition in the test. I can reproduce this with normal
QubesOS/qubes-core-admin#533 fixes the testsuite race |
Not ideal but OK with me.
For porting Whonix to nft there's Whonix ticket Consider nftables / Berkeley Packet Filter (BPF) as a replacement for iptables. But not easy at all. Critical task. Could use help with this one.
Also sounds good.
Whonix 17 development (port to Debian bookworm) will start after Debian bookworm release.
While there are still a few network-related issues (QubesOS/qubes-issues#8178, QubesOS/qubes-issues#8169, QubesOS/qubes-core-admin#533), there doesn't seem to be any remaining issue in the changes introduced here. Let's handle the remaining issues in follow-up PR(s).
/var/run/$1 $3 gen_context(system_u:object_r:$2_t,s0) | ||
/run/$1 $3 gen_context(system_u:object_r:$2_t,s0) | ||
')dnl | ||
slash_run(`xen(/.*)?',`xend_var_run') |
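Review bot: the `slash_run` macro emits a file context for both `/var/run/$1` and `/run/$1`, and this SELinux policy change has no connection to the nftables switch the PR title and commit message describe; per the review comments it should either be split out (the alternative in #417 was suggested) or at least be explained in the commit message, including why both path spellings are needed.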
This should be noted in the commit message (was it separate commit in an earlier version?).
Qubes OS 4.2 does that switch. Do the same. The code remains compatible with Qubes OS 4.1 for now and wasn't tested on 4.2 yet. QubesOS/qubes-core-agent-linux#407
Draft as packaging has not been updated.
Fixes: QubesOS/qubes-issues#5031
Fixes: QubesOS/qubes-issues#6062