Update networking page to make it clear that the ipv6 feature only affects qubes-configured networking

Merge branch 'pr-1433'

developer/building/development-workflow.md

@@ -12,42 +12,41 @@ title: Development workflow
 
 A workflow for developing Qubes OS+
 
-First things first, setup [QubesBuilder](/doc/qubes-builder/). This guide
-assumes you're using qubes-builder to build Qubes.
+To begin, setup [QubesBuilder](/doc/qubes-builder-v2/). This guide
+assumes you're using qubes-builder v2 to build Qubes.
 
 ## Repositories and committing Code
 
-Qubes is split into a bunch of git repos. These are all contained in the
-`qubes-src` directory under qubes-builder. Subdirectories there are separate
-components, stored in separate git repositories.
+Qubes source code is split into many git repos. These are all contained in the
+`artifacts/sources` directory under qubes-builder. Subdirectories there are
+separate components, stored in separate git repositories.
 
 The best way to write and contribute code is to create a git repo somewhere
-(e.g., github) for the repo you are interested in editing (e.g.,
+(e.g., GitHub) for the repo you are interested in editing (e.g.,
 `qubes-manager`, `core-agent-linux`, etc). To integrate your repo with the rest
 of Qubes, cd to the repo directory and add your repository as a remote in git
 
 **Example:**
 
 ~~~
-$ cd qubes-builder/qubes-src/qubes-manager
-$ git remote add abel git@github.com:abeluck/qubes-manager.git
+$ cd qubes-builder/artifacts/sources/qubes-manager
+$ git remote add abel git@GitHub.com:abeluck/qubes-manager.git
 ~~~
 
 You can then proceed to easily develop in your own branches, pull in new
-commits from the dev branches, merge them, and eventually push to your own repo
-on github.
+commits from the dev branches, merge them, and eventually push to your own repo.
 
 When you are ready to submit your changes to Qubes to be merged, push your
 changes, then create a signed git tag (using `git tag -s`). Finally, send a
-letter to the Qubes listserv describing the changes and including the link to
-your repository. You can also create pull request on github. Don't forget to
-include your public PGP key you use to sign your tags.
+letter to the Qubes listserv describing the changes, and including a link to
+your repository. If you are using GitHub you can instead create a pull request.
+Don't forget to include the public PGP key you use to sign your tags.
 
 ### Kernel-specific notes
 
 #### Prepare fresh version of kernel sources, with Qubes-specific patches applied
 
-In qubes-builder/qubes-src/linux-kernel:
+In qubes-builder/artifacts/sources/linux-kernel:
 
 ~~~
 make prep
@@ -66,7 +65,7 @@ drwxr-xr-x  6 user user 4096 Nov 21 20:48 kernel-3.4.18/linux-obj
 
 #### Go to the kernel tree and update the version
 
-In qubes-builder/qubes-src/linux-kernel:
+In qubes-builder/artifacts/sources/linux-kernel:
 
 ~~~
 cd kernel-3.4.18/linux-3.4.18
@@ -117,9 +116,7 @@ vi series.conf
 
 #### Building RPMs
 
-TODO: Is this step generic for all subsystems?
-
-Now it is a good moment to make sure you have changed kernel release name in
+Now is a good moment to make sure you have changed the kernel release name in
 rel file. For example, if you change it to '1debug201211116c' the
 resulting RPMs will be named
 'kernel-3.4.18-1debug20121116c.pvops.qubes.x86\_64.rpm'. This will help
@@ -131,34 +128,23 @@ your changes locally.
 To actually build RPMs, in qubes-builder:
 
 ~~~
-make linux-kernel
+./qb -c linux-kernel package fetch prep build
 ~~~
 
-RPMs will appear in qubes-src/linux-kernel/pkgs/fc20/x86\_64:
+RPMs will appear in
+`artifacts/repository/destination_name/package_name`
+(for example `artifacts/repository/host-fc37/linux-kernel-6.6.31-1.1/`
 
-~~~
--rw-rw-r-- 1 user user 42996126 Nov 17 04:08 kernel-3.4.18-1debug20121116c.pvops.qubes.x86_64.rpm
--rw-rw-r-- 1 user user 43001450 Nov 17 05:36 kernel-3.4.18-1debug20121117a.pvops.qubes.x86_64.rpm
--rw-rw-r-- 1 user user  8940138 Nov 17 04:08 kernel-devel-3.4.18-1debug20121116c.pvops.qubes.x86_64.rpm
--rw-rw-r-- 1 user user  8937818 Nov 17 05:36 kernel-devel-3.4.18-1debug20121117a.pvops.qubes.x86_64.rpm
--rw-rw-r-- 1 user user 54490741 Nov 17 04:08 kernel-qubes-vm-3.4.18-1debug20121116c.pvops.qubes.x86_64.rpm
--rw-rw-r-- 1 user user 54502117 Nov 17 05:37 kernel-qubes-vm-3.4.18-1debug20121117a.pvops.qubes.x86_64.rpm
-~~~
+### Useful [QubesBuilder](/doc/qubes-builder-v2/) commands
 
-### Useful [QubesBuilder](/doc/qubes-builder/) commands
-
-1. `make check` - will check if all the code was committed into repository and
-if all repository are tagged with signed tag.
-2. `make show-vtags` - show version of each component (based on git tags) -
-mostly useful just before building ISO. **Note:** this will not show version
-for components containing changes since last version tag.
-3. `make push` - push change from **all** repositories to git server. You must
-set proper remotes (see above) for all repositories first.
-4. `make prepare-merge` - fetch changes from remote repositories (can be
-specified on commandline via GIT\_SUBDIR or GIT\_REMOTE vars), (optionally)
-verify tags and show the changes. This do not merge the changes - there are
-left for review as FETCH\_HEAD ref. You can merge them using `git merge
-FETCH_HEAD` (in each repo directory). Or `make do-merge` to merge all of them.
+1. `./qb package diff` - show uncommitted changes
+2. ` ./qb repository check-release-status-for-component` and
+`./qb repository check-release-status-for-template`- show version of each
+   component/template (based on git tags)
+3. `./qb package sign` -  sign built packages
+4. `./qb package publish` and `./qb package upload` - publish signed packages
+   and upload published
+   repository
 
 ## Copying Code to dom0
 
@@ -297,12 +283,12 @@ if [ "$1" = "tb" ]; then
     exit $?
 fi
 
-git remote add $1 git@github.com:$1/qubes-`basename $PWD`
+git remote add $1 git@GitHub.com:$1/qubes-`basename $PWD`
 ~~~
 
 It should be executed from component top level directory. This script takes one
 argument - remote name. If it is `tb`, then it creates qrexec-based git remote
-to `testbuilder` VM. Otherwise it creates remote pointing at github account of
+to `testbuilder` VM. Otherwise it creates remote pointing at GitHub account of
 the same name. In any case it points at repository matching current directory
 name.
 
@@ -321,7 +307,7 @@ current and current-testing).
 
 ### RPM packages - yum repo
 
-In source VM, grab [linux-yum](https://github.com/QubesOS/qubes-linux-yum) repository (below is assumed you've made it in
+In source VM, grab [linux-yum](https://GitHub.com/QubesOS/qubes-linux-yum) repository (below is assumed you've made it in
 `~/repo-yum-upload` directory) and replace `update_repo.sh` script with:
 
 ~~~
@@ -337,7 +323,7 @@ find -type f -name '*.rpm' -delete
 qrexec-client-vm $VMNAME local.UpdateYum
 ~~~
 
-In target VM, setup actual yum repository (also based on [linux-yum](https://github.com/QubesOS/qubes-linux-yum), this time
+In target VM, setup actual yum repository (also based on [linux-yum](https://GitHub.com/QubesOS/qubes-linux-yum), this time
 without modifications). You will also need to setup some gpg key for signing
 packages (it is possible to force yum to install unsigned packages, but it
 isn't possible for `qubes-dom0-update` tool). Fill `~/.rpmmacros` with
@@ -417,7 +403,7 @@ Remember to also import gpg public key using `rpm --import`.
 
 Steps are mostly the same as in the case of yum repo. The only details that differ:
 
-- use [linux-deb](https://github.com/QubesOS/qubes-linux-deb) instead of [linux-yum](https://github.com/QubesOS/qubes-linux-yum) as a base - both in source and target VM
+- use [linux-deb](https://GitHub.com/QubesOS/qubes-linux-deb) instead of [linux-yum](https://GitHub.com/QubesOS/qubes-linux-yum) as a base - both in source and target VM
 - use different `update_repo.sh` script in source VM (below)
 - use `local.UpdateApt` qrexec service in target VM (code below)
 - in target VM additionally place `update-local-repo.sh` script in repository dir (code below)

developer/building/qubes-builder-v2.md

@@ -0,0 +1,162 @@
+---
+lang: en
+layout: doc
+permalink: /doc/qubes-builder-v2/
+redirect_from:
+- /en/doc/qubes-builder-v2/
+- /doc/QubesBuilder2/
+- /wiki/QubesBuilder2/
+ref: 311
+title: Qubes builder v2
+---
+
+This is a brief introduction to using Qubes Builder v2 to work with Qubes OS
+sources. It will walk you through installing and configuring Builder v2, and
+using it to fetch and build Qubes OS packages.
+
+For details and customization, use [Qubes OS v2 builder documentation](https://github.com/QubesOS/qubes-builderv2/).
+
+# Overview
+
+In the second generation of Qubes OS builder, container or disposable qube
+isolation is used to perform every stage of the build and release process.
+From fetching sources to building, everything is executed inside an isolated
+*cage* (either a disposable or a container) using an *executor*. For every
+command that needs to perform an action on sources, like cloning and
+verifying Git repos, rendering a SPEC file, generating SRPM or Debian
+source packages, a new cage is used. Only the signing, publishing, and
+uploading stages are executed locally outside a cage.
+
+
+# Setup
+
+This is a simple setup using a docker executor. This is a good default choice;
+if you don't know which executor to use, use docker.
+
+1. First, decide what qube you are going to use when working with Qubes
+   Builder v2. It can be an AppVM or a Standalone qube, with some steps
+   different between the two.
+
+2. Installing dependencies
+
+   If you want to use an app qube for developing, install dependencies in the template.
+   If you are using a standalone, install them in the qube itself.
+    Dependencies are specified in `dependencies-*.
+   txt` files in the main builder directory, and you can install them easily
+   in the following ways:
+   1. for Fedora, use:
+    ```shell
+    $ sudo dnf install $(cat dependencies-fedora.txt)
+    $ test -f /usr/share/qubes/marker-vm && sudo dnf install qubes-gpg-split
+   ```
+   2. for Debian (note: some Debian packages require Debian version 13 or
+      later), use:
+    ```shell
+    $ sudo apt install $(cat dependencies-debian.txt)
+    $ test -f /usr/share/qubes/marker-vm && sudo apt install qubes-gpg-split
+   ```
+
+    If you have installed dependencies in the template, close it, and
+    (re)start the development qube.
+
+3. Clone the qubes-builder v2 repository into a location of your choice:
+    ```shell
+    git clone https://github.com/QubesOS/qubes-builderv2
+    cd qubes-builderv2/
+    ```
+
+4. If you haven't previously used docker in the current qube, you need to set up
+   some permissions. In particular, the user has to be added to the `docker`
+   group:
+    ```shell
+   $ sudo usermod -aG docker user
+    ```
+    Next, **restart the qube**.
+
+5. Finally, you need to generate a docker image:
+    ```shell
+   $ tools/generate-container-image.sh docker
+    ```
+
+   In an app qube, as `/var/lib/docker` is not persistent by default, you also
+   need to use [bind-dirs](/doc/bind-dirs/) to avoid repeating this step after reboot, adding
+   the following to the `/rw/config/qubes-bind-dirs.d/docker.conf` file in
+   this qube:
+
+   ```
+   binds+=( '/var/lib/docker' )
+   ```
+
+# Configuration
+
+To use Qubes OS Builder v2, you need to have a `builder.yml` configuration file.
+You can use one of the sample files from the `example-configs/` directory; for a
+more readable `builder.yml`, you can also include one of the files from that
+directory in your `builder.yml`. An example `builder.yml` is:
+
+```yaml
+# include configuration relevant for the current release
+include:
+- example-configs/qubes-os-r4.2.yml
+
+# which repository to use to fetch sources
+use-qubes-repo:
+  version: 4.2
+  testing: true
+
+# each package built will have local build number appended to package release
+# number. It makes it easier to update in testing environment
+increment-devel-versions: true
+
+# reduce output
+debug: false
+
+# this can be set to true if you do not want sources to be automatically
+# fetched from git
+skip-git-fetch: false
+
+# executor configuration
+executor:
+  type: docker
+  options:
+    image: "qubes-builder-fedora:latest"
+
+```
+
+
+# Using Builder v2
+
+To fetch sources - in this example, for the `core-admin-client` package, you
+can use the following command:
+
+```shell
+$ ./qb -c core-admin-client package fetch
+```
+
+This will fetch the sources for the listed package and place them in
+`artifacts/sources` directory.
+
+To build a package (from sources in the `artifacts/sources` directory), use:
+
+```shell
+$ ./qb -c core-admin-client package fetch prep build
+```
+
+or, if you want to build for a specific target (`host-fc37` is a `dom0`
+using Fedora 37, `vm-fc40` would be a qube using Fedora 40 etc.), use:
+
+```shell
+$ ./qb -c core-admin-client -d host-fc37 package fetch prep build
+```
+
+If you want to fetch the entire Qubes OS source use the following:
+
+```shell
+$ ./qb package fetch
+```
+
+**caution**: some repositories might have additional requirements. You can
+disable repositories that are not needed in the `example-configs/*.yml`
+file you are using by commenting them out. In particular, `python-fido2`,
+`lvm` and `windows`-related repositories have special requirements.
+

developer/debugging/automated-tests.md

@@ -132,7 +132,7 @@ Whereas integration tests are mostly stored in the [qubes-core-admin](https://gi
 To for example run the `qubes-core-admin` unit tests, you currently have to clone at least [qubes-core-admin](https://github.com/QubesOS/qubes-core-admin) and
 its dependency [qubes-core-qrexec](https://github.com/QubesOS/qubes-core-qrexec) repository in the branches that you want to test.
 
-The below example however will assume that you set up a build environment as described in the [Qubes Builder documentation](/doc/qubes-builder/).
+The below example however will assume that you set up a build environment as described in the [Qubes Builder documentation](/doc/qubes-builder-v2/).
 
 Assuming you cloned the `qubes-builder` repository to your home directory inside a fedora VM, you can use the following commands to run the unit tests:
 

developer/debugging/test-bench.md

@@ -205,9 +205,10 @@ pushd ${HOME}/builder >/dev/null
 
 # the following are needed only if you have sources outside builder
 #rm -rf qubes-src/core-admin
-#make COMPONENTS=core-admin get-sources
+#qb -c core-admin package fetch
 
-make core-admin
+qb -c core-admin -d host-fc41 prep build
+# update your dom0 fedora distribution as appropriate
 qtb-install qubes-src/core-admin/rpm/x86_64/qubes-core-dom0-*.rpm
 qtb-runtests
 ```

developer/general/gsoc.md

@@ -31,7 +31,7 @@ You should start learning the components that you plan on working on before the
 
 Coming up with an interesting idea that you can realistically achieve in the time available to you (one summer) is probably the most difficult part. We strongly recommend getting involved in advance of the beginning of GSoC, and we will look favorably on applications from prospective contributors who have already started to act like free and open source developers.
 
-Before the summer starts, there are some preparatory tasks which are highly encouraged. First, if you aren't already, definitely start using Qubes as your primary OS as soon as possible! Also, it is encouraged that you become familiar and comfortable with the Qubes development workflow sooner than later. A good way to do this (and also a great way to stand out as an awesome applicant and make us want to accept you!) might be to pick up some issues from [qubes-issues](https://github.com/QubesOS/qubes-issues/issues) (our issue-tracking repo) and submit some patches addressing them. Some suitable issues might be those with tags ["help wanted" and "P: minor"](https://github.com/QubesOS/qubes-issues/issues?q=is%3Aissue%20is%3Aopen%20label%3A%22P%3A%20minor%22%20label%3A%22help%20wanted%22) (although more significant things are also welcome, of course). Doing this will get you some practice with [qubes-builder](/doc/qubes-builder/), our code-signing policies, and some familiarity with our code base in general so you are ready to hit the ground running come summer.
+Before the summer starts, there are some preparatory tasks which are highly encouraged. First, if you aren't already, definitely start using Qubes as your primary OS as soon as possible! Also, it is encouraged that you become familiar and comfortable with the Qubes development workflow sooner than later. A good way to do this (and also a great way to stand out as an awesome applicant and make us want to accept you!) might be to pick up some issues from [qubes-issues](https://github.com/QubesOS/qubes-issues/issues) (our issue-tracking repo) and submit some patches addressing them. Some suitable issues might be those with tags ["help wanted" and "P: minor"](https://github.com/QubesOS/qubes-issues/issues?q=is%3Aissue%20is%3Aopen%20label%3A%22P%3A%20minor%22%20label%3A%22help%20wanted%22) (although more significant things are also welcome, of course). Doing this will get you some practice with [qubes-builder](/doc/qubes-builder-v2/), our code-signing policies, and some familiarity with our code base in general so you are ready to hit the ground running come summer.
 
 ### Contributor proposal guidelines
 
@@ -422,7 +422,7 @@ for more information and qubes-specific background.
 
 **Difficulty**: medium
 
-**Knowledge prerequisite**: qubes-builder [[1]](/doc/qubes-builder/) [[2]](/doc/qubes-builder-details/) [[3]](https://github.com/QubesOS/qubes-builder/tree/master/doc), and efficient at introspecting complex systems: comfortable with tracing and debugging tools, ability to quickly identify and locate issues within a large codebase (upstream build tools), etc.
+**Knowledge prerequisite**: qubes-builder [[1]](/doc/qubes-builder-v2/) [[2]](https://github.com/QubesOS/qubes-builderv2), and efficient at introspecting complex systems: comfortable with tracing and debugging tools, ability to quickly identify and locate issues within a large codebase (upstream build tools), etc.
 
 **Size of the project**: 350 hours
 

developer/system/networking.md

@@ -62,9 +62,12 @@ Such configuration can be expressed by enabling `ipv6` feature only on some subs
 
 ![ipv6-2](/attachment/doc/ipv6-2.png)
 
-Besides enabling IPv6 forwarding, standard Qubes firewall can be used to limit what network resources are available to each qube. Currently only `qvm-firewall` command support adding IPv6 rules, GUI firewall editor will have this ability later.
+Besides enabling IPv6 forwarding, the standard Qubes firewall can be used to limit what network resources are available to each qube. Currently only the `qvm-firewall` command supports adding IPv6 rules, the GUI firewall editor will have this ability later.
+
+**Note:** Setting or unsetting the `ipv6` feature only affects qubes-configured networking. It does not affect e.g. external interfaces. If you want to restrict IPv6 on these interfaces change the settings in Network Manager. Alternatively, disable IPv6 support using methods appropriate to the underlying template.
 
 ### Limitations
 
 Currently only IPv4 DNS servers are configured, regardless of `ipv6` feature state. It is done this way to avoid reconfiguring all connected qubes whenever IPv6 DNS becomes available or not. Configuring qubes to always use IPv6 DNS and only fallback to IPv4 may result in relatively long timeouts and poor usability.
 But note that DNS using IPv4 does not prevent to return IPv6 addresses. In practice this is only a problem for IPv6-only networks.
+

introduction/faq.md

@@ -678,7 +678,7 @@ Any rpm-based, 64-bit environment, the preferred OS being Fedora.
 
 ### How do I build Qubes from sources?
 
-See [these instructions](/doc/qubes-builder/).
+See [these instructions](/doc/qubes-builder-v2/).
 
 ### How do I submit a patch?
 

user/advanced-topics/config-files.md

@@ -18,7 +18,7 @@ That way, they can be used to customize a single VM instead of all VMs based on
 The scripts here all run as root.
 
 - `/rw/config/rc.local` - script runs at VM startup.
-    Good place to change some service settings, replace config files with its copy stored in `/rw/config`, etc.
+    Good place to change some service settings, replace config files with its copy stored in `/rw/config`, etc. The script need to have the executable permission set to be executed.
     Example usage:
 
     ~~~
@@ -32,6 +32,8 @@ The scripts here all run as root.
     echo '127.0.0.1 example.com' >> /etc/hosts
     ~~~
 
+- `/rw/config/rc.local.d/*.rc` - scripts run at VM startup just before `/rw/config/rc.local`
+- `/rw/config/rc.local-early.d/*.rc`, `/rw/config/rc.local-early` - scripts similar to `/rw/config/rc.local`, but running earlier in the system startup sequence - just before `sysinit.target`, and setting up the network.
 - `/rw/config/qubes-ip-change-hook` - script runs in NetVM after every external IP change and on "hardware" link status change.
 
 - In ProxyVMs (or app qubes with `qubes-firewall` service enabled), scripts placed in the following directories will be executed in the listed order followed by `qubes-firewall-user-script` at start up.

user/downloading-installing-upgrading/testing.md

@@ -17,7 +17,7 @@ How to test upcoming Qubes OS releases:
 
 - Test the latest release candidate (RC) on the [downloads](/downloads/) page, if one is currently available. (Or try an older RC from our [FTP server](https://ftp.qubes-os.org/iso/).)
 - Try the [signed weekly builds](https://qubes.notset.fr/iso/). ([Learn more](https://forum.qubes-os.org/t/16929) and [track their status](https://github.com/fepitre/updates-status-iso/issues).)
-- Use [qubes-builder](/doc/qubes-builder/) to build the latest release yourself.
+- Use [qubes-builder](/doc/qubes-builder-v2/) to build the latest release yourself.
 - (No support) Experiment with developer alpha ISOs found from time to time at [Qubes OpenQA](https://openqa.qubes-os.org/).
 
 Please make sure to [report any bugs you encounter](/doc/issue-tracking/).

user/security-in-qubes/firewall.md

@@ -269,7 +269,8 @@ As an example we can take the use case of qube QubeDest running a web server lis
 
 **1. Identify the IP addresses you will need to use for sys-net, sys-firewall and the destination qube.**
 
-You can get this information using various methods, but only the first one can be used for `sys-net` outside world IP:
+You can get this information using various methods.
+Only the first method can be used for `sys-net` to find the external IP:
 
 - by running this command in each qube: `ip -4 -br a | grep UP`
 - using `qvm-ls -n`
@@ -284,7 +285,12 @@ Note the IP addresses you will need, they will be required in the next steps.
 
 For the following example, we assume that the physical interface ens6 in sys-net is on the local network 192.168.x.y with the IP 192.168.x.n, and that the IP address of sys-firewall is 10.137.1.z.
 
-In the sys-net VM's Terminal, the first step is to define an ntables chain that will receive DNAT rules to relay the network traffic on a given port to the qube NetVM, we recommend to define a new chain for each destination qube to ease rules management:
+When writing rules in sys-net, you can use `iif` or `iifname`.
+`iif` is faster, but can change where interfaces are dynamically created and destroyed, eg. ppp0.
+In that case use `iifname`, like this `iifname ens6`.
+`iifname` can also match wildcards - `iifname "eth*"`
+
+In the sys-net VM's Terminal, the first step is to define an nftables chain that will receive DNAT rules to relay the network traffic on a given port to the qube NetVM, we recommend to define a new chain for each destination qube to ease rules management:
 
 ```
 nft add chain qubes custom-dnat-qubeDEST '{ type nat hook prerouting priority filter +1 ; policy accept; }'
@@ -292,25 +298,24 @@ nft add chain qubes custom-dnat-qubeDEST '{ type nat hook prerouting priority fi
 
 > Note: the name `custom-dnat-qubeDST` is arbitrary
 
-> Note: while we use a DNAT chain for a single qube, it's totally possible to have a single DNAT chain for multiple qubes
+> Note: while we use a DNAT chain for a single qube, it's possible to have a single DNAT chain for multiple qubes
 
 Second step, code a natting firewall rule to route traffic on the outside interface for the service to the sys-firewall VM
 
 ```
-nft add rule qubes custom-dnat-qubeDEST iif == "ens6" ip saddr 192.168.x.y/24 tcp dport 443 ct state new,established,related counter dnat 10.137.1.z
+nft add rule qubes custom-dnat-qubeDEST iifname ens6 ip saddr 192.168.x.y/24 tcp dport 443 ct state new,established,related counter dnat 10.137.1.z
 ```
 
 Third step, code the appropriate new filtering firewall rule to allow new connections for the service
 
 ```
-nft add rule qubes custom-forward iif == "ens6" ip saddr 192.168.x.y/24 ip daddr 10.137.1.z tcp dport 443 ct state new,established,related counter accept
+nft add rule qubes custom-forward iifname ens6 ip saddr 192.168.x.y/24 ip daddr 10.137.1.z tcp dport 443 ct state new,established,related counter accept
 ```
 
 > Note: If you do not wish to limit the IP addresses connecting to the service, remove `ip saddr 192.168.x.y/24` from the rules
+> If you want to expose the service on multiple interfaces, repeat steps 2 and 3 above, for each interface. Alternatively, you can leave out the interface completely.
 
-> If you want to expose the service on multiple interfaces, repeat the steps 2 and 3 described above, for each interface. Alternatively, you can leave out the interface completely.
-
-Verify the rules on sys-net firewall correctly match the packets you want by looking at its counters, check for the counter lines in the chains `custom-forward` and `custom-dnat-qubeDEST`:
+Verify the rules on the sys-net firewall correctly match the packets you want by looking at the counters: check for the counter lines in the chains `custom-forward` and `custom-dnat-qubeDEST`:
 
 ```
 nft list table ip qubes
@@ -320,12 +325,12 @@ In this example, we can see 7 packets in the forward rule, and 3 packets in the
 
 ```
 chain custom-forward {
-  iif "ens6" ip saddr 192.168.x.y/24 ip daddr 10.137.1.z tcp dport 443 ct state new,established,related counter packets 7 bytes 448 accept
+  iifname ens6 ip saddr 192.168.x.y/24 ip daddr 10.137.1.z tcp dport 443 ct state new,established,related counter packets 7 bytes 448 accept
 }
 
 chain custom-dnat-qubeDEST {
   type nat hook prerouting priority filter + 1; policy accept;
-  iif "ens6" ip saddr 192.168.x.y/24 tcp dport 443 ct state new,established,related counter packets 3 bytes 192 dnat to 10.138.33.59
+  iifname ens6 ip saddr 192.168.x.y/24 tcp dport 443 ct state new,established,related counter packets 3 bytes 192 dnat to 10.138.33.59
 }
 ```
 
@@ -351,18 +356,20 @@ Content of `/rw/config/qubes-firewall-user-script` in `sys-net`:
 if nft add chain qubes custom-dnat-qubeDEST '{ type nat hook prerouting priority filter +1 ; policy accept; }'
 then
   # create the dnat rule
-  nft add rule qubes custom-dnat-qubeDEST iif == "ens6" saddr 192.168.x.y/24 tcp dport 443 ct state new,established,related counter dnat 10.137.1.z
+  nft add rule qubes custom-dnat-qubeDEST iifname ens6 saddr 192.168.x.y/24 tcp dport 443 ct state new,established,related counter dnat 10.137.1.z
 
   # allow forwarded traffic
-  nft add rule qubes custom-forward iif == "ens6" ip saddr 192.168.x.y/24 ip daddr 10.137.1.z tcp dport 443 ct state new,established,related counter accept
+  nft add rule qubes custom-forward iifname ens6 ip saddr 192.168.x.y/24 ip daddr 10.137.1.z tcp dport 443 ct state new,established,related counter accept
 fi
 ~~~
 
 **3. Route packets from the FirewallVM to the VM**
 
-For the following example, we use the fact that the physical interface of sys-firewall, facing sys-net, is eth0. Furthermore, we assume that the target VM running the web server has the IP address 10.137.0.xx and that the IP address of sys-firewall is 10.137.1.z.
+For the following example, we use the fact that the interface of sys-firewall facing sys-net, is eth0.
+This is allocated to iifgroup 1.
+Furthermore, we assume that the IP address of sys-firewall is 10.137.1.z, and the target VM running the web server has the IP address 10.137.0.xx.
 
-In the sys-firewall VM's Terminal, add a DNAT chain that will contain routing rules:
+In the sys-firewall Terminal, add a DNAT chain that will contain routing rules:
 
 ```
 nft add chain qubes custom-dnat-qubeDEST '{ type nat hook prerouting priority filter +1 ; policy accept; }'
@@ -371,13 +378,13 @@ nft add chain qubes custom-dnat-qubeDEST '{ type nat hook prerouting priority fi
 Second step, code a natting firewall rule to route traffic on the outside interface for the service to the destination qube
 
 ```
-nft add rule qubes custom-dnat-qubeDEST iif == "eth0" ip saddr 192.168.x.y/24 tcp dport 443 ct state new,established,related counter dnat 10.137.0.xx
+nft add rule qubes custom-dnat-qubeDEST iifgroup 1 ip saddr 192.168.x.y/24 tcp dport 443 ct state new,established,related counter dnat 10.137.0.xx
 ```
 
 Third step, code the appropriate new filtering firewall rule to allow new connections for the service
 
 ```
-nft add rule qubes custom-forward iif == "eth0" ip saddr 192.168.x.y/24 ip daddr 10.137.0.xx tcp dport 443 ct state new,established,related counter accept
+nft add rule qubes custom-forward iifgroup 1 ip saddr 192.168.x.y/24 ip daddr 10.137.0.xx tcp dport 443 ct state new,established,related counter accept
 ```
 
 > Note: If you do not wish to limit the IP addresses connecting to the service, remove `ip saddr 192.168.x.y/24` from the rules
@@ -398,10 +405,10 @@ Content of `/rw/config/qubes-firewall-user-script` in `sys-firewall`:
 if nft add chain qubes custom-dnat-qubeDEST '{ type nat hook prerouting priority filter +1 ; policy accept; }'
 then
   # create the dnat rule
-  nft add rule qubes custom-dnat-qubeDEST iif == "eth0" tcp dport 443 ct state new,established,related counter dnat 10.137.0.xx
+  nft add rule qubes custom-dnat-qubeDEST iifgroup 1 tcp dport 443 ct state new,established,related counter dnat 10.137.0.xx
 
   # allow forwarded traffic
-  nft add rule qubes custom-forward iif == "eth0" ip saddr 192.168.x.y/24 ip daddr 10.137.0.xx tcp dport 443 ct state new,established,related counter accept
+  nft add rule qubes custom-forward iifgroup 1 ip saddr 192.168.x.y/24 ip daddr 10.137.0.xx tcp dport 443 ct state new,established,related counter accept
 fi
 ~~~
 

user/templates/templates.md

@@ -387,8 +387,9 @@ this context: the same as their template filesystem, of course.
 
 * Some templates are available in ready-to-use binary form, but some of them
   are available only as source code, which can be built using the [Qubes
-  Builder](/doc/qubes-builder/). In particular, some template "flavors" are
-  available in source code form only. For the technical details of the template
+  Builder](https://github.com/QubesOS/qubes-builderv2/). In particular, some
+  template "flavors" are  available in source code form only. For the
+  technical details of the template
   system, please see [Template Implementation](/doc/template-implementation/).
-  Take a look at the [Qubes Builder](/doc/qubes-builder/) documentation for
+  Take a look at the [Qubes Builder](/doc/qubes-builder-v2/) documentation for
   instructions on how to compile them.