<html>
<head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<title>Re: GSoC Port Forwarding</title>
<style>div.headerdisplayname {font-weight:bold;}
</style></head>
<body>
<table border=0 cellspacing=0 cellpadding=0 width="100%" class="header-part1"><tr><td><div class="headerdisplayname" style="display:inline;">Subject: </div>Re: GSoC Port Forwarding</td></tr><tr><td><div class="headerdisplayname" style="display:inline;">From: </div>Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com></td></tr><tr><td><div class="headerdisplayname" style="display:inline;">Date: </div>29/06/2021, 03:31</td></tr></table><table border=0 cellspacing=0 cellpadding=0 width="100%" class="header-part2"><tr><td><div class="headerdisplayname" style="display:inline;">To: </div>Giulio <giulio@gmx.com></td></tr><tr><td><div class="headerdisplayname" style="display:inline;">CC: </div>Frédéric Pierret <frederic.pierret@qubes-os.org></td></tr></table><br>
<div class="moz-text-plain" wrap=true graphical-quote=true style="font-family: -moz-fixed; font-size: 14px;" lang="x-unicode"><pre wrap class="moz-quote-pre">
On Mon, Jun 28, 2021 at 10:46:59PM +0200, Giulio wrote:
</pre><blockquote type=cite style="color: #007cff;"><pre wrap class="moz-quote-pre">
<span class="moz-txt-citetags">> </span>On 6/23/21 11:11 PM, Marek Marczykowski-Górecki wrote:
</pre><blockquote type=cite style="color: #007cff;"><pre wrap class="moz-quote-pre">
<span class="moz-txt-citetags">> > </span>On Wed, Jun 23, 2021 at 04:37:20PM +0200, Giulio wrote:
</pre><blockquote type=cite style="color: #007cff;"><pre wrap class="moz-quote-pre">
<span class="moz-txt-citetags">> > > </span>Hello,
<span class="moz-txt-citetags">> > > </span>thank you again for your time and the explanations, as well as the
<span class="moz-txt-citetags">> > > </span>network graph. I have now a better understanding of the overall design
<span class="moz-txt-citetags">> > > </span>and I am moving myself through the source code in order to think what to
<span class="moz-txt-citetags">> > > </span>place where.
<span class="moz-txt-citetags">> > > </span>
<span class="moz-txt-citetags">> > > </span>So, in order to translate what we discussed in practice and also check
<span class="moz-txt-citetags">> > > </span>my understanding of the code so far:
<span class="moz-txt-citetags">> > > </span>
<span class="moz-txt-citetags">> > > </span>1) In core-admin-client/qubesadmin/firewall.py -> The code
<span class="moz-txt-citetags">> > > </span>needs to support the new options for the rule (action=forward
<span class="moz-txt-citetags">> > > </span>forwardtype=<internal/external> srcports=443-443 srchosts=0.0.0.0/0
<span class="moz-txt-citetags">> > > </span>2) In core-admin/qubes/firewall.py -> The code needs to support the same
<span class="moz-txt-citetags">> > > </span>options as the point above
<span class="moz-txt-citetags">> > > </span>3) In core-admin/qubes/vm/mix/net.py -> The most important logic goes
<span class="moz-txt-citetags">> > > </span>here. Here there is the need to resolve the full network chain for
<span class="moz-txt-citetags">> > > </span>external port forwarding. From here it is possible to add the respective
<span class="moz-txt-citetags">> > > </span>rules to the QubesDB of each netvm in the chain and trigger a reload event.
<span class="moz-txt-citetags">> > > </span>4) In core-agent-linux/qubesagent/firewall.py -> Here goes the logic for
<span class="moz-txt-citetags">> > > </span>building the correct syntax for iptables or nft and the actual execution
<span class="moz-txt-citetags">> > > </span>
<span class="moz-txt-citetags">> > > </span>Does it make sense to you?
</pre></blockquote><pre wrap class="moz-quote-pre">
<span class="moz-txt-citetags">> > </span>
<span class="moz-txt-citetags">> > </span>Yes, I think you got this perfectly correct.
<span class="moz-txt-citetags">> > </span>
</pre></blockquote><pre wrap class="moz-quote-pre">
<span class="moz-txt-citetags">> </span>
<span class="moz-txt-citetags">> </span>I am at a good stage with 1 and 2. In 3, I am still thinking about some
<span class="moz-txt-citetags">> </span>design choices. I have written the function to resolve the network
<span class="moz-txt-citetags">> </span>'path', however I am trying to figure out which one is the most
<span class="moz-txt-citetags">> </span>appropriate way of inserting the forward rule(s) in each vm in the
<span class="moz-txt-citetags">> </span>chain. I feel like no parsing of the rules should be done in net.py
<span class="moz-txt-citetags">> </span>since it would be out of place and not fit well within the rest of the
<span class="moz-txt-citetags">> </span>code. Thus the rules should be provided to net.py already separated and
<span class="moz-txt-citetags">> </span>sorted in some way. My idea as of now is to add a 'qdb_forward_entries'
<span class="moz-txt-citetags">> </span>function, returning a dict of lists for 'internal' and 'external' rules
<span class="moz-txt-citetags">> </span>in firewall.py. It would then be trivial to process the information in
<span class="moz-txt-citetags">> </span>net.py. What do you think about that?
</pre></blockquote><pre wrap class="moz-quote-pre">

Yes, preparing rules in firewall.py sounds like a good idea. A new
function is a good idea too. But note that for 'external' rules you need
to apply them at several places (sys-net, sys-firewall etc). They won't
necessarily be the same.
I'd recommend getting an example, and writing down all the rules that
should be applied, in all related VMs (specific iptables/nft commands).
You have mostly done this part already.
This part you can also test manually - really add those rules
manually and check if everything works as it should. This way you ensure
the rule set is sufficient.

Then, write down QubesDB entries that describe them - carefully matching
which information in the rule is built from which information in the qdb
entry.
With that information, you know what qdb entries you need to produce for
each VM, and it should be easier to design this extra function/functions -
especially, you'll see what input data such a function needs and how many
different rules it needs to return.

<div class="moz-txt-sig">--
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
</div></pre></div></body>
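<div class="moz-text-plain"><pre wrap class="moz-quote-pre">
The exercise Marek describes above, carried through as an added example (this is not code from the message, nor from Qubes OS): resolve the netvm chain for a target qube, decide what each hop must do for one forward rule, describe that as per-VM entries shaped like what an agent could read from QubesDB, and render nft commands from those entries, so it is visible which part of each nft rule is built from which entry field and why sys-net and sys-firewall do not end up with identical rules. The option names (action=forward, forwardtype, srcports, srchosts) are the ones proposed in the thread; the entry layout, the nft table name qubes-forward, the eth0/vif* interface convention, the meaning given to 'internal', and the qube names and 10.137.0.0/16 addresses are assumptions made for this demo.

```python
"""Added example, not Qubes code.  Walks one forward rule through the netvm
chain as described in the thread: resolve the chain, decide what each hop
must do, describe it as per-VM entries (a hypothetical QubesDB shape), and
render nft commands from those entries.  The qdb layout, the 'qubes-forward'
table, the eth0/vif* interface convention, the 'internal' semantics and the
10.137.0.0/16 addresses are assumptions chosen for illustration."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class ForwardRule:
    # Option names as proposed in the thread:
    # action=forward forwardtype=<internal/external> srcports=443-443 srchosts=0.0.0.0/0
    forwardtype: str                 # "internal" or "external"
    srcports: str                    # "low-high"
    srchosts: str = "0.0.0.0/0"
    proto: str = "tcp"


def resolve_chain(target: str, netvm_of: Dict[str, Optional[str]]) -> List[str]:
    """[target, its netvm, ..., outermost VM (no netvm)], refusing netvm loops."""
    chain = [target]
    while (up := netvm_of.get(chain[-1])) is not None:
        if up in chain:
            raise ValueError(f"netvm loop at {up}")
        chain.append(up)
    return chain


def port_expr(srcports: str) -> str:
    """'443-443' -> '443', '8000-8010' -> '8000-8010'; reject nonsense ranges."""
    low, high = (int(p) for p in srcports.split("-", 1))
    if not (1 <= low <= high <= 65535):
        raise ValueError(f"bad port range {srcports!r}")
    return str(low) if low == high else f"{low}-{high}"


def plan_forward(rule: ForwardRule, chain: List[str], ip_of: Dict[str, str],
                 external_iface: str = "eth0") -> Dict[str, List[Dict[str, str]]]:
    """Per-VM entries (hypothetical QubesDB shape): which hops get a rule and
    what each hop needs.  sys-net and sys-firewall do NOT get identical rules:
    the ingress interface and the DNAT target differ per hop."""
    # 'internal' is assumed to mean reachable only from qubes behind the same
    # netvm, so only the target's immediate netvm participates.
    hops = chain[:2] if rule.forwardtype == "internal" else chain
    plan: Dict[str, List[Dict[str, str]]] = {}
    for i in range(len(hops) - 1, 0, -1):          # outermost hop first
        vm, inner = hops[i], hops[i - 1]
        if rule.forwardtype == "internal":
            iif = "vif*"                              # traffic from sibling qubes
        elif i == len(hops) - 1:
            iif = external_iface                      # sys-net: the real NIC
        else:
            iif = "eth0"                              # from this VM's own netvm
        plan.setdefault(vm, []).append({
            "iif": iif, "proto": rule.proto, "dport": port_expr(rule.srcports),
            "saddr": rule.srchosts, "dnat": ip_of[inner],
        })
    return plan


def render_nft(entry: Dict[str, str], table: str = "qubes-forward") -> List[str]:
    """nft commands for one entry; each entry field maps to exactly one match."""
    # 0.0.0.0/0 means 'any source': emit no saddr match rather than a no-op one
    saddr = "" if entry["saddr"] == "0.0.0.0/0" else f'ip saddr {entry["saddr"]} '
    match = f'iifname "{entry["iif"]}" {saddr}{entry["proto"]} dport {entry["dport"]}'
    return [
        f'nft add rule ip {table} prerouting {match} dnat to {entry["dnat"]}',
        f'nft add rule ip {table} forward iifname "{entry["iif"]}" oifname "vif*" '
        f'ip daddr {entry["dnat"]} {entry["proto"]} dport {entry["dport"]} accept',
    ]


# Constructed topology: work -> sys-firewall -> sys-net (addresses made up)
NETVM_OF = {"work": "sys-firewall", "sys-firewall": "sys-net", "sys-net": None}
IP_OF = {"work": "10.137.0.21", "sys-firewall": "10.137.0.10", "sys-net": "10.137.0.1"}


def example(rule: ForwardRule = ForwardRule("external", "443-443")) -> Dict[str, List[str]]:
    """All nft commands, per VM, needed to forward `rule` to the 'work' qube."""
    chain = resolve_chain("work", NETVM_OF)
    return {vm: [c for e in entries for c in render_nft(e)]
            for vm, entries in plan_forward(rule, chain, IP_OF).items()}


if __name__ == "__main__":
    for vm, cmds in example().items():
        print(f"# {vm}")
        print("\n".join(cmds))
```

Run as a script it prints the rule list per VM for an external forward of TCP 443 to 'work'; the same functions handle a port range and a restricted srchosts, which is where the saddr match and the range expression differ from the single-port case, and resolve_chain refuses a netvm loop rather than looping forever.
</pre></div>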
</html>