gsoc/mails/20210713-Re_GSoC Port Forwarding-1069.html

<html>
<head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<title>Re: GSoC Port Forwarding</title>
<link rel="important stylesheet" href="">
<style>div.headerdisplayname {font-weight:bold;}
</style></head>
<body>
<table border=0 cellspacing=0 cellpadding=0 width="100%" class="header-part1"><tr><td><div class="headerdisplayname" style="display:inline;">Oggetto: </div>Re: GSoC Port Forwarding</td></tr><tr><td><div class="headerdisplayname" style="display:inline;">Mittente: </div>Giulio <giulio@gmx.com></td></tr><tr><td><div class="headerdisplayname" style="display:inline;">Data: </div>13/07/2021, 15:56</td></tr></table><table border=0 cellspacing=0 cellpadding=0 width="100%" class="header-part2"><tr><td><div class="headerdisplayname" style="display:inline;">A: </div>Marek Marczykowski-Górecki &lt;marmarek@invisiblethingslab.com&gt;</td></tr><tr><td><div class="headerdisplayname" style="display:inline;">CC: </div>Frédéric Pierret &lt;frederic.pierret@qubes-os.org&gt;</td></tr></table><br>
<div class="moz-text-flowed" style="font-family: -moz-fixed; font-size: 14px;" lang="x-unicode">Hi,
<br>
<br>Il 29/06/2021 03:31, Marek Marczykowski-Górecki ha scritto:
<br><blockquote type=cite style="color: #007cff;">Yes, preparing rules in firewall.py sounds like a good idea. A new
<br>function is a good idea too. But note that for 'external' rules you need
<br>to apply them at several places (sys-net, sys-firewall etc). They aren't
<br>necessarily will be the same.
<br>I'd recommend getting an example, and writing down all the rules that
<br>should be applied, in all related VMs (specific iptables/nft commands).
<br>You have mostly done this part already.
<br>This part you can also test manually - really add those rules
<br>manually and check if everything works as it should. This way you ensure
<br>the rule set is sufficient.
<br>
<br>Then, write down QubesDB entries that describe them - carefully matching
<br>which information in the rule is built from which information in qdb
<br>entry.
<br>With that information, you know what qdb entries you need to produce for
<br>each VM, and should be easier to design this extra function/functions -
<br>especially, you'll see what input data such function needs and how many
<br>different rules it needs to return.
<br>
<br></blockquote>
<br>I tried writing a possible implementation to see how it could work and 
also to get an initial feedback. Since in the past week I had no access 
to my test machine, I just fixed the last things today and seems that 
overall the implemented parts are working (up to writing the rules with 
the correctly IPs in the appropriate agent databases).
<br>
<br>Here are the repositories <a class="moz-txt-link-freetext" href="https://git.lsd.cat/Qubes">https://git.lsd.cat/Qubes</a>
<br>
<br>Here is a list of what has yet to be done:
<br>1) Lot of testing and writing tests
<br>2) Any modification to the agent (such as applying the rules)
<br>3) "srchost" parameter support
<br>4) GUI
<br>5) Find a way to display the chain of rules in the qvm-firewall of every 
VM involved since as of now it is displayed only in the VM for which the 
rule was set
<br>
<br>Here is a list of what should work:
<br>1) Adding and deleting forward rules, both internal and external, via 
qvm-firewall. Also basic checks of the consistency of rules and required 
options should be in place
<br>2) Display of forward rules via qvm-firewall
<br>3) Persistence and resume of forward rules in firewall.xml
<br>4) Correct distribution of the required rules in the network chain in net.py
<br>
<br>
<br>Overall I tried getting the most possible from already existing code in 
order not to change the style and introduce as few changes as possible.
<br>Without having you correct the code step by step, before going forward 
with the agent I would like to have a feedback if the coding style seems 
consistent enough with yours and especially if the implementation in 
net.py of the distributions of the rules matches your expectations.
<br>
<br>My changes are only in core-admin and core-admin-client for now.
<br>
<br>Cheers
<br>Giulio
<br></div></body>
</html>
</table></div>
Updated readme, added mails 2021-10-19 18:22:56 +02:00			`<html>`
			`<head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />`
			`<title>Re: GSoC Port Forwarding</title>`
			`<link rel="important stylesheet" href="">`
			`<style>div.headerdisplayname {font-weight:bold;}`
			`</style></head>`
			`<body>`
			<table border=0 cellspacing=0 cellpadding=0 width="100%" class="header-part1"><tr><td><div class="headerdisplayname" style="display:inline;">Oggetto: </div>Re: GSoC Port Forwarding</td></tr><tr><td><div class="headerdisplayname" style="display:inline;">Mittente: </div>Giulio <giulio@gmx.com></td></tr><tr><td><div class="headerdisplayname" style="display:inline;">Data: </div>13/07/2021, 15:56</td></tr></table><table border=0 cellspacing=0 cellpadding=0 width="100%" class="header-part2"><tr><td><div class="headerdisplayname" style="display:inline;">A: </div>Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com></td></tr><tr><td><div class="headerdisplayname" style="display:inline;">CC: </div>Frédéric Pierret <frederic.pierret@qubes-os.org></td></tr></table><br>
			`<div class="moz-text-flowed" style="font-family: -moz-fixed; font-size: 14px;" lang="x-unicode">Hi,`
			`<br>`
			`<br>Il 29/06/2021 03:31, Marek Marczykowski-Górecki ha scritto:`
			`<br><blockquote type=cite style="color: #007cff;">Yes, preparing rules in firewall.py sounds like a good idea. A new`
			`<br>function is a good idea too. But note that for 'external' rules you need`
			`<br>to apply them at several places (sys-net, sys-firewall etc). They aren't`
			`<br>necessarily will be the same.`
			`<br>I'd recommend getting an example, and writing down all the rules that`
			`<br>should be applied, in all related VMs (specific iptables/nft commands).`
			`<br>You have mostly done this part already.`
			`<br>This part you can also test manually - really add those rules`
			`<br>manually and check if everything works as it should. This way you ensure`
			`<br>the rule set is sufficient.`
			`<br>`
			`<br>Then, write down QubesDB entries that describe them - carefully matching`
			`<br>which information in the rule is built from which information in qdb`
			`<br>entry.`
			`<br>With that information, you know what qdb entries you need to produce for`
			`<br>each VM, and should be easier to design this extra function/functions -`
			`<br>especially, you'll see what input data such function needs and how many`
			`<br>different rules it needs to return.`
			`<br>`
			`<br></blockquote>`
			`<br>I tried writing a possible implementation to see how it could work and`
			`also to get an initial feedback. Since in the past week I had no access`
			`to my test machine, I just fixed the last things today and seems that`
			`overall the implemented parts are working (up to writing the rules with`
			`the correctly IPs in the appropriate agent databases).`
			`<br>`
			`<br>Here are the repositories <a class="moz-txt-link-freetext" href="https://git.lsd.cat/Qubes">https://git.lsd.cat/Qubes</a>`
			`<br>`
			`<br>Here is a list of what has yet to be done:`
			`<br>1) Lot of testing and writing tests`
			`<br>2) Any modification to the agent (such as applying the rules)`
			`<br>3) "srchost" parameter support`
			`<br>4) GUI`
			`<br>5) Find a way to display the chain of rules in the qvm-firewall of every`
			`VM involved since as of now it is displayed only in the VM for which the`
			`rule was set`
			`<br>`
			`<br>Here is a list of what should work:`
			`<br>1) Adding and deleting forward rules, both internal and external, via`
			`qvm-firewall. Also basic checks of the consistency of rules and required`
			`options should be in place`
			`<br>2) Display of forward rules via qvm-firewall`
			`<br>3) Persistence and resume of forward rules in firewall.xml`
			`<br>4) Correct distribution of the required rules in the network chain in net.py`
			`<br>`
			`<br>`
			`<br>Overall I tried getting the most possible from already existing code in`
			`order not to change the style and introduce as few changes as possible.`
			`<br>Without having you correct the code step by step, before going forward`
			`with the agent I would like to have a feedback if the coding style seems`
			`consistent enough with yours and especially if the implementation in`
			`net.py of the distributions of the rules matches your expectations.`
			`<br>`
			`<br>My changes are only in core-admin and core-admin-client for now.`
			`<br>`
			`<br>Cheers`
			`<br>Giulio`
			`<br></div></body>`
			`</html>`
			`</table></div>`