<html>
<head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<title>Re: GSoC Port Forwarding</title>
<link rel="important stylesheet" href="">
<style>div.headerdisplayname {font-weight:bold;}
</style></head>
<body>
<table border=0 cellspacing=0 cellpadding=0 width="100%" class="header-part1"><tr><td><div class="headerdisplayname" style="display:inline;">Subject: </div>Re: GSoC Port Forwarding</td></tr><tr><td><div class="headerdisplayname" style="display:inline;">From: </div>Giulio <giulio@gmx.com></td></tr><tr><td><div class="headerdisplayname" style="display:inline;">Date: </div>14/07/2021, 18:27</td></tr></table><table border=0 cellspacing=0 cellpadding=0 width="100%" class="header-part2"><tr><td><div class="headerdisplayname" style="display:inline;">To: </div>Frédéric Pierret <frederic.pierret@qubes-os.org>, Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com></td></tr></table><br>
<div class="moz-text-flowed" style="font-family: -moz-fixed; font-size: 14px;" lang="x-unicode">Hi,
<br>
<br>On 14/07/2021 17:40, Frédéric Pierret wrote:
<br><blockquote type=cite style="color: #007cff;">Giulio,
<br>
<br>Generally looks good. Do you already have some testing and working case?
If yes, can you please provide a few steps here (that would also be good
for doc later).
<br>
<br></blockquote>
<br>I've tested again the code that I added during the refactoring and made
a couple of changes to make it work. I have not written any tests yet,
however at this stage you can test manually with the following commands
in dom0:
<br>
<br>- # qvm-firewall <domain> add action=forward forwardtype=internal
srcports=443-443 dstports=8443-8443 proto=tcp
<br>
<br>This command should add an internal forwarding rule. In practice, as of
now, the rule should be visible with the correct attributes running
"qvm-firewall <domain>". Furthermore, the added rule should be present
in the <i class="moz-txt-slash"><span class="moz-txt-tag">/</span>var/lib/qubes/appvms<span class="moz-txt-tag">/</span></i><domain>/firewall.xml file too and be
correctly represented. Lastly, in the untrusted_qdb of <domain>'s netvm
there should be an entry containing the added rule in the forwarding
base dir.
<br>
<br>- # qvm-firewall <domain> add action=forward forwardtype=external
srcports=80-80 dstports=8080-8080 proto=tcp
<br>
<br>This command should produce almost the exact same outcome as the first one.
However, in this case, a specific forward rule containing the IP address
of the next hop should be present in the untrusted_qdb of each VM in the
network path up to the last VM, where netvm is None (and which is thus expected
to have some kind of different interface such as eth).
<br>
<br>Clearly, the port forwarding itself cannot be tested until the proper
handling of the relevant rules is added to core-agent-linux. I am
now working on that and I expect to have something to test more in depth
in about a week.
<br>
<br>Cheers
<br>Giulio
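<br>
<p>The two <code>qvm-firewall &lt;domain&gt; add</code> commands in the message above are typed by hand into dom0, and a rule that is accepted ends up in the netvm's untrusted_qdb. The block below is an added example, not code from this message or from qubes-core-admin: a small Python parser that validates such key=value rule arguments before they are stored, failing closed on an inverted or out-of-bounds port range and on a forwardtype that is not exactly <code>internal</code> or <code>external</code> (so a misspelling such as <code>wxternal</code> is rejected rather than guessed at). The argument names, the values <code>internal</code>, <code>external</code> and <code>tcp</code>, and the <code>low-high</code> port syntax come from the commands quoted above; the accepted protocol set, the bare single-port form, the equal-width check on the two ranges, the <code>ForwardRule</code> class, the domain name <code>work</code> and all error messages are assumptions made for the illustration.</p>

```python
"""Validate the key=value arguments of `qvm-firewall <domain> add action=forward ...`.

Added illustration only; not code from qubes-core-admin or from the message.
Taken from the message: the argument names action, forwardtype, srcports,
dstports, proto, the values internal/external and tcp, and the low-high
port-range syntax. Assumed here: the set of accepted protocols, the bare
single-port form, the equal-width check on the two ranges, the ForwardRule
class and all error messages.
"""
import shlex
from dataclasses import dataclass

FORWARDTYPES = {"internal", "external"}  # the two kinds the message describes
PROTOS = {"tcp", "udp"}                  # assumption: only port-carrying protocols
REQUIRED = {"forwardtype", "srcports", "dstports", "proto"}


@dataclass(frozen=True)
class ForwardRule:
    forwardtype: str
    proto: str
    srcports: tuple  # (low, high), inclusive
    dstports: tuple


def parse_ports(spec):
    """'443-443' -> (443, 443); a bare '443' is accepted as (443, 443) (assumption).

    Rejects non-numeric, inverted (high < low) and out-of-bounds ranges so a
    typo cannot silently open a wider range than intended.
    """
    parts = spec.split("-")
    if len(parts) not in (1, 2) or not all(p.isdigit() for p in parts):
        raise ValueError(f"bad port range {spec!r}")
    low = int(parts[0])
    high = int(parts[-1])
    if not 1 <= low <= high <= 65535:
        raise ValueError(f"port range {spec!r} is inverted or outside 1-65535")
    return (low, high)


def parse_forward_rule(args):
    """args: the 'key=value' tokens typed after 'qvm-firewall <domain> add'."""
    kv = {}
    for arg in args:
        key, sep, value = arg.partition("=")
        if not sep or not key:
            raise ValueError(f"expected key=value, got {arg!r}")
        if key in kv:
            raise ValueError(f"duplicate key {key!r}")
        kv[key] = value
    if kv.get("action") != "forward":
        raise ValueError("only action=forward is handled here")
    missing = REQUIRED - set(kv)
    if missing:
        raise ValueError(f"missing keys: {sorted(missing)}")
    unknown = set(kv) - REQUIRED - {"action"}
    if unknown:
        raise ValueError(f"unknown keys: {sorted(unknown)}")
    # Fail closed on anything that is not exactly one of the known kinds
    # (e.g. the misspelling 'wxternal'); never guess what the user meant.
    if kv["forwardtype"] not in FORWARDTYPES:
        raise ValueError(f"forwardtype must be one of {sorted(FORWARDTYPES)}, got {kv['forwardtype']!r}")
    if kv["proto"] not in PROTOS:
        raise ValueError(f"proto must be one of {sorted(PROTOS)}, got {kv['proto']!r}")
    src = parse_ports(kv["srcports"])
    dst = parse_ports(kv["dstports"])
    # Assumption: ports map 1:1, so both ranges must have the same width.
    if src[1] - src[0] != dst[1] - dst[0]:
        raise ValueError("srcports and dstports must cover the same number of ports")
    return ForwardRule(kv["forwardtype"], kv["proto"], src, dst)


def parse_add_command(cmdline):
    """Split a full 'qvm-firewall <domain> add ...' line; returns (domain, ForwardRule)."""
    tokens = shlex.split(cmdline)
    if len(tokens) < 4 or tokens[0] != "qvm-firewall" or tokens[2] != "add":
        raise ValueError("expected: qvm-firewall <domain> add key=value ...")
    return tokens[1], parse_forward_rule(tokens[3:])


def rule_is_valid(args):
    """True if parse_forward_rule accepts args, False on any validation error."""
    try:
        parse_forward_rule(args)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample inputs mirroring the two commands in the message;
    # the domain name 'work' is made up (the message uses the placeholder <domain>).
    for line in (
        "qvm-firewall work add action=forward forwardtype=internal srcports=443-443 dstports=8443-8443 proto=tcp",
        "qvm-firewall work add action=forward forwardtype=external srcports=80-80 dstports=8080-8080 proto=tcp",
        "qvm-firewall work add action=forward forwardtype=wxternal srcports=80-80 dstports=8080-8080 proto=tcp",
    ):
        try:
            print(parse_add_command(line))
        except ValueError as err:
            print("rejected:", err)
```

<p>Running the block parses the first two constructed lines into <code>ForwardRule</code> values and rejects the third on its forwardtype. Whitelisting the exact accepted values, rather than matching prefixes or lower-casing input, is the property worth keeping whatever the real implementation looks like: a rule that is silently coerced into a different kind would be written into the netvm's qdb with a meaning the operator never typed.</p>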
<br></div></body>
</html>