Hi,
On 14/07/2021 17:40, Frédéric Pierret wrote:
> Giulio,
> Generally looks good. Do you have already some testing and working case?
> If yes, can you please provide few steps here (that would be also good
> for doc later).
I've tested again the code that I added during the refactoring and made
a couple of changes to make it work. I have not written any test yet,
however at this stage you can test manually with the following commands
in dom0:
- # qvm-firewall <domain> add action=forward forwardtype=internal srcports=443-443 dstports=8443-8443 proto=tcp
This command should add an internal forwarding rule. In practice, as of
now, the rule should be visible with the correct attributes running
"qvm-firewall <domain>". Furthermore, the added rule should be present
in the /var/lib/qubes/appvms/<domain>/firewall.xml file too and be
correctly represented. Lastly, in the untrusted_qdb of <domain>'s netvm
there should be an entry containing the added rule in the forwarding
base dir.
- # qvm-firewall <domain> add action=forward forwardtype=external srcports=80-80 dstports=8080-8080 proto=tcp
This command should produce almost the exact outcome as the first one.
However, in this case, a specific forward rule containing the ip address
of the next hop should be present in the untrusted_qdb of each vm in the
network path until the last vm where netvm is None (and thus is expected
to have some kind of different interface such as eth).
Clearly, the port forwarding itself cannot be tested until the proper
handling of the relevant rules is added to the core-agent-linux. I am
now working on that and I expect to have something to test more in depth
in about a week.
Cheers
Giulio
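As an added example (not part of Giulio's message and not Qubes project code), the following script checks the firewall.xml outcome of the two commands above. It assumes the firewall.xml layout used by Qubes 4.x (`<firewall version="2"><rules><rule><properties><property name="...">`) and that the new forward rules are serialised with the same property names as the qvm-firewall keys (action, forwardtype, srcports, dstports, proto); both are assumptions. The sample XML embedded below is constructed for the test, and `<domain>` stands for whatever VM you ran the commands against.

```python
"""Check that forward rules added with qvm-firewall appear in firewall.xml.

Added example, not Qubes code. Assumes the Qubes 4.x firewall.xml layout
(<firewall version="2"><rules><rule><properties><property name=...>) and
that forward rules are serialised with the same property names as the
qvm-firewall keys (action, forwardtype, srcports, dstports, proto).

Usage: python3 check_forward_rules.py /var/lib/qubes/appvms/<domain>/firewall.xml
Without an argument it checks the constructed SAMPLE_XML below.
"""
import sys
import xml.etree.ElementTree as ET

# Rules the two test commands in the message are expected to produce.
EXPECTED_RULES = [
    {"action": "forward", "forwardtype": "internal", "srcports": "443-443",
     "dstports": "8443-8443", "proto": "tcp"},
    {"action": "forward", "forwardtype": "external", "srcports": "80-80",
     "dstports": "8080-8080", "proto": "tcp"},
]


def parse_firewall_xml(text):
    """Return the rules of a firewall.xml document as a list of dicts."""
    root = ET.fromstring(text)
    if root.tag != "firewall" or root.get("version") != "2":
        raise ValueError("unexpected firewall.xml root element or version")
    rules = []
    for rule in root.iterfind("./rules/rule"):
        props = {}
        for prop in rule.iterfind("./properties/property"):
            props[prop.get("name")] = (prop.text or "").strip()
        rules.append(props)
    return rules


def rule_matches(rule, expected):
    """True if every expected property is present in `rule` with that value.

    Extra properties on the stored rule (e.g. a comment) are tolerated.
    """
    return all(rule.get(k) == v for k, v in expected.items())


def missing_rules(rules, expected=EXPECTED_RULES):
    """Return the expected rules that no stored rule matches."""
    return [e for e in expected if not any(rule_matches(r, e) for r in rules)]


# Constructed sample (assumption): firewall.xml after both commands, with the
# default accept rule that a fresh AppVM carries.
SAMPLE_XML = """<firewall version="2">
  <rules>
    <rule>
      <properties>
        <property name="action">accept</property>
      </properties>
    </rule>
    <rule>
      <properties>
        <property name="action">forward</property>
        <property name="forwardtype">internal</property>
        <property name="srcports">443-443</property>
        <property name="dstports">8443-8443</property>
        <property name="proto">tcp</property>
      </properties>
    </rule>
    <rule>
      <properties>
        <property name="action">forward</property>
        <property name="forwardtype">external</property>
        <property name="srcports">80-80</property>
        <property name="dstports">8080-8080</property>
        <property name="proto">tcp</property>
      </properties>
    </rule>
  </rules>
</firewall>
"""


def main(argv):
    if len(argv) > 1:
        with open(argv[1]) as f:
            text = f.read()
    else:
        text = SAMPLE_XML
    missing = missing_rules(parse_firewall_xml(text))
    for rule in missing:
        print("missing rule:", rule)
    return 1 if missing else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The exit status makes the check usable from a dom0 shell loop after each qvm-firewall invocation; the qubesdb side (the entry under the netvm's forwarding base dir) is not covered here because the message does not give its key layout.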