Oggetto: Re: GSoC Port Forwarding |
Mittente: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com> |
Data: 29/06/2021, 03:31 |
A: Giulio |
CC: Frédéric Pierret <frederic.pierret@qubes-os.org> |
On Mon, Jun 28, 2021 at 10:46:59PM +0200, Giulio wrote:
On 6/23/21 11:11 PM, Marek Marczykowski-Górecki wrote:
On Wed, Jun 23, 2021 at 04:37:20PM +0200, Giulio wrote:
Hello, thank you again for your time and the explanations, as well as the network graph. I have now a better understanding of the overall design and I am moving myself trhough the source code in order to think what to place where. So, in order to translate what we discussed in practice and also check my understanding of the code so far: 1) In core-admin-client/qubesadmin/firewall.py firewall.py > The code needs to support the new options for the rule (action=forward frowardtype=<internal/external> srcports=443-443 srchosts=0.0.0.0/0 2) In core-admin/qubes/firewall.py -> The code needs to support the same options as the point above 3) In core-admin/qubes/vm/mix/net.py -> The most important logic goes here. Here there is the need to resolve the full network chain for external port forwarding. From here it is possible to add the respective rules to the QubesDB of each netvm in he chain and trigger a reload event. 4) in core-agent-linux/qubesagent/firewall.py -> Here goes the logic for building the correct syntax for iptables or nft and the actual execution Does it makes sense for you?Yes, I think you got this perfectly correct.I am at a good stage with 1 and 2. In 3, I am still thinking about some design choices. I have written the function to resolve the network 'path', however I am trying to figure out which one is the most appropriate way of inserting the forward rule(s) in each vm in the chain. I feel like no parsing of the rules should be done in net.py since it would be out of place and not fit well within the rest of the code. Thus the rules should be provided to net.py already separated and sorted in some way. My idea as of now is to add a 'qdb_forward_entries' function, returning a dict of lists for 'internal' and 'external' rules in firewall.py. It would be the trivial to process the information in net.py. What do you think about that?
Yes, preparing rules in firewall.py sounds like a good idea. A new function is a good idea too. But note that for 'external' rules you need to apply them at several places (sys-net, sys-firewall etc). They aren't necessarily will be the same. I'd recommend getting an example, and writing down all the rules that should be applied, in all related VMs (specific iptables/nft commands). You have mostly done this part already. This part you can also test manually - really add those rules manually and check if everything works as it should. This way you ensure the rule set is sufficient. Then, write down QubesDB entries that describe them - carefully matching which information in the rule is built from which information in qdb entry. With that information, you know what qdb entries you need to produce for each VM, and should be easier to design this extra function/functions - especially, you'll see what input data such function needs and how many different rules it needs to return.-- Best Regards, Marek Marczykowski-Górecki Invisible Things Lab