20210628-Re_GSoC Port Forwarding-1058.html 3.4 KB

<html>
<head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<title>Re: GSoC Port Forwarding</title>
<link rel="important stylesheet" href="">
<style>div.headerdisplayname {font-weight:bold;}
</style></head>
<body>
<table border=0 cellspacing=0 cellpadding=0 width="100%" class="header-part1"><tr><td><div class="headerdisplayname" style="display:inline;">Subject: </div>Re: GSoC Port Forwarding</td></tr><tr><td><div class="headerdisplayname" style="display:inline;">From: </div>Giulio &lt;giulio@gmx.com&gt;</td></tr><tr><td><div class="headerdisplayname" style="display:inline;">Date: </div>28/06/2021, 22:46</td></tr></table><table border=0 cellspacing=0 cellpadding=0 width="100%" class="header-part2"><tr><td><div class="headerdisplayname" style="display:inline;">To: </div>Marek Marczykowski-Górecki &lt;marmarek@invisiblethingslab.com&gt;</td></tr><tr><td><div class="headerdisplayname" style="display:inline;">CC: </div>Frédéric Pierret &lt;frederic.pierret@qubes-os.org&gt;</td></tr></table><br>
<div class="moz-text-flowed" style="font-family: -moz-fixed; font-size: 14px;" lang="x-unicode">On 6/23/21 11:11 PM, Marek Marczykowski-Górecki wrote:
<br><blockquote type=cite style="color: #007cff;">On Wed, Jun 23, 2021 at 04:37:20PM +0200, Giulio wrote:
<br><blockquote type=cite style="color: #007cff;">Hello,
<br>thank you again for your time and the explanations, as well as the
<br>network graph. I now have a better understanding of the overall design
<br>and I am moving myself through the source code in order to think what to
<br>place where.
<br>
<br>So, in order to translate what we discussed into practice and also check
<br>my understanding of the code so far:
<br>
<br>1) In core-admin-client/qubesadmin/firewall.py -&gt; The code
<br>needs to support the new options for the rule (action=forward
<br>forwardtype=&lt;internal/external&gt; srcports=443-443 srchosts=0.0.0.0/0)
<br>2) In core-admin/qubes/firewall.py -&gt; The code needs to support the same
<br>options as the point above
<br>3) In core-admin/qubes/vm/mix/net.py -&gt; The most important logic goes
<br>here. Here there is the need to resolve the full network chain for
<br>external port forwarding. From here it is possible to add the respective
<br>rules to the QubesDB of each netvm in the chain and trigger a reload event.
<br>4) In core-agent-linux/qubesagent/firewall.py -&gt; Here goes the logic for
<br>building the correct syntax for iptables or nft and the actual execution
<br>
<br>Does it make sense to you?
<br></blockquote>
<br>Yes, I think you got this perfectly correct.
<br>
<br></blockquote>
<br>I am at a good stage with 1 and 2. In 3, I am still thinking about some
design choices. I have written the function to resolve the network
'path', however I am trying to figure out which one is the most
appropriate way of inserting the forward rule(s) in each vm in the
chain. I feel like no parsing of the rules should be done in net.py
since it would be out of place and not fit well within the rest of the
code. Thus the rules should be provided to net.py already separated and
sorted in some way. My idea as of now is to add a 'qdb_forward_entries'
function, returning a dict of lists for 'internal' and 'external' rules
in firewall.py. It would then be trivial to process the information in
net.py. What do you think about that?
<br>
<br>Cheers
<br>Giulio
<br></div></body>
</html>
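The design sketched in the thread (rules with action=forward carrying forwardtype/srcports/srchosts, a qdb_forward_entries helper that hands net.py the rules already split into 'internal' and 'external' lists, resolution of the netvm chain so that external forwards reach every hop, and an agent that turns each QubesDB entry into nft syntax) is illustrated below as an added, self-contained Python model. It is not Qubes OS code and not Giulio's implementation: the class and function names, the QubesDB value format, the `dst=` field, the nft table and chain names, and the assumption that each hop forwards to the next VM downstream are all hypothetical choices made for this example; the topology and rules are constructed sample data.

```python
# Added illustration of the port-forwarding design discussed in the thread.
# NOT Qubes code: every class, function, QubesDB value format and nft
# table/chain name below is a hypothetical stand-in chosen for this example.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class ForwardRule:
    """One firewall rule using the new options proposed in the thread."""
    action: str        # 'forward' is the new action; other actions are ignored here
    forwardtype: str   # 'internal' or 'external'
    srcports: str      # 'low-high' or a single port, e.g. '443-443'
    srchosts: str      # CIDR the traffic may come from, e.g. '0.0.0.0/0'


@dataclass
class Vm:
    """Minimal model of a qube: its IP and the netvm it is attached to."""
    name: str
    ip: str
    netvm: Optional["Vm"] = None   # None means this VM has the uplink (e.g. sys-net)


def parse_ports(srcports: str) -> Tuple[int, int]:
    """Validate 'low-high' (or 'port') and return (low, high); reject bad input early."""
    low, sep, high = srcports.partition("-")
    if not sep:
        high = low
    try:
        low_i, high_i = int(low), int(high)
    except ValueError:
        raise ValueError(f"bad port range: {srcports!r}")
    if not (1 <= low_i <= high_i <= 65535):
        raise ValueError(f"port range out of order or out of bounds: {srcports!r}")
    return low_i, high_i


def qdb_forward_entries(rules: List[ForwardRule]) -> Dict[str, List[ForwardRule]]:
    """The helper proposed for firewall.py: return the forward rules already
    separated into 'internal' and 'external' lists so net.py never parses rules."""
    entries: Dict[str, List[ForwardRule]] = {"internal": [], "external": []}
    for rule in rules:
        if rule.action != "forward":
            continue                       # accept/drop rules are handled elsewhere
        if rule.forwardtype not in entries:
            raise ValueError(f"unknown forwardtype: {rule.forwardtype!r}")
        parse_ports(rule.srcports)         # fail before anything is written to QubesDB
        entries[rule.forwardtype].append(rule)
    return entries


def resolve_net_chain(vm: Vm) -> List[Vm]:
    """Walk vm -> netvm -> netvm ... up to the VM holding the uplink (netvm is None)."""
    chain: List[Vm] = []
    seen = set()
    cur = vm.netvm
    while cur is not None:
        if cur.name in seen:
            raise ValueError("netvm loop detected")   # guard against misconfiguration
        seen.add(cur.name)
        chain.append(cur)
        cur = cur.netvm
    return chain


def place_forward_rules(vm: Vm, rules: List[ForwardRule]) -> Dict[str, List[str]]:
    """What net.py would decide: which netvm gets which QubesDB entry.
    Internal forwards only need the netvm the qube is attached to; external
    forwards are replicated on every hop up to the uplink, each hop forwarding
    to the next VM downstream (assumption). Returns {netvm_name: [qdb_value, ...]};
    the keys are exactly the netvms that need a firewall reload event."""
    entries = qdb_forward_entries(rules)
    chain = resolve_net_chain(vm)
    hops = [vm] + chain                   # hops[i] is the VM downstream of chain[i]
    writes: Dict[str, List[str]] = {nv.name: [] for nv in chain}

    def qdb_value(rule: ForwardRule, dst: Vm) -> str:   # hypothetical serialisation
        return (f"action=forward forwardtype={rule.forwardtype} "
                f"srcports={rule.srcports} srchosts={rule.srchosts} dst={dst.ip}")

    for rule in entries["internal"]:
        if chain:
            writes[chain[0].name].append(qdb_value(rule, vm))
    for rule in entries["external"]:
        for i, nv in enumerate(chain):
            writes[nv.name].append(qdb_value(rule, hops[i]))
    return {name: vals for name, vals in writes.items() if vals}


def nft_dnat_command(qdb_value: str, table: str = "qubes-nat",
                     chain: str = "prerouting") -> str:
    """What the agent side would build from one QubesDB entry (nft syntax;
    the table and chain names are assumed, not Qubes' real ones)."""
    fields = dict(kv.split("=", 1) for kv in qdb_value.split())
    low, high = parse_ports(fields["srcports"])
    ports = str(low) if low == high else f"{low}-{high}"
    return (f"add rule ip {table} {chain} ip saddr {fields['srchosts']} "
            f"tcp dport {ports} dnat to {fields['dst']}")


def build_sample_topology() -> Tuple[Vm, List[ForwardRule]]:
    """Constructed sample: work -> sys-firewall -> sys-net, with one rule of each type."""
    sys_net = Vm("sys-net", "10.137.0.5")
    sys_fw = Vm("sys-firewall", "10.137.0.6", netvm=sys_net)
    work = Vm("work", "10.137.0.10", netvm=sys_fw)
    rules = [ForwardRule("forward", "external", "443-443", "0.0.0.0/0"),
             ForwardRule("forward", "internal", "22-22", "10.137.0.0/24")]
    return work, rules


if __name__ == "__main__":
    work, rules = build_sample_topology()
    for netvm, values in place_forward_rules(work, rules).items():
        for value in values:
            print(f"{netvm}: {nft_dnat_command(value)}")
```

Running the block prints one nft command per (netvm, rule) pair: sys-firewall gets both the internal and the external forward pointing at work's IP, while sys-net gets only the external forward, pointing at sys-firewall as its downstream hop; this is the split the thread wants net.py to derive without itself parsing rule text.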