<html>
<head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<title>Re: GSoC Port Forwarding</title>
<link rel="important stylesheet" href="">
<style>div.headerdisplayname {font-weight:bold;}
</style></head>
<body>
<table border=0 cellspacing=0 cellpadding=0 width="100%" class="header-part1"><tr><td><div class="headerdisplayname" style="display:inline;">Subject: </div>Re: GSoC Port Forwarding</td></tr><tr><td><div class="headerdisplayname" style="display:inline;">From: </div>Giulio <giulio@gmx.com></td></tr><tr><td><div class="headerdisplayname" style="display:inline;">Date: </div>28/06/2021, 22:46</td></tr></table><table border=0 cellspacing=0 cellpadding=0 width="100%" class="header-part2"><tr><td><div class="headerdisplayname" style="display:inline;">To: </div>Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com></td></tr><tr><td><div class="headerdisplayname" style="display:inline;">CC: </div>Frédéric Pierret <frederic.pierret@qubes-os.org></td></tr></table><br>
<div class="moz-text-flowed" style="font-family: -moz-fixed; font-size: 14px;" lang="x-unicode">On 6/23/21 11:11 PM, Marek Marczykowski-Górecki wrote:
<br><blockquote type=cite style="color: #007cff;">On Wed, Jun 23, 2021 at 04:37:20PM +0200, Giulio wrote:
<br><blockquote type=cite style="color: #007cff;">Hello,
<br>thank you again for your time and the explanations, as well as the
<br>network graph. I have now a better understanding of the overall design
<br>and I am moving myself through the source code in order to think what to
<br>place where.
<br>
<br>So, in order to translate what we discussed in practice and also check
<br>my understanding of the code so far:
<br>
<br>1) In core-admin-client/qubesadmin/firewall.py -> The code
<br>needs to support the new options for the rule (action=forward
<br>forwardtype=<internal/external> srcports=443-443 srchosts=0.0.0.0/0
<br>2) In core-admin/qubes/firewall.py -> The code needs to support the same
<br>options as the point above
<br>3) In core-admin/qubes/vm/mix/net.py -> The most important logic goes
<br>here. Here there is the need to resolve the full network chain for
<br>external port forwarding. From here it is possible to add the respective
<br>rules to the QubesDB of each netvm in the chain and trigger a reload event.
<br>4) in core-agent-linux/qubesagent/firewall.py -> Here goes the logic for
<br>building the correct syntax for iptables or nft and the actual execution
<br>
<br>Does it make sense for you?
<br></blockquote>
<br>Yes, I think you got this perfectly correct.
<br>
<br></blockquote>
<br>I am at a good stage with 1 and 2. In 3, I am still thinking about some
design choices. I have written the function to resolve the network
'path', however I am trying to figure out which one is the most
appropriate way of inserting the forward rule(s) in each vm in the
chain. I feel like no parsing of the rules should be done in net.py
since it would be out of place and not fit well within the rest of the
code. Thus the rules should be provided to net.py already separated and
sorted in some way. My idea as of now is to add a 'qdb_forward_entries'
function, returning a dict of lists for 'internal' and 'external' rules
in firewall.py. It would then be trivial to process the information in
net.py. What do you think about that?
<br>
<br>Cheers
<br>Giulio
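Added example, not from this thread or from the Qubes code base: a Python sketch of the design under discussion, with the option names taken from the quoted rule syntax and the proposed 'qdb_forward_entries' split. The ForwardRule class, resolve_netvm_chain, plan_qdb_writes and the placement of internal rules on the directly attached netvm only are assumptions of this sketch.

```python
"""Validate proposed forward-rule options, split them for net.py, resolve the
netvm chain. Hypothetical sketch, not Qubes code; names are assumptions."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass
class ForwardRule:
    # One rule with action=forward; the remaining proposed options:
    # forwardtype=<internal/external> srcports=443-443 srchosts=0.0.0.0/0
    forwardtype: str
    srcports: str
    srchosts: str
    def validate(self) -> None:
        if self.forwardtype not in ("internal", "external"):
            raise ValueError("forwardtype must be internal or external")
        lo, _, hi = self.srcports.partition("-")
        lo, hi = int(lo), int(hi or lo)
        if not 1 <= lo <= hi <= 65535:
            raise ValueError("srcports out of range")
        # strict=True rejects networks with host bits set, e.g. 10.1.2.3/8
        ipaddress.ip_network(self.srchosts, strict=True)

def qdb_forward_entries(rules: List[ForwardRule]) -> Dict[str, List[ForwardRule]]:
    """Return {'internal': [...], 'external': [...]} so net.py parses nothing."""
    entries: Dict[str, List[ForwardRule]] = {"internal": [], "external": []}
    for rule in rules:
        rule.validate()
        entries[rule.forwardtype].append(rule)
    return entries

def resolve_netvm_chain(vm: str, netvm_of: Dict[str, Optional[str]]) -> List[str]:
    """Walk vm -> netvm -> ... up to the VM with no netvm; refuse loops."""
    chain: List[str] = []
    cur = netvm_of.get(vm)
    while cur is not None:
        if cur in chain:
            raise ValueError("netvm loop at " + cur)
        chain.append(cur)
        cur = netvm_of.get(cur)
    return chain

def plan_qdb_writes(vm, rules, netvm_of):
    """External rules go to every netvm in the chain, internal ones only to the first."""
    chain = resolve_netvm_chain(vm, netvm_of)
    entries = qdb_forward_entries(rules)
    plan = {nv: list(entries["external"]) for nv in chain}
    if chain:
        plan[chain[0]] += entries["internal"]
    return plan
```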
<br></div></body>
</html>