Home Explore Help
Sign In
Qubes
/
gsoc
2
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Tree: 76b877f65b
Branches Tags
gsoc
/
mails
/
20210713-Re_GSoC Port Forwarding-1069.html

20210713-Re_GSoC Port Forwarding-1069.html 4.1 KB
History Raw

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071 
  1. <html>
    2. 

  2. <head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
    3. 

  3. <title>Re: GSoC Port Forwarding</title>
    4. 

  4. <link rel="important stylesheet" href="">
    5. 

  5. <style>div.headerdisplayname {font-weight:bold;}
    6. 

  6. </style></head>
    7. 

  7. <body>
    8. 

  8. <table border=0 cellspacing=0 cellpadding=0 width="100%" class="header-part1"><tr><td><div class="headerdisplayname" style="display:inline;">Oggetto: </div>Re: GSoC Port Forwarding</td></tr><tr><td><div class="headerdisplayname" style="display:inline;">Mittente: </div>Giulio <giulio@gmx.com></td></tr><tr><td><div class="headerdisplayname" style="display:inline;">Data: </div>13/07/2021, 15:56</td></tr></table><table border=0 cellspacing=0 cellpadding=0 width="100%" class="header-part2"><tr><td><div class="headerdisplayname" style="display:inline;">A: </div>Marek Marczykowski-Górecki &lt;marmarek@invisiblethingslab.com&gt;</td></tr><tr><td><div class="headerdisplayname" style="display:inline;">CC: </div>Frédéric Pierret &lt;frederic.pierret@qubes-os.org&gt;</td></tr></table><br>
    9. 

  9. <div class="moz-text-flowed" style="font-family: -moz-fixed; font-size: 14px;" lang="x-unicode">Hi,
    10. 

  10. <br>
    11. 

  11. <br>Il 29/06/2021 03:31, Marek Marczykowski-Górecki ha scritto:
    12. 

  12. <br><blockquote type=cite style="color: #007cff;">Yes, preparing rules in firewall.py sounds like a good idea. A new
    13. 

  13. <br>function is a good idea too. But note that for 'external' rules you need
    14. 

  14. <br>to apply them at several places (sys-net, sys-firewall etc). They aren't
    15. 

  15. <br>necessarily will be the same.
    16. 

  16. <br>I'd recommend getting an example, and writing down all the rules that
    17. 

  17. <br>should be applied, in all related VMs (specific iptables/nft commands).
    18. 

  18. <br>You have mostly done this part already.
    19. 

  19. <br>This part you can also test manually - really add those rules
    20. 

  20. <br>manually and check if everything works as it should. This way you ensure
    21. 

  21. <br>the rule set is sufficient.
    22. 

  22. <br>
    23. 

  23. <br>Then, write down QubesDB entries that describe them - carefully matching
    24. 

  24. <br>which information in the rule is built from which information in qdb
    25. 

  25. <br>entry.
    26. 

  26. <br>With that information, you know what qdb entries you need to produce for
    27. 

  27. <br>each VM, and should be easier to design this extra function/functions -
    28. 

  28. <br>especially, you'll see what input data such function needs and how many
    29. 

  29. <br>different rules it needs to return.
    30. 

  30. <br>
    31. 

  31. <br></blockquote>
    32. 

  32. <br>I tried writing a possible implementation to see how it could work and 
    33. 

  33. also to get an initial feedback. Since in the past week I had no access 
    34. 

  34. to my test machine, I just fixed the last things today and seems that 
    35. 

  35. overall the implemented parts are working (up to writing the rules with 
    36. 

  36. the correctly IPs in the appropriate agent databases).
    37. 

  37. <br>
    38. 

  38. <br>Here are the repositories <a class="moz-txt-link-freetext" href="https://git.lsd.cat/Qubes">https://git.lsd.cat/Qubes</a>
    39. 

  39. <br>
    40. 

  40. <br>Here is a list of what has yet to be done:
    41. 

  41. <br>1) Lot of testing and writing tests
    42. 

  42. <br>2) Any modification to the agent (such as applying the rules)
    43. 

  43. <br>3) "srchost" parameter support
    44. 

  44. <br>4) GUI
    45. 

  45. <br>5) Find a way to display the chain of rules in the qvm-firewall of every 
    46. 

  46. VM involved since as of now it is displayed only in the VM for which the 
    47. 

  47. rule was set
    48. 

  48. <br>
    49. 

  49. <br>Here is a list of what should work:
    50. 

  50. <br>1) Adding and deleting forward rules, both internal and external, via 
    51. 

  51. qvm-firewall. Also basic checks of the consistency of rules and required 
    52. 

  52. options should be in place
    53. 

  53. <br>2) Display of forward rules via qvm-firewall
    54. 

  54. <br>3) Persistence and resume of forward rules in firewall.xml
    55. 

  55. <br>4) Correct distribution of the required rules in the network chain in net.py
    56. 

  56. <br>
    57. 

  57. <br>
    58. 

  58. <br>Overall I tried getting the most possible from already existing code in 
    59. 

  59. order not to change the style and introduce as few changes as possible.
    60. 

  60. <br>Without having you correct the code step by step, before going forward 
    61. 

  61. with the agent I would like to have a feedback if the coding style seems 
    62. 

  62. consistent enough with yours and especially if the implementation in 
    63. 

  63. net.py of the distributions of the rules matches your expectations.
    64. 

  64. <br>
    65. 

  65. <br>My changes are only in core-admin and core-admin-client for now.
    66. 

  66. <br>
    67. 

  67. <br>Cheers
    68. 

  68. <br>Giulio
    69. 

  69. <br></div></body>
    70. 

  70. </html>
    71. 

  71. </table></div>
    72.