Qubes
/
gsoc


			
				
					
						
						
							1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253
							<html>
<head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<title>Re: GSoC Port Forwarding</title>
<link rel="important stylesheet" href="">
<style>div.headerdisplayname {font-weight:bold;}
</style></head>
<body>
<table border=0 cellspacing=0 cellpadding=0 width="100%" class="header-part1"><tr><td><div class="headerdisplayname" style="display:inline;">Oggetto: </div>Re: GSoC Port Forwarding</td></tr><tr><td><div class="headerdisplayname" style="display:inline;">Mittente: </div>Giulio <giulio@gmx.com></td></tr><tr><td><div class="headerdisplayname" style="display:inline;">Data: </div>14/07/2021, 18:27</td></tr></table><table border=0 cellspacing=0 cellpadding=0 width="100%" class="header-part2"><tr><td><div class="headerdisplayname" style="display:inline;">A: </div>Frédéric Pierret &lt;frederic.pierret@qubes-os.org&gt;, Marek Marczykowski-Górecki &lt;marmarek@invisiblethingslab.com&gt;</td></tr></table><br>
<div class="moz-text-flowed" style="font-family: -moz-fixed; font-size: 14px;" lang="x-unicode">Hi,
<br>
<br>Il 14/07/2021 17:40, Frédéric Pierret ha scritto:
<br><blockquote type=cite style="color: #007cff;">Giulio,
<br>
<br>Generally looks good. Do you have already some testing and working case? 
If yes, can you please provide few steps here (that would be also good 
for doc later).
<br>
<br></blockquote>
<br>I've tested again the code that I added during the refactoring and made 
a couple of chanegs to make it work. I have not written any test yet, 
however at this stage you can test manually with the following commands 
in dom0:
<br>
<br>- # qvm-firewall &lt;domain&gt; add action=forward forwardtype=internal 
srcports=443-443 dstports=8443-8443 proto=tcp
<br>
<br>This command should add an internal forwarding rule. In pratice, as of 
now, the rule should be visible with the correct attributes running 
"qvm-firewall &lt;domain&gt;". Furthermore, the added rule should be present 
in the <i class="moz-txt-slash"><span class="moz-txt-tag">/</span>var/lib/qubes/appvms<span class="moz-txt-tag">/</span></i>&lt;domain&gt;/firewall.xml file too and be 
correctly represented. Lastly, in the untrusted_qdb of &lt;domain&gt;'s netvm 
there should be an entry containing the added rule in the forwarding 
base dir.
<br>
<br>- # qvm-firewall &lt;domain&gt; add action=forward forwardtype=wxternal 
srcports=80-80 dstports=8080-8080 proto=tcp
<br>
<br>This command should produce almost the exact outcome as the first one. 
However, in this case, a specific forward rule containing the ip address 
of the next hop should be present in the untrusted_qdb of each vm in the 
network path until the last vm where netvm is None (and thus is expected 
to have some kind of different interface such as eth).
<br>
<br>Clearly, the port forwarding itself cannot be tested until the proper 
handling of the relevant rules is added to the core-agent-linux. I am 
now working on that and I expect to have something to test more in depth 
in about a week.
<br>
<br>Cheers
<br>Giulio
<br></div></body>
</html>
</table></div>