gsoc/mails/20210814-Re_GSoC Port Forwarding-1106.html

<html>
<head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<title>Re: GSoC Port Forwarding</title>
<link rel="important stylesheet" href="">
<style>div.headerdisplayname {font-weight:bold;}
</style></head>
<body>
<table border=0 cellspacing=0 cellpadding=0 width="100%" class="header-part1"><tr><td><div class="headerdisplayname" style="display:inline;">Oggetto: </div>Re: GSoC Port Forwarding</td></tr><tr><td><div class="headerdisplayname" style="display:inline;">Mittente: </div>Giulio <giulio@gmx.com></td></tr><tr><td><div class="headerdisplayname" style="display:inline;">Data: </div>14/08/2021, 18:33</td></tr></table><table border=0 cellspacing=0 cellpadding=0 width="100%" class="header-part2"><tr><td><div class="headerdisplayname" style="display:inline;">A: </div>Marek Marczykowski-Górecki &lt;marmarek@invisiblethingslab.com&gt;</td></tr><tr><td><div class="headerdisplayname" style="display:inline;">CC: </div>Frédéric Pierret &lt;frederic.pierret@qubes-os.org&gt;</td></tr></table><br>
<div class="moz-text-flowed" style="font-family: -moz-fixed; font-size: 14px;" lang="x-unicode">Hello,
<br>Sorry for the late reply.
<br>While everything cli related is almost ready, I am having some issues on 
the actual implementation of the iptables/nft rules. I see that in the 
current state, it seems like Qubes is using both as also stated in [1].
<br>However, in the core-agent-linux source code, if the 'nft' binary is 
available&nbsp; that is the only one that gets invoked. Furthermore, there 
are differences on the iptables backend depending on templates as 
reported in [2].
<br>I am a bit stuck in understanding which rule to put where in order to 
have consistency across templates and between iptables/nft, also because 
if I blindly implement the rules suggested in [1] they will not actually 
work since most of the time iptables is not invoked at all.
<br>I also checked [3], however it is very similar to the instructions in 
[1] which leads to the same problems.
<br>Are we able to write working nft forwarding rules without invoking 
iptables at all? If yes, could you heml me determine which ones?
<br>
<br>You can see in [4] how I organized the forwarding mechanism. All the 
necessary information, as well as ipv4/ipv6 support should already be in 
the 'prepare_forward_rules' function meaning that only the actual 
building syntax is left.
<br>
<br>For simplicity you can look at the other changes at [5] and at [6].
<br>
<br>Cheers
<br>Giulio
<br>
<br>
<br>[1] - <a class="moz-txt-link-freetext" href="https://www.qubes-os.org/doc/firewall/">https://www.qubes-os.org/doc/firewall/</a>
<br>[2] - <a class="moz-txt-link-freetext" href="https://github.com/QubesOS/qubes-issues/issues/5031">https://github.com/QubesOS/qubes-issues/issues/5031</a>
<br>[3] - <a class="moz-txt-link-freetext" href="https://gist.github.com/fepitre/941d7161ae1150d90e15f778027e3248">https://gist.github.com/fepitre/941d7161ae1150d90e15f778027e3248</a>
<br>[4] - 
<a class="moz-txt-link-freetext" href="https://github.com/lsd-cat/qubes-core-agent-linux/compare/f24ca2c..3e944af">https://github.com/lsd-cat/qubes-core-agent-linux/compare/f24ca2c..3e944af</a>
<br>[5] - <a class="moz-txt-link-freetext" href="https://github.com/lsd-cat/qubes-core-admin/compare/6a1570b..6e3e250">https://github.com/lsd-cat/qubes-core-admin/compare/6a1570b..6e3e250</a>
<br>[6] - 
<a class="moz-txt-link-freetext" href="https://github.com/lsd-cat/qubes-core-admin-client/compare/1a2ce72..a17853b">https://github.com/lsd-cat/qubes-core-admin-client/compare/1a2ce72..a17853b</a>
<br></div></body>
</html>
</table></div>