<html>
<head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<title>Re: GSoC Port Forwarding</title>
<link rel="important stylesheet" href="">
<style>div.headerdisplayname {font-weight:bold;}
</style></head>
<body>
<table border=0 cellspacing=0 cellpadding=0 width="100%" class="header-part1"><tr><td><div class="headerdisplayname" style="display:inline;">Subject: </div>Re: GSoC Port Forwarding</td></tr><tr><td><div class="headerdisplayname" style="display:inline;">From: </div>Marek Marczykowski-Górecki &lt;marmarek@invisiblethingslab.com&gt;</td></tr><tr><td><div class="headerdisplayname" style="display:inline;">Date: </div>14/08/2021, 23:43</td></tr></table><table border=0 cellspacing=0 cellpadding=0 width="100%" class="header-part2"><tr><td><div class="headerdisplayname" style="display:inline;">To: </div>Giulio &lt;giulio@gmx.com&gt;</td></tr><tr><td><div class="headerdisplayname" style="display:inline;">CC: </div>Frédéric Pierret &lt;frederic.pierret@qubes-os.org&gt;</td></tr></table><br>
<div class="moz-text-plain" wrap=true graphical-quote=true style="font-family: -moz-fixed; font-size: 14px;" lang="x-unicode"><pre wrap class="moz-quote-pre">
On Sat, Aug 14, 2021 at 06:33:18PM +0200, Giulio wrote:
</pre><blockquote type=cite style="color: #007cff;"><pre wrap class="moz-quote-pre">
<span class="moz-txt-citetags">&gt; </span>Hello,
<span class="moz-txt-citetags">&gt; </span>Sorry for the late reply.
<span class="moz-txt-citetags">&gt; </span>While everything CLI-related is almost ready, I am having some issues on
<span class="moz-txt-citetags">&gt; </span>the actual implementation of the iptables/nft rules. I see that in the
<span class="moz-txt-citetags">&gt; </span>current state, it seems like Qubes is using both, as also stated in [1].
</pre></blockquote><pre wrap class="moz-quote-pre">
Yes, there are two backends, depending on nft availability. This is
mostly because older distros (Debian 8...) did not have nft at all.
</pre><blockquote type=cite style="color: #007cff;"><pre wrap class="moz-quote-pre">
<span class="moz-txt-citetags">&gt; </span>However, in the core-agent-linux source code, if the 'nft' binary is
<span class="moz-txt-citetags">&gt; </span>available that is the only one that gets invoked. Furthermore, there
<span class="moz-txt-citetags">&gt; </span>are differences on the iptables backend depending on templates as
<span class="moz-txt-citetags">&gt; </span>reported in [2].
</pre></blockquote><pre wrap class="moz-quote-pre">
Yes, and since basically all the distributions have nft now, the iptables
backend may be removed soon. I don't think we have any case where the
iptables backend is used in practice in Qubes 4.1. The RPM package has a
strict dependency on nft, and the Debian package has it as Suggests only,
but in practice it is installed.
</pre><blockquote type=cite style="color: #007cff;"><pre wrap class="moz-quote-pre">
<span class="moz-txt-citetags">&gt; </span>I am a bit stuck in understanding which rule to put where in order to
<span class="moz-txt-citetags">&gt; </span>have consistency across templates and between iptables/nft, also because
<span class="moz-txt-citetags">&gt; </span>if I blindly implement the rules suggested in [1] they will not actually
<span class="moz-txt-citetags">&gt; </span>work since most of the time iptables is not invoked at all.
</pre></blockquote><pre wrap class="moz-quote-pre">
Indeed, adding rules to the IptablesWorker class will have no effect if
nft is in use.
Theoretically, iptables rules and nft rules can coexist, but we should
really focus on nft for new features.
</pre><blockquote type=cite style="color: #007cff;"><pre wrap class="moz-quote-pre">
<span class="moz-txt-citetags">&gt; </span>I also checked [3], however it is very similar to the instructions in
<span class="moz-txt-citetags">&gt; </span>[1], which leads to the same problems.
<span class="moz-txt-citetags">&gt; </span>Are we able to write working nft forwarding rules without invoking
<span class="moz-txt-citetags">&gt; </span>iptables at all? If yes, could you help me determine which ones?
</pre></blockquote><pre wrap class="moz-quote-pre">
As for the nft syntax, I think the iptables-translate tool can help you
(part of the iptables-nft package).
See <a class="moz-txt-link-freetext" href="https://wiki.nftables.org/wiki-nftables/index.php/Moving_from_iptables_to_nftables">https://wiki.nftables.org/wiki-nftables/index.php/Moving_from_iptables_to_nftables</a>
</pre><blockquote type=cite style="color: #007cff;"><pre wrap class="moz-quote-pre">
<span class="moz-txt-citetags">&gt; </span>You can see in [4] how I organized the forwarding mechanism. All the
<span class="moz-txt-citetags">&gt; </span>necessary information, as well as ipv4/ipv6 support, should already be in
<span class="moz-txt-citetags">&gt; </span>the 'prepare_forward_rules' function, meaning that only the actual
<span class="moz-txt-citetags">&gt; </span>building syntax is left.
</pre></blockquote><pre wrap class="moz-quote-pre">
Yes, this layout looks ok.
</pre><blockquote type=cite style="color: #007cff;"><pre wrap class="moz-quote-pre">
<span class="moz-txt-citetags">&gt; </span>For simplicity you can look at the other changes at [5] and at [6].
</pre></blockquote><pre wrap class="moz-quote-pre">
This too looks fine (although I haven't done a detailed review).
In both cases, the code will need some tests of course.
</pre><blockquote type=cite style="color: #007cff;"><pre wrap class="moz-quote-pre">
<span class="moz-txt-citetags">&gt; </span>[1] - <a class="moz-txt-link-freetext" href="https://www.qubes-os.org/doc/firewall/">https://www.qubes-os.org/doc/firewall/</a>
<span class="moz-txt-citetags">&gt; </span>[2] - <a class="moz-txt-link-freetext" href="https://github.com/QubesOS/qubes-issues/issues/5031">https://github.com/QubesOS/qubes-issues/issues/5031</a>
<span class="moz-txt-citetags">&gt; </span>[3] - <a class="moz-txt-link-freetext" href="https://gist.github.com/fepitre/941d7161ae1150d90e15f778027e3248">https://gist.github.com/fepitre/941d7161ae1150d90e15f778027e3248</a>
<span class="moz-txt-citetags">&gt; </span>[4] -
<span class="moz-txt-citetags">&gt; </span><a class="moz-txt-link-freetext" href="https://github.com/lsd-cat/qubes-core-agent-linux/compare/f24ca2c..3e944af">https://github.com/lsd-cat/qubes-core-agent-linux/compare/f24ca2c..3e944af</a>
<span class="moz-txt-citetags">&gt; </span>[5] - <a class="moz-txt-link-freetext" href="https://github.com/lsd-cat/qubes-core-admin/compare/6a1570b..6e3e250">https://github.com/lsd-cat/qubes-core-admin/compare/6a1570b..6e3e250</a>
<span class="moz-txt-citetags">&gt; </span>[6] -
<span class="moz-txt-citetags">&gt; </span><a class="moz-txt-link-freetext" href="https://github.com/lsd-cat/qubes-core-admin-client/compare/1a2ce72..a17853b">https://github.com/lsd-cat/qubes-core-admin-client/compare/1a2ce72..a17853b</a>
</pre></blockquote><pre wrap class="moz-quote-pre">
<div class="moz-txt-sig">--
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
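
The nft syntax Giulio asks about above, as an added example that is not part of this e-mail and not code from qubes-core-agent-linux: one forwarding spec rendered both as the classic iptables pair (DNAT in nat/PREROUTING plus an accept in filter/FORWARD) and as the equivalent standalone nft commands, for IPv4 and IPv6, with no iptables invocation. The Forward type, the table name "qubes-forward" and the interface name "eth0" are assumptions made for illustration; Qubes' real chain and table names differ.

```python
"""Render one port-forward spec as iptables rules and as equivalent nft commands.

Added example for this thread; not code from qubes-core-agent-linux. The table
name "qubes-forward", the interface "eth0" and the Forward type are assumptions
for illustration, Qubes' real chains and names differ.
"""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import ip_address


@dataclass(frozen=True)
class Forward:
    proto: str      # "tcp" or "udp"
    iface: str      # interface the connection arrives on (assumed name)
    ext_port: int   # port exposed on that interface
    dst_addr: str   # IPv4 or IPv6 address of the target qube
    dst_port: int   # port the service listens on inside the qube

    def __post_init__(self) -> None:
        if self.proto not in ("tcp", "udp"):
            raise ValueError(f"unsupported protocol {self.proto!r}")
        for port in (self.ext_port, self.dst_port):
            if not 1 <= port <= 65535:
                raise ValueError(f"port out of range: {port}")
        ip_address(self.dst_addr)  # raises ValueError on a malformed address

    @property
    def family(self) -> int:
        """4 or 6, derived from the destination address."""
        return ip_address(self.dst_addr).version

    @property
    def dnat_target(self) -> str:
        """addr:port, with an IPv6 literal bracketed as both tools require."""
        if self.family == 4:
            return f"{self.dst_addr}:{self.dst_port}"
        return f"[{self.dst_addr}]:{self.dst_port}"


def iptables_rules(fw: Forward) -> list[str]:
    """Classic two-rule form: DNAT in nat/PREROUTING, then accept in filter/FORWARD."""
    cmd = "iptables" if fw.family == 4 else "ip6tables"
    return [
        f"{cmd} -t nat -A PREROUTING -i {fw.iface} -p {fw.proto} "
        f"--dport {fw.ext_port} -j DNAT --to-destination {fw.dnat_target}",
        f"{cmd} -A FORWARD -i {fw.iface} -d {fw.dst_addr} -p {fw.proto} "
        f"--dport {fw.dst_port} -j ACCEPT",
    ]


def nft_rules(fw: Forward, table: str = "qubes-forward") -> list[str]:
    """Same forward expressed purely in nft, with no iptables invocation.

    Uses iifname (string match) rather than iif, because iif resolves the
    interface index at load time and fails if the interface does not exist yet.
    """
    fam = "ip" if fw.family == 4 else "ip6"
    return [
        f"nft add table {fam} {table}",
        f"nft add chain {fam} {table} prerouting "
        "'{ type nat hook prerouting priority dstnat; policy accept; }'",
        f"nft add chain {fam} {table} forward "
        "'{ type filter hook forward priority filter; policy accept; }'",
        f'nft add rule {fam} {table} prerouting iifname "{fw.iface}" '
        f"{fw.proto} dport {fw.ext_port} dnat to {fw.dnat_target}",
        f'nft add rule {fam} {table} forward iifname "{fw.iface}" '
        f"{fam} daddr {fw.dst_addr} {fw.proto} dport {fw.dst_port} accept",
    ]


if __name__ == "__main__":
    # Constructed sample specs, one IPv4 and one IPv6; the addresses are illustrative.
    for spec in (
        Forward("tcp", "eth0", 8080, "10.137.0.10", 80),
        Forward("udp", "eth0", 5353, "fd09:24ef:4179::a89:a", 53),
    ):
        print("\n".join(iptables_rules(spec)))
        print("\n".join(nft_rules(spec)))
```

Feeding the generated iptables line into the tool Marek points to (for example `iptables-translate -t nat -A PREROUTING -i eth0 -p tcp --dport 8080 -j DNAT --to-destination 10.137.0.10:80`) prints the matching `nft add rule` and is a quick way to cross-check the syntax. One caveat on placement: nft evaluates every base chain registered on a hook, and a drop verdict in any of them is final, so an `accept` in a freshly created forward chain does not override a drop in an existing one; when the surrounding firewall already drops forwarded traffic, the accept rule has to be added to that chain rather than to a new table like the one above.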
</div></pre></div></body>
</html>