<html>
<head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<title>Re: GSoC Port Forwarding</title>
<link rel="important stylesheet" href="">
<style>div.headerdisplayname {font-weight:bold;}
</style></head>
<body>
<table border=0 cellspacing=0 cellpadding=0 width="100%" class="header-part1"><tr><td><div class="headerdisplayname" style="display:inline;">Subject: </div>Re: GSoC Port Forwarding</td></tr><tr><td><div class="headerdisplayname" style="display:inline;">From: </div>Frédéric Pierret <frederic.pierret@qubes-os.org></td></tr><tr><td><div class="headerdisplayname" style="display:inline;">Date: </div>14/07/2021, 12:10</td></tr></table><table border=0 cellspacing=0 cellpadding=0 width="100%" class="header-part2"><tr><td><div class="headerdisplayname" style="display:inline;">To: </div>Giulio <giulio@gmx.com>, Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com></td></tr></table><br>
<div class="moz-text-flowed" style="font-family: -moz-fixed; font-size: 14px;" lang="x-unicode">Hi,
<br>
<br>On 7/13/21 at 3:56 PM, Giulio wrote:
<br><blockquote type=cite style="color: #007cff;">Hi,
<br>
<br>On 29/06/2021 03:31, Marek Marczykowski-Górecki wrote:
<br><blockquote type=cite style="color: #007cff;">Yes, preparing rules in firewall.py sounds like a good idea. A new
<br>function is a good idea too. But note that for 'external' rules you need
<br>to apply them at several places (sys-net, sys-firewall etc). They won't
<br>necessarily be the same.
<br>I'd recommend getting an example, and writing down all the rules that
<br>should be applied, in all related VMs (specific iptables/nft commands).
<br>You have mostly done this part already.
<br>This part you can also test manually - really add those rules
<br>manually and check if everything works as it should. This way you ensure
<br>the rule set is sufficient.
<br>
<br>Then, write down QubesDB entries that describe them - carefully matching
<br>which information in the rule is built from which information in the qdb
<br>entry.
<br>With that information, you know what qdb entries you need to produce for
<br>each VM, and it should be easier to design this extra function/functions -
<br>especially, you'll see what input data such a function needs and how many
<br>different rules it needs to return.
<br>
<br></blockquote>
<br>I tried writing a possible implementation to see how it could work and
<br>also to get some initial feedback. Since in the past week I had no access
<br>to my test machine, I just fixed the last things today and it seems that
<br>overall the implemented parts are working (up to writing the rules with
<br>the correct IPs in the appropriate agent databases).
<br>
<br>Here are the repositories: <a class="moz-txt-link-freetext" href="https://git.lsd.cat/Qubes">https://git.lsd.cat/Qubes</a>
<br>
<br>Here is a list of what has yet to be done:
<br>1) Lots of testing and writing tests
<br>2) Any modification to the agent (such as applying the rules)
<br>3) "srchost" parameter support
<br>4) GUI
<br>5) Find a way to display the chain of rules in the qvm-firewall of every
<br>VM involved, since as of now it is displayed only in the VM for which the
<br>rule was set
<br>
<br>Here is a list of what should work:
<br>1) Adding and deleting forward rules, both internal and external, via
<br>qvm-firewall. Also basic checks of the consistency of rules and required
<br>options should be in place
<br>2) Display of forward rules via qvm-firewall
<br>3) Persistence and resume of forward rules in firewall.xml
<br>4) Correct distribution of the required rules in the network chain in net.py
<br>
<br>
<br>Overall I tried getting the most possible from already existing code in
<br>order not to change the style and to introduce as few changes as possible.
<br>Without having you correct the code step by step, before going forward
<br>with the agent I would like to have feedback on whether the coding style seems
<br>consistent enough with yours and especially whether the implementation in
<br>net.py of the distribution of the rules matches your expectations.
<br>
<br>My changes are only in core-admin and core-admin-client for now.
<br>
<br>Cheers
<br>Giulio
<br></blockquote>
<br>I will have a look at your work, probably in the afternoon.
<br>
<br>Just a question: any reason for hosting your work elsewhere than on GitHub? For example, it would be easier for us to review your code directly on GitHub (adding comments, tracking progress easily, etc.). Also, I've briefly checked, and a good practice is not to work on the master branch directly. I encourage you to use a separate branch named as you want.
<br>
<br>Best regards,
<br>Frédéric
<br>
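<br>The following is an added example, not code from Giulio's repositories or from Qubes OS itself. It sketches the procedure Marek describes in the quoted message: one forward rule is expanded into the nft rules each VM in the chain needs, the same information is written out as QubesDB-style entries, and a VM-side reconstruction shows that each field of a generated rule is built from exactly one qdb field. The VM names, IP addresses, interface names, the /qubes-forward/&lt;id&gt;/ path layout and the ForwardRule and Hop types are constructed assumptions for illustration, not the real Qubes layout.

```python
"""Per-VM forward-rule generator with a QubesDB-style round trip (hypothetical).

Everything here is constructed for illustration: the ForwardRule/Hop shapes,
the VM names and addresses, and the /qubes-forward/<id>/ qdb path layout are
assumptions, not the real Qubes OS data model.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ForwardRule:
    """One port-forward rule as a user would state it (hypothetical shape)."""
    proto: str                      # "tcp" or "udp"
    dstport: int                    # port exposed at the first hop
    external: bool                  # True: traffic enters on sys-net's uplink
    srchost: Optional[str] = None   # optional source restriction, CIDR notation


@dataclass(frozen=True)
class Hop:
    """One VM the forwarded flow crosses, in order (constructed data)."""
    name: str
    ip: str       # address the previous hop DNATs to (unused for the first hop)
    iface: str    # interface on which the flow arrives in this VM


def validate(rule: ForwardRule) -> None:
    """Consistency checks on a rule before any per-VM rules are derived."""
    if rule.proto not in ("tcp", "udp"):
        raise ValueError(f"unsupported protocol {rule.proto!r}")
    if not 1 <= rule.dstport <= 65535:
        raise ValueError(f"port out of range: {rule.dstport}")
    if rule.srchost is not None and "/" not in rule.srchost:
        raise ValueError("srchost must be written as a CIDR, e.g. 192.0.2.0/24")


def _match(proto: str, dstport, iface: str, srchost: Optional[str]) -> str:
    """Common nft match expression shared by every rule of one VM."""
    src = f" ip saddr {srchost}" if srchost else ""
    return f"iifname {iface}{src} {proto} dport {dstport}"


def _rules(match: str, dnat_to: Optional[str], dstport) -> list[str]:
    """Intermediate hops DNAT and forward; the last hop only accepts on input."""
    if dnat_to is None:
        return [f"add rule ip filter input {match} accept"]
    return [
        f"add rule ip nat prerouting {match} dnat to {dnat_to}:{dstport}",
        f"add rule ip filter forward {match} ip daddr {dnat_to} accept",
    ]


def nft_rules_for_chain(rule: ForwardRule, chain: list[Hop]) -> dict[str, list[str]]:
    """Return {vm name: [nft rule, ...]} for every VM the forwarded flow crosses."""
    validate(rule)
    if rule.external and chain[0].name != "sys-net":
        raise ValueError("an external rule must start at sys-net")
    out: dict[str, list[str]] = {}
    for i, hop in enumerate(chain):
        nxt = chain[i + 1].ip if i + 1 < len(chain) else None
        match = _match(rule.proto, rule.dstport, hop.iface, rule.srchost)
        out[hop.name] = _rules(match, nxt, rule.dstport)
    return out


def qdb_entries(rule: ForwardRule, chain: list[Hop], rule_id: str) -> dict[str, dict[str, str]]:
    """QubesDB-style entries per VM under a constructed /qubes-forward/<id>/ prefix.

    Each VM receives exactly the fields its agent needs to rebuild its own
    nft rules, and nothing about the other hops.
    """
    validate(rule)
    entries: dict[str, dict[str, str]] = {}
    for i, hop in enumerate(chain):
        fields = {"proto": rule.proto, "dstport": str(rule.dstport), "iif": hop.iface}
        if i + 1 < len(chain):
            fields["dnat"] = chain[i + 1].ip
        if rule.srchost:
            fields["srchost"] = rule.srchost
        entries[hop.name] = {f"/qubes-forward/{rule_id}/{k}": v for k, v in fields.items()}
    return entries


def nft_rules_from_qdb(vm_entries: dict[str, str]) -> list[str]:
    """What a VM-side agent would do: rebuild its nft rules from its qdb entries alone."""
    f = {path.rsplit("/", 1)[1]: val for path, val in vm_entries.items()}
    match = _match(f["proto"], f["dstport"], f["iif"], f.get("srchost"))
    return _rules(match, f.get("dnat"), f["dstport"])


# Constructed sample chain: uplink -> sys-net -> sys-firewall -> "work" qube.
SAMPLE_CHAIN = [
    Hop("sys-net", "198.51.100.10", "eth0"),
    Hop("sys-firewall", "10.137.0.6", "eth0"),
    Hop("work", "10.137.0.20", "eth0"),
]


def demo() -> bool:
    """Round trip: rules derived directly equal the rules rebuilt from qdb entries."""
    rule = ForwardRule("tcp", 8080, external=True, srchost="192.0.2.0/24")
    direct = nft_rules_for_chain(rule, SAMPLE_CHAIN)
    via_qdb = {vm: nft_rules_from_qdb(e) for vm, e in qdb_entries(rule, SAMPLE_CHAIN, "r1").items()}
    return direct == via_qdb


if __name__ == "__main__":
    for vm, rules in nft_rules_for_chain(ForwardRule("tcp", 8080, True), SAMPLE_CHAIN).items():
        print(vm, *rules, sep="\n  ")
```

Running the script prints the rule set per VM for one external rule; `demo()` performs the check Marek suggests doing by hand, namely that the qdb entries carry enough information for every VM to rebuild exactly the rules that were written down for it. The sketch deliberately gives the last hop only an input accept and every earlier hop a DNAT plus a forward accept, which is what makes the number of rules returned per VM differ along the chain.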
<br></div></body>
</html>