<html>
<head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<title>Re: GSoC Port Forwarding</title>
<link rel="important stylesheet" href="">
<style>div.headerdisplayname {font-weight:bold;}
</style></head>
<body>
<table border=0 cellspacing=0 cellpadding=0 width="100%" class="header-part1"><tr><td><div class="headerdisplayname" style="display:inline;">Subject: </div>Re: GSoC Port Forwarding</td></tr><tr><td><div class="headerdisplayname" style="display:inline;">From: </div>Giulio &lt;giulio@gmx.com&gt;</td></tr><tr><td><div class="headerdisplayname" style="display:inline;">Date: </div>28/06/2021, 22:46</td></tr></table><table border=0 cellspacing=0 cellpadding=0 width="100%" class="header-part2"><tr><td><div class="headerdisplayname" style="display:inline;">To: </div>Marek Marczykowski-Górecki &lt;marmarek@invisiblethingslab.com&gt;</td></tr><tr><td><div class="headerdisplayname" style="display:inline;">CC: </div>Frédéric Pierret &lt;frederic.pierret@qubes-os.org&gt;</td></tr></table><br>
<div class="moz-text-flowed" style="font-family: -moz-fixed; font-size: 14px;" lang="x-unicode">On 6/23/21 11:11 PM, Marek Marczykowski-Górecki wrote:
<br><blockquote type=cite style="color: #007cff;">On Wed, Jun 23, 2021 at 04:37:20PM +0200, Giulio wrote:
<br><blockquote type=cite style="color: #007cff;">Hello,
<br>thank you again for your time and the explanations, as well as the
<br>network graph. I have now a better understanding of the overall design
<br>and I am moving myself through the source code in order to think what to
<br>place where.
<br>
<br>So, in order to translate what we discussed in practice and also check
<br>my understanding of the code so far:
<br>
<br>1) In core-admin-client/qubesadmin/firewall.py -&gt; The code
<br>needs to support the new options for the rule (action=forward
<br>forwardtype=&lt;internal/external&gt; srcports=443-443 srchosts=0.0.0.0/0)
<br>2) In core-admin/qubes/firewall.py -&gt; The code needs to support the same
<br>options as the point above
<br>3) In core-admin/qubes/vm/mix/net.py -&gt; The most important logic goes
<br>here. Here there is the need to resolve the full network chain for
<br>external port forwarding. From here it is possible to add the respective
<br>rules to the QubesDB of each netvm in the chain and trigger a reload event.
<br>4) in core-agent-linux/qubesagent/firewall.py -&gt; Here goes the logic for
<br>building the correct syntax for iptables or nft and the actual execution
<br>
<br>Does it make sense for you?
<br></blockquote>
<br>Yes, I think you got this perfectly correct.
<br>
<br></blockquote>
<br>I am at a good stage with 1 and 2. In 3, I am still thinking about some
design choices. I have written the function to resolve the network
'path', however I am trying to figure out which one is the most
appropriate way of inserting the forward rule(s) in each vm in the
chain. I feel like no parsing of the rules should be done in net.py
since it would be out of place and not fit well within the rest of the
code. Thus the rules should be provided to net.py already separated and
sorted in some way. My idea as of now is to add a 'qdb_forward_entries'
function, returning a dict of lists for 'internal' and 'external' rules
in firewall.py. It would then be trivial to process the information in
net.py. What do you think about that?
<br>
<br>Cheers
<br>Giulio
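<br>
<br>Added illustration, not part of this e-mail and not Qubes OS code: a hypothetical qdb_forward_entries() in the shape proposed above, taking rule objects with the four options listed in point 1 (action, forwardtype, srcports, srchosts), validating each value and returning the dict of lists keyed by 'internal' and 'external'. ForwardRule, parse_port_range and the sample rules are assumptions constructed here; the destination fields a forward rule would also need are not on the page and are left out. Validation happens before anything is written to QubesDB, so a malformed port range or CIDR never reaches the nft/iptables step in the agent (point 4).

```python
# Added illustration, not Qubes OS code: a hypothetical qdb_forward_entries()
# that separates and validates forward rules before they reach QubesDB.
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class ForwardRule:
    """The four rule options named in the e-mail; destination fields are
    deliberately left out because the page does not specify them."""
    action: str       # e.g. "forward"
    forwardtype: str  # "internal" or "external"
    srcports: str     # "443-443" or a single port such as "8080"
    srchosts: str     # source network in CIDR notation, e.g. "0.0.0.0/0"


def parse_port_range(spec: str) -> Tuple[int, int]:
    """Parse 'lo-hi' (or 'port') into ints and reject anything a firewall
    backend would choke on: non-numeric text, ports outside 1..65535, or a
    reversed range."""
    parts = spec.split("-")
    if len(parts) not in (1, 2) or not all(p.isdigit() for p in parts):
        raise ValueError("bad srcports: %r" % spec)
    lo = int(parts[0])
    hi = int(parts[-1])
    if not 1 <= lo <= hi <= 65535:
        raise ValueError("bad srcports: %r" % spec)
    return lo, hi


def qdb_forward_entries(rules: List[ForwardRule]) -> Dict[str, List[dict]]:
    """Return {'internal': [...], 'external': [...]} containing only validated
    forward rules, each list sorted by source port, so that net.py can process
    the entries without parsing anything itself."""
    entries: Dict[str, List[dict]] = {"internal": [], "external": []}
    for rule in rules:
        if rule.action != "forward":
            continue  # ordinary accept/drop rules are not forwarding entries
        if rule.forwardtype not in entries:
            raise ValueError("unknown forwardtype: %r" % rule.forwardtype)
        lo, hi = parse_port_range(rule.srcports)
        # strict=True rejects "10.137.0.5/24" (host bits set), which would
        # otherwise be silently widened to the whole /24.
        net = ipaddress.ip_network(rule.srchosts, strict=True)
        entries[rule.forwardtype].append(
            {"srcports": (lo, hi), "srchosts": str(net)}
        )
    for lst in entries.values():
        lst.sort(key=lambda entry: entry["srcports"])
    return entries


# Constructed sample input, not taken from any real Qubes configuration.
SAMPLE_RULES = [
    ForwardRule("forward", "external", "443-443", "0.0.0.0/0"),
    ForwardRule("forward", "internal", "8080", "10.137.0.0/24"),
    ForwardRule("forward", "external", "22-22", "192.0.2.0/24"),
    ForwardRule("accept", "external", "80", "0.0.0.0/0"),
]

if __name__ == "__main__":
    print(qdb_forward_entries(SAMPLE_RULES))
```

Running the block prints the two lists; the 'accept' rule is dropped because it is not a forward, and a rule such as srchosts=10.137.0.5/24 or srcports=500-400 raises ValueError instead of producing an entry.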
<br></div></body>
</html>