53 lines
3.4 KiB
HTML
Executable File
53 lines
3.4 KiB
HTML
Executable File
<html>
|
|
<head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
|
|
<title>Re: GSoC Port Forwarding</title>
|
|
<link rel="important stylesheet" href="">
|
|
<style>div.headerdisplayname {font-weight:bold;}
|
|
</style></head>
|
|
<body>
|
|
<table border=0 cellspacing=0 cellpadding=0 width="100%" class="header-part1"><tr><td><div class="headerdisplayname" style="display:inline;">Oggetto: </div>Re: GSoC Port Forwarding</td></tr><tr><td><div class="headerdisplayname" style="display:inline;">Mittente: </div>Giulio <giulio@gmx.com></td></tr><tr><td><div class="headerdisplayname" style="display:inline;">Data: </div>28/06/2021, 22:46</td></tr></table><table border=0 cellspacing=0 cellpadding=0 width="100%" class="header-part2"><tr><td><div class="headerdisplayname" style="display:inline;">A: </div>Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com></td></tr><tr><td><div class="headerdisplayname" style="display:inline;">CC: </div>Frédéric Pierret <frederic.pierret@qubes-os.org></td></tr></table><br>
|
|
<div class="moz-text-flowed" style="font-family: -moz-fixed; font-size: 14px;" lang="x-unicode">On 6/23/21 11:11 PM, Marek Marczykowski-Górecki wrote:
|
|
<br><blockquote type=cite style="color: #007cff;">On Wed, Jun 23, 2021 at 04:37:20PM +0200, Giulio wrote:
|
|
<br><blockquote type=cite style="color: #007cff;">Hello,
|
|
<br>thank you again for your time and the explanations, as well as the
|
|
<br>network graph. I have now a better understanding of the overall design
|
|
<br>and I am moving myself trhough the source code in order to think what to
|
|
<br>place where.
|
|
<br>
|
|
<br>So, in order to translate what we discussed in practice and also check
|
|
<br>my understanding of the code so far:
|
|
<br>
|
|
<br>1) In core-admin-client/qubesadmin/firewall.py firewall.py > The code
|
|
<br>needs to support the new options for the rule (action=forward
|
|
<br>frowardtype=<internal/external> srcports=443-443 srchosts=0.0.0.0/0
|
|
<br>2) In core-admin/qubes/firewall.py -> The code needs to support the same
|
|
<br>options as the point above
|
|
<br>3) In core-admin/qubes/vm/mix/net.py -> The most important logic goes
|
|
<br>here. Here there is the need to resolve the full network chain for
|
|
<br>external port forwarding. From here it is possible to add the respective
|
|
<br>rules to the QubesDB of each netvm in he chain and trigger a reload event.
|
|
<br>4) in core-agent-linux/qubesagent/firewall.py -> Here goes the logic for
|
|
<br>building the correct syntax for iptables or nft and the actual execution
|
|
<br>
|
|
<br>Does it makes sense for you?
|
|
<br></blockquote>
|
|
<br>Yes, I think you got this perfectly correct.
|
|
<br>
|
|
<br></blockquote>
|
|
<br>I am at a good stage with 1 and 2. In 3, I am still thinking about some
|
|
design choices. I have written the function to resolve the network
|
|
'path', however I am trying to figure out which one is the most
|
|
appropriate way of inserting the forward rule(s) in each vm in the
|
|
chain. I feel like no parsing of the rules should be done in net.py
|
|
since it would be out of place and not fit well within the rest of the
|
|
code. Thus the rules should be provided to net.py already separated and
|
|
sorted in some way. My idea as of now is to add a 'qdb_forward_entries'
|
|
function, returning a dict of lists for 'internal' and 'external' rules
|
|
in firewall.py. It would be the trivial to process the information in
|
|
net.py. What do you think about that?
|
|
<br>
|
|
<br>Cheers
|
|
<br>Giulio
|
|
<br></div></body>
|
|
</html>
|
|
</table></div> |