20210629-Re_GSoC Port Forwarding-13756.html 6.6 KB

<html>
<head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<title>Re: GSoC Port Forwarding</title>
<link rel="important stylesheet" href="">
<style>div.headerdisplayname {font-weight:bold;}
</style></head>
<body>
<table border=0 cellspacing=0 cellpadding=0 width="100%" class="header-part1"><tr><td><div class="headerdisplayname" style="display:inline;">Subject: </div>Re: GSoC Port Forwarding</td></tr><tr><td><div class="headerdisplayname" style="display:inline;">From: </div>Marek Marczykowski-Górecki &lt;marmarek@invisiblethingslab.com&gt;</td></tr><tr><td><div class="headerdisplayname" style="display:inline;">Date: </div>29/06/2021, 03:31</td></tr></table><table border=0 cellspacing=0 cellpadding=0 width="100%" class="header-part2"><tr><td><div class="headerdisplayname" style="display:inline;">To: </div>Giulio &lt;giulio@gmx.com&gt;</td></tr><tr><td><div class="headerdisplayname" style="display:inline;">CC: </div>Frédéric Pierret &lt;frederic.pierret@qubes-os.org&gt;</td></tr></table><br>
<div class="moz-text-plain" wrap=true graphical-quote=true style="font-family: -moz-fixed; font-size: 14px;" lang="x-unicode"><pre wrap class="moz-quote-pre">
On Mon, Jun 28, 2021 at 10:46:59PM +0200, Giulio wrote:
</pre><blockquote type=cite style="color: #007cff;"><pre wrap class="moz-quote-pre">
<span class="moz-txt-citetags">&gt; </span>On 6/23/21 11:11 PM, Marek Marczykowski-Górecki wrote:
</pre><blockquote type=cite style="color: #007cff;"><pre wrap class="moz-quote-pre">
<span class="moz-txt-citetags">&gt; &gt; </span>On Wed, Jun 23, 2021 at 04:37:20PM +0200, Giulio wrote:
</pre><blockquote type=cite style="color: #007cff;"><pre wrap class="moz-quote-pre">
<span class="moz-txt-citetags">&gt; &gt; &gt; </span>Hello,
<span class="moz-txt-citetags">&gt; &gt; &gt; </span>thank you again for your time and the explanations, as well as the
<span class="moz-txt-citetags">&gt; &gt; &gt; </span>network graph. I have now a better understanding of the overall design
<span class="moz-txt-citetags">&gt; &gt; &gt; </span>and I am moving myself through the source code in order to think what to
<span class="moz-txt-citetags">&gt; &gt; &gt; </span>place where.
<span class="moz-txt-citetags">&gt; &gt; &gt; </span>
<span class="moz-txt-citetags">&gt; &gt; &gt; </span>So, in order to translate what we discussed in practice and also check
<span class="moz-txt-citetags">&gt; &gt; &gt; </span>my understanding of the code so far:
<span class="moz-txt-citetags">&gt; &gt; &gt; </span>
<span class="moz-txt-citetags">&gt; &gt; &gt; </span>1) In core-admin-client/qubesadmin/firewall.py -&gt; The code
<span class="moz-txt-citetags">&gt; &gt; &gt; </span>needs to support the new options for the rule (action=forward
<span class="moz-txt-citetags">&gt; &gt; &gt; </span>forwardtype=&lt;internal/external&gt; srcports=443-443 srchosts=0.0.0.0/0)
<span class="moz-txt-citetags">&gt; &gt; &gt; </span>2) In core-admin/qubes/firewall.py -&gt; The code needs to support the same
<span class="moz-txt-citetags">&gt; &gt; &gt; </span>options as the point above
<span class="moz-txt-citetags">&gt; &gt; &gt; </span>3) In core-admin/qubes/vm/mix/net.py -&gt; The most important logic goes
<span class="moz-txt-citetags">&gt; &gt; &gt; </span>here. Here there is the need to resolve the full network chain for
<span class="moz-txt-citetags">&gt; &gt; &gt; </span>external port forwarding. From here it is possible to add the respective
<span class="moz-txt-citetags">&gt; &gt; &gt; </span>rules to the QubesDB of each netvm in the chain and trigger a reload event.
<span class="moz-txt-citetags">&gt; &gt; &gt; </span>4) in core-agent-linux/qubesagent/firewall.py -&gt; Here goes the logic for
<span class="moz-txt-citetags">&gt; &gt; &gt; </span>building the correct syntax for iptables or nft and the actual execution
<span class="moz-txt-citetags">&gt; &gt; &gt; </span>
<span class="moz-txt-citetags">&gt; &gt; &gt; </span>Does it make sense for you?
</pre></blockquote><pre wrap class="moz-quote-pre">
<span class="moz-txt-citetags">&gt; &gt; </span>
<span class="moz-txt-citetags">&gt; &gt; </span>Yes, I think you got this perfectly correct.
<span class="moz-txt-citetags">&gt; &gt; </span>
</pre></blockquote><pre wrap class="moz-quote-pre">
<span class="moz-txt-citetags">&gt; </span>
<span class="moz-txt-citetags">&gt; </span>I am at a good stage with 1 and 2. In 3, I am still thinking about some
<span class="moz-txt-citetags">&gt; </span>design choices. I have written the function to resolve the network
<span class="moz-txt-citetags">&gt; </span>'path', however I am trying to figure out which one is the most
<span class="moz-txt-citetags">&gt; </span>appropriate way of inserting the forward rule(s) in each vm in the
<span class="moz-txt-citetags">&gt; </span>chain. I feel like no parsing of the rules should be done in net.py
<span class="moz-txt-citetags">&gt; </span>since it would be out of place and not fit well within the rest of the
<span class="moz-txt-citetags">&gt; </span>code. Thus the rules should be provided to net.py already separated and
<span class="moz-txt-citetags">&gt; </span>sorted in some way. My idea as of now is to add a 'qdb_forward_entries'
<span class="moz-txt-citetags">&gt; </span>function, returning a dict of lists for 'internal' and 'external' rules
<span class="moz-txt-citetags">&gt; </span>in firewall.py. It would be trivial to process the information in
<span class="moz-txt-citetags">&gt; </span>net.py. What do you think about that?
</pre></blockquote><pre wrap class="moz-quote-pre">
Yes, preparing rules in firewall.py sounds like a good idea. A new
function is a good idea too. But note that for 'external' rules you need
to apply them at several places (sys-net, sys-firewall etc). They won't
necessarily be the same.
I'd recommend getting an example, and writing down all the rules that
should be applied, in all related VMs (specific iptables/nft commands).
You have mostly done this part already.
This part you can also test manually - really add those rules
manually and check if everything works as it should. This way you ensure
the rule set is sufficient.
Then, write down QubesDB entries that describe them - carefully matching
which information in the rule is built from which information in qdb
entry.
With that information, you know what qdb entries you need to produce for
each VM, and it should be easier to design this extra function/functions -
especially, you'll see what input data such function needs and how many
different rules it needs to return.
<div class="moz-txt-sig">--
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
</div></pre></div></body>
</html>
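The 'qdb_forward_entries' idea discussed in the thread, as an added Python sketch written for this page (not code from qubes-core-admin or from either correspondent): it parses the rule syntax quoted above (action=forward forwardtype=... srcports=... srchosts=...), rejects malformed input before anything reaches a netvm, and splits the rules into 'internal' and 'external' lists. The QubesDB key layout and the function names are assumptions; the per-netvm expansion Marek describes for 'external' rules is not included.

```python
"""Sketch of a qdb_forward_entries() helper for Qubes forward rules.

Example code for this page, not qubes-core-admin's implementation.
The rule syntax follows the thread; the qdb key layout is an assumption.
"""
import ipaddress
from dataclasses import dataclass

FORWARD_TYPES = ("internal", "external")


@dataclass(frozen=True)
class ForwardRule:
    forwardtype: str                 # 'internal' or 'external'
    srcports: tuple                  # (low, high), inclusive
    srchosts: ipaddress.IPv4Network  # source hosts allowed to reach the port


def parse_forward_rule(text):
    """Parse one 'key=value ...' rule string into a ForwardRule.

    Raises ValueError for non-forward rules, unknown forwardtype values,
    inverted or out-of-range ports and invalid CIDRs, so that only
    well-formed rules are ever turned into qdb entries.
    """
    opts = dict(item.split("=", 1) for item in text.split())
    if opts.get("action") != "forward":
        raise ValueError("not a forward rule: %r" % text)
    ftype = opts.get("forwardtype")
    if ftype not in FORWARD_TYPES:
        raise ValueError("bad forwardtype: %r" % ftype)
    low, _, high = opts.get("srcports", "").partition("-")
    low, high = int(low), int(high or low)   # '443' means '443-443'
    if not 1 <= low <= high <= 65535:
        raise ValueError("bad port range: %r" % opts.get("srcports"))
    hosts = ipaddress.IPv4Network(opts.get("srchosts", "0.0.0.0/0"))
    return ForwardRule(ftype, (low, high), hosts)


def qdb_forward_entries(rule_texts):
    """Return {'internal': [...], 'external': [...]} of (key, value) entries.

    The '/qubes-firewall-forward/<type>/<index>' key layout is an assumption
    made for this sketch, not the layout used by Qubes.
    """
    out = {"internal": [], "external": []}
    for idx, rule in enumerate(map(parse_forward_rule, rule_texts)):
        key = "/qubes-firewall-forward/%s/%04d" % (rule.forwardtype, idx)
        value = "srcports=%d-%d srchosts=%s" % (*rule.srcports, rule.srchosts)
        out[rule.forwardtype].append((key, value))
    return out
```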