<html>
<head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<title>Re: GSoC Port Forwarding</title>
<link rel="important stylesheet" href="">
<style>div.headerdisplayname {font-weight:bold;}
</style></head>
<body>
<table border=0 cellspacing=0 cellpadding=0 width="100%" class="header-part1"><tr><td><div class="headerdisplayname" style="display:inline;">Subject: </div>Re: GSoC Port Forwarding</td></tr><tr><td><div class="headerdisplayname" style="display:inline;">From: </div>Giulio &lt;giulio@gmx.com&gt;</td></tr><tr><td><div class="headerdisplayname" style="display:inline;">Date: </div>13/07/2021, 15:56</td></tr></table><table border=0 cellspacing=0 cellpadding=0 width="100%" class="header-part2"><tr><td><div class="headerdisplayname" style="display:inline;">To: </div>Marek Marczykowski-Górecki &lt;marmarek@invisiblethingslab.com&gt;</td></tr><tr><td><div class="headerdisplayname" style="display:inline;">CC: </div>Frédéric Pierret &lt;frederic.pierret@qubes-os.org&gt;</td></tr></table><br>
<div class="moz-text-flowed" style="font-family: -moz-fixed; font-size: 14px;" lang="x-unicode">Hi,
<br>
<br>On 29/06/2021 03:31, Marek Marczykowski-Górecki wrote:
<br><blockquote type=cite style="color: #007cff;">Yes, preparing rules in firewall.py sounds like a good idea. A new
<br>function is a good idea too. But note that for 'external' rules you need
<br>to apply them at several places (sys-net, sys-firewall etc). They won't
<br>necessarily be the same.
<br>I'd recommend getting an example, and writing down all the rules that
<br>should be applied, in all related VMs (specific iptables/nft commands).
<br>You have mostly done this part already.
<br>This part you can also test manually - really add those rules
<br>manually and check if everything works as it should. This way you ensure
<br>the rule set is sufficient.
<br>
<br>Then, write down QubesDB entries that describe them - carefully matching
<br>which information in the rule is built from which information in qdb
<br>entry.
<br>With that information, you know what qdb entries you need to produce for
<br>each VM, and it should be easier to design this extra function/functions -
<br>especially, you'll see what input data such function needs and how many
<br>different rules it needs to return.
<br>
<br></blockquote>
<br>I tried writing a possible implementation to see how it could work and
also to get some initial feedback. Since in the past week I had no access
to my test machine, I just fixed the last things today and it seems that
overall the implemented parts are working (up to writing the rules with
the correct IPs in the appropriate agent databases).
<br>
<br>Here are the repositories <a class="moz-txt-link-freetext" href="https://git.lsd.cat/Qubes">https://git.lsd.cat/Qubes</a>
<br>
<br>Here is a list of what has yet to be done:
<br>1) Lots of testing and writing tests
<br>2) Any modification to the agent (such as applying the rules)
<br>3) "srchost" parameter support
<br>4) GUI
<br>5) Find a way to display the chain of rules in the qvm-firewall of every
VM involved since as of now it is displayed only in the VM for which the
rule was set
<br>
<br>Here is a list of what should work:
<br>1) Adding and deleting forward rules, both internal and external, via
qvm-firewall. Also basic checks of the consistency of rules and required
options should be in place
<br>2) Display of forward rules via qvm-firewall
<br>3) Persistence and resume of forward rules in firewall.xml
<br>4) Correct distribution of the required rules in the network chain in net.py
<br>
<br>
<br>Overall I tried to get the most possible out of the already existing code in
order not to change the style and to introduce as few changes as possible.
<br>Without having you correct the code step by step, before going forward
with the agent I would like to have feedback on whether the coding style seems
consistent enough with yours and especially whether the implementation in
net.py of the distribution of the rules matches your expectations.
<br>
<br>My changes are only in core-admin and core-admin-client for now.
<br>
<br>Cheers
<br>Giulio
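<br>
<br>The point raised above, that an 'external' forward rule must be applied in every VM of the network chain while the target VM only accepts the port, as an added illustration that is neither Giulio's nor Qubes' code. The VM names, the IP addresses and the entry format are constructed for this model; the real qdb key layout is not shown on this page.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass(frozen=True)
class VM:
    name: str
    ip: str               # address of this VM on its netvm's side (constructed values)
    netvm: Optional[str]  # upstream VM; None for the VM holding the external interface

@dataclass(frozen=True)
class ForwardRule:
    target: str      # VM that should receive the forwarded traffic
    proto: str
    dstport: int
    external: bool   # True: reachable from outside via sys-net; False: from the netvm's other clients

# Constructed sample chain: work -> sys-firewall -> sys-net
SAMPLE_VMS = {
    "sys-net": VM("sys-net", "192.0.2.10", None),
    "sys-firewall": VM("sys-firewall", "10.137.0.2", "sys-net"),
    "work": VM("work", "10.137.0.7", "sys-firewall"),
}

def chain_to_root(vms: Dict[str, VM], name: str) -> List[VM]:
    """VMs from `name` upstream to the one without a netvm, target first."""
    path = []
    while name is not None:
        path.append(vms[name])
        name = vms[name].netvm
    return path

def distribute(vms: Dict[str, VM], rule: ForwardRule) -> Dict[str, List[str]]:
    """Map each VM to the qdb-style entries it must receive (entry format is hypothetical).
    Every VM between the entry point and the target gets one forward entry pointing at the
    next VM downstream; the target itself only needs to accept the port."""
    path = chain_to_root(vms, rule.target)
    if not rule.external:
        path = path[:2]  # internal forward: only the target and its direct netvm are involved
    entries: Dict[str, List[str]] = {}
    for hop, downstream in zip(path[1:], path[:-1]):
        entries.setdefault(hop.name, []).append(
            f"action=forward proto={rule.proto} dstport={rule.dstport} to={downstream.ip}")
    entries.setdefault(rule.target, []).append(
        f"action=accept proto={rule.proto} dstport={rule.dstport}")
    return entries

if __name__ == "__main__":
    for vm, rules in distribute(SAMPLE_VMS, ForwardRule("work", "tcp", 8080, True)).items():
        print(vm, rules)
```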
<br></div></body>
</html>