<html>
<head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<title>Re: GSoC Port Forwarding</title>
<link rel="important stylesheet" href="">
<style>div.headerdisplayname {font-weight:bold;}
</style></head>
<body>
<table border=0 cellspacing=0 cellpadding=0 width="100%" class="header-part1"><tr><td><div class="headerdisplayname" style="display:inline;">Subject: </div>Re: GSoC Port Forwarding</td></tr><tr><td><div class="headerdisplayname" style="display:inline;">From: </div>Giulio <giulio@gmx.com></td></tr><tr><td><div class="headerdisplayname" style="display:inline;">Date: </div>13/07/2021, 15:56</td></tr></table><table border=0 cellspacing=0 cellpadding=0 width="100%" class="header-part2"><tr><td><div class="headerdisplayname" style="display:inline;">To: </div>Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com></td></tr><tr><td><div class="headerdisplayname" style="display:inline;">CC: </div>Frédéric Pierret <frederic.pierret@qubes-os.org></td></tr></table><br>
<div class="moz-text-flowed" style="font-family: -moz-fixed; font-size: 14px;" lang="x-unicode">Hi,
<br>
<br>On 29/06/2021 03:31, Marek Marczykowski-Górecki wrote:
<br><blockquote type=cite style="color: #007cff;">Yes, preparing rules in firewall.py sounds like a good idea. A new
<br>function is a good idea too. But note that for 'external' rules you need
<br>to apply them at several places (sys-net, sys-firewall etc.). They won't
<br>necessarily be the same.
<br>I'd recommend getting an example, and writing down all the rules that
<br>should be applied, in all related VMs (specific iptables/nft commands).
<br>You have mostly done this part already.
<br>This part you can also test manually - really add those rules
<br>manually and check if everything works as it should. This way you ensure
<br>the rule set is sufficient.
<br>
<br>Then, write down QubesDB entries that describe them - carefully matching
<br>which information in the rule is built from which information in the qdb
<br>entry.
<br>With that information, you know what qdb entries you need to produce for
<br>each VM, and it should be easier to design this extra function/functions -
<br>especially, you'll see what input data such a function needs and how many
<br>different rules it needs to return.
<br>
<br></blockquote>
<br>I tried writing a possible implementation to see how it could work and
also to get some initial feedback. Since in the past week I had no access
to my test machine, I just fixed the last things today, and it seems that
overall the implemented parts are working (up to writing the rules with
the correct IPs in the appropriate agent databases).
<br>
<br>Here are the repositories: <a class="moz-txt-link-freetext" href="https://git.lsd.cat/Qubes">https://git.lsd.cat/Qubes</a>
<br>
<br>Here is a list of what has yet to be done:
<br>1) Lots of testing and writing tests
<br>2) Any modification to the agent (such as applying the rules)
<br>3) "srchost" parameter support
<br>4) GUI
<br>5) Find a way to display the chain of rules in the qvm-firewall of every
VM involved, since as of now it is displayed only in the VM for which the
rule was set
<br>
<br>Here is a list of what should work:
<br>1) Adding and deleting forward rules, both internal and external, via
qvm-firewall. Basic checks of the consistency of rules and required
options should also be in place
<br>2) Display of forward rules via qvm-firewall
<br>3) Persistence and resume of forward rules in firewall.xml
<br>4) Correct distribution of the required rules in the network chain in net.py
<br>
<br>
<br>Overall I tried to get the most possible out of already existing code, in
order not to change the style and to introduce as few changes as possible.
<br>Without having you correct the code step by step, before going forward
with the agent I would like to have feedback on whether the coding style seems
consistent enough with yours and especially whether the implementation in
net.py of the distribution of the rules matches your expectations.
<br>
<br>My changes are only in core-admin and core-admin-client for now.
<br>
<br>Cheers
<br>Giulio
<br></div></body>
</html>