<html>
<head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<title>Re: GSoC Port Forwarding</title>
<link rel="important stylesheet" href="">
<style>div.headerdisplayname {font-weight:bold;}
</style></head>
<body>
<table border=0 cellspacing=0 cellpadding=0 width="100%" class="header-part1"><tr><td><div class="headerdisplayname" style="display:inline;">Subject: </div>Re: GSoC Port Forwarding</td></tr><tr><td><div class="headerdisplayname" style="display:inline;">From: </div>Marek Marczykowski-Górecki &lt;marmarek@invisiblethingslab.com&gt;</td></tr><tr><td><div class="headerdisplayname" style="display:inline;">Date: </div>14/08/2021, 23:43</td></tr></table><table border=0 cellspacing=0 cellpadding=0 width="100%" class="header-part2"><tr><td><div class="headerdisplayname" style="display:inline;">To: </div>Giulio &lt;giulio@gmx.com&gt;</td></tr><tr><td><div class="headerdisplayname" style="display:inline;">CC: </div>Frédéric Pierret &lt;frederic.pierret@qubes-os.org&gt;</td></tr></table><br>
<div class="moz-text-plain" wrap=true graphical-quote=true style="font-family: -moz-fixed; font-size: 14px;" lang="x-unicode"><pre wrap class="moz-quote-pre">
On Sat, Aug 14, 2021 at 06:33:18PM +0200, Giulio wrote:
</pre><blockquote type=cite style="color: #007cff;"><pre wrap class="moz-quote-pre">
<span class="moz-txt-citetags">&gt; </span>Hello,
<span class="moz-txt-citetags">&gt; </span>Sorry for the late reply.
<span class="moz-txt-citetags">&gt; </span>While everything cli related is almost ready, I am having some issues on
<span class="moz-txt-citetags">&gt; </span>the actual implementation of the iptables/nft rules. I see that in the
<span class="moz-txt-citetags">&gt; </span>current state, it seems like Qubes is using both as also stated in [1].
</pre></blockquote><pre wrap class="moz-quote-pre">
Yes, there are two backends, depending on nft availability. This is
mostly because older distros (Debian 8...) did not have nft at all.
</pre><blockquote type=cite style="color: #007cff;"><pre wrap class="moz-quote-pre">
<span class="moz-txt-citetags">&gt; </span>However, in the core-agent-linux source code, if the 'nft' binary is
<span class="moz-txt-citetags">&gt; </span>available that is the only one that gets invoked. Furthermore, there
<span class="moz-txt-citetags">&gt; </span>are differences on the iptables backend depending on templates as
<span class="moz-txt-citetags">&gt; </span>reported in [2].
</pre></blockquote><pre wrap class="moz-quote-pre">
Yes, and since basically all the distributions have nft now, the iptables
backend may be removed soon. I don't think we have any case where the
iptables backend is used in practice in Qubes 4.1. The RPM package has a
strict dependency on nft, and the Debian package has it as Suggests only,
but it is in practice installed.
</pre><blockquote type=cite style="color: #007cff;"><pre wrap class="moz-quote-pre">
<span class="moz-txt-citetags">&gt; </span>I am a bit stuck in understanding which rule to put where in order to
<span class="moz-txt-citetags">&gt; </span>have consistency across templates and between iptables/nft, also because
<span class="moz-txt-citetags">&gt; </span>if I blindly implement the rules suggested in [1] they will not actually
<span class="moz-txt-citetags">&gt; </span>work since most of the time iptables is not invoked at all.
</pre></blockquote><pre wrap class="moz-quote-pre">
Indeed, adding rules to the IptablesWorker class will have no effect if
nft is in use.
Theoretically, iptables rules and nft rules can coexist, but we should
really focus on nft with new features.
</pre><blockquote type=cite style="color: #007cff;"><pre wrap class="moz-quote-pre">
<span class="moz-txt-citetags">&gt; </span>I also checked [3], however it is very similar to the instructions in
<span class="moz-txt-citetags">&gt; </span>[1] which leads to the same problems.
<span class="moz-txt-citetags">&gt; </span>Are we able to write working nft forwarding rules without invoking
<span class="moz-txt-citetags">&gt; </span>iptables at all? If yes, could you help me determine which ones?
</pre></blockquote><pre wrap class="moz-quote-pre">
As for the nft syntax, I think iptables-translate tool can help you
(part of the iptables-nft package).
See <a class="moz-txt-link-freetext" href="https://wiki.nftables.org/wiki-nftables/index.php/Moving_from_iptables_to_nftables">https://wiki.nftables.org/wiki-nftables/index.php/Moving_from_iptables_to_nftables</a>
</pre><blockquote type=cite style="color: #007cff;"><pre wrap class="moz-quote-pre">
<span class="moz-txt-citetags">&gt; </span>You can see in [4] how I organized the forwarding mechanism. All the
<span class="moz-txt-citetags">&gt; </span>necessary information, as well as ipv4/ipv6 support should already be in
<span class="moz-txt-citetags">&gt; </span>the 'prepare_forward_rules' function meaning that only the actual
<span class="moz-txt-citetags">&gt; </span>building syntax is left.
</pre></blockquote><pre wrap class="moz-quote-pre">
Yes, this layout looks ok.
</pre><blockquote type=cite style="color: #007cff;"><pre wrap class="moz-quote-pre">
<span class="moz-txt-citetags">&gt; </span>For simplicity you can look at the other changes at [5] and at [6].
</pre></blockquote><pre wrap class="moz-quote-pre">
This too looks fine (although I haven't done a detailed review).
In both cases, the code will need some tests of course.
</pre><blockquote type=cite style="color: #007cff;"><pre wrap class="moz-quote-pre">
<span class="moz-txt-citetags">&gt; </span>[1] - <a class="moz-txt-link-freetext" href="https://www.qubes-os.org/doc/firewall/">https://www.qubes-os.org/doc/firewall/</a>
<span class="moz-txt-citetags">&gt; </span>[2] - <a class="moz-txt-link-freetext" href="https://github.com/QubesOS/qubes-issues/issues/5031">https://github.com/QubesOS/qubes-issues/issues/5031</a>
<span class="moz-txt-citetags">&gt; </span>[3] - <a class="moz-txt-link-freetext" href="https://gist.github.com/fepitre/941d7161ae1150d90e15f778027e3248">https://gist.github.com/fepitre/941d7161ae1150d90e15f778027e3248</a>
<span class="moz-txt-citetags">&gt; </span>[4] -
<span class="moz-txt-citetags">&gt; </span><a class="moz-txt-link-freetext" href="https://github.com/lsd-cat/qubes-core-agent-linux/compare/f24ca2c..3e944af">https://github.com/lsd-cat/qubes-core-agent-linux/compare/f24ca2c..3e944af</a>
<span class="moz-txt-citetags">&gt; </span>[5] - <a class="moz-txt-link-freetext" href="https://github.com/lsd-cat/qubes-core-admin/compare/6a1570b..6e3e250">https://github.com/lsd-cat/qubes-core-admin/compare/6a1570b..6e3e250</a>
<span class="moz-txt-citetags">&gt; </span>[6] -
<span class="moz-txt-citetags">&gt; </span><a class="moz-txt-link-freetext" href="https://github.com/lsd-cat/qubes-core-admin-client/compare/1a2ce72..a17853b">https://github.com/lsd-cat/qubes-core-admin-client/compare/1a2ce72..a17853b</a>
</pre></blockquote><pre wrap class="moz-quote-pre">
<div class="moz-txt-sig">--
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
</div></pre></div></body>
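An added example, not code from the thread or from Qubes, of the nft-only construction the reply recommends: given the parameters a `prepare_forward_rules`-style function would collect, it builds the `nft` commands for the DNAT and the matching forward accept and picks the ip or ip6 family from the target address. The table and chain names, and the addresses used in `main`, are assumptions.

```python
import ipaddress

# Chain locations are assumptions for this example: the thread does not
# name the nft tables/chains that core-agent-linux manages.
NAT_TABLE, NAT_CHAIN = "qubes-nat", "prerouting"
FILTER_TABLE, FILTER_CHAIN = "qubes-filter", "forward"


def nft_forward_commands(proto, ext_iface, dst_port, target_ip, target_port=None):
    """Return nft argument vectors (run each with subprocess, no shell) that
    forward proto/dst_port arriving on ext_iface to target_ip:target_port.

    The family (ip or ip6) is derived from the target address, so one code
    path serves both IPv4 and IPv6 forwards.
    """
    if proto not in ("tcp", "udp"):
        raise ValueError(f"unsupported protocol {proto!r}")
    target = ipaddress.ip_address(target_ip)
    target_port = target_port or dst_port
    for port in (dst_port, target_port):
        if not 1 <= port <= 65535:
            raise ValueError(f"port out of range: {port}")
    fam = "ip6" if target.version == 6 else "ip"
    # nft wants an IPv6 literal in brackets when a port follows it.
    dnat_to = (f"[{target}]:{target_port}" if target.version == 6
               else f"{target}:{target_port}")
    dnat = ["nft", "add", "rule", fam, NAT_TABLE, NAT_CHAIN,
            "iifname", ext_iface, proto, "dport", str(dst_port),
            "dnat", "to", dnat_to]
    # 'insert' places the accept ahead of whatever drop rule ends the chain.
    allow = ["nft", "insert", "rule", fam, FILTER_TABLE, FILTER_CHAIN,
             "iifname", ext_iface, fam, "daddr", str(target),
             proto, "dport", str(target_port), "accept"]
    return [dnat, allow]


def main():
    # Constructed sample forwards: an external 8443 to a qube's 443, and a
    # UDP port to an IPv6 qube address.
    for argv in nft_forward_commands("tcp", "eth0", 8443, "10.137.0.23", 443):
        print(" ".join(argv))
    for argv in nft_forward_commands("udp", "eth0", 51820, "fd09:24ef:4179::a89a:17"):
        print(" ".join(argv))


if __name__ == "__main__":
    main()
```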
</html>