Hi Marek,

While focusing on the VPN stuff [1] I may have stumbled upon a way to
make the forwarding chain much simpler.

Replace all the specific rules for downstream VM addresses with this:

    FORWARD -i vif+ -d subnet.1 -j ACCEPT
    FORWARD -i vif+ -d subnet.254 -j ACCEPT

So qubes-firewall would become simpler without the need to iterate over
VM addresses associated with a proxy VM. It's probably more effective in
general to focus on interfaces where possible, instead of IPs (can't
source IP addresses be spoofed?).

What do you think?

Chris

[1] https://groups.google.com/forum/#!msg/qubes-devel/9zR_plUWRMA/Q_JbckGbAQAJ