Hello Qubes devs,
I'm working on a project where I don't want the AppVM to be masqueraded
as the sys-firewall from the perspective of sys-net (I desire to see the
ip address of the appvm). This is necessary for my application, as I
desire sys-net to perform per-appvm tasks, such as (as an example)
modifying the DSCP code point.
In summary (the short version), a ping initiated within the sys-firewall
will route onto the network (as observed from tcpdump on the pif in
sys-net), but a ping initiated in the appvm will not (I see appvm
traffic on the vif in sys-net, but not on the pif).
Here's greater detail. I remove the general MASQUERADE rule from
sys-firewall and clear the raw table in sys-net and sys-firewall. To be
comprehensive, I change the default chain policies to ACCEPT and remove
any drop-all rules. Then, I modify the routes in sys-net, to forward the
appvm back into the sys-firewall.
When I ping an external IP (say gateway) from the appvm, the packets can
be observed on the vif, but not the pif. If I do the same on the
sys-firewall, I observe traffic both on the vif and pif and at the end
device.
To further support diagnosis, I changed the ip addresses to /31 on the
vif between sys-net and sys-firewall, updating the routes where
necessary. Furthermore, I disabled proxy_arp on the vif in sys-net as
this should be the case of conventional routing. Moreover, I also
disabled rp_filter at all locations. Even with these changes, I observe
the same behavior in that the sys-firewall will route out, but the appvm
stops at the sys-net.
Does anyone have insight why this doesn't work? I would assume this to
be straightforward routing.
I appreciate your help. Thanks in advance.
~ Tom
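An added diagnostic script (written here as an illustration; it is not Qubes project code and not from the post above) that automates the forwarding checks the post walks through: it reads the forwarding-related sysctls in the `key = value` form that `sysctl` prints and reports any value that would stop a plain routed path through sys-net. The sample snapshot and the interface name `vif2/0` in it are constructed.

```shell
#!/bin/sh
# Read a sysctl snapshot on stdin (lines like "net.ipv4.ip_forward = 1") and
# print one finding per line for settings that block or alter plain routing.
# Note: sysctl prints the "." inside an interface name as "/", so the per-interface
# key for vif2.0 appears as net.ipv4.conf.vif2/0.rp_filter (assumption about the
# procps output format; case patterns below match "/" with "*").
check_forwarding_snapshot() {
    while IFS= read -r line; do
        key=${line%% = *}
        val=${line##* = }
        case "$key" in
            net.ipv4.ip_forward)
                [ "$val" = "1" ] || echo "BLOCK $key=$val (kernel is not forwarding at all)" ;;
            net.ipv4.conf.all.rp_filter|net.ipv4.conf.vif*.rp_filter)
                # strict mode (1) drops packets whose return route is not via the ingress vif
                [ "$val" != "1" ] || echo "BLOCK $key=$val (strict reverse-path filter on the vif path)" ;;
            net.ipv4.conf.vif*.proxy_arp)
                [ "$val" = "0" ] || echo "WARN $key=$val (Qubes proxy_arp still on, not conventional routing)" ;;
        esac
    done
}

# Collect the live values inside the VM being checked (run in sys-net, then sys-firewall).
snapshot_live() {
    sysctl net.ipv4.ip_forward net.ipv4.conf.all.rp_filter 2>/dev/null
    for d in /sys/class/net/vif*; do
        [ -e "$d" ] || continue
        i=${d##*/}
        sysctl "net.ipv4.conf.$i.rp_filter" "net.ipv4.conf.$i.proxy_arp" 2>/dev/null
    done
}

# Constructed snapshot: forwarding is on, but global rp_filter is strict and
# proxy_arp is still enabled on the vif, so two findings are expected.
SAMPLE='net.ipv4.ip_forward = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.vif2/0.rp_filter = 0
net.ipv4.conf.vif2/0.proxy_arp = 1'

# When run interactively inside a NetVM, check the live values instead of the sample.
if [ -t 0 ]; then
    snapshot_live | check_forwarding_snapshot
fi
```

Feed it `sysctl -a` output saved from each VM to compare sys-net and sys-firewall side by side.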