Hello Qubes devs,
I'm working on a project where I don't want the AppVM to be masqueraded
as the sys-firewall from the perspective of sys-net (I desire to see the
IP address of the appvm). This is necessary for my application, as I
desire sys-net to perform per-appvm tasks, such as (as an example)
modifying the DSCP code point.
In summary (the short version), a ping initiated within the sys-firewall
will route onto the network (as observed from tcpdump on the pif in
sys-net), but a ping initiated in the appvm will not (I see appvm
traffic on the vif in sys-net, but not on the pif).
Here's greater detail. I remove the general MASQUERADE rule from
sys-firewall and clear the raw table in sys-net and sys-firewall. To be
comprehensive, I change the default chain policies to ACCEPT and remove
any drop-all rules. Then, I modify the routes in sys-net, to forward the
appvm back into the sys-firewall.
When I ping an external IP (say gateway) from the appvm, the packets can
be observed on the vif, but not the pif. If I do the same on the
sys-firewall, I observe traffic both on the vif and pif and at the end
To further support diagnosis, I changed the IP addresses to /31 on the
vif between sys-net and sys-firewall, updating the routes where
necessary. Furthermore, I disabled proxy_arp on the vif in sys-net as
this should be the case for conventional routing. Moreover, I also
disabled rp_filter at all locations. Even with these changes, I observe
the same behavior in that the sys-firewall will route out, but the appvm
stops at the sys-net.
Does anyone have insight why this doesn't work? I would assume this to
be straightforward routing.
I appreciate your help. Thanks in advance.
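As an added example (not part of the post above, and not Qubes project code), here is a small model of the checks a Linux router such as sys-net applies before forwarding a packet from a downstream vif: ip_forward, the reverse-path filter (rp_filter strict vs. loose), the FIB longest-prefix lookup and the FORWARD chain policy. It lets you reason offline about how a missing host route for the AppVM interacts with rp_filter on the vif, which are two of the knobs the post mentions. All addresses, interface names and routes below are constructed sample values (10.137.0.5 standing in for sys-firewall, 10.137.0.11 for the AppVM, vif2.0/eth0 for the vif/pif); it does not claim to reproduce the poster's actual system or to identify the cause of the problem.

```python
"""Simulator of the forwarding decision in a Linux router (added example).

Constructed sample topology, not taken from a real Qubes system:
  sys-net: eth0 (pif) on 192.168.1.0/24, default via 192.168.1.1
           vif2.0 (vif) towards sys-firewall at 10.137.0.5
  AppVM 10.137.0.11 sits behind sys-firewall.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    dev: str                                     # egress interface
    via: Optional[ipaddress.IPv4Address] = None  # next hop, None if on-link


@dataclass
class Router:
    routes: List[Route]
    ip_forward: bool = True
    # per-interface net.ipv4.conf.<if>.rp_filter: 0 = off, 1 = strict, 2 = loose
    rp_filter: Dict[str, int] = field(default_factory=dict)
    forward_policy: str = "ACCEPT"               # filter FORWARD chain policy

    def lookup(self, addr: str) -> Optional[Route]:
        """Longest-prefix match over the table, as the kernel FIB does."""
        ip = ipaddress.IPv4Address(addr)
        best = None
        for r in self.routes:
            if ip in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
                best = r
        return best

    def forward(self, src: str, dst: str, in_dev: str) -> Tuple[str, str]:
        """Return (verdict, egress-or-reason) for a packet that entered on in_dev."""
        if not self.ip_forward:
            return ("DROP", "net.ipv4.ip_forward=0")
        mode = self.rp_filter.get(in_dev, 0)
        if mode:
            # rp_filter: the route back to the source must exist (loose) and,
            # in strict mode, must point out of the interface the packet came in on.
            rev = self.lookup(src)
            if rev is None:
                return ("DROP", "rp_filter: no route back to source")
            if mode == 1 and rev.dev != in_dev:
                return ("DROP", f"rp_filter strict: reverse path is {rev.dev}, not {in_dev}")
        out = self.lookup(dst)
        if out is None:
            return ("DROP", "no route to destination")
        if self.forward_policy != "ACCEPT":
            return ("DROP", f"FORWARD policy {self.forward_policy}")
        return ("FORWARD", out.dev)


def route(prefix: str, dev: str, via: Optional[str] = None) -> Route:
    return Route(ipaddress.IPv4Network(prefix), dev,
                 ipaddress.IPv4Address(via) if via else None)


def sample_sysnet(rp_mode: int, appvm_route: bool) -> Router:
    """Constructed sys-net table; appvm_route adds a host route for the AppVM via the vif."""
    routes = [
        route("0.0.0.0/0", "eth0", "192.168.1.1"),
        route("192.168.1.0/24", "eth0"),
        route("10.137.0.5/32", "vif2.0"),        # sys-firewall behind the vif
    ]
    if appvm_route:
        routes.append(route("10.137.0.11/32", "vif2.0"))
    return Router(routes, rp_filter={"vif2.0": rp_mode, "eth0": rp_mode})


def scenarios() -> Dict[str, Tuple[str, str]]:
    """Ping to the gateway from the AppVM and from sys-firewall under several settings."""
    gw = "192.168.1.1"
    return {
        # strict rp_filter, no host route for the AppVM: reverse path resolves to eth0
        "appvm_strict_no_route": sample_sysnet(1, False).forward("10.137.0.11", gw, "vif2.0"),
        # sys-firewall's own traffic has a host route via the vif, so it passes
        "firewall_strict_no_route": sample_sysnet(1, False).forward("10.137.0.5", gw, "vif2.0"),
        # adding the host route makes the reverse path consistent
        "appvm_strict_with_route": sample_sysnet(1, True).forward("10.137.0.11", gw, "vif2.0"),
        # loose mode only requires that some route to the source exists
        "appvm_loose_no_route": sample_sysnet(2, False).forward("10.137.0.11", gw, "vif2.0"),
        # rp_filter disabled: routing alone decides
        "appvm_off_no_route": sample_sysnet(0, False).forward("10.137.0.11", gw, "vif2.0"),
    }


if __name__ == "__main__":
    for name, (verdict, detail) in scenarios().items():
        print(f"{name:28s} {verdict:8s} {detail}")
```

The model reproduces the asymmetry the post describes in one specific configuration: with strict rp_filter and no host route for the AppVM in sys-net, the NetVM's own downstream (sys-firewall) is forwarded while the AppVM's packets are dropped at ingress, which is the kind of state that shows up on the vif but never on the pif. Once rp_filter is off on every interface, as the poster did, this particular check no longer applies and the remaining candidates are the FIB itself (`ip route get <dst> from <src> iif <vif>` on the real system shows the same decision this simulator makes) and the netfilter FORWARD/raw rules.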