Hello Qubes devs,

I'm working on a project where I don't want the AppVM to be masqueraded as the sys-firewall from the perspective of sys-net (I desire to see the ip address of the appvm). This is necessary for my application, as I desire sys-net to perform per-appvm task, such as (as an example) modifying the DSCP code point.

In summary (the short version), a ping initiated within the sys-firewall will route onto the network (as observed from tcpdump on the pif in sys-net), but a ping initiated in the appvm will not (I see appvm traffic on the vif in sys-net, but not on the pif).

Here's greater detail. I remove the general MASQUERADE rule from sys-firewall and clear the raw table in sys-net and sys-firewall. To be comprehensive, I change the default chain policies to ACCEPT and remove any drop-all rules. Then, I modify the routes in sys-net, to forward the appvm back into the sys-firewall.

When I ping an external IP (say gateway) from the appvm, the packets can be observed on the vif, put not the pif. If I do the same on the sys-firewall, I observe traffic both on the vif and pif and at the end device.

To further support diagnosis, I changed the ip addresses to /31 on the vif between sys-net and sys-fireall, updating the routes where necessary. Furthermore, I disabled proxy_arp on the vif in sys-net as this should be the case of conventional routing. Moreover, I also disabled rp_filter at all location. Even with these changes, I observe the same behavior in that the sys-firewall will route out, but the appvm stops at the sys-net.

Does anyone have insight why this doesn't work? I would assume this to be straightforward routing.

I appreciate your help. Thanks in advance.

~ Tom

You received this message because you are subscribed to the Google Groups 
"qubes-devel" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-devel+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-devel@googlegroups.com.
To view this discussion on the web visit 
For more options, visit https://groups.google.com/d/optout.

Reply via email to