On Tue, Apr 23, 2024 at 11:16:56AM -0000, qubist wrote:
> On Tue, 23 Apr 2024 12:04:22 +0200 Marek Marczykowski-Górecki wrote:
>
> > Care to open a pull request then?
>
> A few things:
>
> 1. The customizations I am working on are atomic nftables tables,
> chains and rules. So far, they work fine independently and along with
> the current default firewall.
>
> 2. I still don't know how to work with git efficiently, so this "pull
> request" is something I need to learn about first. All I know so far is
> how to create a project and commit changes.
>
> 3. My firewall work (which involves other improvements, I hope) is
> still not complete. As soon as it is, I would gladly share it.
>
> > This is done in the vif hotplug script:
> > https://github.com/QubesOS/qubes-core-agent-linux/blob/main/network/vif-route-qubes#L222-L223
>
> Thanks! Bash is fine for me, so I will see what modification works
> best. What calls that script BTW?

xendriverdomain daemon (xl devd), when the vif interface is created/removed.

> > Have you measured it?
>
> Not yet. At least not in a way deserving to be called measurement. All
> I have done is to trace the result and see that ingress works with fewer
> steps. If you know a good way to measure it correctly, please let me
> know.

I'd use some packet generator, maybe even ping (or nping) will be enough.
You can easily try spoofing by changing IP inside some test VM.

> > I'd say it's up to ones who propose a change to justify it.
>
> Of course.
>
> > Or do you mean moving just "antispoof" chain out of "prerouting" and
> > have it hooked directly?
>
> I am testing my stuff in the netdev with priority -500. However,
> ingress is available in prerouting too, so that move might work as well.

-- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab