Merge branch 'pgerber-fw-api'

This commit is contained in:
Andrew David Wong 2018-05-03 21:33:19 -05:00
commit 4271ab396f
No known key found for this signature in database
GPG Key ID: 8CE137352A019A17

@ -80,14 +80,13 @@ update, so VM can setup a watch here to trigger rules reload.
retrieving them). The first rule has number `0000`. retrieving them). The first rule has number `0000`.
Each rule is a single QubesDB entry, consisting of pairs `key=value` separated Each rule is a single QubesDB entry, consisting of pairs `key=value` separated
by space. Order of those pairs in a single rule is undefined. QubesDB enforces by space. QubesDB enforces limit on a single entry length - 3072 bytes.
a limit on a single entry length - 3072 bytes.
Possible options for a single rule: Possible options for a single rule:
- `action`, values: `accept`, `drop`; this is present in every rule - `action`, values: `accept`, `drop`; this is present in every rule
- `dst4`, value: destination IPv4 address with a mask; for example: `192.168.0.0/24` - `dst4`, value: destination IPv4 address with a mask; for example: `192.168.0.0/24`
- `dst6`, value: destination IPv6 address with a mask; for example: `2000::/3` - `dst6`, value: destination IPv6 address with a mask; for example: `2000::/3`
- `dstname`, value: DNS hostname of destination host - `dsthost`, value: DNS hostname of destination host
- `proto`, values: `tcp`, `udp`, `icmp` - `proto`, values: `tcp`, `udp`, `icmp`
- `specialtarget`, value: One of predefined target, currently defined values: - `specialtarget`, value: One of predefined target, currently defined values:
- `dns` - such option should match DNS traffic to default DNS server (but - `dns` - such option should match DNS traffic to default DNS server (but
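Review bot: The rename of the option key from `dstname` to `dsthost` is a wire-format change to the QubesDB rule entries, and this hunk does not say whether older firewall tools in the VM are expected to cope with it; under the rule stated further down in this file, a tool that does not know `dsthost` hits a parse error (unknown option) and drops all traffic from that `SOURCE_IP`, so a compatibility or versioning remark next to the option list would help. Dropping the sentence "Order of those pairs in a single rule is undefined." is the right fix, since it contradicted "Options must appear in the rule in the order listed above" in the next hunk.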
@ -101,8 +100,8 @@ Possible options for a single rule:
Options must appear in the rule in the order listed above. Duplicated options Options must appear in the rule in the order listed above. Duplicated options
are forbidden. are forbidden.
Rule matches only when all predicates matches. Only one of `dst4`, `dst6`, A rule matches only when all predicates match. Only one of `dst4`, `dst6` or
`dstname`, `specialtarget` can be used in a single rule. `dsthost` can be used in a single rule.
If tool applying firewall encounters any parse error (unknown option, invalid If tool applying firewall encounters any parse error (unknown option, invalid
value, duplicated option, etc), it should drop all the traffic coming from that `SOURCE_IP`, value, duplicated option, etc), it should drop all the traffic coming from that `SOURCE_IP`,
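Review bot: The mutual-exclusion sentence silently loses `specialtarget`: the old text allowed only one of `dst4`, `dst6`, `dstname`, `specialtarget` per rule, the new text lists only `dst4`, `dst6` or `dsthost`. If combining `specialtarget` with a `dst4`/`dst6`/`dsthost` predicate is now intended, the text should say how such a rule matches (all predicates must match, per the first sentence); otherwise restore `specialtarget` to the list, e.g. "Only one of `dst4`, `dst6`, `dsthost` or `specialtarget` can be used in a single rule."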