diff --git a/.gitignore b/.gitignore index f5cd959..bd2f111 100644 --- a/.gitignore +++ b/.gitignore @@ -1,4 +1,4 @@ -Makefile +/Makefile _build/ log key_gen.ml diff --git a/README.md b/README.md index bfbef5f..960e568 100644 --- a/README.md +++ b/README.md @@ -86,6 +86,29 @@ qvm-prefs --set my-app-vm netvm mirage-firewall Alternatively, you can configure `mirage-firewall` to be your default firewall VM. +### Components + +This diagram show the main components (each box corresponds to a source `.ml` file with the same name): + +

+ +

+ +Ethernet frames arrives from client qubes (such as `work` or `personal`) or from `sys-net`. +Internet (IP) packets are sent to `firewall`, which consults `rules` to decide what to do with the packet. +If it should be sent on, it uses `router` to send it to the chosen destination. +`client_net` watches the XenStore database provided by dom0 +to find out when clients need to be added or removed. + +The boot process: + +- `config.ml` describes the libraries used and static configuration settings (NAT table size). + The `mirage` tool uses this to generate `main.ml`. +- `main.ml` initialises the drivers selected by `config.ml` + and calls the `start` function in `unikernel.ml`. +- `unikernel.ml` connects the Qubes agents, sets up the networking components, + and then waits for a shutdown request. + ### Easy deployment for developers For development, use the [test-mirage][] scripts to deploy the unikernel (`qubes_firewall.xen`) from your development AppVM. diff --git a/diagrams/Makefile b/diagrams/Makefile new file mode 100644 index 0000000..a6fbc5f --- /dev/null +++ b/diagrams/Makefile @@ -0,0 +1,6 @@ +# Requires https://github.com/blampe/goat + +all: components.svg + +%.svg: %.txt + goat $^ > $@ diff --git a/diagrams/components.svg b/diagrams/components.svg new file mode 100644 index 0000000..1e996b1 --- /dev/null +++ b/diagrams/components.svg @@ -0,0 +1,149 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +l +y +s +t +k +r +u +l +n +_ +r +i +e +l +o +n +k +n +o +o +e +e +e +l +s +t +( +f +p +i +i +o +w +t +u +n +- +a +o +X +S +r +m +u +c +r +] +e +r +i +n +s +t +e +k +s +w +e +. +n +e +l +r +s +e +s +r +l +[ +. +p +n +t +o +o +c +h +. +c +t +m +a +e +r +d +0 +) + + diff --git a/diagrams/components.txt b/diagrams/components.txt new file mode 100644 index 0000000..62e4f9e --- /dev/null +++ b/diagrams/components.txt 
@@ -0,0 +1,20 @@ + +----------+ + | rules | + +----------+ + ^ + |checks + | + +------------+ +-----+----+ + work <---->| +---->| firewall |<--------. + | | +-----+----+ | + | | | +----+---+ + [...] <---->| client_net | | | uplink |<----> sys-net + | | v +--------+ + | | +----------+ ^ +personal <---->| |<----+ router +---------' + +------+-----+ +----------+ + | + |monitors + v + XenStore + (dom0)
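Review bot: the `.gitignore` change would benefit from a short explanatory comment next to it, because the leading slash is the only thing that keeps the new `diagrams/Makefile` tracked: the unanchored `Makefile` pattern matches at any depth, while `/Makefile` matches only the generated one at the repository root. A line such as `# only the root Makefile is generated by mirage` above `/Makefile` would stop a later contributor from "simplifying" it back.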
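Review bot: two grammar slips in the new README section: "This diagram show the main components" should read "This diagram shows the main components", and "Ethernet frames arrives from client qubes" should read "Ethernet frames arrive from client qubes". The prose also names `rules`, `firewall`, `router` and `client_net` but never `uplink`, which the diagram shows as the box facing `sys-net`; one sentence like "`uplink` is the network interface to `sys-net`, through which traffic leaves and enters the firewall" would make the text match every box in the picture.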
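Review bot: in `diagrams/Makefile`, `goat $^ > $@` opens the target before `goat` runs, so if the tool is missing or fails the shell leaves an empty or truncated `components.svg` whose timestamp makes `make` treat it as up to date on the next run. Write to a temporary file and rename on success, e.g. `goat $^ > $@.tmp && mv $@.tmp $@`, and declare `.PHONY: all` so a file named `all` can never shadow the default target.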
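Review bot: `diagrams/components.svg` is a generated artifact committed alongside its source, and nothing in this change keeps the two in sync, so the rendered diagram will silently drift whenever `components.txt` is edited without re-running `make` in `diagrams/`. Either state in the README's Components section (or a comment at the top of `components.txt`) that the SVG must be regenerated with `make -C diagrams` after any edit, or add a CI step that rebuilds it and fails on a diff.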
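Review bot: `components.txt` labels the `rules` edge "checks" and the `XenStore` edge "monitors", but the `router` to `uplink` and `client_net` to `firewall` arrows carry no label, so the direction of packet flow relative to the README's "Internet (IP) packets are sent to `firewall`" sentence has to be inferred from arrowheads alone. A one-word label on those arrows (for example "packets") would make the diagram readable without the prose.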