On Saturday, July 6, 2019 at 6:09:52 AM UTC+1, pr...@tutanota.de wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> Hi,
>
> With the old format of rules for the mirage firewall I had the following
> setup:
>
> ...
> let git_addr = Ipaddr.V4.of_string_exn "192.168.1.101"
>
> let allowed_to_git = List.map Ipaddr.V4.of_string_exn
>     [ "10.137.0.20" ;
>       "10.137.0.21"
>     ]
>
> let local_subnet = Ipaddr.Prefix.of_string_exn "192.168.0.0/16"
>
> let mgmt_local = Ipaddr.V4.of_string_exn "10.137.0.22"
>
> let from_client = function
>   | { src = `Client c; dst = `External e } when Ipaddr.Prefix.mem e local_subnet
>                                            && c#other_ip = mgmt_local -> `NAT
>   | { src = `Client c; dst = `External e } when e = Ipaddr.V4 git_addr
>                                            && List.mem c#other_ip allowed_to_git -> `NAT
> ...
>
> Is it possible to get the same functionality with the new rules using the
> prefix and the lists of addresses? It would also be useful to be able to
> block prefixes as well if that's possible.
There are two ways to get that working.

The quick way is to get the src/dst IP addresses from the `packet` field
instead, e.g.

    let externals = [
      "192.168.1.101", `Git;
    ]

    ...

    | { src = `Client _; dst = `External `Git; packet = `IPv4 ({Ipv4_packet.src}, _) }
      when List.mem src allowed_to_git -> `NAT

Another solution would be to edit firewall.ml to allow specifying subnets,
not just hosts. That's a bit more work, though.

--
You received this message because you are subscribed to the Google Groups "qubes-users" group.
To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/8c2ffafe-4893-44ec-bb6a-38501449dbbe%40googlegroups.com.
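Putting the reply's suggestion together with the original two rules, here is one way the questioner's setup could look as a rules.ml fragment. This is an added example written for this thread, not code from either poster and not from the qubes-mirage-firewall project itself. It assumes the `src`, `dst` and `packet` record fields and the `externals` list behave exactly as the reply describes (the packet field carrying the raw `Ipv4_packet.t` header), that `open Packet` brings those fields into scope as the stock rules.ml does, and that `Drop` takes a reason string; the tag name `Git and the helper `ipv4_addrs` are the example's own choices. The subnet test moves onto the packet's IPv4 addresses (so `Ipaddr.V4.Prefix` replaces the generic `Ipaddr.Prefix`), and a final catch-all for `External` destinations gives the "block the rest of the prefix" behaviour the question asked about, since hosts outside the allowed combinations fall through to a drop.

```ocaml
(* Added example for the thread above; not the project's own rules.ml.
   Assumes Packet.info has fields [src], [dst] and [packet] as in the reply,
   and that [open Packet] puts those record fields in scope. *)
open Packet

(* Only exact hosts can be named here, so the git server gets a tag (the
   name `Git is this example's choice) and subnet checks are done on the
   packet header instead. *)
let externals = [
  "192.168.1.101", `Git;
]

(* Client VMs allowed to reach the git server. *)
let allowed_to_git = List.map Ipaddr.V4.of_string_exn [
  "10.137.0.20";
  "10.137.0.21";
]

(* The packet field gives IPv4 addresses, so use the V4-specific prefix type
   rather than the generic Ipaddr.Prefix used with the old rules format. *)
let local_subnet = Ipaddr.V4.Prefix.of_string_exn "192.168.0.0/16"

(* The single client VM allowed to reach the whole local subnet. *)
let mgmt_local = Ipaddr.V4.of_string_exn "10.137.0.22"

(* Pull the IPv4 source and destination addresses out of the raw header.
   Helper introduced by this example; [Ipv4_packet.t] has [src] and [dst]
   fields of type Ipaddr.V4.t. *)
let ipv4_addrs info =
  match info.packet with
  | `IPv4 ({ Ipv4_packet.src; dst; _ }, _) -> (src, dst)

let from_client info =
  let (src, dst) = ipv4_addrs info in
  match info with
  (* Rule 1: the management VM may reach anything in 192.168.0.0/16
     (this also covers the git server, which lies inside that prefix). *)
  | { src = `Client _; dst = `External _; _ }
    when Ipaddr.V4.Prefix.mem dst local_subnet && src = mgmt_local -> `NAT
  (* Rule 2: the listed VMs may reach the git server only. *)
  | { src = `Client _; dst = `External `Git; _ }
    when List.mem src allowed_to_git -> `NAT
  (* Any other external destination, including the rest of the local subnet,
     is refused: this is the "block prefixes" half of the question. *)
  | { dst = `External _; _ } -> `Drop "destination not permitted for this client"
  (* The stock rules for the firewall's own addresses, the NetVM and other
     clients belong here; everything unmatched is dropped. *)
  | _ -> `Drop "drop by default"
```

Order matters: rule 1 is tried before rule 2, so a packet from one of the `allowed_to_git` VMs to the git server fails the `src = mgmt_local` test, falls through, and is accepted by rule 2, while a packet from the same VM to any other 192.168.x.x address reaches the `External` catch-all and is dropped. Keeping the drop reason strings distinct makes the firewall's log show which rule rejected a packet, which is the quickest way to confirm the rules do what was intended.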