Firewall improvements #198

Open
3 of 6 tasks
palainp opened this issue May 23, 2024 · 0 comments

@palainp (Member) commented May 23, 2024

As stated in @DemiMarie's comment (QubesOS/qubes-issues#3792 (comment)), a few improvements need to be done to make qubes-mirage-firewall a replacement for the default Linux sys-firewall. So far:

  • the PVH item has been done since mirage 3.9 (https://github.com/mirage/mirage/releases/tag/v3.9.0)
  • the Ethernet stack needs to be tested/audited; maybe some fuzzing tests can be used?
  • the speed of the unikernel should be improved (see Slower bandwidth compared to sys-firewall #130; to me the main issue is the absence of TCP Segmentation Offload, which shows as lower bandwidth in iperf-like tests, but as a daily fw it's not a bottleneck on my laptop, and with TSO deactivated its performance is not so far from Linux's)

And as side note:

  • it can now use *BSD as the netvm, and at least one user is using it like that (the netvm is HardenedBSD, the fw is qubes-mirage-firewall, the AppVMs are classic Linuxes)
  • @dinosaure started a code review/update/simplification of the unikernel (see Use Lwt.Syntax and avoid some >>= fun () patterns #197)
  • maybe another round of review/update/simplification can be done

Any comments, and other requests, are welcome :)
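As an added illustration of the "fuzz the Ethernet stack" item (this is not code from the issue or from qubes-mirage-firewall, which is written in OCaml), the block below pairs a parser that reads Ethernet/802.1Q headers without length checks against a bounds-checked one, and runs both under a small mutation fuzzer whose single property is: malformed input must produce a controlled `FrameError`, never an uncaught exception. The seed frames, MAC addresses and the `mutate`/`fuzz_parser` helpers are constructed for this example; the EtherType values and header layout are the standard ones.

```python
"""Bounds-checked Ethernet/802.1Q frame parser with a mutation fuzz harness.

Added illustration, not code from qubes-mirage-firewall (which is OCaml).
The property being fuzzed: malformed frames must produce FrameError and
never an uncaught exception. All frames below are constructed sample data.
"""
import random
import struct

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806
ETHERTYPE_VLAN = 0x8100
ETHERTYPE_IPV6 = 0x86DD


class FrameError(ValueError):
    """The only exception a well-behaved parser may raise on bad input."""


def parse_ethernet_naive(frame: bytes) -> dict:
    """Parser without length checks: struct.error escapes on short frames."""
    ethertype = struct.unpack_from("!H", frame, 12)[0]
    offset, vlan = 14, None
    if ethertype == ETHERTYPE_VLAN:
        tci, ethertype = struct.unpack_from("!HH", frame, 14)
        vlan, offset = tci & 0x0FFF, 18
    return {"dst": frame[:6], "src": frame[6:12], "vlan": vlan,
            "ethertype": ethertype, "payload": frame[offset:]}


def parse_ethernet(frame: bytes) -> dict:
    """Hardened parser: every read is preceded by a length check."""
    if len(frame) < 14:
        raise FrameError("truncated Ethernet header")
    ethertype = struct.unpack_from("!H", frame, 12)[0]
    offset, vlan = 14, None
    if ethertype == ETHERTYPE_VLAN:
        if len(frame) < 18:
            raise FrameError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack_from("!HH", frame, 14)
        vlan, offset = tci & 0x0FFF, 18
    if ethertype < 0x0600:
        # Values below 0x0600 are an IEEE 802.3 length, not an EtherType;
        # this example rejects them rather than guessing (a simplification).
        raise FrameError("802.3 length-encoded frame not supported")
    return {"dst": frame[:6], "src": frame[6:12], "vlan": vlan,
            "ethertype": ethertype, "payload": frame[offset:]}


# Constructed seed corpus: minimal IPv4, ARP and VLAN-tagged (VID 100) IPv6 frames.
DST = bytes.fromhex("001122334455")
SRC = bytes.fromhex("66778899aabb")
IPV4_FRAME = DST + SRC + struct.pack("!H", ETHERTYPE_IPV4) + bytes(46)
ARP_FRAME = DST + SRC + struct.pack("!H", ETHERTYPE_ARP) + bytes(28)
VLAN_FRAME = (DST + SRC + struct.pack("!HH", ETHERTYPE_VLAN, 0x2064)
              + struct.pack("!H", ETHERTYPE_IPV6) + bytes(40))
SEED_FRAMES = [IPV4_FRAME, ARP_FRAME, VLAN_FRAME]


def mutate(frame: bytes, rng: random.Random) -> bytes:
    """One random mutation: bit flip, truncation, byte insertion or EtherType rewrite."""
    buf = bytearray(frame)
    choice = rng.randrange(4)
    if choice == 0 and buf:
        buf[rng.randrange(len(buf))] ^= 1 << rng.randrange(8)
    elif choice == 1:
        del buf[rng.randrange(len(buf) + 1):]
    elif choice == 2:
        pos = rng.randrange(len(buf) + 1)
        buf[pos:pos] = bytes(rng.randrange(256) for _ in range(rng.randrange(1, 8)))
    elif len(buf) >= 14:
        struct.pack_into("!H", buf, 12, rng.randrange(0x10000))
    return bytes(buf)


def fuzz_parser(parser, seeds, iterations=5000, seed=0):
    """Feed mutated frames to `parser`; return inputs that escaped FrameError."""
    rng = random.Random(seed)
    findings = []
    for _ in range(iterations):
        frame = mutate(rng.choice(seeds), rng)
        try:
            parser(frame)
        except FrameError:
            pass                      # controlled rejection: the desired outcome
        except Exception as exc:      # anything else is a parser bug
            findings.append((frame, repr(exc)))
    return findings


if __name__ == "__main__":
    print("naive parser findings:", len(fuzz_parser(parse_ethernet_naive, SEED_FRAMES)))
    print("hardened parser findings:", len(fuzz_parser(parse_ethernet, SEED_FRAMES)))
```

The naive parser is caught by the truncation mutation within a few hundred iterations, while the hardened one reports nothing; the same "no uncaught exception on any input" property is what a fuzz target against the unikernel's real Ethernet code would assert, with the seed corpus taken from captured traffic instead of hand-built frames.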
