Can someone explain how sys-net functions?

obituary · July 22, 2024, 6:26pm

Hi,

For some reason I’ve been unable to find documentation about this: how exactly does sys-net function?

Is it simple routing? I.e:

sys-firewall has a network bridge that the AppVM is connected to, and the AppVM sets it gateway to the IP address of the network interface of the sys-firewall qube.
sys-net has a vNIC connected in a similar fashion to sys-firewall which NATs the traffic from the AppVM to sys-net?
sys-net just relays traffic to the hardware NIC?

This is a very rough explanation of what I understand of sys-net, feel free to correct me/add details and documentation to this thread. Thank you for your help.

apparatus · July 22, 2024, 6:31pm

In Qubes, the standard Xen networking is used, based on backend driver in the driver domain and frontend drivers in VMs. In order to eliminate layer 2 attacks originating from a compromised VM, routed networking is used instead of the default bridging of vif devices and NAT is applied at each network hop. The default vif-route script had some deficiencies (requires eth0 device to be up, and sets some redundant iptables rules), therefore the custom vif-route-qubes script is used.

obituary · July 22, 2024, 7:10pm

Thanks! I know I’m going beyond the original question asked, but could you tell me how sys-usb works?

apparatus · July 23, 2024, 2:56am

It’s USB/IP over qrexec:

obituary · July 23, 2024, 4:12am

Thank you so much! I thought that there might be an RPC process between domains that would let them communicate without network access too! Amazing work by Qubes devs to even write their own USB over IP proxy!