I found a way to route UDP broadcast packets from my personal network to an AppVM by pure trial and error. This method seems a bit hacky. What do you think? Is there a way to improve it?
sys-net nftables config:
table ip mangle {
    chain input {
        type filter hook input priority mangle; policy accept;
        # mark the LAN broadcast and duplicate it towards sys-firewall
        iifname "ens6" ip daddr 192.168.0.255 udp dport 24727 meta mark set 900 dup to <sys-firewall-address>
    }
    chain output {
        type filter hook output priority 150; policy accept;
        # rewrite the copy so the next hop treats it as a broadcast
        meta mark 900 ip daddr set 255.255.255.255
    }
}
I changed the destination address since otherwise the sys-firewall VM would not feel responsible for it.
sys-firewall nftables config:
table ip mangle {
    chain input {
        type filter hook input priority mangle; policy accept;
        # same trick one hop further: mark (0x384 == 900) and duplicate towards the AppVM
        iifname "eth0" ip daddr 255.255.255.255 udp dport 24727 counter packets 674 bytes 146932 meta mark set 0x00000384 dup to <appvm-address>
    }
    chain output {
        type filter hook output priority 150; policy accept;
        # rewrite the copy to the AppVM's broadcast address
        meta mark 0x00000384 counter packets 674 bytes 146932 ip daddr set 10.137.0.255
    }
}
Here I changed the target address again for the same reason.
For the targeted AppVM I created this script:
#!/bin/sh
# give eth0 a broadcast address matching what sys-firewall rewrites to
ifconfig eth0 netmask 255.255.255.0 broadcast 10.137.0.255
route add default eth0
# accept the duplicated broadcast in the Qubes custom input chain
nft add rule qubes custom-input ip daddr 10.137.0.255 udp dport 24727 counter accept
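A consistency check for a mark-and-dup chain like the one above, added here as an example and not code from the post or from Qubes: it parses each hop's input/output rule pair and verifies that the mark set on input is the mark matched on output, that each hop's rewritten destination is what the next hop (or the final accept rule) matches, and that the port is the same everywhere. The VM addresses filled in for the `<sys-firewall-address>` and `<appvm-address>` placeholders are made up.

```python
import re

# Constructed sample input (not the real rulesets): the post's two hops with the
# placeholder addresses replaced by made-up values.
SYS_NET = '''
iifname "ens6" ip daddr 192.168.0.255 udp dport 24727 meta mark set 900 dup to 10.137.0.6
meta mark 900 ip daddr set 255.255.255.255
'''
SYS_FIREWALL = '''
iifname "eth0" ip daddr 255.255.255.255 udp dport 24727 counter packets 674 bytes 146932 meta mark set 0x00000384 dup to 10.137.0.20
meta mark 0x00000384 counter packets 674 bytes 146932 ip daddr set 10.137.0.255
'''
APPVM_ACCEPT = "ip daddr 10.137.0.255 udp dport 24727 counter accept"

INPUT_RE = re.compile(r'ip daddr (\S+) udp dport (\d+).*meta mark set (\S+) dup to (\S+)')
OUTPUT_RE = re.compile(r'^\s*meta mark (\S+) .*ip daddr set (\S+)', re.MULTILINE)
ACCEPT_RE = re.compile(r'ip daddr (\S+) udp dport (\d+).*accept')

def parse_hop(ruleset):
    """Extract one VM's mark/dup input rule and its mark/rewrite output rule."""
    inp, out = INPUT_RE.search(ruleset), OUTPUT_RE.search(ruleset)
    if not inp or not out:
        raise ValueError("hop is missing its input or output rule")
    return {
        "match_daddr": inp.group(1), "dport": int(inp.group(2)),
        "mark_set": int(inp.group(3), 0),  # int(x, 0) accepts both 900 and 0x384
        "dup_to": inp.group(4),
        "mark_match": int(out.group(1), 0), "rewrite_daddr": out.group(2),
    }

def check_chain(hop_rulesets, accept_rule):
    """Return a list of inconsistencies; an empty list means the hops line up."""
    hops = [parse_hop(r) for r in hop_rulesets]
    acc = ACCEPT_RE.search(accept_rule)
    problems = []
    for i, h in enumerate(hops):
        if h["mark_set"] != h["mark_match"]:
            problems.append(f"hop {i}: output chain matches a different mark than input sets")
        nxt = hops[i + 1]["match_daddr"] if i + 1 < len(hops) else acc.group(1)
        if h["rewrite_daddr"] != nxt:
            problems.append(f"hop {i}: rewrites daddr to {h['rewrite_daddr']} but next hop expects {nxt}")
    ports = {h["dport"] for h in hops} | {int(acc.group(2))}
    if len(ports) != 1:
        problems.append(f"port mismatch across hops: {sorted(ports)}")
    return problems

if __name__ == "__main__":
    print(check_chain([SYS_NET, SYS_FIREWALL], APPVM_ACCEPT) or "chain consistent")
```

Feed it the output of `nft list ruleset` from each VM in hop order; a non-empty result points at the hop whose rewrite or mark does not line up with its neighbour.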