Indeed, a serializer/deserializer like yojson (with ppx) or jsonm/ezjsonm (with ocplib-json-typed) could be useful for your use case to describe a JSON format and, by this way, make a serializer/deserializer easily. sexplib is an other solution used at some points in the MirageOS’s project.
Yes my intention is supporting Qubes 4 format but since I’m currently using Qubes 3.2 and I’m very noob in OCaml I preferred to try with something pretty simple first that works for 3.2. I hope that with the experience doing it I will migrate later to Qubes 4.
I tried yesterday using my own parsing function, but unfortunately I was using Str.split and then I discovered that Str module was removed from MirageOS. I saw that there are some alternatives, I will try some of them.
Update:
After reading the Qubes 4 rules format, I think that I should change my approach. Instead of maintaining my own list of rules and doing a parser from qubesdb to the list, maybe a best solution would be directly parsing qubesdb entries to the firewall logic. Maybe it has some performance penalty (parsing string to rule/action will be done for each packet), but since the rules are indexed by source ip address, in most cases the rules amount will be very low. As advantage it will remove the need of mutability in the firewall itself.
As outlined in the issue in @talex5’s Github repository linked to above, I believe the best approach for implementing user-supplied firewall rules would be to have a separate pure library (that can be used for other purposes as well, and most notably can be unit-tested and fuzzed without requiring OS-level c stubs for interfacing with hardware or external IP stacks).
Having pure library code separate from the application code (which contains impure side-effects that makes the aforementioned things harder) is a design concept I’ve come to love, but it may sound a bit foreign if you’re not used to functional programming.
I’d also like to have a general mirage-firewall that could be used in Tails, SubgraphOS (from normal operating systems not built on top of Xen, that is).
The Usenix paper linked to from here https://nqsb.io/ may do a better job of explaining the concepts than I can here, and maybe if we ask @hannes nicely he’ll have some more references worth checking out.
I started this effort here: https://github.com/cfcs/ocaml-pf (which currently only implements a parser, not the rule engine). I’ve been working a tiny bit on a rule engine, but while I have been kept up with other things the past month or so, it is in no way a dead project, and I still intend to implement that part.
My approach to parsing the new Qubes 4 rule format is to use the angstrom parser-combinator library to parse the data, and then return it using the types defined by the pf library (since the new rules can be translated to a subset of the pf syntax). I have a local branch for that, I’ll try to push it today or tomorrow and post a link here.
Since it sounds like we’re trying to do almost exactly the same thing, I’d be happy to describe what I’m doing more in-depth, and work together if we can find some common ground, but I am a little bit exhausted after a long day and can’t think of more to write right now.
I know your version. I looked at it before doing anything but since I am new to OCaml and I don’t know pf I thought it was more simple to work on talex’s version.
This thread has lost it’s purpose, please mail me (donoban@riseup.net) and we could talk about working on this
