15:11 <ahou> hannes: heh. thanks for that pointer to solo5_xen.lds ... not surprised i didnt find it on my own.

15:11 <ahou> <3<3<3 the .h _behind_ it has a comment that literaly says ... * HERE BE DRAGONS.

15:12 <ahou> that should be mandatory for anything involving handcrafted linker scripts.

16:33 <hannes> ahou: did you find any dragons?

16:46 <ahou> not yet, even though i did skim xen/boot.S by now.

16:47 <ahou> "add a multiboot header to mirage binary" (aka b) still seems like the easier // more reasonable path.

16:48 <ahou> (as in, it is completely horrible, but just fighting tech dragons seems so much easier than dealing with maintainers of a GNU project...)

17:20 <hannes> yes, iirc the virtio code of solo5 inserts a multiboot header..

17:21 <hannes> so there could be some code to take inspiration from..

17:21 <jpds> Is there any example code on how to build a simple firewall with mirage?

17:26 <hannes> jpds: well, there's https://github.com/mirage/qubes-mirage-firewall/ which is rather involved, eventually the NAT example unikernel is clearer https://github.com/mirage/mirage-nat/tree/master/example

17:42 <ahou> hannes: a) yes, virtio bindings have multiboot code. b) the comments at the top describing the "initial situation" sound very similar. c) so another big thanks for the pointer.

17:43 <jpds> hannes: I'll take a look at the NAT unikernel, thanks - I run a bunch of nftables VMs I'm trying to replace

17:44 <ahou> jpds: if you are running these on qubes, the qubes-mirage-firewall may be a better start. ;)

17:44 <jpds> ahou: Not qubes

17:45 <ahou> jpds: *insert 2.5 pages of qubes propaganda here*

17:45 <jpds> ahou: I've been running qubes on my desktop for years

17:46 <hannes> jpds: it has very nice comments, if you struggle with something, please ask here or on the mailing list

17:47 <hannes> ahou: you're welcome. one day I'll be replaced by a bot ;)

17:47 <ahou> hannes: only if the bot has a search function that is better than "grep -r" ...

17:49 <jpds> Going to have to figure out IPv6, some of the networks behind the VMs have no v4 :(

17:49 <ahou> sounds exotic

17:50 <hannes> jpds: the good news is that we've upcoming ipv6 support in mirage (dual stack)

17:50 <hannes> the issue is some congestion on the release train track

17:51 <hannes> for a firewall, the ipv6 decoder + encoder (tcpip.ipv6) should be sufficient

17:51 <hannes> s/firewall/packet filter/

17:51 <jpds> Nice!

17:52 <hannes> i.e. no need to wait for the dual stack stuff

17:53 <jpds> Sorry, so the v6 support is there, and it's the dual-stack aspect that's upcoming?

17:53 <hannes> yes there is IPv6 support. well, it depends on the meaning of "v6 support".

17:55 <hannes> if you take a look into the tcpip library -- https://github.com/mirage/mirage-tcpip/tree/master/src/ipv6 -- the ipv6 module is around, and there's somewhere code to decode incoming ipv6 packets. now, a packet filter shouldn't need much host network stack logic, but more look at source/destination/protocol/source-port/destination-port, and this is doable afaict with the latest tcpip release

17:56 <hannes> but I'd recommend to first get your hands dirty with an ipv4 firewall ;)