network: preliminary support for IPv6, disabled by default (#718)

Currently qubes-firewall will try to load the same rules for both IPv4 and IPv6, so only those with names resolvable to both address families will work. The feature is disabled by default (besides some generic ip6tables rules, which are always loaded). It can be enabled using qubes-ipv6 qvm-service. To actually use IPv6 in an AppVM, the user needs to enable qubes-ipv6 service on the whole network chain from NetVM up to (inclusive) the AppVM.
marmarek · Jan 26, 2015 · 789eb51 · 789eb51
1 parent b62665d
commit 789eb51
Show file tree

Hide file tree

Showing 4 changed files with 81 additions and 9 deletions.
diff --git a/network/ip6tables b/network/ip6tables
@@ -1,8 +1,29 @@
-# Generated by ip6tables-save v1.4.14 on Tue Sep 25 16:00:20 2012
+# Generated by iptables-save v1.4.5 on Mon Sep  6 08:57:46 2010
+*nat
+:PREROUTING ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+:POSTROUTING ACCEPT [0:0]
+:PR-QBS - [0:0]
+:PR-QBS-SERVICES - [0:0]
+-A PREROUTING -j PR-QBS
+-A PREROUTING -j PR-QBS-SERVICES
+-A POSTROUTING -o vif+ -j ACCEPT
+-A POSTROUTING -o lo -j ACCEPT
+-A POSTROUTING -j MASQUERADE
+COMMIT
+# Completed on Mon Sep  6 08:57:46 2010
+# Generated by iptables-save v1.4.5 on Mon Sep  6 08:57:46 2010
 *filter
-:INPUT DROP [1:72]
-:FORWARD DROP [0:0]
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
 :OUTPUT ACCEPT [0:0]
+-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+-A INPUT -p ipv6-icmp -j ACCEPT
 -A INPUT -i lo -j ACCEPT
+-A INPUT -j REJECT --reject-with icmp-host-prohibited
+-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+-A FORWARD -i vif+ -o vif+ -j DROP
+-A FORWARD -i vif+ -j ACCEPT
+-A FORWARD -j DROP
 COMMIT
-# Completed on Tue Sep 25 16:00:20 2012
+# Completed on Mon Sep  6 08:57:46 2010
diff --git a/network/qubes-firewall b/network/qubes-firewall
@@ -6,6 +6,10 @@ XENSTORE_IPTABLES=qubes-iptables
 XENSTORE_IPTABLES_HEADER=qubes-iptables-header
 XENSTORE_ERROR=qubes-iptables-error
 OLD_RULES=""
+
+ipv6_flagfile=/var/run/qubes-service/qubes-ipv6
+ipv6_prefix="fd09:24ef:4179:0000::"
+
 # PIDfile handling
 [[ -e $PIDFILE ]] && kill -s 0 $(<$PIDFILE) 2>/dev/null && exit 0
 echo $$ >$PIDFILE
@@ -14,6 +18,14 @@ trap 'exit 0' SIGTERM
 
 FIRST_TIME=yes
 
+convert_rules_ipv6() {
+    RULES_WORK="$1"
+    RULES_WORK="`echo "$RULES_WORK"  | sed -e "s/ -s 10\./ -s ${ipv6_prefix}10./g"`"
+    RULES_WORK="`echo "$RULES_WORK" | sed -e "s/ -d \(10\.13[78]\.\)/ -d ${ipv6_prefix}\1/g"`"
+    RULES_WORK="`echo "$RULES_WORK" | sed -e "s/\<icmp-host-prohibited\>/adm-prohibited/g"`"
+    echo "$RULES_WORK"
+}
+
 while true; do
 
 	echo "1" > /proc/sys/net/ipv4/ip_forward
@@ -37,14 +49,28 @@ while true; do
 	RULES=$(xenstore-read $XENSTORE_IPTABLES_HEADER)
 	IPTABLES_SAVE=$(iptables-save | sed '/^\*filter/,/^COMMIT/d')
 	OUT=`echo -e "$RULES\n$IPTABLES_SAVE" | iptables-restore 2>&1 || true`
+	if [ -e "$ipv6_flagfile" ]; then
+		RULES6=`convert_rules_ipv6 "$RULES"`
+		IP6TABLES_SAVE=$(ip6tables-save | sed '/^\*filter/,/^COMMIT/d')
+		ERRS=`echo -e "$RULES6\n$IP6TABLES_SAVE" | ip6tables-restore 2>&1 || true`
+		OUT="$OUT$ERRS"
+	fi
 
 	for i in $(xenstore-list qubes-iptables-domainrules) ; do
 		RULES=$(xenstore-read qubes-iptables-domainrules/"$i")
 		ERRS=`echo -e "$RULES" | /sbin/iptables-restore -n 2>&1 || true`
 		if [ -n "$ERRS" ]; then
-			echo "Failed applying rules for $i: $ERRS" >&2
+			echo "Failed applying ipv4 rules for $i: $ERRS" >&2
 			OUT="$OUT$ERRS"
 		fi
+		if [ -e "$ipv6_flagfile" ]; then
+			RULES6=`convert_rules_ipv6 "$RULES"`
+			ERRS=`echo -e "$RULES6" | /sbin/ip6tables-restore -n 2>&1 || true`
+			if [ -n "$ERRS" ]; then
+				echo "Failed applying ipv6 rules for $i: $ERRS" >&2
+				OUT="$OUT$ERRS"
+			fi
+		fi
 	done		
 	xenstore-write $XENSTORE_ERROR "$OUT"
 	if [ -n "$OUT" ]; then

diff --git a/network/setup-ip b/network/setup-ip
@@ -1,5 +1,8 @@
 #!/bin/sh
 
+ipv6_flagfile=/var/run/qubes-service/qubes-ipv6
+ipv6_prefix="fd09:24ef:4179:0000::"
+
 if [ -x /usr/sbin/xenstore-read ]; then
 	XENSTORE_READ="/usr/sbin/xenstore-read"
 else
@@ -12,6 +15,9 @@ if [ x$ip != x ]; then
     gateway=`$XENSTORE_READ qubes-gateway`
     secondary_dns=`$XENSTORE_READ qubes-secondary-dns`
     /sbin/ifconfig $INTERFACE $ip netmask 255.255.255.255
+    if [ -e "$ipv6_flagfile" ]; then
+        /sbin/ip addr add "$ipv6_prefix$ip/128" dev $INTERFACE
+    fi
     /sbin/ifconfig $INTERFACE up
     /sbin/route add -host $gateway dev $INTERFACE
     if [ -f /var/run/qubes-service/set-default-route ]; then
@@ -38,9 +44,6 @@ id=VM uplink $INTERFACE
 uuid=de85f79b-8c3d-405f-a652-cb4c10b4f9ef
 type=802-3-ethernet
 
-[ipv6]
-method=ignore
-
 [ipv4]
 method=manual
 may-fail=false
@@ -53,6 +56,22 @@ __EOF__
         else
             echo "address1=$ip/32" >> $nm_config
         fi
+        if [ -e "$ipv6_flagfile" ]; then
+            cat >> $nm_config <<__EOF__
+[ipv6]
+method=manual
+__EOF__
+        if [ -f /var/run/qubes-service/set-default-route ]; then
+            echo "address1=fd09:24ef:4179:0000::$ip/128,fe80::fcff:ffff:feff:ffff" >> $nm_config
+        else
+            echo "address1=fd09:24ef:4179:0000::$ip/128" >> $nm_config
+        fi
+        else
+            cat >> $nm_config <<__EOF__
+[ipv6]
+method=ignore
+__EOF__
+        fi
         chmod 600 $nm_config
     fi
 	network=$($XENSTORE_READ qubes-netvm-network 2>/dev/null)

diff --git a/network/vif-route-qubes b/network/vif-route-qubes
@@ -23,6 +23,8 @@
 dir=$(dirname "$0")
 . "$dir/vif-common.sh"
 
+ipv6_prefix=fd09:24ef:4179:0000::
+ipv6_flagfile=/var/run/qubes-service/qubes-ipv6
 #main_ip=$(dom0_ip)
 
 case "$command" in
@@ -48,12 +50,16 @@ domid=${domid/.*/}
 metric=$[ 32752 - $domid ]
 
 if [ "${ip}" ] ; then
-	# If we've been given a list of IP addresses, then add routes from dom0 to
+	# If we've been given a list of IP addresses, then add routes to
 	# the guest using those addresses.
 	for addr in ${ip} ; do
 		${cmdprefix} ip route ${ipcmd} ${addr} dev ${vif} metric $metric
+		if [ -e "$ipv6_flagfile" ]; then
+			${cmdprefix} ip -6 route ${ipcmd} ${ipv6_prefix}${ip} dev ${vif} metric $metric
+		fi
 	done
 	${cmdprefix} iptables -t raw $iptables_cmd -i ${vif} \! -s ${ip} -j DROP
+	${cmdprefix} ip6tables -t raw $iptables_cmd -i ${vif} \! -s ${ipv6_prefix}${ip} -j DROP
 	back_ip=`xenstore-read qubes-netvm-gateway`
 	${cmdprefix} ip addr ${ipcmd} ${back_ip}/32 dev ${vif}
 fi