From 44f8cceb3814a7a3ee8cc734d3b41dc69dcb6b65 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?=
Date: Sun, 3 Dec 2017 03:27:45 +0100
Subject: [PATCH] network: configure IPv6 when enabled

If dom0 expose IPv6 address settings, configure it on the interface. Both backend and frontend side. If no IPv6 configuration is provided, block IPv6 as it was before.

Fixes QubesOS/qubes-issues#718
---
 network/setup-ip        | 62 ++++++++++++++++++++++++++++++++++-------
 network/vif-route-qubes | 30 ++++++++++++++++----
 2 files changed, 77 insertions(+), 15 deletions(-)

diff --git a/network/setup-ip b/network/setup-ip
index 5f4aae0..7bc8375 100755
--- a/network/setup-ip
+++ b/network/setup-ip
@@ -7,9 +7,11 @@
 have_qubesdb || exit 0
 
 ip=$(/usr/bin/qubesdb-read /qubes-ip 2> /dev/null)
+ip6=$(/usr/bin/qubesdb-read /qubes-ip6 2> /dev/null)
 if [ "x$ip" != x ]; then
     #netmask=$(/usr/bin/qubesdb-read /qubes-netmask)
     gateway=$(/usr/bin/qubesdb-read /qubes-gateway)
+    gateway6=$(/usr/bin/qubesdb-read /qubes-gateway6)
     primary_dns=$(/usr/bin/qubesdb-read /qubes-primary-dns 2>/dev/null || echo "$gateway")
     secondary_dns=$(/usr/bin/qubesdb-read /qubes-secondary-dns)
     /sbin/ethtool -K "$INTERFACE" sg off
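Review bot: The new `gateway6=$(/usr/bin/qubesdb-read /qubes-gateway6)` read has no `2> /dev/null`, unlike the `ip6` read two lines above it and the `primary_dns` read below, so on a VM with no IPv6 settings (the case the commit message itself anticipates) a missing key is presumably reported on stderr at every interface setup; `gateway6=$(/usr/bin/qubesdb-read /qubes-gateway6 2> /dev/null)` keeps it quiet and still leaves the variable empty. Note also that the whole block stays gated on `[ "x$ip" != x ]`, so an IPv6-only assignment (empty /qubes-ip, populated /qubes-ip6) configures nothing; if that is deliberate, a comment such as `# IPv6 is only configured alongside an IPv4 address` next to the gate would save the next reader the question. The `if` body continues past the end of the hunk.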
@@ -28,32 +30,72 @@ mac-address=$(ip l show dev "$INTERFACE" |grep link|awk '{print $2}')
 id=VM uplink $INTERFACE
 uuid=de85f79b-8c3d-405f-a652-cb4c10b4f9ef
 type=802-3-ethernet
-
-[ipv6]
-method=ignore
-
+__EOF__
+        ip4_nm_config=""
+        ip6_nm_config=""
+        if ! qsvc disable-dns-server ; then
+            ip4_nm_config="${ip4_nm_config}
+dns=${primary_dns};${secondary_dns}"
+        fi
+        if ! qsvc disable-default-route ; then
+            ip4_nm_config="${ip4_nm_config}
+addresses1=$ip;32;$gateway"
+            if [ -n "$ip6" ]; then
+                ip6_nm_config="${ip6_nm_config}
+addresses1=$ip6;128;$gateway6"
+            fi
+        else
+            ip4_nm_config="${ip4_nm_config}
+addresses1=$ip;32"
+            if [ -n "$ip6" ]; then
+                ip6_nm_config="${ip6_nm_config}
+addresses1=$ip6;128"
+            fi
+        fi
+        if [ -n "$ip4_nm_config" ]; then
+            cat >> "$nm_config" <<__EOF__
 [ipv4]
 method=manual
 may-fail=false
+$ip4_nm_config
 __EOF__
-        if ! qsvc disable-dns-server ; then
-            echo "dns=$primary_dns;$secondary_dns" >> "$nm_config"
-        fi
-        if ! qsvc disable-default-route ; then
-            echo "addresses1=$ip;32;$gateway" >> "$nm_config"
         else
-            echo "addresses1=$ip;32" >> "$nm_config"
+            cat >> "$nm_config" <<__EOF__
+[ipv4]
+method=ignore
+__EOF__
         fi
+
+        if [ -n "$ip6_nm_config" ]; then
+            cat >> "$nm_config" <<__EOF__
+[ipv6]
+method=manual
+may-fail=false
+$ip6_nm_config
+__EOF__
+        else
+            cat >> "$nm_config" <<__EOF__
+[ipv6]
+method=ignore
+__EOF__
+        fi
+
         chmod 600 "$nm_config"
         # reload connection
         nmcli connection load "$nm_config" || :
     else
         # No NetworkManager enabled, configure the network manually
         /sbin/ifconfig "$INTERFACE" "$ip" netmask 255.255.255.255
+        if [ -n "$ip6" ]; then
+            /sbin/ifconfig "$INTERFACE" add "$ip6"/128
+        fi
         /sbin/ifconfig "$INTERFACE" up
         /sbin/route add -host "$gateway" dev "$INTERFACE"
         if ! qsvc disable-default-route ; then
             /sbin/route add default gw "$gateway"
+            if [ -n "$gateway6" ]; then
+                /sbin/route -6 add default gw "$gateway6" dev "$INTERFACE"
+            fi
         fi
         if ! is_protected_file /etc/resolv.conf ; then
             echo > /etc/resolv.conf
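Review bot: In the NetworkManager branch the default-route case writes `addresses1=$ip6;128;$gateway6` whenever `$ip6` is set, with no check that `$gateway6` is non-empty, whereas the manual branch later in the same hunk guards the IPv6 default route with `[ -n "$gateway6" ]`; when dom0 supplies an address but no gateway the keyfile ends with a trailing `;` and an empty gateway field, which NetworkManager may reject. Writing that line as `addresses1=$ip6;128${gateway6:+;$gateway6}"` makes the two branches agree and degrades to a route-less address exactly as the manual branch does. Separately, the new `[ipv6]` section carries `may-fail=false`; if IPv6 is disabled in the VM (sysctl or `ipv6.disable=1`) that presumably fails the whole connection, IPv4 included, where the old `method=ignore` did not, so either `may-fail=true` for the IPv6 section or a comment stating that IPv6 is mandatory once dom0 exposes it would make the intent explicit. The enclosing `if` on NetworkManager availability starts before this hunk.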
diff --git a/network/vif-route-qubes b/network/vif-route-qubes
index 6412b99..07506b2 100755
--- a/network/vif-route-qubes
+++ b/network/vif-route-qubes
@@ -29,8 +29,16 @@ lockfile=/var/run/xen-hotplug/vif-lock
 
 # shellcheck disable=SC2154
 if [ "${ip}" ]; then
+    # get first IPv4 and first IPv6
+    for addr in ${ip}; do
+        if [ -z "$ip4" ] && [[ "$addr" = *.* ]]; then
+            ip4="$addr"
+        elif [ -z "$ip6" ] && [[ "$addr" = *:* ]]; then
+            ip6="$addr"
+        fi
+    done
     # IPs as seen by this VM
-    netvm_ip="$ip"
+    netvm_ip="$ip4"
     netvm_gw_ip=$(qubesdb-read /qubes-netvm-gateway)
     netvm_dns1_ip=$(qubesdb-read /qubes-netvm-primary-dns)
     netvm_dns2_ip=$(qubesdb-read /qubes-netvm-secondary-dns)
@@ -38,12 +46,14 @@ if [ "${ip}" ]; then
     back_ip="$netvm_gw_ip"
 
     # IPs as seen by the VM - if other than $netvm_ip
-    appvm_gw_ip="$(qubesdb-read "/mapped-ip/$ip/visible-gateway" 2>/dev/null || :)"
-    appvm_ip="$(qubesdb-read "/mapped-ip/$ip/visible-ip" 2>/dev/null || :)"
+    appvm_gw_ip="$(qubesdb-read "/mapped-ip/$ip4/visible-gateway" 2>/dev/null || :)"
+    appvm_ip="$(qubesdb-read "/mapped-ip/$ip4/visible-ip" 2>/dev/null || :)"
 fi
 
 # Apply NAT if IP visible from the VM is different than the "real" one
 # See vif-qubes-nat.sh for details
+# XXX: supported only for the first IPv4 address, IPv6 is dropped if this
+# feature is enabled
 if [ -n "$appvm_ip" ] && [ -n "$appvm_gw_ip" ] && [ "$appvm_ip" != "$netvm_ip" ]; then
     # shellcheck disable=SC2154
     if test "$command" == online; then
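Review bot: `ip4` and `ip6` are never initialised before the `for addr in ${ip}` loop, and the `[ -z "$ip4" ]` / `[ -z "$ip6" ]` tests would honour whatever value those names already carry in the hotplug environment; an explicit `ip4= ip6=` before the loop closes that. The classification also tests `*.*` first, so an IPv4-mapped IPv6 address such as `::ffff:192.0.2.1` would be taken as the IPv4 address — testing `*:*` first (`if [ -z "$ip6" ] && [[ "$addr" = *:* ]]; then … elif [ -z "$ip4" ] && [[ "$addr" = *.* ]]; then`) avoids that. If `${ip}` holds only IPv6 addresses, `netvm_ip` becomes empty and the next hunk's `/mapped-ip/$ip4/…` lookups run with an empty path element; since the rest of the script is IPv4-only this deserves at least a comment, e.g. `# netvm_ip and the NAT lookups below assume an IPv4 address is present`. The `if [ "${ip}" ]` body continues past the hunk.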
@@ -83,9 +93,19 @@ if [ "${ip}" ] ; then
     # the guest using those addresses.
     for addr in ${ip} ; do
         ${cmdprefix} ip route "${ipcmd}" "${addr}" dev "${vif}" metric "$metric"
+        if [[ "$addr" = *:* ]]; then
+            ipt=ip6tables-restore
+        else
+            ipt=iptables-restore
+        fi
+        echo -e "*raw\n$iptables_cmd -i ${vif} ! -s ${addr} -j DROP\nCOMMIT" | \
+            ${cmdprefix} flock $lockfile $ipt --noflush
     done
-    echo -e "*raw\n$iptables_cmd -i ${vif} ! -s ${ip} -j DROP\nCOMMIT" | \
-        ${cmdprefix} flock $lockfile iptables-restore --noflush
+    # if no IPv6 is assigned, block all IPv6 traffic on that interface
+    if ! [[ "$ip" = *:* ]]; then
+        echo -e "*raw\n$iptables_cmd -i ${vif} -j DROP\nCOMMIT" | \
+            ${cmdprefix} flock $lockfile ip6tables-restore --noflush
+    fi
     ${cmdprefix} ip addr "${ipcmd}" "${back_ip}/32" dev "${vif}"
 fi
 
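Review bot: The loop now installs one `! -s ${addr} -j DROP` rule per address, and two addresses of the same family make those rules mutually exclusive: a packet from the first IPv4 address fails the `! -s` of the second and is dropped, so any list with more than one IPv4 (or more than one IPv6) address blocks that family entirely instead of whitelisting it. The first hunk of this patch only ever uses the first address per family, so this is probably unreachable today, but the anti-spoofing rule is the one place the full list is consumed; either state the limit above the loop (`# at most one address per family: a second "! -s" rule would drop everything`) or collect the addresses into a per-vif chain of `-s addr -j RETURN` rules followed by a single DROP. The `if [ "${ip}" ]` block this hunk belongs to starts before it.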