From 4d51ea9387c05d123db5d91b08d52823846c0303 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?=
Date: Tue, 5 Dec 2017 17:56:46 +0100
Subject: [PATCH] Fix IPv6 support in qubes-firewall

Chain name in IPv6 cannot be longer than 29 chars, so strip IPv6 prefix from it. ICMP on IPv6 is a different protocol than on IPv4 - handle iptables rule accordingly.

QubesOS/qubes-issues#718
---
 qubesagent/firewall.py | 7 +++++--
 qubesagent/test_firewall.py | 4 ++--
 2 files changed, 7 insertions(+), 4 deletions(-)

diff --git a/qubesagent/firewall.py b/qubesagent/firewall.py
index c445fc7..e811c6c 100755
--- a/qubesagent/firewall.py
+++ b/qubesagent/firewall.py
@@ -169,7 +169,7 @@ class IptablesWorker(FirewallWorker):
 @staticmethod
 def chain_for_addr(addr):
 '''Generate iptables chain name for given source address address'''
- return 'qbs-' + addr.replace('.', '-').replace(':', '-')
+ return 'qbs-' + addr.replace('.', '-').replace(':', '-')[-20:]
 
 def run_ipt(self, family, args, **kwargs):
 # pylint: disable=no-self-use
@@ -236,7 +236,10 @@ class IptablesWorker(FirewallWorker):
 raise RuleParseError('dst6 rule found for IPv4 address')
 
 if 'proto' in rule:
- protos = [rule['proto']]
+ if rule['proto'] == 'icmp' and family == 6:
+ protos = ['icmpv6']
+ else:
+ protos = [rule['proto']]
 else:
 protos = None
 
diff --git a/qubesagent/test_firewall.py b/qubesagent/test_firewall.py
index b50fb33..c271f6c 100644
--- a/qubesagent/test_firewall.py
+++ b/qubesagent/test_firewall.py
@@ -162,7 +162,7 @@ class TestIptablesWorker(TestCase):
 self.obj.chain_for_addr('10.137.0.1'), 'qbs-10-137-0-1')
 self.assertEqual(
 self.obj.chain_for_addr('fd09:24ef:4179:0000::3'),
- 'qbs-fd09-24ef-4179-0000--3')
+ 'qbs-09-24ef-4179-0000--3')
 
 def test_001_create_chain(self):
 testdata = [
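Review bot: Keeping only the last 20 characters of the dashed address in `chain_for_addr` brings the name under the ip6tables limit the commit message cites, but it also discards the uniqueness the name used to have: two IPv6 addresses whose dashed form shares the same 20-character tail (in practice, the same host part under different prefixes) now map to one chain, so one client's rule set would presumably be applied to, or flushed by, another's — how the chain is created and torn down is outside this hunk. The slice is a no-op for IPv4 (a dotted quad is at most 15 characters), so only the IPv6 path is affected. A collision-resistant name would be safer where the dashed form is too long, e.g. `hashlib.sha256(addr.encode()).hexdigest()[:20]` (which needs a `hashlib` import), and the chosen derivation belongs in the docstring together with the length limit, e.g. `'''Generate iptables chain name for the given source address; ip6tables limits chain names, so only the last 20 chars of the address are kept'''`.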
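Review bot: The new `icmp` → `icmpv6` rewrite handles the IPv6 side, but the symmetric case is left unchecked: an IPv4 rule whose `proto` is `icmpv6` passes through unchanged, whereas the context line just above rejects a `dst6` rule on an IPv4 address with `RuleParseError`; for consistency add `if rule['proto'] == 'icmpv6' and family == 4: raise RuleParseError('icmpv6 rule found for IPv4 address')`, otherwise the mismatch presumably surfaces only when iptables rejects the rule. The special case also deserves a why-comment, e.g. `# IPv6 has no 'icmp' match: ICMPv6 (protocol 58) is what ip6tables calls 'icmpv6'`. The match is exact on the string `'icmp'`, so a rule that already names `icmpv6` or a numeric protocol is passed through as is. The enclosing function starts and ends outside this hunk.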
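Review bot: The updated expectation pins the exact truncated spelling `'qbs-09-24ef-4179-0000--3'` rather than the property the change exists to guarantee, so a later switch to a different shortening scheme would break this test for the wrong reason. An assertion on the invariant itself, `self.assertLess(len(self.obj.chain_for_addr('fd09:24ef:4179:0000::3')), 29)`, would document the limit the commit message cites, and a second address differing only in its prefix would make the collision behaviour of the slice explicit one way or the other. The enclosing test method starts outside this hunk.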
@@ -230,7 +230,7 @@ class TestIptablesWorker(TestCase):
 "-A chain -d 2001::2/128 -p udp --dport 53:53 -j ACCEPT\n"
 "-A chain -d 2001::1/128 -p udp --dport 53:53 -j DROP\n"
 "-A chain -d 2001::2/128 -p udp --dport 53:53 -j DROP\n"
- "-A chain -p icmp -j DROP\n"
+ "-A chain -p icmpv6 -j DROP\n"
 "-A chain -j DROP\n"
 "COMMIT\n"
 )