Fix IPv6 support in qubes-firewall

Chain name in IPv6 cannot be longer than 29 chars, so strip IPv6 prefix
from it.
ICMP on IPv6 is a different protocol than on IPv4 - handle iptables rule
accordingly.

QubesOS/qubes-issues#718

qubesagent/firewall.py

@@ -169,7 +169,7 @@ class IptablesWorker(FirewallWorker):
     @staticmethod
     def chain_for_addr(addr):
         '''Generate iptables chain name for given source address address'''
-        return 'qbs-' + addr.replace('.', '-').replace(':', '-')
+        return 'qbs-' + addr.replace('.', '-').replace(':', '-')[-20:]
 
     def run_ipt(self, family, args, **kwargs):
         # pylint: disable=no-self-use
@@ -236,7 +236,10 @@ class IptablesWorker(FirewallWorker):
                 raise RuleParseError('dst6 rule found for IPv4 address')
 
             if 'proto' in rule:
-                protos = [rule['proto']]
+                if rule['proto'] == 'icmp' and family == 6:
+                    protos = ['icmpv6']
+                else:
+                    protos = [rule['proto']]
             else:
                 protos = None
 

qubesagent/test_firewall.py

@@ -162,7 +162,7 @@ class TestIptablesWorker(TestCase):
             self.obj.chain_for_addr('10.137.0.1'), 'qbs-10-137-0-1')
         self.assertEqual(
             self.obj.chain_for_addr('fd09:24ef:4179:0000::3'),
-            'qbs-fd09-24ef-4179-0000--3')
+            'qbs-09-24ef-4179-0000--3')
 
     def test_001_create_chain(self):
         testdata = [
@@ -230,7 +230,7 @@ class TestIptablesWorker(TestCase):
             "-A chain -d 2001::2/128 -p udp --dport 53:53 -j ACCEPT\n"
             "-A chain -d 2001::1/128 -p udp --dport 53:53 -j DROP\n"
             "-A chain -d 2001::2/128 -p udp --dport 53:53 -j DROP\n"
-            "-A chain -p icmp -j DROP\n"
+            "-A chain -p icmpv6 -j DROP\n"
             "-A chain -j DROP\n"
             "COMMIT\n"
         )