Fix IPv6 support in qubes-firewall

Chain name in IPv6 cannot be longer than 29 chars, so strip IPv6 prefix
from it.
ICMP on IPv6 is a different protocol than on IPv4 - handle iptables rule
accordingly.

QubesOS/qubes-issues#718
This commit is contained in:
Marek Marczykowski-Górecki 2017-12-05 17:56:46 +01:00
parent 20d9a0bb61
commit 4d51ea9387
No known key found for this signature in database
GPG Key ID: 063938BA42CFA724
2 changed files with 7 additions and 4 deletions

View File

@ -169,7 +169,7 @@ class IptablesWorker(FirewallWorker):
@staticmethod
def chain_for_addr(addr):
'''Generate iptables chain name for given source address address'''
return 'qbs-' + addr.replace('.', '-').replace(':', '-')
return 'qbs-' + addr.replace('.', '-').replace(':', '-')[-20:]
def run_ipt(self, family, args, **kwargs):
# pylint: disable=no-self-use
@ -236,6 +236,9 @@ class IptablesWorker(FirewallWorker):
raise RuleParseError('dst6 rule found for IPv4 address')
if 'proto' in rule:
if rule['proto'] == 'icmp' and family == 6:
protos = ['icmpv6']
else:
protos = [rule['proto']]
else:
protos = None

View File

@ -162,7 +162,7 @@ class TestIptablesWorker(TestCase):
self.obj.chain_for_addr('10.137.0.1'), 'qbs-10-137-0-1')
self.assertEqual(
self.obj.chain_for_addr('fd09:24ef:4179:0000::3'),
'qbs-fd09-24ef-4179-0000--3')
'qbs-09-24ef-4179-0000--3')
def test_001_create_chain(self):
testdata = [
@ -230,7 +230,7 @@ class TestIptablesWorker(TestCase):
"-A chain -d 2001::2/128 -p udp --dport 53:53 -j ACCEPT\n"
"-A chain -d 2001::1/128 -p udp --dport 53:53 -j DROP\n"
"-A chain -d 2001::2/128 -p udp --dport 53:53 -j DROP\n"
"-A chain -p icmp -j DROP\n"
"-A chain -p icmpv6 -j DROP\n"
"-A chain -j DROP\n"
"COMMIT\n"
)