From 6345c4570a23ab7cb12e21aa776a847c029cee40 Mon Sep 17 00:00:00 2001
From: Marek Marczykowski
Date: Tue, 25 Sep 2012 16:04:47 +0200
Subject: [PATCH] vm/iptables: block IPv6 traffic

This isn't properly handled by Qubes VMs yet, so block it in all the VMs. Also restrict access to firewall config.
---
 network/ip6tables | 8 ++++++++
 rpm_spec/core-vm.spec | 6 +++++-
 2 files changed, 13 insertions(+), 1 deletion(-)
 create mode 100644 network/ip6tables

diff --git a/network/ip6tables b/network/ip6tables
new file mode 100644
index 0000000..8a906f5
--- /dev/null
+++ b/network/ip6tables
@@ -0,0 +1,8 @@
+# Generated by ip6tables-save v1.4.14 on Tue Sep 25 16:00:20 2012
+*filter
+:INPUT DROP [1:72]
+:FORWARD DROP [0:0]
+:OUTPUT ACCEPT [0:0]
+-A INPUT -i lo -j ACCEPT
+COMMIT
+# Completed on Tue Sep 25 16:00:20 2012
diff --git a/rpm_spec/core-vm.spec b/rpm_spec/core-vm.spec
index f9ba774..0c576bf 100644
--- a/rpm_spec/core-vm.spec
+++ b/rpm_spec/core-vm.spec
@@ -139,7 +139,8 @@ ln -s /usr/lib/qubes/qubes_setup_dnat_to_ns $RPM_BUILD_ROOT/etc/dhclient.d/qubes
 install -d $RPM_BUILD_ROOT/etc/NetworkManager/dispatcher.d/
 install network/{qubes_nmhook,30-qubes_external_ip} $RPM_BUILD_ROOT/etc/NetworkManager/dispatcher.d/
 install -D network/vif-route-qubes $RPM_BUILD_ROOT/etc/xen/scripts/vif-route-qubes
-install -m 0644 -D network/iptables $RPM_BUILD_ROOT/etc/sysconfig/iptables
+install -m 0400 -D network/iptables $RPM_BUILD_ROOT/etc/sysconfig/iptables
+install -m 0400 -D network/ip6tables $RPM_BUILD_ROOT/etc/sysconfig/ip6tables
 install -m 0644 -D network/tinyproxy-qubes-yum.conf $RPM_BUILD_ROOT/etc/tinyproxy/tinyproxy-qubes-yum.conf
 install -m 0644 -D network/filter-qubes-yum $RPM_BUILD_ROOT/etc/tinyproxy/filter-qubes-yum
@@ -371,6 +372,7 @@ rm -rf $RPM_BUILD_ROOT
 /etc/qubes_rpc/qubes.SuspendPost
 /etc/sudoers.d/qubes
 /etc/sysconfig/iptables
+/etc/sysconfig/ip6tables
 /etc/sysconfig/modules/qubes_core.modules
 /etc/tinyproxy/filter-qubes-yum
 /etc/tinyproxy/tinyproxy-qubes-yum.conf
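Review bot: The new ruleset keeps `:OUTPUT ACCEPT [0:0]`, so the VM can still originate IPv6 packets (neighbour and router solicitations, DNS or application traffic from a link-local address) onto its vif; only the replies are discarded by the INPUT policy, which is a narrower guarantee than the commit message's "block IPv6 traffic". If the intent is to stop all IPv6 until the VMs handle it properly, default the OUTPUT chain to drop and keep loopback working with `:OUTPUT DROP [0:0]` and `-A OUTPUT -o lo -j ACCEPT` next to the existing INPUT loopback rule. The saved counters (`[1:72]`) and the ip6tables-save timestamp comments are incidental to the policy and could be dropped to keep the shipped file minimal; ip6tables-restore ignores the bracketed counters unless run with -c anyway.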
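Review bot: The 0400 mode given by `install -m 0400` on the two sysconfig files only survives into the package if the %files section's %defattr (outside this hunk) leaves the file mode as `-`; an explicit default file mode there overrides what the buildroot carries, so the restriction the commit describes should be pinned in the %files hunk at -371 with `%attr(0400,root,root) /etc/sysconfig/iptables` and `%attr(0400,root,root) /etc/sysconfig/ip6tables` rather than relying on the install mode alone. That also makes the tightened permission visible to anyone reading the file list and to rpm -V. The surrounding %install section continues outside the hunk.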
@@ -489,6 +491,7 @@ chkconfig rsyslog on
 chkconfig haldaemon on
 chkconfig messagebus on
 chkconfig iptables on
+chkconfig ip6tables on
 chkconfig --add qubes_core || echo "WARNING: Cannot add service qubes_core!"
 chkconfig qubes_core on || echo "WARNING: Cannot enable service qubes_core!"
 chkconfig --add qubes_core_netvm || echo "WARNING: Cannot add service qubes_core_netvm!"
@@ -610,6 +613,7 @@ rm -f /etc/systemd/system/getty.target.wants/getty@tty*.service
 # Enable some services
 /bin/systemctl enable iptables.service 2> /dev/null
+/bin/systemctl enable ip6tables.service 2> /dev/null
 /bin/systemctl enable rsyslog.service 2> /dev/null
 /bin/systemctl enable ntpd.service 2> /dev/null
 # Disable original service to enable overriden one
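Review bot: `chkconfig ip6tables on` and the `/bin/systemctl enable ip6tables.service 2> /dev/null` line in the hunk at -610 both fail silently when the template has no ip6tables service installed, so such a VM would keep the unfiltered IPv6 stack this commit sets out to block; neither hunk adds a dependency on the package that provides the service, and the stderr redirect on the systemctl line hides the failure entirely. Either add a `Requires:` on whichever package ships the ip6tables service for the target distribution, or at least report the failure the way the neighbouring qubes_core lines do, e.g. `chkconfig ip6tables on || echo "WARNING: Cannot enable service ip6tables!"`, so a missing service shows up in the install log instead of going unnoticed. The enclosing scriptlets start and end outside both hunks.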