network: IPv6-enabled firewall

If IPv6 is configured in the VM, and it is providing network to others, apply IPv6 firewall similar to the IPv4 one (including NAT for outgoing traffix), instead of blocking everything. Also, enable IP forwarding for IPv6 in such a case. Fixes QubesOS/qubes-issues#718
2017-12-03 03:30:53 +01:00 · 2017-12-03 03:30:53 +01:00 · 715693b93d
commit 715693b93d
parent 44f8cceb38
6 changed files with 48 additions and 0 deletions
--- a/1
+++ b/1
@ -345,6 +345,7 @@ endif

 	install -m 0400 -D network/iptables $(DESTDIR)/etc/qubes/iptables.rules
 	install -m 0400 -D network/ip6tables $(DESTDIR)/etc/qubes/ip6tables.rules
+	install -m 0400 -D network/ip6tables-enabled $(DESTDIR)/etc/qubes/ip6tables-enabled.rules

 	install -m 0755 -D qubes-rpc/qubes.UpdatesProxy $(DESTDIR)/etc/qubes-rpc/qubes.UpdatesProxy

--- a/debian/qubes-core-agent-networking.install
+++ b/debian/qubes-core-agent-networking.install
@ -1,6 +1,7 @@
 etc/dhclient.d/qubes-setup-dnat-to-ns.sh
 etc/qubes-rpc/qubes.UpdatesProxy
 etc/qubes/ip6tables.rules
+etc/qubes/ip6tables-enabled.rules
 etc/qubes/iptables.rules
 etc/tinyproxy/tinyproxy-updates.conf
 etc/tinyproxy/updates-blacklist
--- a/network/ip6tables-enabled
+++ b/network/ip6tables-enabled
@ -0,0 +1,31 @@
+*nat
+:PREROUTING ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+:POSTROUTING ACCEPT [0:0]
+:PR-QBS - [0:0]
+:PR-QBS-SERVICES - [0:0]
+-A PREROUTING -j PR-QBS
+-A PREROUTING -j PR-QBS-SERVICES
+-A POSTROUTING -o vif+ -j ACCEPT
+-A POSTROUTING -o lo -j ACCEPT
+-A POSTROUTING -j MASQUERADE
+COMMIT
+*filter
+:INPUT DROP [0:0]
+:FORWARD DROP [0:0]
+:OUTPUT ACCEPT [0:0]
+:QBS-FORWARD - [0:0]
+-A INPUT -i lo -j ACCEPT
+-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+-A INPUT -i vif+ -p icmpv6 --icmpv6-type router-advertisement -j DROP
+-A INPUT -i vif+ -p icmpv6 --icmpv6-type redirect -j DROP
+-A INPUT -i vif+ -p icmpv6 -j ACCEPT
+-A INPUT -i vif+ -j REJECT --reject-with icmp6-adm-prohibited
+-A INPUT -p icmpv6 -j ACCEPT
+-A INPUT -j DROP
+-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+-A FORWARD -j QBS-FORWARD
+-A FORWARD -i vif+ -o vif+ -j DROP
+-A FORWARD -i vif+ -j ACCEPT
+-A FORWARD -j DROP
+COMMIT
--- a/network/qubes-iptables
+++ b/network/qubes-iptables
@ -29,6 +29,15 @@ fi
 start() {
    ipt=$1
    IPTABLES_DATA=$IPTABLES_DATA_DIR/${ipt}.rules
+    ipv6_enabled=
+    if qubesdb-read /qubes-ip6 >/dev/null 2>&1 || \
+        qubesdb-read /qubes-netvm-gateway6 >/dev/null 2>&1; then
+        ipv6_enabled=true
+    fi
+    # if IPv6 is enabled, load alternative rules file
+    if [ "$ipt" = "ip6tables" ] && [ -n "$ipv6_enabled" ]; then
+        IPTABLES_DATA=$IPTABLES_DATA_DIR/${ipt}-enabled.rules
+    fi
    CMD=$ipt
    # Do not start if there is no config file.
    [ ! -f "$IPTABLES_DATA" ] && return 6
--- a/rpm_spec/core-agent.spec
+++ b/rpm_spec/core-agent.spec
@ -682,6 +682,7 @@ rm -f %{name}-%{version}
 %files networking
 %config(noreplace) /etc/qubes-rpc/qubes.UpdatesProxy
 %config(noreplace) /etc/qubes/ip6tables.rules
+%config(noreplace) /etc/qubes/ip6tables-enabled.rules
 %config(noreplace) /etc/qubes/iptables.rules
 %config(noreplace) /etc/tinyproxy/tinyproxy-updates.conf
 %config(noreplace) /etc/tinyproxy/updates-blacklist
--- a/vm-systemd/network-proxy-setup.sh
+++ b/vm-systemd/network-proxy-setup.sh
@ -11,6 +11,7 @@ if [ "x$network" != "x" ]; then
    fi

    gateway=$(qubesdb-read /qubes-netvm-gateway)
+    gateway6=$(qubesdb-read /qubes-netvm-gateway6 ||:)
    #netmask=$(qubesdb-read /qubes-netvm-netmask)
    primary_dns=$(qubesdb-read /qubes-netvm-primary-dns 2>/dev/null || echo "$gateway")
    secondary_dns=$(qubesdb-read /qubes-netvm-secondary-dns)
@ -19,5 +20,9 @@ if [ "x$network" != "x" ]; then
    echo "NS2=$secondary_dns" >> /var/run/qubes/qubes-ns
    /usr/lib/qubes/qubes-setup-dnat-to-ns
    echo "1" > /proc/sys/net/ipv4/ip_forward
+    # enable also IPv6 forwarding, if IPv6 is enabled
+    if [ -n "$gateway6" ]; then
+        echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
+    fi
    /sbin/ethtool -K eth0 sg off || true
 fi