diff --git a/Makefile b/Makefile
index 2ea788b..d68752e 100644
--- a/Makefile
+++ b/Makefile
@@ -345,6 +345,7 @@ endif
 install -m 0400 -D network/iptables $(DESTDIR)/etc/qubes/iptables.rules
 install -m 0400 -D network/ip6tables $(DESTDIR)/etc/qubes/ip6tables.rules
+ install -m 0400 -D network/ip6tables-enabled $(DESTDIR)/etc/qubes/ip6tables-enabled.rules
 install -m 0755 -D qubes-rpc/qubes.UpdatesProxy $(DESTDIR)/etc/qubes-rpc/qubes.UpdatesProxy
diff --git a/debian/qubes-core-agent-networking.install b/debian/qubes-core-agent-networking.install
index 015e1ec..e80bb5a 100644
--- a/debian/qubes-core-agent-networking.install
+++ b/debian/qubes-core-agent-networking.install
@@ -1,6 +1,7 @@
 etc/dhclient.d/qubes-setup-dnat-to-ns.sh
 etc/qubes-rpc/qubes.UpdatesProxy
 etc/qubes/ip6tables.rules
+etc/qubes/ip6tables-enabled.rules
 etc/qubes/iptables.rules
 etc/tinyproxy/tinyproxy-updates.conf
 etc/tinyproxy/updates-blacklist
diff --git a/network/ip6tables-enabled b/network/ip6tables-enabled
new file mode 100644
index 0000000..fafedae
--- /dev/null
+++ b/network/ip6tables-enabled
@@ -0,0 +1,31 @@
+*nat
+:PREROUTING ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+:POSTROUTING ACCEPT [0:0]
+:PR-QBS - [0:0]
+:PR-QBS-SERVICES - [0:0]
+-A PREROUTING -j PR-QBS
+-A PREROUTING -j PR-QBS-SERVICES
+-A POSTROUTING -o vif+ -j ACCEPT
+-A POSTROUTING -o lo -j ACCEPT
+-A POSTROUTING -j MASQUERADE
+COMMIT
+*filter
+:INPUT DROP [0:0]
+:FORWARD DROP [0:0]
+:OUTPUT ACCEPT [0:0]
+:QBS-FORWARD - [0:0]
+-A INPUT -i lo -j ACCEPT
+-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+-A INPUT -i vif+ -p icmpv6 --icmpv6-type router-advertisement -j DROP
+-A INPUT -i vif+ -p icmpv6 --icmpv6-type redirect -j DROP
+-A INPUT -i vif+ -p icmpv6 -j ACCEPT
+-A INPUT -i vif+ -j REJECT --reject-with icmp6-adm-prohibited
+-A INPUT -p icmpv6 -j ACCEPT
+-A INPUT -j DROP
+-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+-A FORWARD -j QBS-FORWARD
+-A FORWARD -i vif+ -o vif+ -j DROP
+-A FORWARD -i vif+ -j ACCEPT
+-A FORWARD -j DROP
+COMMIT
diff --git a/network/qubes-iptables b/network/qubes-iptables
index 08e4a62..5688bff 100755
--- a/network/qubes-iptables
+++ b/network/qubes-iptables
@@ -29,6 +29,15 @@ fi
 start() {
 ipt=$1
 IPTABLES_DATA=$IPTABLES_DATA_DIR/${ipt}.rules
+ ipv6_enabled=
+ if qubesdb-read /qubes-ip6 >/dev/null 2>&1 || \
+ qubesdb-read /qubes-netvm-gateway6 >/dev/null 2>&1; then
+ ipv6_enabled=true
+ fi
+ # if IPv6 is enabled, load alternative rules file
+ if [ "$ipt" = "ip6tables" ] && [ -n "$ipv6_enabled" ]; then
+ IPTABLES_DATA=$IPTABLES_DATA_DIR/${ipt}-enabled.rules
+ fi
 CMD=$ipt
 # Do not start if there is no config file.
 [ ! -f "$IPTABLES_DATA" ] && return 6
diff --git a/rpm_spec/core-agent.spec b/rpm_spec/core-agent.spec
index 1934697..cea656f 100644
--- a/rpm_spec/core-agent.spec
+++ b/rpm_spec/core-agent.spec
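Review bot: The catch-all `-A INPUT -p icmpv6 -j ACCEPT` near the end of the filter INPUT chain admits every ICMPv6 type arriving on the non-vif (upstream) side, while the vif+ side only blocks router-advertisement and redirect before its own accept-all, so a VM running this ruleset answers pings and processes redirects from whatever network eth0 is attached to. If the aim is to mirror the IPv4 policy in iptables.rules (not visible here) that is a conscious choice, but for a file that is now selected automatically whenever qubesdb advertises IPv6 the RFC 4890-style allow-list of the NDP, MLD and error types is the safer default and still lets SLAAC, neighbour discovery and path-MTU discovery work. A header comment along the lines of `# Loaded by qubes-iptables instead of ip6tables.rules when /qubes-ip6 or /qubes-netvm-gateway6 exists in qubesdb` would also help, because nothing in the file itself explains why it exists next to ip6tables.rules.
```conf
# … unchanged: *nat table, INPUT lo/conntrack/vif+ rules …
-A INPUT -p icmpv6 --icmpv6-type destination-unreachable -j ACCEPT
-A INPUT -p icmpv6 --icmpv6-type packet-too-big -j ACCEPT
-A INPUT -p icmpv6 --icmpv6-type time-exceeded -j ACCEPT
-A INPUT -p icmpv6 --icmpv6-type parameter-problem -j ACCEPT
-A INPUT -p icmpv6 --icmpv6-type echo-request -j ACCEPT
-A INPUT -p icmpv6 --icmpv6-type router-advertisement -j ACCEPT
-A INPUT -p icmpv6 --icmpv6-type neighbour-solicitation -j ACCEPT
-A INPUT -p icmpv6 --icmpv6-type neighbour-advertisement -j ACCEPT
# MLD listener query from the upstream router (numeric: no symbolic name in ip6tables)
-A INPUT -p icmpv6 --icmpv6-type 130 -j ACCEPT
-A INPUT -j DROP
# … unchanged: FORWARD chain …
```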
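Review bot: If qubesdb advertises IPv6 but `${ipt}-enabled.rules` is absent (a failed or partial install, or an admin-removed file), the existing `[ ! -f "$IPTABLES_DATA" ] && return 6` just below the new block now returns without loading any ip6tables rules at all, leaving the kernel's default ACCEPT policy in place instead of falling back to the restrictive ip6tables.rules. Gating the switch on the file's existence makes a missing variant fail closed: `if [ "$ipt" = "ip6tables" ] && [ -n "$ipv6_enabled" ] && [ -f "$IPTABLES_DATA_DIR/${ipt}-enabled.rules" ]; then`. The detection itself is already fail-closed (no qubesdb key → restrictive file), which is the right way round; a one-line comment such as `# no key in qubesdb means IPv6 is off: keep the restrictive ip6tables.rules` would make that intent explicit. start() continues past the end of this hunk.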
@@ -682,6 +682,7 @@ rm -f %{name}-%{version}
 %files networking
 %config(noreplace) /etc/qubes-rpc/qubes.UpdatesProxy
 %config(noreplace) /etc/qubes/ip6tables.rules
+%config(noreplace) /etc/qubes/ip6tables-enabled.rules
 %config(noreplace) /etc/qubes/iptables.rules
 %config(noreplace) /etc/tinyproxy/tinyproxy-updates.conf
 %config(noreplace) /etc/tinyproxy/updates-blacklist
diff --git a/vm-systemd/network-proxy-setup.sh b/vm-systemd/network-proxy-setup.sh
index 9ba8d68..ec8504e 100755
--- a/vm-systemd/network-proxy-setup.sh
+++ b/vm-systemd/network-proxy-setup.sh
@@ -11,6 +11,7 @@ if [ "x$network" != "x" ]; then
 fi
 gateway=$(qubesdb-read /qubes-netvm-gateway)
+ gateway6=$(qubesdb-read /qubes-netvm-gateway6 ||:)
 #netmask=$(qubesdb-read /qubes-netvm-netmask)
 primary_dns=$(qubesdb-read /qubes-netvm-primary-dns 2>/dev/null || echo "$gateway")
 secondary_dns=$(qubesdb-read /qubes-netvm-secondary-dns)
@@ -19,5 +20,9 @@ if [ "x$network" != "x" ]; then
 echo "NS2=$secondary_dns" >> /var/run/qubes/qubes-ns
 /usr/lib/qubes/qubes-setup-dnat-to-ns
 echo "1" > /proc/sys/net/ipv4/ip_forward
+ # enable also IPv6 forwarding, if IPv6 is enabled
+ if [ -n "$gateway6" ]; then
+ echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
+ fi
 /sbin/ethtool -K eth0 sg off || true
 fi
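Review bot: `gateway6=$(qubesdb-read /qubes-netvm-gateway6 ||:)` leaves stderr attached, so on every IPv4-only VM each network start presumably logs a qubesdb-read error for the missing key; the `primary_dns` line two below already uses the `2>/dev/null` form for exactly this situation, so `gateway6=$(qubesdb-read /qubes-netvm-gateway6 2>/dev/null ||:)` keeps the two consistent and the journal quiet. The enclosing `if [ "x$network" != "x" ]` block starts before this hunk.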
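Review bot: Writing 1 to `/proc/sys/net/ipv6/conf/all/forwarding` switches the VM's IPv6 stack into router mode, and on Linux an interface with the default `accept_ra=1` then ignores router advertisements; if eth0's address or default route comes from RA/SLAAC on the upstream link (not visible here), it silently loses them after this line. If that deployment is in scope, set `echo 2 > /proc/sys/net/ipv6/conf/eth0/accept_ra` before enabling forwarding, or extend the comment to state that upstream IPv6 addressing is always static/qubesdb-driven. Note also that the enable condition here is `[ -n "$gateway6" ]` only, whereas qubes-iptables in this same change selects the forwarding-oriented ip6tables-enabled.rules when either `/qubes-ip6` or `/qubes-netvm-gateway6` exists; using the same test in both places would keep the two from drifting.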