From 715693b93d69502b9526050b7e87fe0e3a069eb7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?=
Date: Sun, 3 Dec 2017 03:30:53 +0100
Subject: [PATCH] network: IPv6-enabled firewall

If IPv6 is configured in the VM, and it is providing network to others, apply IPv6 firewall similar to the IPv4 one (including NAT for outgoing traffix), instead of blocking everything. Also, enable IP forwarding for IPv6 in such a case.

Fixes QubesOS/qubes-issues#718
---
 Makefile | 1 +
 debian/qubes-core-agent-networking.install | 1 +
 network/ip6tables-enabled | 31 ++++++++++++++++++++++
 network/qubes-iptables | 9 +++++++
 rpm_spec/core-agent.spec | 1 +
 vm-systemd/network-proxy-setup.sh | 5 ++++
 6 files changed, 48 insertions(+)
 create mode 100644 network/ip6tables-enabled

diff --git a/Makefile b/Makefile
index 2ea788b..d68752e 100644
--- a/Makefile
+++ b/Makefile
@@ -345,6 +345,7 @@ endif
 install -m 0400 -D network/iptables $(DESTDIR)/etc/qubes/iptables.rules
 install -m 0400 -D network/ip6tables $(DESTDIR)/etc/qubes/ip6tables.rules
+ install -m 0400 -D network/ip6tables-enabled $(DESTDIR)/etc/qubes/ip6tables-enabled.rules
 install -m 0755 -D qubes-rpc/qubes.UpdatesProxy $(DESTDIR)/etc/qubes-rpc/qubes.UpdatesProxy
diff --git a/debian/qubes-core-agent-networking.install b/debian/qubes-core-agent-networking.install
index 015e1ec..e80bb5a 100644
--- a/debian/qubes-core-agent-networking.install
+++ b/debian/qubes-core-agent-networking.install
@@ -1,6 +1,7 @@
 etc/dhclient.d/qubes-setup-dnat-to-ns.sh
 etc/qubes-rpc/qubes.UpdatesProxy
 etc/qubes/ip6tables.rules
+etc/qubes/ip6tables-enabled.rules
 etc/qubes/iptables.rules
 etc/tinyproxy/tinyproxy-updates.conf
 etc/tinyproxy/updates-blacklist
diff --git a/network/ip6tables-enabled b/network/ip6tables-enabled
new file mode 100644
index 0000000..fafedae
--- /dev/null
+++ b/network/ip6tables-enabled
@@ -0,0 +1,31 @@
+*nat
+:PREROUTING ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+:POSTROUTING ACCEPT [0:0]
+:PR-QBS - [0:0]
+:PR-QBS-SERVICES - [0:0]
+-A PREROUTING -j PR-QBS
+-A PREROUTING -j PR-QBS-SERVICES
+-A POSTROUTING -o vif+ -j ACCEPT
+-A POSTROUTING -o lo -j ACCEPT
+-A POSTROUTING -j MASQUERADE
+COMMIT
+*filter
+:INPUT DROP [0:0]
+:FORWARD DROP [0:0]
+:OUTPUT ACCEPT [0:0]
+:QBS-FORWARD - [0:0]
+-A INPUT -i lo -j ACCEPT
+-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+-A INPUT -i vif+ -p icmpv6 --icmpv6-type router-advertisement -j DROP
+-A INPUT -i vif+ -p icmpv6 --icmpv6-type redirect -j DROP
+-A INPUT -i vif+ -p icmpv6 -j ACCEPT
+-A INPUT -i vif+ -j REJECT --reject-with icmp6-adm-prohibited
+-A INPUT -p icmpv6 -j ACCEPT
+-A INPUT -j DROP
+-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+-A FORWARD -j QBS-FORWARD
+-A FORWARD -i vif+ -o vif+ -j DROP
+-A FORWARD -i vif+ -j ACCEPT
+-A FORWARD -j DROP
+COMMIT
diff --git a/network/qubes-iptables b/network/qubes-iptables
index 08e4a62..5688bff 100755
--- a/network/qubes-iptables
+++ b/network/qubes-iptables
@@ -29,6 +29,15 @@ fi
 start() {
 ipt=$1
 IPTABLES_DATA=$IPTABLES_DATA_DIR/${ipt}.rules
+ ipv6_enabled=
+ if qubesdb-read /qubes-ip6 >/dev/null 2>&1 || \
+ qubesdb-read /qubes-netvm-gateway6 >/dev/null 2>&1; then
+ ipv6_enabled=true
+ fi
+ # if IPv6 is enabled, load alternative rules file
+ if [ "$ipt" = "ip6tables" ] && [ -n "$ipv6_enabled" ]; then
+ IPTABLES_DATA=$IPTABLES_DATA_DIR/${ipt}-enabled.rules
+ fi
 CMD=$ipt
 # Do not start if there is no config file.
 [ ! -f "$IPTABLES_DATA" ] && return 6
diff --git a/rpm_spec/core-agent.spec b/rpm_spec/core-agent.spec
index 1934697..cea656f 100644
--- a/rpm_spec/core-agent.spec
+++ b/rpm_spec/core-agent.spec
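Review bot: The new ruleset carries no comment saying when it is loaded or why the INPUT chain treats vif+ differently from the upstream side, and iptables-restore accepts `#` comment lines, so a short header would help: `# Loaded by qubes-iptables instead of ip6tables.rules when QubesDB has /qubes-ip6 or /qubes-netvm-gateway6; IPv6 counterpart of the IPv4 ruleset (NAT + forwarding for vif+ clients).` Above the two icmpv6 DROP rules, a line such as `# downstream VMs must not be able to alter this VM's routing via router-advertisement or redirect` would record the intent of dropping those types only on vif+. The later `-A INPUT -p icmpv6 -j ACCEPT` accepts the same types from every non-vif interface; if that is deliberate (upstream router advertisements wanted), a comment saying so would stop the asymmetry from being "corrected" later.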
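Review bot: The comment `# if IPv6 is enabled, load alternative rules file` does not define "enabled", while the check treats the presence of either /qubes-ip6 or /qubes-netvm-gateway6 in QubesDB as enabled; network-proxy-setup.sh in this same patch turns on IPv6 forwarding only when /qubes-netvm-gateway6 is present, so the two files use different definitions. If a VM with only /qubes-ip6 (presumably its own address, without offering an IPv6 gateway downstream) is meant to get the NAT/forwarding ruleset while forwarding stays off, the comment should say so; otherwise keying both on /qubes-netvm-gateway6 would be clearer. A fuller comment would be `# IPv6 counts as enabled when QubesDB carries /qubes-ip6 or /qubes-netvm-gateway6; then ip6tables loads ip6tables-enabled.rules instead of the block-everything ip6tables.rules`. The two qubesdb-read probes also run for the iptables (IPv4) invocation, which is harmless but could sit inside the `[ "$ipt" = "ip6tables" ]` branch. start()'s body continues past the end of the hunk.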
@@ -682,6 +682,7 @@ rm -f %{name}-%{version}
 %files networking
 %config(noreplace) /etc/qubes-rpc/qubes.UpdatesProxy
 %config(noreplace) /etc/qubes/ip6tables.rules
+%config(noreplace) /etc/qubes/ip6tables-enabled.rules
 %config(noreplace) /etc/qubes/iptables.rules
 %config(noreplace) /etc/tinyproxy/tinyproxy-updates.conf
 %config(noreplace) /etc/tinyproxy/updates-blacklist
diff --git a/vm-systemd/network-proxy-setup.sh b/vm-systemd/network-proxy-setup.sh
index 9ba8d68..ec8504e 100755
--- a/vm-systemd/network-proxy-setup.sh
+++ b/vm-systemd/network-proxy-setup.sh
@@ -11,6 +11,7 @@ if [ "x$network" != "x" ]; then
 fi
 gateway=$(qubesdb-read /qubes-netvm-gateway)
+ gateway6=$(qubesdb-read /qubes-netvm-gateway6 ||:)
 #netmask=$(qubesdb-read /qubes-netvm-netmask)
 primary_dns=$(qubesdb-read /qubes-netvm-primary-dns 2>/dev/null || echo "$gateway")
 secondary_dns=$(qubesdb-read /qubes-netvm-secondary-dns)
@@ -19,5 +20,9 @@ if [ "x$network" != "x" ]; then
 echo "NS2=$secondary_dns" >> /var/run/qubes/qubes-ns
 /usr/lib/qubes/qubes-setup-dnat-to-ns
 echo "1" > /proc/sys/net/ipv4/ip_forward
+ # enable also IPv6 forwarding, if IPv6 is enabled
+ if [ -n "$gateway6" ]; then
+ echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
+ fi
 /sbin/ethtool -K eth0 sg off || true
 fi
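Review bot: `gateway6=$(qubesdb-read /qubes-netvm-gateway6 ||:)` masks the exit status but not stderr, so on a VM without IPv6 whatever qubesdb-read prints for a missing key lands in the boot log on every start; the `primary_dns` line two lines below already handles the same situation with `2>/dev/null`. Suggested: `gateway6=$(qubesdb-read /qubes-netvm-gateway6 2>/dev/null || :)`. Whether qubesdb-read actually prints on a missing key is not visible here, but the neighbouring line treats it as if it does.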
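Review bot: Writing 1 to /proc/sys/net/ipv6/conf/all/forwarding puts every interface, including eth0, into router mode, and the Linux kernel then ignores incoming router advertisements on an interface unless its accept_ra is 2; if eth0's IPv6 address or default route ever comes from RA rather than from QubesDB, enabling forwarding here silently drops them. A comment recording the assumption, e.g. `# this VM's own IPv6 address/route is configured from QubesDB, so losing RA processing on eth0 (forwarding=1 disables accept_ra=1) is fine`, or an explicit `echo 2 > /proc/sys/net/ipv6/conf/eth0/accept_ra` before the forwarding write, would make the choice visible. The new block has no failure handling, but that matches the IPv4 `echo "1" > /proc/sys/net/ipv4/ip_forward` just above it.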