Qubes firewall: correct syntax for icmpv6 rejects

I've run into an issue with incorrectly generated rules for IPv6. I
added some debugging code printing the generated rules and the
resulting error (see below). Turns out "reject with" expects icmpv6
rather than icmp6.

--- generated rule ---

flush chain ip6 qubes-firewall qbs-fd09-24ef-4179--a89-15
table ip6 qubes-firewall {
  chain qbs-fd09-24ef-4179--a89-15 {
    ip6 daddr fc00::/8 reject with icmp6 type admin-prohibited
    ip6 daddr fd00::/8 reject with icmp6 type admin-prohibited
    ip6 daddr fe80::/10 reject with icmp6 type admin-prohibited
    accept
    reject with icmp6 type admin-prohibited
  }
}

--- output ---

/dev/stdin:4:36-40: Error: syntax error, unexpected string, expecting icmp or icmpv6 or tcp or icmpx

                                   ^^^^^
/dev/stdin:5:36-40: Error: syntax error, unexpected string, expecting icmp or icmpv6 or tcp or icmpx

                                   ^^^^^
/dev/stdin:6:37-41: Error: syntax error, unexpected string, expecting icmp or icmpv6 or tcp or icmpx

                                    ^^^^^
/dev/stdin:8:17-21: Error: syntax error, unexpected string, expecting icmp or icmpv6 or tcp or icmpx

                ^^^^^
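The mistake described above is one a string-comparison unit test cannot catch, because the expected string is written by the same person who wrote the generator. As an added example (not part of this commit or of qubes-core-agent-linux), the following Python builds the per-family reject clause the way the fixed generator does and lints a generated ruleset for the two things nft would refuse: a keyword that is not one of the four the parser error lists (`icmp`, `icmpv6`, `tcp`, `icmpx`), and an ICMP keyword that does not match the table family. The family-to-keyword table, the `BROKEN_RULESET` sample (a constructed copy of the rules in the commit message) and the function names are mine, not the project's.

```python
import re

# Keywords nft accepts after "reject with", taken from the parser error
# quoted in the commit message: "expecting icmp or icmpv6 or tcp or icmpx".
REJECT_KEYWORDS = {"icmp", "icmpv6", "tcp", "icmpx"}

# Assumption (nft semantics, not stated on the page): "icmp" is IPv4-only,
# "icmpv6" is IPv6-only, "icmpx" and "tcp" are family-agnostic.
FAMILY_KEYWORDS = {
    "ip": {"icmp", "icmpx", "tcp"},
    "ip6": {"icmpv6", "icmpx", "tcp"},
}

# Constructed sample: the ruleset the buggy generator emitted, as quoted above.
BROKEN_RULESET = """\
table ip6 qubes-firewall {
  chain qbs-fd09-24ef-4179--a89-15 {
    ip6 daddr fc00::/8 reject with icmp6 type admin-prohibited
    ip6 daddr fd00::/8 reject with icmp6 type admin-prohibited
    ip6 daddr fe80::/10 reject with icmp6 type admin-prohibited
    accept
    reject with icmp6 type admin-prohibited
  }
}
"""


def reject_action(family: int) -> str:
    """Build the reject clause for an IPv4 (4) or IPv6 (6) table.

    An explicit mapping is used so an unexpected family raises instead of
    silently falling back to IPv4 syntax inside an ip6 table.
    """
    keyword = {4: "icmp", 6: "icmpv6"}[family]
    return "reject with {} type admin-prohibited".format(keyword)


# Only the "<keyword> type <name>" form is checked; "reject with tcp reset"
# and a bare "reject" carry no ICMP type and are left alone.
REJECT_RE = re.compile(r"\breject\s+with\s+(\S+)\s+type\s+(\S+)")
TABLE_RE = re.compile(r"^\s*table\s+(ip6?|inet)\s+\S+\s*\{")


def lint_ruleset(text: str) -> list:
    """Return (line_no, message) pairs for reject clauses nft would refuse.

    Tracks the most recent 'table <family>' line so the ICMP keyword can be
    checked against the family of the table the rule lives in.
    """
    problems = []
    family = None
    for no, line in enumerate(text.splitlines(), 1):
        table = TABLE_RE.match(line)
        if table:
            family = table.group(1)
            continue
        m = REJECT_RE.search(line)
        if not m:
            continue
        keyword = m.group(1)
        if keyword not in REJECT_KEYWORDS:
            problems.append((no, "'{}' is not a reject keyword "
                                 "(expecting icmp or icmpv6 or tcp or icmpx)".format(keyword)))
        elif family in FAMILY_KEYWORDS and keyword not in FAMILY_KEYWORDS[family]:
            problems.append((no, "'{}' is not valid in an {} table".format(keyword, family)))
    return problems


if __name__ == "__main__":
    for line_no, msg in lint_ruleset(BROKEN_RULESET):
        print("line {}: {}".format(line_no, msg))
    print(reject_action(6))
```

Run against the sample, the linter flags the four `icmp6` lines; after replacing `icmp6` with `icmpv6` it reports nothing, and a stray `reject with icmp type ...` inside an `ip6` table is still flagged, which the string-only unit test in this commit would not notice.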
Peter Gerber 2018-05-07 22:22:58 +00:00
parent df5722e880
commit 7d783b3010
GPG Key ID: 07C068AEE44683A1
2 changed files with 4 additions and 4 deletions


@ -504,7 +504,7 @@ class NftablesWorker(FirewallWorker):
action = 'accept'
elif rule['action'] == 'drop':
action = 'reject with icmp{} type admin-prohibited'.format(
'6' if family == 6 else '')
'v6' if family == 6 else '')
else:
raise RuleParseError(
'Invalid rule action {}'.format(rule['action']))
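Review bot: the `'v6' if family == 6 else ''` ternary on the `reject with icmp{}` line still falls back to the IPv4 keyword for any family other than 6, so an unexpected `family` value would silently emit `reject with icmp` into a table that may not accept it, rather than hitting the `RuleParseError` path like an invalid action does. Consider an explicit lookup such as `{4: 'icmp', 6: 'icmpv6'}[family]` (or raising for anything else), so a bad family fails loudly at generation time instead of at `nft` load time, which is exactly how this `icmp6` typo went unnoticed.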


@ -411,10 +411,10 @@ class TestNftablesWorker(TestCase):
' ip6 daddr { 2001::1/128, 2001::2/128 } tcp dport 53 accept\n'
' ip6 daddr { 2001::1/128, 2001::2/128 } udp dport 53 accept\n'
' ip6 nexthdr udp ip6 daddr { 2001::1/128, 2001::2/128 } '
'udp dport 53 reject with icmp6 type admin-prohibited\n'
' ip6 nexthdr icmpv6 icmpv6 type 128 reject with icmp6 type '
'udp dport 53 reject with icmpv6 type admin-prohibited\n'
' ip6 nexthdr icmpv6 icmpv6 type 128 reject with icmpv6 type '
'admin-prohibited\n'
' reject with icmp6 type admin-prohibited\n'
' reject with icmpv6 type admin-prohibited\n'
' }\n'
'}\n'
)
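Review bot: this test only compares the generated text against a hand-written expected string, so before this commit it encoded the same `icmp6` mistake as the generator and passed; the corrected `reject with icmpv6 type admin-prohibited` lines are now right, but nothing here would catch a future regression of the same kind. Consider adding a test that feeds the generated ruleset to `nft -c -f -` (skipped when `nft` is not installed) so the expected string is validated by the real parser rather than by the author's memory of the keyword.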