From aa71677cbd881516b8e61f5e7a8c3a80a0dbbe50 Mon Sep 17 00:00:00 2001
From: Demi Marie Obenour
Date: Tue, 10 Nov 2020 16:28:53 -0500
Subject: [PATCH] Add permanent neighbor entries

This allows network traffic to flow even if ARP and NDP do not work or ave explicitly been disabled.
---
 network/setup-ip | 18 +++++++++++++++---
 network/vif-route-qubes | 6 +++++-
 2 files changed, 20 insertions(+), 4 deletions(-)

diff --git a/network/setup-ip b/network/setup-ip
index 917b028..b8900d0 100755
--- a/network/setup-ip
+++ b/network/setup-ip
@@ -4,6 +4,14 @@
 # shellcheck disable=SC1091
 . /usr/lib/qubes/init/functions
+add_host_route () {
+ /sbin/ip -- route replace to unicast "$1" dev "$2" onlink scope host
+}
+
+add_default_route () {
+ /sbin/ip -- route replace to unicast default via "$1" dev "$2" onlink
+}
+
 configure_network() {
 local MAC="$1"
 local INTERFACE="$2"
@@ -17,20 +25,24 @@ configure_network() {
 local secondary_dns="${10}"
 /sbin/ifconfig "$INTERFACE" "$ip" netmask "$netmask"
+ /sbin/ip -- neighbour replace to "$ip" dev "$INTERFACE" \
+ lladdr "$MAC" nud permanent
 if [ -n "$ip6" ]; then
 /sbin/ifconfig "$INTERFACE" add "$ip6/$netmask6"
+ /sbin/ip -- neighbour replace to "$ip6" dev "$INTERFACE" \
+ lladdr "$MAC" nud permanent
 fi
 /sbin/ifconfig "$INTERFACE" up
 if [ -n "$gateway" ]; then
 /sbin/route add -host "$gateway" dev "$INTERFACE"
 if [ -n "$gateway6" ] && ! echo "$gateway6" | grep -q "^fe80:"; then
- /sbin/route -6 add "$gateway6/$netmask6" dev "$INTERFACE"
+ add_route "$gateway6/$netmask6" "$INTERFACE"
 fi
 if ! qsvc disable-default-route ; then
- /sbin/route add default gw "$gateway"
+ add_default_route "$gateway" "$INTERFACE"
 if [ -n "$gateway6" ]; then
- /sbin/route -6 add default gw "$gateway6" dev "$INTERFACE"
+ add_default_route "$gateway6" "$INTERFACE"
 fi
 fi
 fi
diff --git a/network/vif-route-qubes b/network/vif-route-qubes
index 345b120..82c0549 100755
--- a/network/vif-route-qubes
+++ b/network/vif-route-qubes
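Review bot: In network/setup-ip the new helper is named `add_host_route`, but the only new host-route call, in configure_network in the following hunk, is `add_route "$gateway6/$netmask6" "$INTERFACE"`, a name neither hunk defines. Unless `add_route` is provided by the sourced /usr/lib/qubes/init/functions, that call fails with "command not found" and the IPv6 gateway route is never installed; it should read `add_host_route "$gateway6/$netmask6" "$INTERFACE"`. The IPv4 gateway route just above it still uses `/sbin/route add -host`, so `add_host_route` has no caller in the visible code. `scope host` also looks odd for a gateway on the far side of the interface, where `scope link` is the usual choice; worth confirming.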
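Review bot: In configure_network the two added `ip neighbour replace` calls bind `$ip` and `$ip6` to `$MAC` on `$INTERFACE`, which appears to be the interface's own address and own hardware address rather than the peer's. For traffic to flow with ARP and NDP disabled, the permanent entry has to cover the next hop, i.e. `$gateway` / `$gateway6` with the backend's link-layer address; as written, the gateway would still need dynamic resolution. Neither call's exit status is checked, so a rejected entry leaves the VM silently depending on ARP/NDP; consider appending `|| echo "cannot pin neighbour entry for $ip" >&2` or failing hard. configure_network starts and ends outside this hunk.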
@@ -134,6 +134,10 @@ if [ "${ip}" ]; then
 "$iptables_cmd ! -i vif+ -s ${addr} -j DROP" \
 "COMMIT" | \
 ${cmdprefix} $ipt --noflush $ipt_arg
+ if [[ "$command" = 'online' ]]; then
+ ip neighbour "${ipcmd}" to "${addr}" \
+ dev "${vif}" lladdr 00:16:3e:5e:6c:6c:00 nud permanent
+ fi
 done
 # if no IPv6 is assigned, block all IPv6 traffic on that interface
 if ! [[ "$ip" = *:* ]]; then
@@ -155,7 +159,7 @@ if [ "${ip}" ]; then
 log error "Cannot set IPv6 route to ${addr}, IPv6 disabled in the kernel"
 continue
 fi
- ${cmdprefix} ip route "${ipcmd}" "${addr}" dev "${vif}" metric "$metric"
+ ${cmdprefix} ip route "${ipcmd}" "${addr}" dev "${vif}" metric "$metric" onlink
 network_hooks "${command}" "${vif}" "${addr}"
 done
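Review bot: The link-layer address in the added `ip neighbour` call, `00:16:3e:5e:6c:6c:00`, has seven octets, so it is not a valid Ethernet address and the entry will presumably be rejected; it needs to be a six-octet MAC. Hard-coding a literal also assumes every VM uses the same MAC, so the value would better come from the VM's configured address. The call lacks the `${cmdprefix}` that the other commands in this block carry, and its exit status is ignored, so a failed pin passes unnoticed and the static entry's protection against spoofed ARP/NDP replies is lost without a log line. Something like `${cmdprefix} ip neighbour ... || log error "Cannot add permanent neighbour entry for ${addr}"` would match the surrounding style. The enclosing loop starts outside the hunk.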