Add permanent neighbor entries

This allows network traffic to flow even if ARP and NDP do not work or
have explicitly been disabled.
Demi Marie Obenour 2020-11-10 16:28:53 -05:00
parent 74f5fb5ac7
commit aa71677cbd
No known key found for this signature in database
GPG Key ID: 28A45C93B0B5B6E0
2 changed files with 20 additions and 4 deletions


@ -4,6 +4,14 @@
# shellcheck disable=SC1091 # shellcheck disable=SC1091
. /usr/lib/qubes/init/functions . /usr/lib/qubes/init/functions
add_host_route () {
/sbin/ip -- route replace to unicast "$1" dev "$2" onlink scope host
}
add_default_route () {
/sbin/ip -- route replace to unicast default via "$1" dev "$2" onlink
}
configure_network() { configure_network() {
local MAC="$1" local MAC="$1"
local INTERFACE="$2" local INTERFACE="$2"
@ -17,20 +25,24 @@ configure_network() {
local secondary_dns="${10}" local secondary_dns="${10}"
/sbin/ifconfig "$INTERFACE" "$ip" netmask "$netmask" /sbin/ifconfig "$INTERFACE" "$ip" netmask "$netmask"
/sbin/ip -- neighbour replace to "$ip" dev "$INTERFACE" \
lladdr "$MAC" nud permanent
if [ -n "$ip6" ]; then if [ -n "$ip6" ]; then
/sbin/ifconfig "$INTERFACE" add "$ip6/$netmask6" /sbin/ifconfig "$INTERFACE" add "$ip6/$netmask6"
/sbin/ip -- neighbour replace to "$ip6" dev "$INTERFACE" \
lladdr "$MAC" nud permanent
fi fi
/sbin/ifconfig "$INTERFACE" up /sbin/ifconfig "$INTERFACE" up
if [ -n "$gateway" ]; then if [ -n "$gateway" ]; then
/sbin/route add -host "$gateway" dev "$INTERFACE" /sbin/route add -host "$gateway" dev "$INTERFACE"
if [ -n "$gateway6" ] && ! echo "$gateway6" | grep -q "^fe80:"; then if [ -n "$gateway6" ] && ! echo "$gateway6" | grep -q "^fe80:"; then
/sbin/route -6 add "$gateway6/$netmask6" dev "$INTERFACE" add_route "$gateway6/$netmask6" "$INTERFACE"
fi fi
if ! qsvc disable-default-route ; then if ! qsvc disable-default-route ; then
/sbin/route add default gw "$gateway" add_default_route "$gateway" "$INTERFACE"
if [ -n "$gateway6" ]; then if [ -n "$gateway6" ]; then
/sbin/route -6 add default gw "$gateway6" dev "$INTERFACE" add_default_route "$gateway6" "$INTERFACE"
fi fi
fi fi
fi fi
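Review bot: The new IPv6 gateway route calls `add_route "$gateway6/$netmask6" "$INTERFACE"`, but the helpers this commit adds are `add_host_route` and `add_default_route`. Unless `add_route` is defined outside the visible hunks or in the sourced `/usr/lib/qubes/init/functions`, that line fails with "command not found" and the route is never installed. `add_host_route` is not called anywhere in the visible lines (the IPv4 gateway route still uses `/sbin/route add -host`), so either define `add_route` or call the helper that was meant, for example `add_host_route "$gateway6/$netmask6" "$INTERFACE"`, after checking that `scope host` suits a prefix route. Separately, the permanent neighbour entries bind the interface's own `$ip` and `$ip6` to `$MAC`; if the goal is to reach the gateway without ARP/NDP, the entry would presumably need the gateway address and the backend's link-layer address, which is worth confirming. The body of `configure_network` starts and ends outside these hunks.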


@ -134,6 +134,10 @@ if [ "${ip}" ]; then
"$iptables_cmd ! -i vif+ -s ${addr} -j DROP" \ "$iptables_cmd ! -i vif+ -s ${addr} -j DROP" \
"COMMIT" | \ "COMMIT" | \
${cmdprefix} $ipt --noflush $ipt_arg ${cmdprefix} $ipt --noflush $ipt_arg
if [[ "$command" = 'online' ]]; then
ip neighbour "${ipcmd}" to "${addr}" \
dev "${vif}" lladdr 00:16:3e:5e:6c:6c:00 nud permanent
fi
done done
# if no IPv6 is assigned, block all IPv6 traffic on that interface # if no IPv6 is assigned, block all IPv6 traffic on that interface
if ! [[ "$ip" = *:* ]]; then if ! [[ "$ip" = *:* ]]; then
@ -155,7 +159,7 @@ if [ "${ip}" ]; then
log error "Cannot set IPv6 route to ${addr}, IPv6 disabled in the kernel" log error "Cannot set IPv6 route to ${addr}, IPv6 disabled in the kernel"
continue continue
fi fi
${cmdprefix} ip route "${ipcmd}" "${addr}" dev "${vif}" metric "$metric" ${cmdprefix} ip route "${ipcmd}" "${addr}" dev "${vif}" metric "$metric" onlink
network_hooks "${command}" "${vif}" "${addr}" network_hooks "${command}" "${vif}" "${addr}"
done done
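Review bot: The hard-coded link-layer address in `dev "${vif}" lladdr 00:16:3e:5e:6c:6c:00 nud permanent` has seven octets, so `ip neighbour` should reject it as an invalid lladdr and no permanent entry is created; presumably `00:16:3e:5e:6c:00` was meant. Even with the octet count fixed, a constant MAC pins every frontend to one address, so a qube configured with a different MAC would get a permanent entry that silently blackholes its traffic. Taking the address from the frontend's configuration would be safer, though how the script could obtain it is not visible here. The call also omits the `${cmdprefix}` that the adjacent `$ipt` and `ip route` commands use, and a failure is neither checked nor logged, e.g. `|| log error "Cannot set neighbour entry for ${addr}"`. The enclosing loop starts outside the hunk.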