
network: do not assume IPv6 gateway is a link-local address

If IPv6 gateway address provided by dom0 isn't a link local address, add
a /128 route to it. Also, add this address on backend interfaces (vif*).

This is to allow proper ICMP host unreachable packets forwarding - if
gateway (address on vif* interface) has only a fe80: address, it will be
used as a source for ICMP reply. It will be properly delivered to the VM
directly connected there (for example from sys-net to sys-firewall), but
because of being a link-local address, it will not be forwarded any
further.
This results in timeouts if the host doesn't have IPv6 connectivity.
Marek Marczykowski-Górecki 6 jaren geleden
2 gewijzigde bestanden met toevoegingen van 9 en 1 verwijderingen
  1. 3 0
      network/setup-ip
  2. 6 1
      network/vif-route-qubes

+ 3 - 0
network/setup-ip

@@ -91,6 +91,9 @@ __EOF__
         fi
         /sbin/ifconfig "$INTERFACE" up
         /sbin/route add -host "$gateway" dev "$INTERFACE"
+        if [ -n "$gateway6" ] && ! echo "$gateway6" | grep -q "^fe80:"; then
+            /sbin/route -6 add "$gateway6/128" dev "$INTERFACE"
+        fi
         if ! qsvc disable-default-route ; then
             /sbin/route add default gw "$gateway"
             if [ -n "$gateway6" ]; then
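Review bot: The link-local test on the first added line is a case-sensitive literal-prefix match, and the same test is spelled a second way in network/vif-route-qubes (`[[ "${back_ip6}" != "fe80:"* ]]`), so an address written with uppercase hex — should dom0 ever emit one — would pass both checks and get a /128 route and a vif address. A `case` keeps this file POSIX, drops the `echo | grep` pipeline and tolerates either case: `case "$gateway6" in ''|[Ff][Ee]80:*) ;; *) /sbin/route -6 add "$gateway6/128" dev "$INTERFACE" ;; esac`. Neither the new `route -6 add` nor the existing `route add -host` above it checks its exit status, so a failed route is silent unless the script runs under `set -e`, which is outside the hunk.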

+ 6 - 1
network/vif-route-qubes

@@ -40,10 +40,12 @@ if [ "${ip}" ]; then
     # IPs as seen by this VM
     netvm_ip="$ip4"
     netvm_gw_ip=$(qubesdb-read /qubes-netvm-gateway)
+    netvm_gw_ip6=$(qubesdb-read /qubes-netvm-gateway6 || :)
     netvm_dns1_ip=$(qubesdb-read /qubes-netvm-primary-dns)
     netvm_dns2_ip=$(qubesdb-read /qubes-netvm-secondary-dns)
 
     back_ip="$netvm_gw_ip"
+    back_ip6="$netvm_gw_ip6"
 
     # IPs as seen by the VM - if other than $netvm_ip
     appvm_gw_ip="$(qubesdb-read "/mapped-ip/$ip4/visible-gateway" 2>/dev/null || :)"
@@ -106,7 +108,10 @@ if [ "${ip}" ] ; then
         echo -e "*raw\n$iptables_cmd -i ${vif} -j DROP\nCOMMIT" | \
             ${cmdprefix} flock $lockfile ip6tables-restore --noflush
     fi
-	${cmdprefix} ip addr "${ipcmd}" "${back_ip}/32" dev "${vif}"
+    ${cmdprefix} ip addr "${ipcmd}" "${back_ip}/32" dev "${vif}"
+    if [ "${back_ip6}" ] && [[ "${back_ip6}" != "fe80:"* ]]; then
+        ${cmdprefix} ip addr "${ipcmd}" "${back_ip6}/128" dev "${vif}"
+    fi
 fi
 
 log debug "Successful vif-route-qubes $command for $vif."
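Review bot: The new `qubesdb-read /qubes-netvm-gateway6 || :` in the first hunk discards the exit status but not stderr, unlike the `/mapped-ip/$ip4/visible-gateway` read a few lines below it that uses `2>/dev/null || :`; on a NetVM with no IPv6 gateway every vif setup would then log a read error, assuming qubesdb-read reports a missing key on stderr as that existing redirect suggests. Suggest `netvm_gw_ip6=$(qubesdb-read /qubes-netvm-gateway6 2>/dev/null || :)`. In the second hunk the `[[ "${back_ip6}" != "fe80:"* ]]` test is a case-sensitive literal prefix; `[[ "${back_ip6}" != [Ff][Ee]80:* ]]` also covers uppercase hex without changing anything else. The enclosing `if [ "${ip}" ]` block starts outside the hunk.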