If IPv6 is configured in the VM, and it is providing network to others,
apply IPv6 firewall similar to the IPv4 one (including NAT for outgoing
traffix), instead of blocking everything. Also, enable IP forwarding for
IPv6 in such a case.
FixesQubesOS/qubes-issues#718
If dom0 expose IPv6 address settings, configure it on the interface.
Both backend and frontend side. If no IPv6 configuration is provided,
block IPv6 as it was before.
FixesQubesOS/qubes-issues#718
* qubesos/pr/67:
archlinux fix .service added twice in networking install script
Makefile: install-netvm shouldn't be a dependency of itself.
archlinux: add recently splitted packages as optional dependencies of qubes-vm-core
archlinux: fix incorrect keyring being populated
Makefile: remove invalid reference to network dropins install target
archlinux: fix shellcheck issues
archlinux: create a keyring package to install binary repository automatically
Makefile: add network install targets to install-deb
Makefile: fix typo created when spliting the install targets
Makefile: add basic networking to the new install-corevm target
archlinux: split core-agent from netvm-agent
Makefile: ensure that everything is installed by default for rh based agents
Makefile: split network install target from core agent install target
Start qubes-firewall (which will add "DROP by default" rule) before
enabling IP forwarding, to not leave a time slot where some connection
could go around configured firewall.
QubesOS/qubes-issues#3269
In some cases it may make sense to enfoce outgoing firewall also on
sys-net. If the service is disabled, firewall settings will be
(silently) ignored, so better be on the safe side and enable.
QubesOS/qubes-issues#3290
When qubes-firewall service is started, modify firewall to have "DROP"
policy, so if something goes wrong, no data got leaked.
But keep default action "ACCEPT" in case of legitimate service stop, or
not starting it at all - because one may choose to not use this service
at all.
Achieve this by adding "DROP" rule at the end of QBS-FIREWALL chain and
keep it there while qubes-firewall service is running.
FixesQubesOS/qubes-issues#3269
4.0 template builds use `<package>.install` files with dh_install. The
differences between Debian and Ubuntu packages also need to be represented
in these files.
* qubesos/pr/63:
archlinux: restore setup of pam.d/su-l
archlinux: remove python3 dependency
archlinux: ensure [options] section is present in all pacman drop-ins
archlinux: enforce usage of python2 in all scripts
Makefile: avoid using python interpreter as a static name
archlinux: create user 'user' using bash by default instead of zsh
archlinux: ship pam.d/qrexec as a replacement of using su
archlinux: do not mess with locales in post-install script
archlinux: remove pam configuration for su and su-l
archlinux: remove deprecated setup of pam since v4.0.3
Add the 4.0 repo to the PKGBUILD sources list
Restore the binary pacman repo and update it for QubesOS 4.0
Fix the makefile for archlinux - SBINDIR is already /usr/bin
Update the arch PKGBUILD script for QubesOS 4.0
systemd-timesyncd.service isn't enough, for various reasons:
- it is started too early in the boot process - files in
/var/run/qubes-services are not yet there
- by default it does only one shot synchronization, and there is no
network at that early boot time yet
- by default use-ntp is set to "no"
So, in addition, enable actual ntp client.
FixesQubesOS/qubes-issues#3210
Since the qubes-download-dom0-updates script executes dnf with fakeroot, some dnf plugins like etckeeper break the update with "Permission denied" errors.
qubes-gui agent calls su-l instead of initializing its own pam
session such as qrexec.
pam.d/su-l qubes specific configuration must be restored to ensure
that the user login session is properly initialized:
https://github.com/QubesOS/qubes-issues/issues/3185