
IPv6 support #113

Open
jpds opened this issue Jul 12, 2020 · 4 comments

Comments

@jpds

jpds commented Jul 12, 2020

Does this firewall support forwarding IPv6 packets? If I spin up a browser behind it, I can't navigate to http://ip6only.me/ - but this works fine when I use the standard sys-firewall.

I've also run:

$ qvm-features sys-mirage-firewall ipv6 1
@talex5
Collaborator

talex5 commented Jul 18, 2020

Not at the moment:

match eth.Ethernet_packet.ethertype with
| `ARP -> input_arp ~fixed_arp ~iface payload
| `IPv4 -> input_ipv4 get_ts fragment_cache ~iface ~router dns_client payload
| `IPv6 -> Lwt.return_unit (* TODO: oh no! *)

@hannesm
Member

hannesm commented Jul 20, 2020

For starters (who're not deep into QubesOS), how does QubesOS hand out IPv6 addresses? I.e. (a) how is the firewall supposed to get its own IPv6 address? (b) how are IPv6 addresses organised for client VMs (i.e. what is the firewall expected to handle)? (c) is the firewall supposed to NAT client-v6 data to its own v6 address (or pass it on?)?

I found some documentation: https://www.qubes-os.org/doc/networking/#ipv6

@jpds
Author

jpds commented Jul 20, 2020

> how does QubesOS hand out IPv6 addresses?

It appears to be using IPv6 link and unique local addresses handed out by Xen.

> I.e. (a) how is the firewall supposed to get its own IPv6 address?

Also from Xen. I can't see radvd or dhcpdv6 running anywhere.

> (b) how are IPv6 addresses organised for client VMs (i.e. what is the firewall expected to handle)?

One of my VPN VMs (behind sys-firewall) has for example this as eth0:

$ ip -6 a
...
inet6 fd09:24ef:4179::a89:24/128 scope global

This is set as the default route of one of its client VMs:

$ ip -6 r
...
default via fd09:24ef:4179::a89:24 dev eth0 metric 1 pref medium

> (c) is the firewall supposed to NAT client-v6 data to its own v6 address (or pass it on?)?

I cannot see a NAT, just forwarding rules. The normal Linux firewall VM is configured like this with nftables for a firewall locked down to a WireGuard host on sys-firewall:

table ip6 qubes-firewall {
	chain forward {
		type filter hook forward priority filter; policy drop;
		ct state established,related accept
		iifname != "vif*" accept
		ip6 saddr fd09:24ef:4179::a89:24 jump qbs-fd09-24ef-4179--a89-24
	}

	chain qbs-fd09-24ef-4179--a89-24 {
		ip6 daddr 2a01:...::/64 accept
		ip6 daddr 2a01:...::f00d udp dport 51820 accept
		ip6 nexthdr ipv6-icmp accept
		reject with icmpv6 type admin-prohibited
		reject with icmpv6 type admin-prohibited
	}
}

And here are the forwarding rules on the sys-vpn VM behind that:

table ip6 qubes-firewall {
	chain forward {
		type filter hook forward priority filter; policy drop;
		ct state established,related accept
		iifname != "vif*" accept
		ip6 saddr fd09:24ef:4179::a89:19 jump qbs-fd09-24ef-4179--a89-19
	}

	chain qbs-fd09-24ef-4179--a89-19 {
		accept
		reject with icmpv6 type admin-prohibited
	}
}

@jpds
Author

jpds commented Jul 20, 2020

The addresses are indeed set in Xen/libvirt; they can be found in files in /var/lib/xen/:

    <interface type='ethernet'>
      <mac address='00:16:3e:5e:6c:00'/>
      <ip address='...' family='ipv4'/>
      <ip address='fd09:24ef:4179::a89:24' family='ipv6'/>
      <script path='vif-route-qubes'/>
      <backenddomain name='sys-firewall'/>
      <target dev='vif10.0'/>
    </interface>
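The two pieces shown in this thread fit together: the client VM's IPv6 address comes from the libvirt `<interface>` definition, and the Linux `qubes-firewall` table keys its per-client chain on exactly that address (the chain name is the address with each `:` replaced by `-`, as in `qbs-fd09-24ef-4179--a89-24`). The following is an added example, not code from the issue or from the mirage firewall project: it parses a constructed copy of the interface XML above, checks that the address is a unique-local one as the thread describes, and renders the same shape of `ip6` forward table that jpds posted, with the per-client allow rules supplied by the caller. The chain-naming convention and the fixed forward-chain preamble are taken from the rules in the thread; the IPv4 value and the sample allow rules are constructed placeholders.

```python
import xml.etree.ElementTree as ET
from ipaddress import IPv6Address, IPv6Network

# Constructed sample modelled on the libvirt <interface> element in the issue.
# The IPv4 address is a placeholder (the original shows '...').
SAMPLE_INTERFACE_XML = """
<interface type='ethernet'>
  <mac address='00:16:3e:5e:6c:00'/>
  <ip address='10.137.0.24' family='ipv4'/>
  <ip address='fd09:24ef:4179::a89:24' family='ipv6'/>
  <script path='vif-route-qubes'/>
  <backenddomain name='sys-firewall'/>
  <target dev='vif10.0'/>
</interface>
"""

UNIQUE_LOCAL = IPv6Network("fc00::/7")  # RFC 4193 ULA range (fd00::/8 in practice)


def client_ipv6_addresses(xml_text):
    """Return the normalised IPv6 addresses declared on a libvirt <interface>."""
    root = ET.fromstring(xml_text)
    addrs = []
    for ip in root.iter("ip"):
        if ip.get("family") == "ipv6":
            # IPv6Address validates and compresses the textual form.
            addrs.append(str(IPv6Address(ip.get("address"))))
    return addrs


def is_unique_local(addr):
    """True if the address is in fc00::/7, i.e. handed out locally rather than routable."""
    return IPv6Address(addr) in UNIQUE_LOCAL


def chain_name(addr):
    """Per-client chain name as used in the qubes-firewall table: ':' becomes '-'."""
    return "qbs-" + str(IPv6Address(addr)).replace(":", "-")


def render_forward_table(client_addrs, per_client_rules):
    """Render an nftables 'table ip6 qubes-firewall' in the layout shown in the issue.

    client_addrs: IPv6 addresses of client VMs behind this firewall.
    per_client_rules: dict address -> list of nft rule strings to accept for it;
    every per-client chain ends in an explicit reject, so anything not listed is denied.
    """
    lines = [
        "table ip6 qubes-firewall {",
        "\tchain forward {",
        "\t\ttype filter hook forward priority filter; policy drop;",
        "\t\tct state established,related accept",
        '\t\tiifname != "vif*" accept',
    ]
    for addr in client_addrs:
        lines.append(f"\t\tip6 saddr {addr} jump {chain_name(addr)}")
    lines.append("\t}")
    for addr in client_addrs:
        lines.append("")
        lines.append(f"\tchain {chain_name(addr)} {{")
        for rule in per_client_rules.get(addr, []):
            lines.append(f"\t\t{rule}")
        lines.append("\t\treject with icmpv6 type admin-prohibited")
        lines.append("\t}")
    lines.append("}")
    return "\n".join(lines)


if __name__ == "__main__":
    addrs = client_ipv6_addresses(SAMPLE_INTERFACE_XML)
    for a in addrs:
        print(f"{a} unique-local={is_unique_local(a)} chain={chain_name(a)}")
    # Constructed allow-list: an ICMPv6-and-nothing-else client, mirroring the
    # locked-down shape of the first ruleset in the thread.
    print(render_forward_table(addrs, {addrs[0]: ["ip6 nexthdr ipv6-icmp accept"]}))
```

Because the forward chain's policy is `drop` and each per-client chain closes with a reject, a client whose address is missing from `per_client_rules` gets an empty chain and therefore only the explicit reject, which is the safe default for a newly attached VM.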
