
IPv6 routing between AppVMs #718

Closed
marmarek opened this issue Mar 8, 2015 · 20 comments

Comments

marmarek (Member) commented Mar 8, 2015

Reported by joanna on 24 Feb 2013 15:33 UTC
None

Migrated-From: https://wiki.qubes-os.org/ticket/718

marmarek (Member, Author) commented Mar 8, 2015

Modified by joanna on 1 Aug 2013 11:52 UTC

@marmarek marmarek added this to the Release 2 Beta 3 milestone Mar 8, 2015
@marmarek marmarek added enhancement C: core P: major Priority: major. Between "default" and "critical" in severity. labels Mar 8, 2015
@marmarek marmarek modified the milestones: Release 3, Release 2 Beta 3 Mar 8, 2015
marmarek (Member, Author) commented Mar 8, 2015

Comment by marmarek on 9 Oct 2014 02:07 UTC
It looks like starting with 3.13 Linux kernel supports NAT for IPv6, so (theoretically) we can use the same scheme as for IPv4.

marmarek (Member, Author) commented Mar 8, 2015

Comment by joanna on 9 Oct 2014 21:32 UTC
I might not be up to date with all this networking stuff, but I thought the point of ipv6 was to actually not use NATing...?

marmarek (Member, Author) commented Mar 8, 2015

Comment by marmarek on 9 Oct 2014 21:53 UTC
Generally yes (and I'm surprised that NAT support comes to ip6tables), but for our network scheme it is beneficial to use NAT, instead of routing. For example inter-VM connections can be configured independent of external IP address.

marmarek (Member, Author) commented Mar 8, 2015

Comment by marmarek on 20 Jan 2015 03:43 UTC
I've done some testing and it looks straightforward to support IPv6 in our VMs (using NAT). All required changes are in core-agent-linux repo, in scripts which are almost the same in R2 and R3. Additionally it is easy to make it opt-in feature (using qvm-service framework). So I propose to move this task to R2.

The only potentially problematic thing is qubes-firewall (per-VM firewall rules). Currently user can set rules based on IP(v4) or name. In case of an IPv4 rule, obviously it is not applicable to IPv6 firewall. In case of a name, it can be - if that name resolves to IPv6 address. But if not - ip6tables will fail loading such rule.
The simplest solution would be to modify qubes-firewall script (which loads that rules in firewallvm) to filter-out rules not applicable to IPv6. In most common use of non-empty firewall (default policy DROP) this shouldn't harm - at worst some traffic will be filtered (so application would fall back to IPv4).

In the future we might introduce more advanced firewall configuration, with option to set IPv4 and IPv6 rules explicitly.
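The filtering step proposed above (skip IPv4-literal rules, keep name-based rules only when the name resolves to an IPv6 address, and never let ip6tables fail on a rule it cannot load) can be sketched as follows. This is an added illustration, not code from qubes-core-agent-linux: the rule dictionary schema, the `qbs-forward` chain name and the `fake_resolve` stub are assumptions constructed for the example; a real implementation would resolve names with `socket.getaddrinfo`.

```python
import ipaddress
from typing import Callable, Dict, List, Tuple

# Constructed sample rule set in a hypothetical per-VM firewall schema
# (not the real qubes-firewall format). A rule without "dsthost" is the
# catch-all default policy.
SAMPLE_RULES: List[Dict[str, str]] = [
    {"action": "accept", "dsthost": "10.137.0.5", "proto": "tcp", "dstports": "443"},
    {"action": "accept", "dsthost": "2001:db8::10", "proto": "tcp", "dstports": "443"},
    {"action": "accept", "dsthost": "example.test", "proto": "tcp", "dstports": "80"},
    {"action": "accept", "dsthost": "v4only.test", "proto": "udp", "dstports": "53"},
    {"action": "accept", "dsthost": "fd00::/8"},
    {"action": "drop"},
]

# Constructed DNS stub so the example runs offline (hypothetical data).
FAKE_DNS: Dict[str, List[str]] = {
    "example.test": ["2001:db8::1", "192.0.2.1"],
    "v4only.test": ["192.0.2.2"],
}


def fake_resolve(name: str) -> List[str]:
    """Stand-in for socket.getaddrinfo(): returns all address literals for a name."""
    return FAKE_DNS.get(name, [])


def ipv6_targets(dsthost: str, resolve: Callable[[str], List[str]]) -> List[str]:
    """Return the IPv6 address/network literals a rule should match on ip6tables,
    or an empty list when the rule is not applicable to IPv6 at all."""
    try:
        net = ipaddress.ip_network(dsthost, strict=False)
    except ValueError:
        # Not an address literal: treat it as a host name and keep only AAAA-like results.
        return [a for a in resolve(dsthost) if ipaddress.ip_address(a).version == 6]
    if net.version != 6:
        return []  # an IPv4 literal can never match on ip6tables
    # Single hosts are emitted without the /128 suffix; prefixes keep their length.
    return [str(net.network_address) if net.num_addresses == 1 else str(net)]


def filter_rules_for_ipv6(rules: List[Dict[str, str]],
                          resolve: Callable[[str], List[str]]) -> Tuple[List[Dict[str, str]], List[Dict[str, str]]]:
    """Split rules into (kept, skipped) for the IPv6 firewall.

    Kept rules have their dsthost replaced by a concrete IPv6 literal (one rule per
    resolved address). Skipped rules would have made ip6tables fail to load; with a
    default-DROP policy, skipping them only ever filters more, never less."""
    kept, skipped = [], []
    for rule in rules:
        host = rule.get("dsthost")
        if host is None:
            kept.append(dict(rule))  # default policy applies to both families
            continue
        targets = ipv6_targets(host, resolve)
        if not targets:
            skipped.append(rule)
            continue
        for target in targets:
            expanded = dict(rule)
            expanded["dsthost"] = target
            kept.append(expanded)
    return kept, skipped


def rule_to_ip6tables(rule: Dict[str, str], chain: str = "qbs-forward") -> str:
    """Render one filtered rule as an ip6tables command line (chain name assumed)."""
    parts = ["ip6tables", "-A", chain]
    if "dsthost" in rule:
        parts += ["-d", rule["dsthost"]]
    if "proto" in rule:
        parts += ["-p", rule["proto"]]
        if "dstports" in rule:
            parts += ["--dport", rule["dstports"]]
    parts += ["-j", rule["action"].upper()]
    return " ".join(parts)


if __name__ == "__main__":
    kept_rules, skipped_rules = filter_rules_for_ipv6(SAMPLE_RULES, fake_resolve)
    for r in kept_rules:
        print(rule_to_ip6tables(r))
    for r in skipped_rules:
        print("# skipped (not applicable to IPv6):", r["dsthost"])
```

Run as-is it prints four ip6tables lines (the two IPv6 literals, the AAAA result for `example.test`, and the trailing DROP) and reports the IPv4 literal and the IPv4-only name as skipped; the worst case is exactly the one described in the comment, some traffic being dropped on IPv6 so the application falls back to IPv4.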

@marmarek marmarek modified the milestones: Release 3.1, Release 3.0 May 13, 2015
@marmarek marmarek modified the milestones: Release 3.2, Release 3.1 Feb 8, 2016
marmarek (Member, Author) commented Feb 8, 2016

@woju I think we forgot about this one when implementing "NetVM" in Qubes 4.0...

@marmarek marmarek modified the milestones: Release 4.0, Release 3.2 Feb 8, 2016
ghost commented Aug 12, 2016

I'm a little bit disappointed now. I was looking forward to setting up and using Qubes OS. Finally, with a new machine, I did this today using Qubes OS 3.2 rc2.

I struggled a bit with networking (so my hope is that I'm doing something wrong), but finally I got it working. But I did not get an IPv6 address assigned (this works properly in my network).

So to be clear: this really means that as of today there is no IPv6 in Qubes, and for the future you are looking to NAT it?

I would be happy to "turn off" all firewall features of Qubes OS since I have this covered by a rather extensive network setup. Is this an option?

marmarek (Member, Author) commented

On Fri, Aug 12, 2016 at 03:30:41PM -0700, iggs0 wrote:

> So to be clear: this really means that as of today there is no IPv6 in Qubes, and for the future you are looking to NAT it?

Yes.

> I would be happy to "turn off" all firewall features of Qubes OS since I have this covered by a rather extensive network setup. Is this an option?

It depends what you call "all firewall features". You don't need to use outbound traffic limiting ("Firewall" tab in VM settings). You can even disable the "qubes-firewall" service in Proxy VMs (which will really do nothing anyway if you don't fill in the "Firewall" tab in VM settings).

But you can't disable NAT. This is rather unavoidable(*) with the tree-like structure of network connections between VMs (sys-net -> sys-firewall -> AppVMs, possibly sys-whonix in between).

(*) without modifying every routing table in your LAN.

Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

marmarek added a commit to marmarek/old-qubes-core-agent-linux that referenced this issue Sep 12, 2016
This rewrite is mainly to adopt new interface for Qubes 4.x.
Main changes:
 - change language from bash to python, introduce qubesagent python package
 - support both nftables (preferred) and iptables
 - new interface (https://qubes-os.org/doc/vm-interface/)
 - IPv6 support
 - unit tests included
 - nftables version support running along with other firewall loaded

Fixes QubesOS/qubes-issues#1815
QubesOS/qubes-issues#718
marmarek (Member, Author) commented

Script mentioned above: marmarek/qubes-core-agent-linux@789eb51

@mfc mfc mentioned this issue Jan 31, 2017
marmarek added a commit to marmarek/qubes-core-admin that referenced this issue Dec 1, 2017
Add property for IPv6 address ('ip6'). Build default value similarly to
IPv4 - common prefix + QID or Disp ID (for DispVMs).
This all is disabled unless 'ipv6' feature is enabled. It is inherited
from netvm (not template).
Even when enabled, VM may decide to not use it - or simply not support
it.

QubesOS/qubes-issues#718
marmarek added a commit to marmarek/qubes-core-admin that referenced this issue Dec 5, 2017
Add property for IPv6 address ('ip6'). Build default value similarly to
IPv4 - common prefix + QID or Disp ID (for DispVMs).
This all is disabled unless 'ipv6' feature is enabled. It is inherited
from netvm (not template).
Even when enabled, VM may decide to not use it - or simply not support
it.

QubesOS/qubes-issues#718
marmarek added a commit to marmarek/qubes-core-admin that referenced this issue Dec 5, 2017
Check produced libvirt XML, and QubesDB entries

QubesOS/qubes-issues#718
marmarek added a commit to marmarek/qubes-core-admin that referenced this issue Dec 5, 2017
Run also all IPv4 tests with IPv6 enabled to check for regressions
(broken IPv4 because of enabled IPv6).

QubesOS/qubes-issues#718
qubesos-bot commented

Automated announcement from builder-github

The package core-agent-linux has been pushed to the r4.0 testing repository for the CentOS centos7 template.
To test this update, please install it with the following command:

sudo yum update --enablerepo=qubes-vm-r4.0-current-testing

Changes included in this update

qubesos-bot commented

Automated announcement from builder-github

The package python2-dnf-plugins-qubes-hooks-4.0.14-1.fc24 has been pushed to the r4.0 testing repository for the Fedora fc24 template.
To test this update, please install it with the following command:

sudo yum update --enablerepo=qubes-vm-r4.0-current-testing

Changes included in this update

qubesos-bot commented

Automated announcement from builder-github

The package python2-dnf-plugins-qubes-hooks-4.0.14-1.fc25 has been pushed to the r4.0 testing repository for the Fedora fc25 template.
To test this update, please install it with the following command:

sudo yum update --enablerepo=qubes-vm-r4.0-current-testing

Changes included in this update

qubesos-bot commented

Automated announcement from builder-github

The package python2-dnf-plugins-qubes-hooks-4.0.14-1.fc26 has been pushed to the r4.0 testing repository for the Fedora fc26 template.
To test this update, please install it with the following command:

sudo yum update --enablerepo=qubes-vm-r4.0-current-testing

Changes included in this update

qubesos-bot commented

Automated announcement from builder-github

The package core-agent-linux has been pushed to the r4.0 stable repository for the Fedora centos7 template.
To install this update, please use the standard update command:

sudo yum update

Changes included in this update

qubesos-bot commented

Automated announcement from builder-github

The package python2-dnf-plugins-qubes-hooks-4.0.15-1.fc24 has been pushed to the r4.0 stable repository for the Fedora fc24 template.
To install this update, please use the standard update command:

sudo yum update

Changes included in this update

qubesos-bot commented

Automated announcement from builder-github

The package qubes-core-agent_4.0.15-1+deb8u1 has been pushed to the r4.0 stable repository for the Debian jessie template.
To install this update, please use the standard update command:

sudo apt-get update && sudo apt-get dist-upgrade

Changes included in this update

qubesos-bot commented

Automated announcement from builder-github

The package qubes-core-agent_4.0.15-1+deb9u1 has been pushed to the r4.0 stable repository for the Debian stretch template.
To install this update, please use the standard update command:

sudo apt-get update && sudo apt-get dist-upgrade

Changes included in this update

qubesos-bot commented

Automated announcement from builder-github

The component core-agent-linux (including package python2-dnf-plugins-qubes-hooks-4.0.20-1.fc26) has been pushed to the r4.0 stable repository for the Fedora template.
To install this update, please use the standard update command:

sudo yum update

Changes included in this update
