QubesOS / qubes-issues

The Qubes OS Project issue tracker
https://www.qubes-os.org/doc/issue-tracking/

add IPv6 support to Qubes-Whonix #9267

Open adrelanos opened 3 months ago

adrelanos commented 3 months ago

Qubes OS release

Qubes R4.1

Brief summary

A user using a mobile ISP that provides IPv6 addresses only reported that Whonix is unable to connect. [1] [2]

[1] https://forums.whonix.org/t/4g-mobile-internet-only-gives-ipv6-address-so-no-internet-route-for-kvm-how-to-solve/19854

[2] While the report is about Non-Qubes-Whonix, the same would happen with Qubes-Whonix.

Steps to reproduce

  1. Use an IPv6-only ISP.
  2. Attempt to use Whonix.

Expected behavior

Functional connectivity.

Actual behavior

Broken connectivity.

Discussion.

I am working on adding IPv6 support to Whonix. Some Qubes-specific questions...

    LOCAL_NET="\
      127.0.0.0/24 \
      10.137.0.0/16 \
      10.138.0.0/16 \
    "
    WORKSTATION_DEST_SOCKSIFIED="\
      10.137.0.0/16 \
      10.138.0.0/16 \
      10.152.152.10 \
    "

Any IPv6 versions?


    ## DROP PACKETS WITH INCOMING FRAGMENTS. THIS ATTACK ONCE RESULTED IN KERNEL PANICS
    #$iptables_cmd -A output -f -j REJECT --reject-with icmp-admin-prohibited
    $nftables_cmd add rule inet filter output ip frag-off "&" 0x1fff != 0 counter reject

Useful for IPv6? What would be the equivalent?


    if qubes_primary_dns="$(qubesdb-read /qubes-primary-dns 2> /dev/null)"; then
      #$iptables_cmd -A output -p udp --dport 53 --dst "$qubes_primary_dns" -j ACCEPT
      $nftables_cmd add rule inet filter output ip daddr "$qubes_primary_dns" udp dport 53 counter accept
      counter=$((counter + 1))
    fi

    if qubes_secondary_dns="$(qubesdb-read /qubes-secondary-dns 2> /dev/null)"; then
      #$iptables_cmd -A output -p udp --dport 53 --dst "$qubes_secondary_dns" -j ACCEPT
      $nftables_cmd add rule inet filter output ip daddr "$qubes_secondary_dns" udp dport 53 counter accept
      counter=$((counter + 1))
    fi

qubesdb-read /qubes-primary-dns will remain IPv4 only?


    $nftables_cmd add rule inet filter output skuid "$UPDATESPROXYCHECK_USER" ip daddr 10.137.255.254-10.137.255.254 tcp dport "$qubes_updates_proxy_port" counter accept

What range would that be for IPv6?
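
Added example, not part of the original issue or of the Whonix firewall script: the rules quoted above live in an `inet` table, where an `ip ...` match applies to IPv4 packets only, so IPv6 packets never hit them and fall through to whatever else the chain does. The script below lists such rules in a rule file; the sample address 192.0.2.53, uid 1000 and port 8082 are constructed placeholders, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: report which rules of an nftables "inet" table can only
# ever match one address family. Not taken from the Whonix firewall.

# Constructed sample: the rules quoted in the issue with shell variables
# replaced by placeholder values, plus one family-neutral rule for contrast.
sample_rules() {
  cat <<'EOF'
add rule inet filter output ip frag-off & 0x1fff != 0 counter reject
add rule inet filter output ip daddr 192.0.2.53 udp dport 53 counter accept
add rule inet filter output skuid 1000 ip daddr 10.137.255.254-10.137.255.254 tcp dport 8082 counter accept
add rule inet filter output oifname "lo" counter accept
EOF
}

# Print ipv4-only, ipv6-only, both or conflict for one rule ($1).
# Heuristic: a bare "ip" or "ip6" token is a header match of that family.
# Other family-restricting matches (meta nfproto, icmp, icmpv6) are ignored.
classify_rule() (
  set -f                        # no globbing while splitting into words
  v4=0; v6=0; n=0
  for tok in $1; do
    n=$((n + 1))
    if [ "$n" -le 5 ]; then continue; fi   # skip "add rule inet <table> <chain>"
    case "$tok" in
      ip)  v4=1 ;;
      ip6) v6=1 ;;
    esac
  done
  case "$v4$v6" in
    10) echo ipv4-only ;;
    01) echo ipv6-only ;;
    11) echo conflict ;;        # a packet cannot carry both headers
    *)  echo both ;;
  esac
)

# Read rules on stdin and print those that IPv6 traffic can never match.
ipv4_only_rules() {
  while IFS= read -r rule; do
    if [ "$(classify_rule "$rule")" = ipv4-only ]; then
      printf '%s\n' "$rule"
    fi
  done
}

sample_rules | ipv4_only_rules
```

Each rule it prints needs an explicit decision for IPv6: an `ip6` counterpart, or a deliberate drop.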

andrewdavidwong commented 3 months ago

Please note that this issue tracker (qubes-issues) is not intended to be a place for fielding questions. Instead, we have other venues meant for asking questions, asking for help, and having discussions. In this case, it sounds like qubes-devel would be most appropriate. (By contrast, the issue tracker is more of a technical tool intended to support our developers in their work.) Thank you for your understanding.

github-actions[bot] commented 3 months ago

This issue has been closed as "not applicable." Here are some common examples of cases in which issues are closed as not applicable:

We respect the time and effort you have taken to file this issue, and we understand that this outcome may be unsatisfying. Please accept our sincere apologies and know that we greatly value your participation and membership in the Qubes community.

Regarding help and support requests, please note that this issue tracker (qubes-issues) is not intended to serve as a help desk or tech support center. Instead, we've set up other venues where you can ask for help and support, ask questions, and have discussions. By contrast, the issue tracker is more of a technical tool intended to support our developers in their work. We thank you for your understanding.

If anyone reading this believes that this issue was closed in error or that the resolution of "not applicable" is not accurate, please leave a comment below saying so, and we will review this issue again. For more information, see How issues get closed.

adrelanos commented 3 months ago

That seems a bit overly bureaucratic to me. Not sure you've seen my user name? As you know, I am a developer.

The non-support of IPv6 by Qubes-Whonix at time of writing is, depending on how you look at it, a missing feature and, due to some users now claiming to only have IPv6 addresses assigned and no IPv4, even a bug that should be fixed and is now realistic to fix.

Also I am the one to work on it.

I am using the C: Whonix tag to see tickets related to Qubes-Whonix to see where there are bugs that I can fix, features to implement.

I could have phrased this as a bug report or feature request and then asked these questions later (because that's what happens during work of developers on tickets, comments, questions, answers, coordination) but that seems overly bureaucratic.

Please re-open.

unman commented 3 months ago

On Thu, May 30, 2024 at 06:23:54AM -0700, Patrick Schleizer wrote:

> That seems a bit overly bureaucratic to me. Not sure you've seen my user name? As you know, I am a developer.
>
> The non-support of IPv6 by Qubes-Whonix at time of writing is, depending on how you look at it, a missing feature and, due to some users now claiming to only have IPv6 addresses assigned and no IPv4, even a bug that should be fixed and is now realistic to fix.
>
> Also I am the one to work on it.
>
> I am using the C: Whonix tag to see tickets related to Qubes-Whonix to see where there are bugs that I can fix, features to implement.
>
> I could have phrased this as a bug report or feature request and then asked these questions later (because that's what happens during work of developers on tickets, comments, questions, answers, coordination) but that seems overly bureaucratic.
>
> Please re-open.

It seems a Whonix bug (or feature) - usually requests for information and discussion are sent to the qubes-devel list. This is what you have done in the past.

andrewdavidwong commented 3 months ago

@adrelanos: I've reopened this issue at your request, but it would be very helpful for everyone if you could use one of the issue templates (whichever one you see fit) so that others can understand it. When opening a new issue, a good heuristic is to imagine that it could eventually be (re)assigned to someone new who joins the project in the future. Issues should be comprehensible to others (at the very least, other team members, but ideally also to community developers and contributors).

adrelanos commented 3 months ago

Thank you, much appreciated! I updated the text above and made it a proper bug report. (Not sure about bug report versus enhancement.)

andrewdavidwong commented 3 months ago

> I updated the text above and made it a proper bug report.

Thank you!

> (Not sure about bug report versus enhancement.)

This one could go either way, but to me it seems more like an enhancement request, because IPv6 support does not exist in Qubes-Whonix yet, so there is no expectation that it should work. It's a feature that needs to be added first. If IPv6 were already supported but were malfunctioning in some way, that would be a bug.