| author | Simon Rettberg | 2024-11-22 09:50:22 +0100 |
|---|---|---|
| committer | Simon Rettberg | 2024-11-22 09:50:22 +0100 |
| commit | b43276c1ebd3005168cf2eb2293e6a4f600dc124 (patch) | |
| tree | bc47c8e32eb7890472b4973bdf87639c664130a9 /core/modules | |
| parent | [kiosk-common] Make sure browsers (firefox) start maximized (diff) | |
[run-virt] fw: If unable to redirect ipv6 dns, block entirely
Diffstat (limited to 'core/modules')
| -rw-r--r-- | core/modules/run-virt/data/opt/openslx/vmchooser/scripts/set-firewall | 7 |
1 files changed, 5 insertions, 2 deletions
diff --git a/core/modules/run-virt/data/opt/openslx/vmchooser/scripts/set-firewall b/core/modules/run-virt/data/opt/openslx/vmchooser/scripts/set-firewall
index 64c8eaa8..2f64e754 100644
--- a/core/modules/run-virt/data/opt/openslx/vmchooser/scripts/set-firewall
+++ b/core/modules/run-virt/data/opt/openslx/vmchooser/scripts/set-firewall
@@ -292,8 +292,11 @@ if ! (
 cat >> "$DNS_IPT_FILE" <<-EOF
 iptables -t nat -A PREROUTING -p tcp --dport 53 -j REDIRECT --to-port "$DNSPORT"
 iptables -t nat -A PREROUTING -p udp --dport 53 -j REDIRECT --to-port "$DNSPORT"
- ip6tables -t nat -A PREROUTING -p tcp --dport 53 -j REDIRECT --to-port "$DNSPORT"
- ip6tables -t nat -A PREROUTING -p udp --dport 53 -j REDIRECT --to-port "$DNSPORT"
+ ip6tables -t nat -A PREROUTING -p tcp --dport 53 -j REDIRECT --to-port "$DNSPORT" \
+ || ip6tables -A FORWARD -p tcp --dport 53 -j DROP
+ ip6tables -t nat -A PREROUTING -p udp --dport 53 -j REDIRECT --to-port "$DNSPORT" \
+ || ip6tables -A FORWARD -p udp --dport 53 -j DROP
+ true
 EOF
 chmod +x "$DNS_IPT_FILE"
 fi |
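Review bot: The added `true` at the end of the generated rules file discards the exit status of the DROP fallback, so if `ip6tables -A FORWARD ... -j DROP` also fails (for example because ip6tables itself is unavailable), IPv6 DNS is neither redirected nor blocked and nothing records it. I would at least make that case visible by extending each fallback, e.g. `|| ip6tables -A FORWARD -p tcp --dport 53 -j DROP || echo "set-firewall: IPv6 tcp/53 neither redirected nor blocked" >&2`, and the same for udp. The fallback also appends with `-A FORWARD`, so an ACCEPT rule earlier in that chain (not visible in this hunk) would match first; if such rules can exist, `-I FORWARD 1` would make the block effective. A short comment above the fallback saying that DROP in FORWARD is the fail-closed path when the ip6 nat table is missing would help the next reader. The enclosing `if ! (` block and the consumer of `$DNS_IPT_FILE` are outside the hunk, so how a non-zero exit would be handled there is not visible.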
