Some more info:
The post at 4.2 equivilant for 4.1 networking commands? mentions that rules should be added to `custom-forward`. The iptables interface adds them to `ip filter`. Not sure if this is a bug because I don’t see what the source for that claim is (neither of the linked bugs mentions it). However, I tried adding the rules to this chain with `nft add rule ip qubes custom-forward ip saddr $SENDING_IP counter`. This rule is broader than the iptables rule I was using (no destination address is specified), but that shouldn’t prevent my target qube from receiving the data. After adding this rule (and deleting the rules from `ip filter`) the behavior does not change (`tcpdump` shows the packets in sys-firewall but not the target qube) and the counter for the new rule increments.
Additionally, I monitored the interface on the target qube in wireshark and I saw 2 ICMPv6 router solicitation packets sent to the target qube. One came from the sending qube and the other from an address I do not recognize. Based on this, I repeated the `nft add rule ...` from above with `ip6` instead of `ip`, but this had no effect on behavior. The counter for the ip6 rule did not increment.
Finally, I tried pinging the target qube’s IPv6 address which led to different results. The sending qube sent several Link-Local Multicast Name Resolution requests but did not receive any replies. The echo requests never appeared in wireshark.
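An added example, not part of the post above and not Qubes' own tooling: a small Python script that reads the JSON produced by `nft -j list ruleset` and, for every rule in the `custom-forward` chain in either the `ip` or `ip6` family, prints the source/destination match and the counter, flagging rules whose counter has stayed at zero (the ip6 symptom the post describes). The embedded JSON is a constructed stand-in with made-up addresses, handles and counts so the script runs offline; the chain and table names are the ones the post uses, and the rule-object layout is the nftables JSON format as I understand it.

```python
"""Summarise nftables counters for a chain across the ip and ip6 families.

Added example, not from the original post. Intended use in sys-firewall:
    sudo nft -j list ruleset | python3 nft_counters.py
With no input on stdin it falls back to the constructed SAMPLE below.
"""
import json
import sys

# Constructed sample of `nft -j list ruleset` output. Addresses, handles and
# packet counts are invented; the shape (metainfo, chain and rule objects
# with match/counter/verdict expressions) follows nftables' JSON output.
SAMPLE = json.dumps({"nftables": [
    {"metainfo": {"version": "1.0.7", "json_schema_version": 1}},
    {"chain": {"family": "ip", "table": "qubes", "name": "custom-forward", "handle": 5}},
    {"rule": {"family": "ip", "table": "qubes", "chain": "custom-forward", "handle": 12,
              "expr": [
                  {"match": {"op": "==",
                             "left": {"payload": {"protocol": "ip", "field": "saddr"}},
                             "right": "10.137.0.20"}},
                  {"counter": {"packets": 37, "bytes": 3108}},
                  {"accept": None}]}},
    {"rule": {"family": "ip6", "table": "qubes", "chain": "custom-forward", "handle": 13,
              "expr": [
                  {"match": {"op": "==",
                             "left": {"payload": {"protocol": "ip6", "field": "saddr"}},
                             "right": "fd09:24ef:4e49::20"}},
                  {"counter": {"packets": 0, "bytes": 0}},
                  {"accept": None}]}},
    # A rule in another chain with a prefix match; it must be filtered out.
    {"rule": {"family": "ip", "table": "qubes", "chain": "custom-input", "handle": 14,
              "expr": [
                  {"match": {"op": "==",
                             "left": {"payload": {"protocol": "ip", "field": "saddr"}},
                             "right": {"prefix": {"addr": "10.137.0.0", "len": 24}}}},
                  {"counter": {"packets": 5, "bytes": 400}},
                  {"drop": None}]}},
]})


def _fmt_right(right):
    """Render the right-hand side of a match: plain address or prefix object."""
    if isinstance(right, dict) and "prefix" in right:
        p = right["prefix"]
        return f"{p['addr']}/{p['len']}"
    return right


def match_value(expr):
    """Return (protocol, field, value) for a payload match expression, else None."""
    m = expr.get("match")
    if not m:
        return None
    payload = m.get("left", {}).get("payload")
    if not payload:
        return None
    return payload.get("protocol"), payload.get("field"), _fmt_right(m.get("right"))


def rule_counters(nft_json, chain="custom-forward"):
    """One dict per rule in `chain` (any family or table) that carries a counter."""
    out = []
    for obj in json.loads(nft_json).get("nftables", []):
        rule = obj.get("rule")
        if not rule or rule.get("chain") != chain:
            continue
        entry = {"family": rule["family"], "table": rule["table"],
                 "handle": rule.get("handle"), "saddr": None, "daddr": None,
                 "packets": None, "bytes": None}
        for expr in rule.get("expr", []):
            mv = match_value(expr)
            if mv and mv[1] in ("saddr", "daddr"):
                entry[mv[1]] = mv[2]
            elif "counter" in expr:
                entry["packets"] = expr["counter"].get("packets")
                entry["bytes"] = expr["counter"].get("bytes")
        if entry["packets"] is not None:
            out.append(entry)
    return out


def idle_rules(entries):
    """Rules whose counter never moved: nothing in that family reached the chain."""
    return [e for e in entries if e["packets"] == 0]


def report(entries):
    """Plain-text table of the collected rules."""
    return "\n".join(
        f"{e['family']:4} {e['table']:6} handle {e['handle']:<3} "
        f"saddr={e['saddr']} daddr={e['daddr']} "
        f"packets={e['packets']} bytes={e['bytes']}"
        for e in entries)


if __name__ == "__main__":
    data = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    rules = rule_counters(data)
    print(report(rules))
    for r in idle_rules(rules):
        print(f"no packets matched {r['family']} rule handle {r['handle']} (saddr={r['saddr']})")
```

Run it a few times while sending traffic; a rule whose `packets` value climbs is being hit in sys-firewall, which localises the problem to the hop after the forward chain (or, for a rule that stays at zero as in the ip6 case above, to the traffic never reaching that chain at all).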