Firewall: LAN exception doesn't work on Qubes OS #351

Open
rapenne-s opened this issue Jan 26, 2024 · 1 comment
@rapenne-s

Bug report

Describe your environment

  • Device: Laptop
  • OS name and version: Fedora 38 on Qubes OS 4.2
  • IVPN app version: v3.13.4

Describe the problem

On Qubes OS, when using the app in a NetVM qube providing network to other qubes, the LAN exception doesn't work.

Steps to reproduce:

  1. Install the app in a qube and make it provide network to other qubes
  2. Enable the LAN exception setting in the qube
  3. Try to reach a LAN device (10.42.42.42 on my network for instance), either from the qube with the app or a qube using it as a netvm
  4. No reply over the network

Observed Results:

There is no network being forwarded there

Expected Results:

Qubes should be able to reach LAN devices

Solution:

I came up with a script injecting the bypass rules for the hosts I want; it's hooked like the other Qubes OS specific scripts to run when the firewall is being toggled on/off.

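```sh
#!/bin/sh

# Allow forwarded traffic to the LAN subnet in the Qubes custom-forward chain
nft insert rule qubes custom-forward ip daddr 10.42.42.0/24 counter accept
# Allow forwarded traffic to and from the LAN subnet in the filter table's FORWARD chain
nft insert rule filter FORWARD ip daddr 10.42.42.0/24 counter accept
nft insert rule filter FORWARD ip saddr 10.42.42.0/24 counter accept
```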
@stenya stenya self-assigned this Feb 5, 2024
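
An idempotent on/off variant of the workaround script above, as an added example that is not part of the original issue or of IVPN's code. It tags each rule with an nftables comment so the rules can be found and deleted when the firewall is toggled off, and refuses subnets outside RFC 1918 so the bypass cannot exempt public addresses. The `TAG` value and the `on`/`off` argument convention are assumptions, not the app's hook interface.

```shell
#!/bin/sh
# Added example. TAG and the on/off argument are assumptions, not IVPN's hook API.
TAG="lan-bypass-example"   # hypothetical comment tag marking our rules
LAN="10.42.42.0/24"        # subnet from the issue

# Accept only RFC 1918 IPv4 CIDRs, so a typo cannot exempt public ranges.
is_private_cidr() {
    net=${1%/*}; len=${1#*/}
    [ "$net" != "$1" ] || return 1                      # no "/" present
    case "$len" in ''|*[!0-9]*) return 1 ;; esac
    case "$net" in *[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $net; IFS=$old_ifs      # split into octets
    [ $# -eq 4 ] || return 1
    for o in "$@"; do [ "$o" -le 255 ] || return 1; done
    if   [ "$1" -eq 10 ]; then min=8
    elif [ "$1" -eq 172 ] && [ "$2" -ge 16 ] && [ "$2" -le 31 ]; then min=12
    elif [ "$1" -eq 192 ] && [ "$2" -eq 168 ]; then min=16
    else return 1; fi
    [ "$len" -ge "$min" ] && [ "$len" -le 32 ]
}

# Read `nft -a list chain ...` output on stdin, print handles of tagged rules.
tagged_handles() {
    sed -n "s/.*comment \"$TAG\".*# handle \([0-9][0-9]*\)\$/\1/p"
}

bypass_off() {
    for chain in "qubes custom-forward" "filter FORWARD"; do
        # $chain is left unquoted on purpose: it holds "<table> <chain>"
        for h in $(nft -a list chain $chain 2>/dev/null | tagged_handles); do
            nft delete rule $chain handle "$h"
        done
    done
}

bypass_on() {
    is_private_cidr "$LAN" || { echo "refusing non-private subnet: $LAN" >&2; return 1; }
    bypass_off    # remove earlier copies so repeated toggles do not stack rules
    nft insert rule qubes custom-forward ip daddr "$LAN" counter accept comment "\"$TAG\""
    nft insert rule filter FORWARD ip daddr "$LAN" counter accept comment "\"$TAG\""
    nft insert rule filter FORWARD ip saddr "$LAN" counter accept comment "\"$TAG\""
}

case "${1:-}" in
    on)  bypass_on ;;
    off) bypass_off ;;
esac
```

Run without arguments the script only defines its functions; the `counter` on each rule shows in `nft list chain` whether LAN traffic is actually hitting the bypass.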
@stenya
Member

stenya commented Feb 15, 2024

Just for reference, not to forget: #217
