[libvirt] Proposed: always allow packets internal to an interface

Gene Czarcinski gene at czarc.net
Thu Nov 8 22:41:29 UTC 2012


On 11/08/2012 04:44 PM, Daniel P. Berrange wrote:
> On Thu, Nov 08, 2012 at 02:41:29PM -0500, Laine Stump wrote:
>> On 11/07/2012 04:25 PM, Gene Czarcinski wrote:
>>> IPv4 and IPv6 networks are supposed to have the same (more or less)
>>> functionality so why isn't this OK?
>> "Maintaining backward compatibility", both API and operational. In the
>> past it wasn't the case that we simply did nothing about ipv6 on
>> libvirt's networks, instead we explicitly set a sysctl to *disable* it.
>> That must have been done for some reason. That reason may no longer be
>> valid, but we don't know that yet (it happened before I was around). If
>> the reason is no longer valid, we can go ahead as you suggest (and I
>> would say we don't even need an option to not have ip6tables, just force
>> people to build the full iptables package as God intended :-P). If the
>> reason *is* still valid, then we need to only enable the ipv6 sysctl and
>> add the ip6tables rule in response to some new flag attribute in the
>> network config.
> If you don't disable IPv6 on the bridge device, then when starting the
> network device, the kernel will auto-assign an IPv6 link local address,
> which the guest can then use to communicate with the host. In the IPv4
> case, if you don't specify any <ip> address, there is no "link local"
> like address present, so there's no connectivity between guest and
> host. So explicitly disabling IPv6 is in fact required in order to
> give consistent behaviour between IPv6 and IPv4.
>
> I've no objections to anyone adding a new 'ipv6=on|off' attribute to
> the network XML so that admins can explicitly choose whether to allow
> IPv6, independently of whether any <ip> element is set with an IPv6 address.
>
I hear what you are saying but I am not sure I understand it because 
some simple testing I did resulted in exactly what I wanted.

1. Configure and start a virtual network interface such as:
<network>
   <name>nogw</name>
   <uuid>7a3b7497-1ec7-8aef-6d5c-38dff9109e93</uuid>
   <bridge name='virbr19' stp='on' delay='0' />
   <mac address='52:54:00:08:10:43'/>
</network>

ip addr shows the following:
44: virbr19: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN
     link/ether 52:54:00:08:10:43 brd ff:ff:ff:ff:ff:ff
45: virbr19-nic: <BROADCAST,MULTICAST> mtu 1500 qdisc pfifo_fast master virbr19 state DOWN qlen 500
     link/ether 52:54:00:08:10:43 brd ff:ff:ff:ff:ff:ff

and I added a rule to ip6tables resulting in:
-A FORWARD -i virbr19 -o virbr19 -j ACCEPT

2. Take two F17 virtual guest systems and configure them with "nogw" on 
a network interface.

3. Start them up and manually configure the NIC with the "nogw" network 
for fd00:1:1:1::2/64 and fd00:1:1:1::3/64

4. Try doing a ping6 between the two ... works fine.

Now, all I am asking for is to have the above ip6tables rule added 
automatically (along with the standard rejects).

The result is a very private IPv6 network between the virtual guest systems.

BTW, for "sysctl -a | grep virbr19 | grep "disable_ipv6"", the result is:
net.ipv6.conf.virbr19.disable_ipv6 = 1
net.ipv6.conf.virbr19-nic.disable_ipv6 = 0

Just for info, this is all F17 with libvirt-1.0.0 + my bunch of patches.

Now, what am I missing?  What do I not understand?

Gene
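An added example, not code from this thread or from libvirt, that audits the two things the discussion turns on: whether IPv6 is really disabled on the bridge (no disable_ipv6=0, no kernel-assigned fe80:: address that would let guests reach the host) and whether the intra-bridge FORWARD accept rule is present. It works on saved "sysctl -a", "ip addr" and "ip6tables-save" output so it runs offline; the virbr19 name and the sample output are constructed to match the scenario above.

```shell
#!/bin/sh
# Added example, not code from the libvirt thread. Audits one libvirt bridge's IPv6
# posture from saved "sysctl -a", "ip addr" and "ip6tables-save" output, so it runs
# offline; the bridge name virbr19 and the sample output are constructed.

# 0 if the sysctl dump ($2) reports disable_ipv6 = 1 for interface $1.
ipv6_disabled() {
    printf '%s\n' "$2" | grep -qxF "net.ipv6.conf.$1.disable_ipv6 = 1"
}

# 0 if the "ip addr" dump ($2) shows a link-local fe80:: address on $1, i.e. the
# kernel auto-configured IPv6 on the bridge and guests could reach the host with it.
has_link_local() {
    printf '%s\n' "$2" | awk -v br="$1" '
        /^[0-9]+: / { cur = $2; sub(/:$/, "", cur) }   # start of an interface block
        cur == br && /inet6 fe80:/ { found = 1 }
        END { exit (found ? 0 : 1) }'
}

# 0 if the ip6tables-save dump ($2) holds the intra-bridge accept rule
# (-A FORWARD -i BR -o BR -j ACCEPT) that the thread proposes adding by default.
has_intra_bridge_accept() {
    printf '%s\n' "$2" | grep -qxF -e "-A FORWARD -i $1 -o $1 -j ACCEPT"
}

# Print "BR: <host posture>, <guest-to-guest posture>" for bridge $1.
audit_bridge() {
    br=$1 sysctl_out=$2 ipaddr_out=$3 ip6t_out=$4
    host=host-reachable
    if ipv6_disabled "$br" "$sysctl_out" && ! has_link_local "$br" "$ipaddr_out"; then
        host=host-isolated
    fi
    fwd=guest-guest-blocked
    if has_intra_bridge_accept "$br" "$ip6t_out"; then
        fwd=guest-guest-allowed
    fi
    printf '%s: %s, %s\n' "$br" "$host" "$fwd"
}

# Constructed sample output matching the thread's virbr19 network.
SAMPLE_SYSCTL='net.ipv6.conf.virbr19.disable_ipv6 = 1
net.ipv6.conf.virbr19-nic.disable_ipv6 = 0'
SAMPLE_IPADDR='44: virbr19: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN
    link/ether 52:54:00:08:10:43 brd ff:ff:ff:ff:ff:ff
45: virbr19-nic: <BROADCAST,MULTICAST> mtu 1500 qdisc pfifo_fast master virbr19 state DOWN
    link/ether 52:54:00:08:10:43 brd ff:ff:ff:ff:ff:ff'
SAMPLE_IP6T='-A FORWARD -i virbr19 -o virbr19 -j ACCEPT
-A FORWARD -o virbr19 -j REJECT --reject-with icmp6-port-unreachable
-A FORWARD -i virbr19 -j REJECT --reject-with icmp6-port-unreachable'
audit_bridge virbr19 "$SAMPLE_SYSCTL" "$SAMPLE_IPADDR" "$SAMPLE_IP6T"
```

For the sample above it prints "virbr19: host-isolated, guest-guest-allowed", which is the "very private IPv6 network" outcome; a bridge with disable_ipv6 = 0 and an fe80:: address reports host-reachable instead.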