[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [libvirt] Proposed: always allow packets internal to an interface



On 11/08/2012 04:44 PM, Daniel P. Berrange wrote:
On Thu, Nov 08, 2012 at 02:41:29PM -0500, Laine Stump wrote:
On 11/07/2012 04:25 PM, Gene Czarcinski wrote:
IPv4 and IPv6 networks are suppose to have the same (more or less)
functionality so why isn't this OK.
"Maintaining backward compatibility", both API and operational. In the
past it wasn't the case that we simply did nothing about ipv6 on
libvirt's networks, instead we explicitly set a sysctl to *disable* it.
That must have been done for some reason. That reason may no longer be
valid, but we don't know that yet (it happened before I was around). If
the reason is no longer valid, we can go ahead as you suggest (and I
would say we don't even need an option to not have ip6tables, just force
people to build the full iptables package as God intended :-P). If the
reason *is* still valid, then we need to only enable the ipv6 sysctl and
add the ip6tables rule in response to some new flag attribute in the
network config.
If you don't disable IPv6 on the bridge device, then when starting the
network device, the kernel will auto-assign an IPv6 link local address,
which the guest can then use to communicate with the host. In the IPv4
case, if you don't specify any <ip> address, there is no "link local"
like address present, so there's no connectivity between guest and
host. So explicitly disabling IPv6 is in fact required in order to
give consistent behaviour between IPv6 and IPv4.

I've no objections to anyone adding a new 'ipv6=on|off' attribute to
the network XML so that admins can explicitly choosen whether to allow
IPv6, indepedently of whether any <ip> element is set with an IPv6 address.

I hear what you are saying but I am not sure I understand it because some simple testing I did resulted in exactly what I wanted.

1. Configure and start ad virtual network interface such as:
<network>
  <name>nogw</name>
  <uuid>7a3b7497-1ec7-8aef-6d5c-38dff9109e93</uuid>
  <bridge name='virbr19' stp='on' delay='0' />
  <mac address='52:54:00:08:10:43'/>
</network>

ip addr shows the following:
44: virbr19: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN
    link/ether 52:54:00:08:10:43 brd ff:ff:ff:ff:ff:ff
45: virbr19-nic: <BROADCAST,MULTICAST> mtu 1500 qdisc pfifo_fast master virbr19 state DOWN qlen 500
    link/ether 52:54:00:08:10:43 brd ff:ff:ff:ff:ff:ff

and I added a rule to ip6tables resulting in:
-A FORWARD -i virbr19 -o virbr19 -j ACCEPT

2. Take two F17 virtual guest systems and configure them with "nogw" on a network interface.

3. Start them up and manually configure the NIC with the "nogw" network for fd00:1:1:1::2/64 and fd00:1:1:1::3/64

4. try doing a ping6 between the two ... works fine.

Now, all I am asking for is to have the above ip6table rule added automatically (along with the standard rejects).

The reult is a very private IPv6 network between the virtual guest systems.

BTW, for "sysctl -a | grep virbr19 | grep "disable_ipv6"", the result is:
net.ipv6.conf.virbr19.disable_ipv6 = 1
net.ipv6.conf.virbr19-nic.disable_ipv6 = 0

Just for info, this is all F17 with libvirt-1.0.0+ my bunch of patches.

Now, what am I missing?  What do I not understand?

Gene


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]