
Re: [libvirt] Plan A or Plan B?



On 11/19/2012 02:24 PM, Laine Stump wrote:
>>>1.  In a manner similar to what is done for IPV6, add ip6tables rules
>>>to permit virtual systems to communicate via a defined virtual
>>>interface which has no gateway addresses defined.  This does mean that
>>>virtual systems will not be able to communicate with the host via this
>>>interface ... only with each other.  Also, the following must be:
>>>        net.ipv6.conf.virbr19.disable_ipv6 = 1
>>>so that the kernel does not start anything.
>>This discussion was left open at the end - Dan, do you see any problem
>>with adding the rules permitting IPv6 traffic between the guests as long
>>as the host has disable_ipv6 set? Or will we still need to add an
>>"ipv6='yes'" attribute to the toplevel <network> element?
>I have looked over the code as well as done some testing (the code is
>all in network/bridge_driver.c).  Unless there really is an IPv6
>address specified, disable_ipv6=1.
Yes, technically it can be done. I just want to make sure that it
satisfies everyone's "don't open a new hole by default".

Just trying to emphasize that the hole Dan is concerned about is not opened and, besides doing testing, he can verify this by looking at src/network/bridge_driver.c ... see networkAddGeneralIp6tablesRules() for the ip6tables rules and see networkSetIPv6Sysctls() for setting disable_ipv6.

Gene
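The property being argued over above (guests on the bridge can talk IPv6 to each other, the host is not reachable, and disable_ipv6 is set on the bridge) can be audited from outside libvirt. The following is an added illustration, not libvirt code: it parses ip6tables-save style lines and sysctl output for a given bridge name. The sample rule set and sysctl line are constructed for the example and are not claimed to be the exact rules libvirt emits.

```python
import re

# Constructed sample input (not captured from a real host).
SYSCTL_OUT = ["net.ipv6.conf.virbr19.disable_ipv6 = 1"]
RULES_OK = [
    "*filter",
    "-A FORWARD -i virbr19 -o virbr19 -j ACCEPT",
    "-A FORWARD -o virbr19 -j REJECT --reject-with icmp6-port-unreachable",
    "-A FORWARD -i virbr19 -j REJECT --reject-with icmp6-port-unreachable",
    "COMMIT",
]
# Same, but with an INPUT accept that would expose the host to guests.
RULES_HOST_OPEN = RULES_OK[:1] + ["-A INPUT -i virbr19 -j ACCEPT"] + RULES_OK[1:]


def ipv6_disabled(sysctl_lines, bridge):
    """True only if net.ipv6.conf.<bridge>.disable_ipv6 is explicitly 1."""
    key = "net.ipv6.conf.%s.disable_ipv6" % bridge
    for line in sysctl_lines:
        k, _, v = line.partition("=")
        if k.strip() == key:
            return v.strip() == "1"
    return False  # unset means the kernel default (IPv6 enabled)


def _opt(flag, line):
    m = re.search(r"(?:^| )%s (\S+)" % re.escape(flag), line)
    return m.group(1) if m else None


def audit_ip6tables(save_lines, bridge):
    """Return (guest_to_guest_allowed, host_reachable) for rules naming bridge."""
    guest_to_guest = host_reachable = False
    for line in save_lines:
        if not line.startswith("-A "):
            continue
        chain = line.split()[1]
        in_if, out_if, target = _opt("-i", line), _opt("-o", line), _opt("-j", line)
        if bridge not in (in_if, out_if):
            continue
        # Forwarding between two ports of the same bridge: guest <-> guest.
        if chain == "FORWARD" and in_if == out_if == bridge and target == "ACCEPT":
            guest_to_guest = True
        # Anything accepted into INPUT from the bridge reaches the host itself.
        if chain == "INPUT" and in_if == bridge and target == "ACCEPT":
            host_reachable = True
    return guest_to_guest, host_reachable


def bridge_is_isolated(sysctl_lines, save_lines, bridge):
    g2g, host = audit_ip6tables(save_lines, bridge)
    return g2g and not host and ipv6_disabled(sysctl_lines, bridge)
```

On a live host the two inputs would come from `sysctl -a` and `ip6tables-save` output, line by line.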

