[libvirt] dhcp6, radvd, ip6tables, etc. (update)
Gene Czarcinski
gene at czarc.net
Tue Oct 30 23:07:27 UTC 2012
On 10/30/2012 06:45 PM, R P Herrold wrote:
> I think the rules you want are these (we use the symbolic names for
> the packet sub-type as it makes things clearer)
>
> # /etc/sysconfig/ip6tables
> # ...
> -A INPUT -p ipv6-icmp --icmpv6-type router-advertisement -s $IP6SERVER -j ACCEPT
> -A INPUT -p ipv6-icmp --icmpv6-type router-advertisement -j DROP
> -A INPUT -p ipv6-icmp -j ACCEPT
> -A INPUT -j REJECT --reject-with icmp6-adm-prohibited
> # ...
>
> I do not know that you need to filter or attempt to direct
> 'router-solicitation' as your comments mentioned. We have not had a
> 'real world' need to do so. We run a variation of these rules at pmman
>
> from: man 8 ip6tables
>
> icmp6
> This extension can be used if ‘--protocol ipv6-icmp’ or
> ‘--protocol icmpv6’ is specified. It provides the following
> option:
>
> [!] --icmpv6-type type[/code]|typename
> This allows specification of the ICMPv6 type, which
> can be a numeric ICMPv6 type, type and code, or one
> of the ICMPv6 type names shown by the command
> ip6tables -p ipv6-icmp -h
They are not icmp6 but dhcpv6 packets.

As I explained earlier in the thread, there is a little 4-packet dance
which implements dhcpv6 addresses. Routing is handled by RA. The
difference is that you must have the AdvManagedFlag on for dhcpv6 and
off otherwise. There does not seem to be a problem with the RA packets
getting through.

But, for dhcpv6, you need port 547 packets (and specifically with a
destination address of ff02::01:2) to get through to the dnsmasq process
running on the virtualization host. For this to happen, an additional
ip6tables rule is needed. While just specifying "--dport 547" seems to work, the
"correct" approach should also specify "--destination ff02::1:2" for
"--in-interface <our interface>".

This is what I have currently implemented and it seems to work well.
Gene
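The rule set the two messages describe, put together as an added example (not code from either poster or from libvirt): the DHCPv6 rule Gene describes, scoped to the bridge interface and the ff02::1:2 multicast destination, followed by R P Herrold's router-advertisement filtering. The function name `dhcpv6_rules`, the bridge name `virbr0` and the router address `fe80::1` are assumptions for illustration; the script only prints the `ip6tables` commands unless explicitly asked to apply them, so it can be reviewed before anything touches the firewall.

```shell
#!/bin/sh
# Added example, not from the thread. Emit (or apply) the ip6tables INPUT
# rules needed for DHCPv6 served by dnsmasq on a libvirt bridge, plus the
# router-advertisement filter from the quoted message.
# Usage: dhcpv6_rules <bridge-iface> <ra-source-addr> [print|apply]

dhcpv6_rules() {
    iface="$1"            # assumed libvirt bridge, e.g. virbr0
    ra_src="$2"           # assumed link-local address of the host that sends RAs
    mode="${3:-print}"    # "print" (default) shows the commands; "apply" runs them

    # Run or echo one rule depending on mode.
    emit() {
        if [ "$mode" = apply ]; then
            ip6tables "$@"
        else
            echo "ip6tables $*"
        fi
    }

    # DHCPv6 Solicit/Request from guests are sent to the
    # All_DHCP_Relay_Agents_and_Servers group ff02::1:2, UDP port 547,
    # and must reach dnsmasq on the host. Match the interface and the
    # multicast destination, not just the port.
    emit -A INPUT -i "$iface" -p udp --dport 547 -d ff02::1:2 -j ACCEPT

    # Router advertisements: accept only those from our own router address
    # and drop any other RA arriving on this bridge (rogue-RA protection).
    emit -A INPUT -i "$iface" -p ipv6-icmp --icmpv6-type router-advertisement -s "$ra_src" -j ACCEPT
    emit -A INPUT -i "$iface" -p ipv6-icmp --icmpv6-type router-advertisement -j DROP

    # Everything else in ICMPv6 (neighbour discovery, echo, PMTU) stays allowed.
    emit -A INPUT -i "$iface" -p ipv6-icmp -j ACCEPT
}

# Show the rules for the assumed bridge; pass "apply" as a third argument
# (as root) to install them instead.
dhcpv6_rules virbr0 fe80::1
```

The RA rules deliberately match on `-i` as well, so a host with several bridges can carry a different accepted router address per bridge; the final `REJECT` from the quoted rule set is left out here because, scoped to the bridge, it would also cut off DNS to dnsmasq unless that is allowed first.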