[libvirt-users] NWFilter and IPv6
Laine Stump
laine at laine.org
Mon Nov 26 15:41:47 UTC 2012
On 11/07/2012 03:22 AM, Guido Winkelmann wrote:
> Hi,
>
> Libvirt's nwfilter ships a number of useful filter scripts by default, but
> none to handle IPv6 traffic. Is there a particular reason for that, or is that
> just because nobody has got around to that yet?
Hi Guido! I just saw this message you sent to the list a couple weeks ago.
Stefan Berger can confirm, but I believe the answer is the latter -
nobody has gotten around to it. I'm sure patches would be greatly
appreciated :-)
>
> One interesting thing about dealing with IPv6 traffic is that hosts often have
> several auto-configured addresses, usually at least one auto-configured link-
> local address under fe80::/64 and one auto-configured one from router-
> advertisements. For writing filter rules, it would be nice to have some
> function/notation to calculate those auto-configured addresses for the user,
> so we can write something like this:
>
> <rule action='return' direction='out' priority='500'>
> <ipv6 srcipaddr='ipv6_autoconf($IPV6_PREFIX[@1], $IPV6_MASK[@1], $MAC)'/>
> </rule>
> <rule action='return' direction='out' priority='500'>
> <ipv6 srcipaddr='$IPV6'/>
> </rule>
> <rule action='drop' direction='out' priority='1000'/>
>
> or maybe more like this:
>
> <ipv6 mode='autoconf' field='srcipaddr' prefix='$IPV6_PREFIX[@1]'
> netmask='$IPV6_MASK[@1]' mac='$MAC)'/>
There is similar functionality for IPv4, and it would be nice to have
IPv6 variables that parallel those for IPv4. Again - patches welcome!
More information about the libvirt-users
mailing list