[libvirt] Proposed: always allow packets internal to an interface

Daniel P. Berrange berrange at redhat.com
Thu Nov 8 21:44:36 UTC 2012

On Thu, Nov 08, 2012 at 02:41:29PM -0500, Laine Stump wrote:
> On 11/07/2012 04:25 PM, Gene Czarcinski wrote:
> > IPv4 and IPv6 networks are supposed to have the same (more or less)
> > functionality so why isn't this OK.
> "Maintaining backward compatibility", both API and operational. In the
> past it wasn't the case that we simply did nothing about ipv6 on
> libvirt's networks, instead we explicitly set a sysctl to *disable* it.
> That must have been done for some reason. That reason may no longer be
> valid, but we don't know that yet (it happened before I was around). If
> the reason is no longer valid, we can go ahead as you suggest (and I
> would say we don't even need an option to not have ip6tables, just force
> people to build the full iptables package as God intended :-P). If the
> reason *is* still valid, then we need to only enable the ipv6 sysctl and
> add the ip6tables rule in response to some new flag attribute in the
> network config.

If you don't disable IPv6 on the bridge device, then when starting the
network device, the kernel will auto-assign an IPv6 link local address,
which the guest can then use to communicate with the host. In the IPv4
case, if you don't specify any <ip> address, there is no "link local"
like address present, so there's no connectivity between guest and
host. So explicitly disabling IPv6 is in fact required in order to
give consistent behaviour between IPv6 and IPv4.

I've no objections to anyone adding a new 'ipv6=on|off' attribute to
the network XML so that admins can explicitly choose whether to allow
IPv6, independently of whether any <ip> element is set with an IPv6 address.

|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|
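The behaviour described above (a bridge with IPv6 left enabled gets a kernel-assigned fe80::/64 link-local address, which gives the guest a path to the host that the IPv4 "no <ip>" case does not have) can be audited on a host with a small shell helper. The script below is an added example, not libvirt's own code or anything from this thread; it assumes a Linux host where `ip` is available and `/proc/sys/net/ipv6/conf/<iface>/disable_ipv6` exists, and the `ip -6 addr show` samples embedded in it are constructed for illustration.

```shell
#!/bin/sh
# Audit helper (added example, not libvirt code): does a libvirt bridge carry
# an IPv6 link-local address even though its network XML defines no IPv6 <ip>?

# Return 0 if the supplied `ip -6 addr show dev <br>` output contains a
# link-local (fe80::/10) address, 1 otherwise.
has_link_local() {
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*inet6 fe80:'
}

# Print the disable_ipv6 sysctl value for an interface (assumes a Linux host
# with /proc/sys mounted); prints "unknown" when the interface has no entry.
disable_ipv6_state() {
    f="/proc/sys/net/ipv6/conf/$1/disable_ipv6"
    if [ -r "$f" ]; then cat "$f"; else echo unknown; fi
}

# Constructed sample output, modelled on `ip -6 addr show dev virbr0` for a
# bridge on which IPv6 was left enabled: the kernel auto-assigned fe80::...
SAMPLE_ENABLED='3: virbr0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 fe80::5054:ff:fe12:3456/64 scope link
       valid_lft forever preferred_lft forever'

# Constructed sample for a bridge on which disable_ipv6=1 was set: no inet6 line.
SAMPLE_DISABLED='3: virbr0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000'

# Inspect a live bridge and report whether the guest<->host IPv6 path exists.
audit_bridge() {
    br="$1"
    out="$(ip -6 addr show dev "$br" 2>/dev/null || true)"
    if has_link_local "$out"; then
        echo "$br: IPv6 link-local present (guest<->host IPv6 path exists); disable_ipv6=$(disable_ipv6_state "$br")"
        echo "  to mirror the IPv4 'no <ip>' behaviour: sysctl -w net.ipv6.conf.$br.disable_ipv6=1"
    else
        echo "$br: no IPv6 link-local address; disable_ipv6=$(disable_ipv6_state "$br")"
    fi
}

# Usage: ./audit-bridge.sh virbr0
if [ $# -gt 0 ]; then audit_bridge "$1"; fi
```

Run it against each libvirt bridge (`virbr0`, ...) after a network is started; a bridge that reports a link-local address while its network XML has no IPv6 `<ip>` is the inconsistent case the message above describes, and the printed sysctl is the same knob libvirt uses to close it.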
