[libvirt] Proposed: always allow packets internal to an interface

Laine Stump laine at laine.org
Fri Nov 9 02:01:44 UTC 2012


On 11/08/2012 04:44 PM, Daniel P. Berrange wrote:
> On Thu, Nov 08, 2012 at 02:41:29PM -0500, Laine Stump wrote:
>> On 11/07/2012 04:25 PM, Gene Czarcinski wrote:
>>> IPv4 and IPv6 networks are supposed to have the same (more or less)
>>> functionality, so why isn't this OK?
>> "Maintaining backward compatibility", both API and operational. In the
>> past it wasn't the case that we simply did nothing about ipv6 on
>> libvirt's networks, instead we explicitly set a sysctl to *disable* it.
>> That must have been done for some reason. That reason may no longer be
>> valid, but we don't know that yet (it happened before I was around). If
>> the reason is no longer valid, we can go ahead as you suggest (and I
>> would say we don't even need an option to not have ip6tables, just force
>> people to build the full iptables package as God intended :-P). If the
>> reason *is* still valid, then we need to only enable the ipv6 sysctl and
>> add the ip6tables rule in response to some new flag attribute in the
>> network config.
> If you don't disable IPv6 on the bridge device, then when starting the
> network device, the kernel will auto-assign an IPv6 link local address,
> which the guest can then use to communicate with the host. In the IPv4
> case, if you don't specify any <ip> address, there is no "link local"
> like address present, so there's no connectivity between guest and
> host. So explicitly disabling IPv6 is in fact required in order to
> give consistent behaviour between IPv6 and IPv4.

Okay, so there's the straight dope :-)

> I've no objections to anyone adding a new 'ipv6=on|off' attribute to
> the network XML so that admins can explicitly choose whether to allow
> IPv6, independently of whether any <ip> element is set with an IPv6 address.

Hmm - would it maybe be okay to always add the ip6tables rule to allow
ipv6 traffic between interfaces on the bridge, while still setting
disable_ipv6=1 (unless there is an <ip> with an ipv6 address)? The
guests could then do IPv6 among themselves if they wanted, but there
would be no way to get to the host via IPv6.
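The state proposed above, written out as an added example (not libvirt code): the bridge keeps disable_ipv6=1 so the host never gets a link-local address on it, while an ip6tables FORWARD rule accepts bridge-internal traffic. The rule form (-i BR -o BR -j ACCEPT) is assumed here by analogy with libvirt's IPv4 intra-bridge rule, and the rule listing is constructed sample data.

```shell
#!/bin/sh
# Added example, not libvirt's own code. Two helpers:
#   ipv6_plan   - the commands that put a bridge into the proposed state
#   audit_state - check captured sysctl/ip6tables output against that state
# Caveat: bridged IPv6 frames only traverse ip6tables FORWARD when br_netfilter
# is loaded with net.bridge.bridge-nf-call-ip6tables=1; without it nothing is
# filtered on the bridge path at all, so the ACCEPT rule changes nothing.

ipv6_plan() {
    br="$1"
    # Host side: no link-local address, so guests cannot reach the host over IPv6.
    printf 'sysctl -w net.ipv6.conf.%s.disable_ipv6=1\n' "$br"
    # Guest side: traffic between interfaces on the same bridge is allowed
    # (rule form assumed to mirror libvirt's IPv4 rule).
    printf 'ip6tables -I FORWARD -i %s -o %s -j ACCEPT\n' "$br" "$br"
}

# audit_state BRIDGE DISABLE_IPV6 RULES
#   DISABLE_IPV6: contents of /proc/sys/net/ipv6/conf/BRIDGE/disable_ipv6
#   RULES:        output of `ip6tables -S FORWARD`
# Returns 0 when both conditions hold, 1 otherwise, naming what is off.
audit_state() {
    br="$1"; disable="$2"; rules="$3"; rc=0
    if [ "$disable" != "1" ]; then
        echo "host reachable over IPv6: disable_ipv6=$disable on $br"; rc=1
    fi
    if ! printf '%s\n' "$rules" | grep -qF -- "-A FORWARD -i $br -o $br -j ACCEPT"; then
        echo "no intra-bridge ACCEPT rule for $br in FORWARD"; rc=1
    fi
    return $rc
}

# Constructed sample standing in for live `ip6tables -S FORWARD` output.
SAMPLE_RULES='-P FORWARD ACCEPT
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
-A FORWARD -o virbr0 -j REJECT --reject-with icmp6-port-unreachable
-A FORWARD -i virbr0 -j REJECT --reject-with icmp6-port-unreachable'

# Live use on a host (needs root for ip6tables):
#   audit_state virbr0 "$(cat /proc/sys/net/ipv6/conf/virbr0/disable_ipv6)" "$(ip6tables -S FORWARD)"
```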