[libvirt] Plan A or Plan B?

Gene Czarcinski gene at czarc.net
Mon Nov 19 20:22:36 UTC 2012


On 11/19/2012 02:24 PM, Laine Stump wrote:
>>>> 1.  In a manner similar to what is done for IPV6, add ip6tables rules
>>>> to permit virtual systems to communicate via a defined virtual
>>>> interface which has no gateway addresses defined.  This does mean that
>>>> virtual systems will not be able to communicate with the host via this
>>>> interface ... only with each other.  Also, the following must be:
>>>>         net.ipv6.conf.virbr19.disable_ipv6 = 1
>>>> so that the kernel does not start anything.
>>> This discussion was left open at the end - Dan, do you see any problem
>>> with adding the rules permitting IPv6 traffic between the guests as long
>>> as the host has disable_ipv6 set? Or will we still need to add an
>>> "ipv6='yes'" attribute to the toplevel <network> element?
>> I have looked over the code as well as done some testing (the code is
>> all in network/bridge_driver.c).  Unless there really is an IPv6
>> address specified, disable_ipv6=1.
> Yes, technically it can be done. I just want to make sure that it
> satisfies everyone's "don't open a new hole by default"
>
Just trying to emphasize that the hole Dan is concerned about is not 
opened and, besides doing testing, he can verify this by looking at 
src/network/bridge_driver.c ... see networkAddGeneralIp6tablesRules() 
for the ip6tables rules and see networkSetIPv6Sysctls() for setting 
disable_ipv6.

Gene
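As an added example, not code from this thread or from libvirt itself: the script below models the kind of ip6tables FORWARD rules the thread describes for a bridge with no gateway address (guest-to-guest traffic on the bridge accepted, anything forwarded between the bridge and any other interface rejected) together with the disable_ipv6 sysctl, and checks the "no new hole" property against constructed packets. The exact rule shape, the uplink name eth0 and the sysctl sample are assumptions for illustration; libvirt's real rules are in networkAddGeneralIp6tablesRules() and are what to compare against `ip6tables -S FORWARD` on a host.

```python
# Added illustrative example, not libvirt's code. Models ip6tables rules of the
# shape discussed in the thread and checks that they only permit guest-to-guest
# IPv6 traffic on the bridge. Rule shape, "eth0" and the sysctl sample are assumed.
from dataclasses import dataclass
from typing import Dict, List, Optional

BRIDGE = "virbr19"  # bridge name used in the thread


@dataclass(frozen=True)
class Packet:
    chain: str            # "FORWARD" (bridged/routed) or "INPUT" (host-bound)
    in_if: Optional[str]  # ingress interface
    out_if: Optional[str]  # egress interface, None for INPUT


@dataclass(frozen=True)
class Rule:
    chain: str
    target: str           # "ACCEPT" or "REJECT"
    in_if: Optional[str] = None
    out_if: Optional[str] = None

    def matches(self, p: Packet) -> bool:
        return (self.chain == p.chain
                and (self.in_if is None or self.in_if == p.in_if)
                and (self.out_if is None or self.out_if == p.out_if))

    def as_command(self) -> str:
        """Render the rule as the ip6tables command that would add it."""
        parts = ["ip6tables", "-A", self.chain]
        if self.in_if:
            parts += ["-i", self.in_if]
        if self.out_if:
            parts += ["-o", self.out_if]
        parts += ["-j", self.target]
        return " ".join(parts)


def guest_only_rules(bridge: str) -> List[Rule]:
    """Assumed rule shape: guests on the bridge may talk to each other; nothing
    is forwarded between the bridge and any other interface."""
    return [
        Rule("FORWARD", "ACCEPT", in_if=bridge, out_if=bridge),  # guest <-> guest
        Rule("FORWARD", "REJECT", in_if=bridge),                 # guest -> elsewhere
        Rule("FORWARD", "REJECT", out_if=bridge),                # elsewhere -> guest
    ]


def verdict(rules: List[Rule], p: Packet, policy: str = "ACCEPT") -> str:
    """First matching rule wins, as in netfilter; otherwise the chain policy."""
    for r in rules:
        if r.matches(p):
            return r.target
    return policy


def parse_sysctl(output: str) -> Dict[str, str]:
    """Parse 'key = value' lines as printed by sysctl into a dict."""
    result: Dict[str, str] = {}
    for line in output.splitlines():
        if "=" in line:
            key, _, value = line.partition("=")
            result[key.strip()] = value.strip()
    return result


def host_ipv6_disabled(sysctls: Dict[str, str], bridge: str) -> bool:
    return sysctls.get(f"net.ipv6.conf.{bridge}.disable_ipv6") == "1"


def check_isolation(bridge: str, sysctl_output: str) -> Dict[str, object]:
    """Summarise what the modelled ruleset plus the sysctl permit."""
    rules = guest_only_rules(bridge)
    return {
        "guest_to_guest": verdict(rules, Packet("FORWARD", bridge, bridge)),
        "guest_to_uplink": verdict(rules, Packet("FORWARD", bridge, "eth0")),
        "uplink_to_guest": verdict(rules, Packet("FORWARD", "eth0", bridge)),
        "other_bridge_unaffected": verdict(rules, Packet("FORWARD", "virbr0", "eth0")),
        # With disable_ipv6=1 the kernel configures no IPv6 on the bridge, so in
        # this model there is no host IPv6 endpoint for guests to reach over it.
        "host_reachable_over_ipv6": not host_ipv6_disabled(parse_sysctl(sysctl_output), bridge),
    }


if __name__ == "__main__":
    # Constructed sysctl output, as the thread says it must read for this bridge.
    SAMPLE_SYSCTL = f"net.ipv6.conf.{BRIDGE}.disable_ipv6 = 1\n"
    for rule in guest_only_rules(BRIDGE):
        print(rule.as_command())
    print(check_isolation(BRIDGE, SAMPLE_SYSCTL))
```

On a real host, run `ip6tables -S FORWARD` and `sysctl net.ipv6.conf.virbr19.disable_ipv6` after starting the network and compare with the rendered commands and the sysctl value the model expects; a bridge that has an IPv6 gateway address defined will legitimately differ, since the host then takes part in the network.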