[libvirt] Enhancing clean-traffic to work with IPv6
Daniel P. Berrange
berrange at redhat.com
Fri Apr 4 14:06:31 UTC 2014
On Fri, Apr 04, 2014 at 09:35:26AM -0400, Brian Rak wrote:
> On 4/4/2014 4:55 AM, Daniel P. Berrange wrote:
> >On Thu, Apr 03, 2014 at 05:28:35PM -0400, Brian Rak wrote:
> >>I'm looking into adding IPv6 support to the nwfilter clean-traffic
> >>rules, but I'm unsure of the best approach to this. I'm planning on
> >>sending patches once I get this correct, so I'm trying to figure out
> >>what way fits in best.
> >>
> >>There's a couple different ways I can think of:
> >>
> >>1) Explicitly add v6 rules to the existing clean-traffic rules. This
> >>would enable IPv6 for guests whenever libvirt was upgraded, which
> >>may be a problem.
> >>2) Add another filter chain (clean-ipv6-traffic) that would do the
> >>same thing as clean-traffic, just for IPv6
> >>3) Add another filter chain (clean-ipv6-ipv4-traffic), that would
> >>clean IPv6 traffic, and include the clean-traffic filter set
> >>
> >>The limitation here is that IP learning will not work for IPv6, so
> >>actually using IPv6 is going to require passing in parameters to
> >>filter specifying what ranges the guest should be allowed to use. I
> >>think this rules out #1.
> >Why do you say IP learning won't work? The current impl of IP
> >learning only supports IPv4, but AFAIK, it should be viable to
> >enhance it to detect an address from the first outbound IPv6
> >packet, or by snooping DHCPv6 responses, just as we do for IPv4.
> >
>
> Right, that was mainly my point. Currently, IP learning does not
> support IPv6. It's probably possible to add support for this, but
> since we don't actually make use of IP learning at this point, it's
> not something I was planning on implementing.
Ok, but from the POV of the default out-of-the-box 'clean-traffic' filter
that we ship, I think that relying on IP learning is the best behaviour.
Regards,
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|
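
The idea raised in the thread, learning a guest's address from its first outbound IPv6 packet, sketched as an added example (not libvirt code and not written by either poster). It assumes untagged Ethernet frames; the function names, MAC addresses and sample frames are constructed for illustration. It skips the unspecified source `::`, which a guest uses for duplicate address detection probes before it owns an address.

```python
import ipaddress
import struct

ETH_HLEN = 14
ETHERTYPE_IPV6 = 0x86DD
IPV6_HLEN = 40


def ipv6_source(frame, guest_mac):
    """Return the IPv6 source address of a frame sent by guest_mac, else None."""
    if len(frame) < ETH_HLEN + IPV6_HLEN:
        return None  # truncated frame, nothing to learn
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if frame[6:12] != guest_mac or ethertype != ETHERTYPE_IPV6:
        return None  # not from this guest, or not IPv6
    ip6 = frame[ETH_HLEN:ETH_HLEN + IPV6_HLEN]
    if ip6[0] >> 4 != 6:
        return None  # version nibble must be 6
    return ipaddress.IPv6Address(ip6[8:24])  # source address field


def learn_first_ipv6(frames, guest_mac):
    """Return the first usable source address seen from the guest, else None."""
    for frame in frames:
        addr = ipv6_source(frame, guest_mac)
        # "::" is the DAD probe source; a multicast source is never valid.
        if addr is None or addr.is_unspecified or addr.is_multicast:
            continue
        return addr
    return None


def build_frame(src_mac, src_ip, dst_ip, ethertype=ETHERTYPE_IPV6):
    """Constructed sample frame: Ethernet header plus a bare IPv6 header."""
    eth = b"\x33\x33\x00\x00\x00\x01" + src_mac + struct.pack("!H", ethertype)
    # version 6, payload length 0, next header 59 (no next header), hop limit 255
    ip6 = struct.pack("!IHBB", 6 << 28, 0, 59, 255)
    ip6 += ipaddress.IPv6Address(src_ip).packed + ipaddress.IPv6Address(dst_ip).packed
    return eth + ip6


GUEST_MAC = bytes.fromhex("525400123456")   # constructed
OTHER_MAC = bytes.fromhex("5254009abcde")   # constructed
SAMPLE_FRAMES = [
    build_frame(GUEST_MAC, "::", "ff02::1:ff12:3456"),             # DAD probe
    build_frame(OTHER_MAC, "2001:db8::bad", "ff02::1"),            # another sender
    build_frame(GUEST_MAC, "fe80::5054:ff:fe12:3456", "ff02::2"),  # link-local
    build_frame(GUEST_MAC, "2001:db8::10", "2001:db8::1"),         # global
]
```

On the sample frames the first learned address is the link-local one, so a filter built this way would also have to admit the global address that appears afterwards.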