[libvirt] Enhancing clean-traffic to work with IPv6

Daniel P. Berrange berrange at redhat.com
Fri Apr 4 14:06:31 UTC 2014


On Fri, Apr 04, 2014 at 09:35:26AM -0400, Brian Rak wrote:
> On 4/4/2014 4:55 AM, Daniel P. Berrange wrote:
> >On Thu, Apr 03, 2014 at 05:28:35PM -0400, Brian Rak wrote:
> >>I'm looking into adding IPv6 support to the nwfilter clean-traffic
> >>rules, but I'm unsure of the best approach to this.  I'm planning on
> >>sending patches once I get this correct, so I'm trying to figure out
> >>what way fits in best.
> >>
> >>There's a couple different ways I can think of:
> >>
> >>1) Explicitly add v6 rules to the existing clean-traffic rules. This
> >>would enable IPv6 for guests whenever libvirt was upgraded, which
> >>may be a problem.
> >>2) Add another filter chain (clean-ipv6-traffic) that would do the
> >>same thing as clean-traffic, just for IPv6
> >>3) Add another filter chain (clean-ipv6-ipv4-traffic), that would
> >>clean IPv6 traffic, and include the clean-traffic filter set
> >>
> >>The limitation here is that IP learning will not work for IPv6, so
> >>actually using IPv6 is going to require passing in parameters to
> >>filter specifying what ranges the guest should be allowed to use.  I
> >>think this rules out #1.
> >Why do you say IP learning won't work ?  The current impl of IP
> >learning only supports IPv4, but AFAIK, it should be viable to
> >enhance it to detect an address from the first outbound IPv6
> >packet, or by snooping DHCPv6 responses, just as we do for IPv4
> >
>
> Right, that was mainly my point.  Currently, IP learning does not
> support IPv6.  It's probably possible to add support for this, but
> since we don't actually make use of IP learning at this point, it's
> not something I was planning on implementing.

Ok, but from the POV of the default out-of-the-box 'clean-traffic' filter
that we ship, I think that relying on IP learning is the best behaviour.


Regards,
Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|
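
Added example, not part of the original message and not libvirt's code: a sketch of the "learn from the first outbound IPv6 packet" idea raised in the thread. The function names and the sample frame builder are hypothetical. It shows why the literal first packet is often unusable: a guest's duplicate address detection probe is sent from the unspecified address (::), so the learner has to skip it and wait for a packet with a real source.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Returns 1 and copies the 16-byte source address into out when the frame is
 * an IPv6 packet sent by guest_mac with a usable source address, else 0. */
int learn_ipv6_src(const uint8_t *frame, size_t len,
                   const uint8_t guest_mac[6], uint8_t out[16])
{
    static const uint8_t unspecified[16] = {0};
    size_t off = 12;                        /* skip dst MAC + src MAC */

    if (len < 14 || memcmp(frame + 6, guest_mac, 6) != 0)
        return 0;                           /* short, or not sent by the guest */
    uint16_t type = (uint16_t)(frame[off] << 8 | frame[off + 1]);
    if (type == 0x8100) {                   /* one 802.1Q VLAN tag */
        off += 4;
        if (len < off + 2)
            return 0;
        type = (uint16_t)(frame[off] << 8 | frame[off + 1]);
    }
    off += 2;
    if (type != 0x86DD || len < off + 40)   /* IPv6 ethertype, fixed header */
        return 0;

    const uint8_t *ip6 = frame + off;
    if ((ip6[0] >> 4) != 6)                 /* version nibble */
        return 0;
    const uint8_t *src = ip6 + 8;           /* source address: bytes 8..23 */
    if (memcmp(src, unspecified, 16) == 0)  /* DAD probe, source is :: */
        return 0;
    if (src[0] == 0xff)                     /* multicast is never a valid source */
        return 0;

    memcpy(out, src, 16);
    return 1;
}

/* Constructed sample input: minimal Ethernet + IPv6 header, 54 bytes. */
size_t build_frame(uint8_t *buf, const uint8_t mac[6], const uint8_t src[16])
{
    memset(buf, 0, 54);
    memset(buf, 0x33, 6);                   /* dst MAC (constructed) */
    memcpy(buf + 6, mac, 6);                /* src MAC = guest interface */
    buf[12] = 0x86; buf[13] = 0xDD;         /* ethertype IPv6 */
    buf[14] = 0x60;                         /* version 6 */
    memcpy(buf + 14 + 8, src, 16);
    return 54;
}
```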



