[libvirt] [PATCH] Add V6LOCAL parameter to nwfilter rules.

Brian Rak brak at gameservers.com
Fri Apr 4 14:08:26 UTC 2014


On 4/4/2014 4:48 AM, Daniel P. Berrange wrote:
> On Wed, Apr 02, 2014 at 03:40:14PM -0400, Brian Rak wrote:
>> @@ -163,6 +164,28 @@ virNWFilterVarHashmapAddStdValues(virNWFilterHashTablePtr table,
>>                              "%s", _("Could not add variable 'MAC' to hashmap"));
>>               return -1;
>>           }
>> +
>> +        virMacAddr parsedMac;
>> +        if (virMacAddrParse(macaddr, &parsedMac) == 0)
>> +        {
>> +            parsedMac.addr[0] ^= 2;
>> +
>> +            char euiMacAddr[26];
>> +            snprintf(euiMacAddr, sizeof(euiMacAddr), "fe80::%x%x:%xff:fe%x:%x%x", parsedMac.addr[0], parsedMac.addr[1], parsedMac.addr[2],
>> +                parsedMac.addr[3], parsedMac.addr[4], parsedMac.addr[5]);
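Review bot: the format string `"fe80::%x%x:%xff:fe%x:%x%x"` drops the leading zero of any octet below 0x10, so the two octets that make up a hextet are concatenated wrongly (octets 0x12 and 0x05 print as `125`, which an IPv6 parser reads as 0x0125 instead of 0x1205), giving an address that does not match the guest's EUI-64 link-local address; use a fixed two-digit field per octet, e.g. `"fe80::%02x%02x:%02xff:fe%02x:%02x%02x"`. The 26-byte `euiMacAddr` buffer is exactly sized for that fixed-width form (25 characters plus the terminator), so it only works once the padding is in place. Minor style point: libvirt puts the opening brace on the same line as the `if (...)`.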
> Unfortunately this IPv6 addressing scheme isn't portable. Windows Vista
> will create link local addresses which are completely random, not based
> on the MAC address.
>
>    http://technet.microsoft.com/en-us/magazine/2007.08.cableguy.aspx
>
> I wonder if there's a way to do something more clever for IPv6 to learn
> the addresses, as we do for IPv4 address learning, or snoop route
> advertisement traffic as we do for DHCP
>
>
> Regards,
> Daniel
Vista can be configured to use the EUI64 format though (as per that
link).  I don't think that we can really trust that the guest is not
malicious, so I'm not sure that trying to learn the link-local IPv6
address would be secure.

I'm not sure if there's other security issues or not, but a malicious
guest using another guest's link local address would definitely cause
some problems.
