[libvirt] Question: forbid dnsmasq to install IPv6 default route

Maxim Perevedentsev mperevedentsev at virtuozzo.com
Thu Jun 16 12:14:54 UTC 2016


Hello guys!

I ran into a problem with installing an IPv6 default gateway on a centos7 guest 
while running dhcpv6.

=== Scheme ===

Guest has two network interfaces.

*eth0* is connected to Host-Only network over virbr0. This network has 
dhcpv6 set up.

[root@s143 ~]# virsh net-dumpxml Host-Only
<network connections='1'>
   <name>Host-Only</name>
   <uuid>11aa4e6a-9014-4dae-86b9-b13159896efe</uuid>
   <bridge name='virbr0' stp='off' delay='0'/>
   <mac address='52:54:00:1e:17:49'/>
   <ip family='ipv4' address='10.37.130.2' prefix='24'>
     <dhcp>
       <range start='10.37.130.1' end='10.37.130.254'/>
     </dhcp>
   </ip>
   <ip family='ipv6' address='fdb2:2c26:f4e4::1' prefix='64'>
     <dhcp>
       <range start='fdb2:2c26:f4e4::' end='fdb2:2c26:f4e4::ffff'/>
     </dhcp>
   </ip>
</network>

*eth1* is connected to Bridged network over br0 bridge on host enp4s0 
interface.

[root@s143 ~]# virsh net-dumpxml Bridged
<network connections='1'>
   <name>Bridged</name>
   <uuid>1ffa16f9-6a52-4710-9b58-52b8463cdece</uuid>
   <forward mode='bridge'/>
   <bridge name='br0'/>
</network>

[root@s143 ~]# virsh iface-dumpxml br0
<interface type='bridge' name='br0'>
   <protocol family='ipv4'>
     <ip address='10.94.1.161' prefix='16'/>
   </protocol>
   <protocol family='ipv6'>
     <ip address='2001:aaad::a5e:a28E' prefix='64'/>
     <ip address='fe80::be5f:f4ff:fe44:2cbb' prefix='64'/>
   </protocol>
   <bridge>
     <interface type='ethernet' name='vme42460d71'>
       <link state='unknown'/>
       <mac address='fe:1c:42:46:0d:71'/>
     </interface>
     <interface type='ethernet' name='enp4s0'>
       <link speed='1000' state='up'/>
       <mac address='bc:5f:f4:44:2c:bb'/>
     </interface>
   </bridge>
</interface>

=== Problem ===

Now I want to set the IPv6 address 2001:aaad::a5e:a28F on guest eth1 
(bridged to host) and install a default route:
ip -6 route add default via 2001:aaad::a5e:a290 dev eth1 // metric 1024

So I want all the IPv6 traffic w/o route to go into eth1, then through 
host bridge to gateway (same for host and guest).

The problem is that I see the following in my guest:
// the metric changes somehow, but this does not matter.
default via fe80::5054:ff:fe1e:1749 dev eth0  proto static  metric 100  pref medium
default via 2001:aaad::a5e:a290 dev eth1  metric 1024  pref medium

And the first (via link-local) route is preferred on routing.

[root@s143 ~]# ip -6 address show dev virbr0
6: virbr0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500
     inet6 fdb2:2c26:f4e4::1/64 scope global
        valid_lft forever preferred_lft forever
     inet6 fe80::5054:ff:fe1e:1749/64 scope link
        valid_lft forever preferred_lft forever

The problem is:
guest:/ # radvdump
#
# radvd configuration generated by radvdump 2.11
# based on Router Advertisement from fe80::5054:ff:fe1e:1749
# received by interface eth0
#

interface eth0
{
     AdvSendAdvert on;
     # Note: {Min,Max}RtrAdvInterval cannot be obtained with radvdump
     AdvManagedFlag on;
     AdvOtherConfigFlag on;
     AdvReachableTime 0;
     AdvRetransTimer 0;
     AdvCurHopLimit 64;
     AdvDefaultLifetime 1800; <----------------
     AdvHomeAgentFlag off;
     AdvDefaultPreference medium;
     AdvLinkMTU 1500;
     AdvSourceLLAddress on;

     prefix fdb2:2c26:f4e4::/64
     {
         AdvValidLifetime 3600;
         AdvPreferredLifetime 3600;
         AdvOnLink on;
         AdvAutonomous off;
         AdvRouterAddr off;
     }; # End of prefix definition


     RDNSS fe80::5054:ff:fe1e:1749
     {
         AdvRDNSSLifetime 3600;
     }; # End of RDNSS definition

}; # End of interface definition

So, dnsmasq includes its link-local address in the RA and
announces itself as a default gateway valid for 30 min.
The guest sees this RA and installs a route accordingly.

As a result, the default gateway requested by the user is overridden and 
thus not used.
We cannot just disable RA since we still need an IPv6 address on guest eth0 
(dhcp6 part of functionality).

=== Possible solutions ===

I see two possible solutions.
1) Tinker with routes.
As I said, the metric of installed RA routes may change and it's 
difficult to override them for sure (maybe with metric 0 or 1?)
Moreover, this may confuse the user and requires specific knowledge (IPv6, 
RA, etc.).

2) Forbid the guest to learn the default route from RA
sysctl -w net.ipv6.conf.eth0.accept_ra_defrtr=0
- This should be done for all virbr-based networks.
- This may confuse the user as well.

3) Forbid dnsmasq to announce the virbr0 link-local address as default gateway.
This can be done by adding 'ra-param=*,0,0' to 
/var/lib/libvirt/dnsmasq/Host-Only.conf
// interface=* (any), interval=0 (default), router_lifetime=0 (I am NOT 
your gateway, Luke).
// tested on dnsmasq-2.75-3.fc22 but should work from 2.67
Now the RA looks as follows:

linux-bnqo:/ # radvdump
#
# radvd configuration generated by radvdump 2.11
# based on Router Advertisement from fe80::5054:ff:fe1e:1749
# received by interface eth0
#

interface eth0
{
     AdvSendAdvert on;
     # Note: {Min,Max}RtrAdvInterval cannot be obtained with radvdump
     AdvManagedFlag on;
     AdvOtherConfigFlag on;
     AdvReachableTime 0;
     AdvRetransTimer 0;
     AdvCurHopLimit 64;
     AdvDefaultLifetime 0;
     AdvHomeAgentFlag off;
     AdvDefaultPreference medium;
     AdvLinkMTU 1500;
     AdvSourceLLAddress on;

     prefix fdb2:2c26:f4e4::/64
     {
         AdvValidLifetime 3600;
         AdvPreferredLifetime 3600;
         AdvOnLink on;
         AdvAutonomous off;
         AdvRouterAddr off;
     }; # End of prefix definition


     RDNSS fe80::5054:ff:fe1e:1749
     {
         AdvRDNSSLifetime 3600;
     }; # End of RDNSS definition

}; # End of interface definition

=== Conclusion ===

Please correct me if my setup itself is wrong and causes problems.
Maybe there are other solutions possible, w/o modifying libvirt/guest?
Would you accept patches related to the 3rd solution?

Looking forward to your replies.
Thanks in advance!

-- 
Yours sincerely,
Maxim Perevedentsev
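
Added example (not part of the original post, and not libvirt or dnsmasq code): a small RFC 4861 Router Advertisement parser showing why the first RA above makes the guest install a default route via eth0, while the `ra-param=*,0,0` variant does not and still keeps the DHCPv6 flags and prefix. The packets are constructed from the radvdump values in the post; all function names are hypothetical.

```python
import ipaddress
import struct

RA_HDR = "!BBHBBHII"      # type, code, cksum, hop limit, flags, router lifetime, reachable, retrans
PIO = "!BBBBIII16s"       # Prefix Information option (type 3, length 4 * 8 bytes)

def build_ra(router_lifetime, managed=True, other=True,
             prefix="fdb2:2c26:f4e4::", plen=64, on_link=True, autonomous=False):
    """Constructed sample RA mirroring the radvdump output (checksum left at 0)."""
    flags = (0x80 if managed else 0) | (0x40 if other else 0)
    hdr = struct.pack(RA_HDR, 134, 0, 0, 64, flags, router_lifetime, 0, 0)
    pflags = (0x80 if on_link else 0) | (0x40 if autonomous else 0)
    return hdr + struct.pack(PIO, 3, 4, plen, pflags, 3600, 3600, 0,
                             ipaddress.IPv6Address(prefix).packed)

def parse_ra(data):
    """Parse the ICMPv6 RA header and any Prefix Information options."""
    if len(data) < 16 or data[0] != 134:
        raise ValueError("not a Router Advertisement")
    _, _, _, hop, flags, lifetime, _, _ = struct.unpack(RA_HDR, data[:16])
    ra = {"hop_limit": hop, "managed": bool(flags & 0x80),
          "other": bool(flags & 0x40), "router_lifetime": lifetime, "prefixes": []}
    off = 16
    while off + 2 <= len(data):
        otype, olen = data[off], data[off + 1] * 8   # option length is in 8-byte units
        if olen == 0 or off + olen > len(data):
            raise ValueError("malformed option")
        if otype == 3 and olen == 32:
            _, _, plen, pflags, valid, pref, _, raw = struct.unpack(PIO, data[off:off + 32])
            ra["prefixes"].append({
                "prefix": f"{ipaddress.IPv6Address(raw)}/{plen}",
                "on_link": bool(pflags & 0x80), "autonomous": bool(pflags & 0x40),
                "valid_lifetime": valid, "preferred_lifetime": pref})
        off += olen
    return ra

def installs_default_route(ra, accept_ra_defrtr=1):
    """A router lifetime of 0 means 'not a default router' (RFC 4861);
    accept_ra_defrtr=0 on the guest ignores the lifetime entirely."""
    return accept_ra_defrtr == 1 and ra["router_lifetime"] > 0

if __name__ == "__main__":
    for label, lifetime in (("default dnsmasq RA", 1800), ("ra-param=*,0,0", 0)):
        ra = parse_ra(build_ra(lifetime))
        print(f"{label}: lifetime={ra['router_lifetime']} M={ra['managed']} "
              f"O={ra['other']} default_route={installs_default_route(ra)}")
```

The same parser can be pointed at a captured RA payload to confirm which gateways a guest will accept on a given segment.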
