[libvirt] [PATCH 0/2] option to disable default gateway in IPv6 RA

Laine Stump laine at laine.org
Wed Jun 29 17:55:18 UTC 2016 

On 06/29/2016 10:17 AM, Maxim Perevedentsev wrote:
> In case of DHCPv6 in isolated network, we start dnsmasq
> which sends Router Advertisements (RA). If RA containts no gateway
> then the link-local address of the source of RA is considered
> a gateway (and guest installs a corresponding default route).
>
> If a guest has two network interfaces (public and isolated network)
> and the user installs a default route through "public" interface,
> the guest will have something like
>
> default via fe80::ffff:1:1 dev eth2  metric 1024
> default via fe80::5054:ff:fe0a:d808 dev eth3  proto ra  metric 1024  expires 1789sec
>
> RA route metric may vary, and it is preferred.
> The validity of default route is controlled by
> "default [route] lifetime" field in RA. If it is 0, then
> the default gateway announced is considered invalid,
> and no default route is installed into guest.
>
> dnsmasq 2.67+ supports "ra-param=<interface>,<RA interval>,<default lifetime>"
> option. We can pass "ra-param=*,0,0" (here, RA_interval=0 means default)
> to disable default gateway in RA.

Nice detective work! It's good that somebody is actually using IPv6 and 
finding things like this.

Since I'm in a bit of a rush today and this isn't a detailed nitpicky 
review anyway, I'm just going to put all my comments here in one place.

>
> This patchset adds <network ipv6noDefRoute="yes|no"> option
> to network xml and sets the above option to dnsmasq config
> if it is set to yes (default: no).

* I understand why you would want it defaulted to set the default route 
(and that you probably got the idea for the name from the existing local 
variable in virNetworkDefParseXml()[1], but I have a great dislike for 
double-negative attributes as they tend to confuse me (and others too I 
hope :-). I would rather than the option was "ipv6DefRoute" and 
defaulted to "yes" (this takes a bit more setup in the code, but is 
worth it).

* Beyond that, I think it would make more sense to have the option 
defined in the <ip> element for the IPv6 address rather than at the 
toplevel (I know there is already an option called "ipv6" at the 
toplevel, but that is a special case because it's telling what to do wrt 
IPv6 when there *aren't any* ipv6 <ip> elements in the network 
definition). A question: would it be possible to set multiple IPv6 
addresses, and mark one of them as the default? If so, how would that be 
configured?

* When you're checking for whether or not dnsmasq is able to support the 
option you're using, you base this on a dnsnasq version number. Is there 
any chance that the necessary info could be learned from the output of 
dnsmasq --help? Would it be adequate to just check for the presence of 
the string "--ra-param=" in the help output? This is already done to 
check for dnsmasq's use of SO_BINDTODEVICE - see 
dnsmasqCapsSetFromBuffer(). I'm guessing you based your addition on the 
existing code for DNSMASQ_DHCPv6_SUPPORT() and DNSMASQ_RA_SUPPORT(), but 
I think those were probably put in before the patches that added parsing 
of --help output to learn dnsmasq capabilities.

* the split between the two patches is a bit odd compared to the way we 
normally add new features exposed in XML. Usually there would be 2 or 3 
of the following, in the given order:

1) any new low level utilities needed (repeat as necessary), e.g. a 
patch adding a capabilities bit for the ability of dnsmasq to perform 
the needed function (it's not needed this time, but following this you 
could have patches adding new functionality in the utility functions for 
dnsmasq).

2) add the new config option to the schema, docs, parser/formatter, and 
xml2xml test cases (in a single patch)

3) add the code in the (in this case) network driver that examines the 
new config and capabilities flags, and if applicable calls the new low 
level utility to implement the config (in this case, there isn't a new 
low level function, you just add an extra argument to the dnsmasq 
commandline).



[1] Although the internal variable is called "ipv6nogwStr" it is used to 
"enable guest to guest IPv6 communication" and is publicly named simply 
"ipv6", so there is no double negative visible to the outside world.

>
> Maxim Perevedentsev (2):
>    dnsmasq: add option to disable IPv6 default gateway in RA
>    docs: add ipv6noDefRoute to schema and html.
>
>   docs/formatnetwork.html.in  | 15 ++++++++++++++-
>   docs/schemas/network.rng    |  5 +++++
>   src/conf/network_conf.c     | 17 +++++++++++++++++
>   src/conf/network_conf.h     |  3 +++
>   src/network/bridge_driver.c | 22 ++++++++++++++++++++++
>   src/util/virdnsmasq.h       |  6 ++++++
>   6 files changed, 67 insertions(+), 1 deletion(-)
>
> --
> 1.8.3.1
>
> --
> libvir-list mailing list
> libvir-list at redhat.com
> https://www.redhat.com/mailman/listinfo/libvir-list
>

More information about the libvir-list mailing list