[libvirt] [PATCH 0/2] option to disable default gateway in IPv6 RA
Laine Stump
laine at laine.org
Thu Jun 30 19:55:38 UTC 2016
On 06/30/2016 08:02 AM, Maxim Perevedentsev wrote:
> Laine, many thanks for such a detailed reply.
>
> On 06/29/2016 08:55 PM, Laine Stump wrote:
>>
>> * Beyond that, I think it would make more sense to have the option
>> defined in the <ip> element for the IPv6 address rather than at the
>> toplevel
> Why may we need it? We are talking about isolated networks, so what is
> the need for a gateway if all guests are in the same subnet? This is
> just what you fixed in a related commit
> 013427e6e733f7a662f4e8a9c11f7dad4cd65e3f.
Well, there is no config attached to that at all. And now that you
compare your patch to that patch (and remind me that I wrote it - even
after reading the commit log, I *still* don't remember doing it! :-O), I
don't think yours needs config either. Rather, I think it is *always* a
bug that we are causing guests to get a (bogus) default route on a
network that is designated as isolated.
>
> As I understand, the difference to IPv4 is that IPv6 RA cannot have
> empty default gateway. The link-local address of the source of RA is
> implicitly considered a gateway. And the only thing you can do is to
> set its lifetime to 0 to disable it.
>
> It occurred to me that these fixes can be treated as an extension of
> aforementioned commit,
> and we should just add "ra-param=*,0,0" to dnsmasq config if we have a
> new enough version.
Yes, I agree. Current behavior is a bug that nobody could possibly want
(the entire point of a network being "isolated" is that nothing can
escape via that network; we even force the dns server on that network to
never forward unresolvable requests), so libvirt should always disable
it if dnsmasq allows.
>
>> (I know there is already an option called "ipv6" at the toplevel, but
>> that is a special case because it's telling what to do wrt IPv6 when
>> there *aren't any* ipv6 <ip> elements in the network definition). A
>> question: would it be possible to set multiple IPv6 addresses, and
>> mark one of them as the default? If so, how would that be configured?
>
> From "man dnsmasq":
> "When RA is enabled, dnsmasq will advertise a prefix for each
> dhcp-range, with default router and recursive DNS server as the
> relevant link-local address on the machine running dnsmasq."
I guess I should spend some time brushing up on IPv6; I had thought that
the link-local address on any interface was only used for things like
address discovery, not for forwarding traffic.
>
> So it looks like this is impossible, at least for dnsmasq (I have not
> managed to make it work).
> A little googling gave me that radvd supports default route, but it
> is not the case.
>
>>
>> * When you're checking for whether or not dnsmasq is able to support
>> the option you're using, you base this on a dnsmasq version number.
>> Is there any chance that the necessary info could be learned from the
>> output of dnsmasq --help? Would it be adequate to just check for the
>> presence of the string "--ra-param=" in the help output? This is
>> already done to check for dnsmasq's use of SO_BINDTODEVICE - see
>> dnsmasqCapsSetFromBuffer(). I'm guessing you based your addition on
>> the existing code for DNSMASQ_DHCPv6_SUPPORT() and
>> DNSMASQ_RA_SUPPORT(), but I think those were probably put in before
>> the patches that added parsing of --help output to learn dnsmasq
>> capabilities.
> OK
>
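
The capability check and config line discussed in this thread, sketched as an added example that is not part of the original message or of libvirt's code. The function names `help_has_option` and `build_ra_conf` and the abbreviated help text are assumptions constructed for illustration; only `--ra-param=` and `ra-param=*,0,0` come from the thread.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed, abbreviated stand-ins for `dnsmasq --help` output. */
static const char HELP_NEW[] =
    "-z, --bind-interfaces       Bind only to interfaces in use.\n"
    "    --enable-ra             Send router-advertisements.\n"
    "    --ra-param=<iface>,...  Set router-advertisement parameters.\n";
static const char HELP_OLD[] =
    "-z, --bind-interfaces       Bind only to interfaces in use.\n"
    "    --enable-ra             Send router-advertisements.\n";

/* True if `opt` (e.g. "--ra-param=") starts a word in the help text, so text
 * that merely ends with the same characters does not count as support. */
static bool help_has_option(const char *help, const char *opt)
{
    for (const char *p = help; (p = strstr(p, opt)) != NULL; p++) {
        if (p == help || p[-1] == ' ' || p[-1] == '\t' || p[-1] == '\n')
            return true;
    }
    return false;
}

/* Write the RA-related dnsmasq config lines for a network into `out`.
 * Returns bytes written, or -1 if `out` is too small. */
static int build_ra_conf(char *out, size_t len, const char *help, bool isolated)
{
    /* Isolated network: emit the setting quoted in the thread (router
     * lifetime 0) so guests do not take the RA sender as default gateway.
     * Only done when this dnsmasq advertises the option in its help text. */
    bool zero_lifetime = isolated && help_has_option(help, "--ra-param=");
    int n = snprintf(out, len, "enable-ra\n%s",
                     zero_lifetime ? "ra-param=*,0,0\n" : "");
    return (n < 0 || (size_t)n >= len) ? -1 : n;
}

int main(void)
{
    char conf[64];
    if (build_ra_conf(conf, sizeof(conf), HELP_NEW, true) > 0)
        fputs(conf, stdout);
    return 0;
}
```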