[libvirt] [PATCH 0/2] option to disable default gateway in IPv6 RA

Laine Stump laine at laine.org
Thu Jun 30 19:55:38 UTC 2016


On 06/30/2016 08:02 AM, Maxim Perevedentsev wrote:
> Laine, many thanks for such a detailed reply.
>
> On 06/29/2016 08:55 PM, Laine Stump wrote:
>>
>> * Beyond that, I think it would make more sense to have the option 
>> defined in the <ip> element for the IPv6 address rather than at the 
>> toplevel 
> Why may we need it? We are talking about isolated networks, so what is 
> the need for a gateway if all guests are in the same subnet? This is 
> just what you fixed in a related commit 
> 013427e6e733f7a662f4e8a9c11f7dad4cd65e3f.

Well, there is no config attached to that at all. And now that you 
compare your patch to that patch (and remind me that I wrote it - even 
after reading the commit log, I *still* don't remember doing it! :-O), I 
don't think yours needs config either. Rather, I think it is *always* a 
bug that we are causing guests to get a (bogus) default route on a 
network that is designated as isolated.


>
> As I understand, the difference to IPv4 is that IPv6 RA cannot have 
> empty default gateway. The link-local address of the source of RA is 
> implicitly considered a gateway. And the only thing you can do is to 
> set its lifetime to 0 to disable it.
>
> It occurred to me that these fixes can be treated as an extension of 
> aforementioned commit,
> and we should just add "ra-param=*,0,0" to dnsmasq config if we have a 
> new enough version.

Yes, I agree. Current behavior is a bug that nobody could possibly want 
(the entire point of a network being "isolated" is that nothing can 
escape via that network; we even force the dns server on that network to 
never forward unresolvable requests), so libvirt should always disable 
it if dnsmasq allows.

>
>> (I know there is already an option called "ipv6" at the toplevel, but 
>> that is a special case because it's telling what to do wrt IPv6 when 
>> there *aren't any* ipv6 <ip> elements in the network definition). A 
>> question: would it be possible to set multiple IPv6 addresses, and 
>> mark one of them as the default? If so, how would that be configured?
>
> From "man dnsmasq":
> "When RA is enabled, dnsmasq will advertise a prefix for each 
> dhcp-range, with default router and recursive DNS server as the 
> relevant link-local address on the machine running dnsmasq."

I guess I should spend some time brushing up on IPv6; I had thought that 
the link-local address on any interface was only used for things like 
address discovery, not for forwarding traffic.

>
> So it looks like this is impossible, at least for dnsmasq (I have not 
> managed to make it work).
> A little googling told me that radvd supports a default route, but it 
> is not the case.
>
>>
>> * When you're checking for whether or not dnsmasq is able to support 
>> the option you're using, you base this on a dnsmasq version number. 
>> Is there any chance that the necessary info could be learned from the 
>> output of dnsmasq --help? Would it be adequate to just check for the 
>> presence of the string "--ra-param=" in the help output? This is 
>> already done to check for dnsmasq's use of SO_BINDTODEVICE - see 
>> dnsmasqCapsSetFromBuffer(). I'm guessing you based your addition on 
>> the existing code for DNSMASQ_DHCPv6_SUPPORT() and 
>> DNSMASQ_RA_SUPPORT(), but I think those were probably put in before 
>> the patches that added parsing of --help output to learn dnsmasq 
>> capabilities.
> OK
>
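
The approach agreed on in this thread, as an added sketch that is not libvirt's code and not part of the original message: probe the `dnsmasq --help` text for `--ra-param=` instead of comparing version numbers, and emit `ra-param=*,0,0` only for an isolated network with IPv6. The help excerpts are constructed, and `struct net_def`, `caps_has_ra_param()` and `emit_ra_conf()` are hypothetical names.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed excerpts standing in for `dnsmasq --help` output. */
static const char HELP_NEW[] =
    "    --enable-ra            Send router-advertisements\n"
    "    --ra-param=<iface>,... Set router-advertisement parameters\n";
static const char HELP_OLD[] =
    "    --enable-ra            Send router-advertisements\n";

/* Capability probe: search the help text for the option string rather
 * than trusting a version number. */
static bool caps_has_ra_param(const char *help)
{
    return help != NULL && strstr(help, "--ra-param=") != NULL;
}

/* Hypothetical network description; field names are not libvirt's. */
struct net_def {
    bool isolated;  /* no forwarding configured */
    bool has_ipv6;  /* at least one IPv6 <ip> element */
};

/* Write the RA override line into buf when it applies.
 * Returns 1 if written, 0 if not applicable or unsupported by this
 * dnsmasq, -1 if buf is too small. buf is left empty unless 1. */
static int emit_ra_conf(const struct net_def *net, const char *help,
                        char *buf, size_t len)
{
    int n;

    if (len > 0)
        buf[0] = '\0';
    if (!net->isolated || !net->has_ipv6 || !caps_has_ra_param(help))
        return 0;
    /* "*,0,0": every interface, router lifetime 0 (see the thread). */
    n = snprintf(buf, len, "ra-param=*,0,0\n");
    if (n < 0 || (size_t)n >= len) {
        if (len > 0)
            buf[0] = '\0';
        return -1;
    }
    return 1;
}
```
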



