[libvirt PATCH v2 3/3] network: wire up support for IPv6 NAT rules

Laine Stump laine at redhat.com
Thu Jun 11 15:26:49 UTC 2020


On 6/10/20 12:14 AM, Laine Stump wrote:
> On 6/9/20 12:17 PM, Daniel P. Berrangé wrote:
>> Now that we have support for IPv6 in the iptables helpers, and a new
>> option in the XML schema, we can wire up support for it in the network
>> driver.
>>
>> Signed-off-by: Daniel P. Berrangé <berrange at redhat.com>
>> ---
>>   src/network/bridge_driver_linux.c             |  23 +-
>>   .../nat-ipv6-masquerade-linux.args            | 228 ++++++++++++++++++
>>   .../nat-ipv6-masquerade.xml                   |  17 ++
>>   tests/networkxml2firewalltest.c               |   1 +
>>   4 files changed, 262 insertions(+), 7 deletions(-)
>>   create mode 100644 
>> tests/networkxml2firewalldata/nat-ipv6-masquerade-linux.args
>>   create mode 100644 
>> tests/networkxml2firewalldata/nat-ipv6-masquerade.xml
>>
>> diff --git a/src/network/bridge_driver_linux.c 
>> b/src/network/bridge_driver_linux.c
>> index b0bd207250..fcb3803965 100644
>> --- a/src/network/bridge_driver_linux.c
>> +++ b/src/network/bridge_driver_linux.c
>> @@ -307,7 +307,8 @@ int networkCheckRouteCollision(virNetworkDefPtr def)
>>       return ret;
>>   }
>>   -static const char networkLocalMulticast[] = "224.0.0.0/24";
>> +static const char networkLocalMulticastIPv4[] = "224.0.0.0/24";
>> +static const char networkLocalMulticastIPv6[] = "ffx2::/16";
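Review bot: the new constant "ffx2::/16" on the last `+` line is not a parseable address literal, so ip6tables will reject it when it is used as a `--destination`; in RFC 4291 notation the "x" in ffx2 is a placeholder for the 4-bit flags field, not a hex digit. The IPv6 counterpart of the link-local block 224.0.0.0/24 is link-local-scope multicast, so the line should read `static const char networkLocalMulticastIPv6[] = "ff02::/16";`, with the expected output in tests/networkxml2firewalldata/nat-ipv6-masquerade-linux.args updated to match.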
>
>
> Once I got everything built and tried starting a network with ipv6 
> nat, I got this error message:
>
>
> virsh net-start ipv6 error: Failed to start network ipv6 error: 
> COMMAND_FAILED: '/usr/sbin/ip6tables -w10 -w --table nat --insert 
> LIBVIRT_PRT --source 2001:4978:2ac:5::/80 --destination ffx2::/16 
> --jump RETURN' failed: ip6tables v1.8.3 (legacy): host/network 
> `ffx2::' not found Try `ip6tables -h' or 'ip6tables --help' for more 
> information.
>
>
> Do we need to do something different for multicast traffic in the case 
> of IPv6?
>
> Other than that it all looks good, so
>
>
> Reviewed-by: Laine Stump <laine at redhat.com>
>
>
> once the problem with multicast ffx2::/16 as the destination of a rule 
> is resolved.


Based on discussion on IRC, apparently the "x" in "ffx2" in the standards 
docs is intended to mean "any value for this digit", but so far only 
"ff02" is assigned/used, so we're in agreement that we should just 
change ffx2 (both here and in the test results file) to ff02.
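The failure in the thread is a literal that never parses as an address, so a cheap guard is to validate every prefix before it is handed to iptables/ip6tables. The following is an added example, not libvirt's code: `validate_prefix` performs the same kind of check ip6tables applied when it rejected "ffx2::/16", and `build_nat_return_rule` is a simplified, assumed stand-in for the driver's rule helper that builds the argument list seen in the error message. The prefix constants are copied from the patch and the discussion; the example source network is the one from the quoted error output.

```python
"""Validate NAT exclusion prefixes before they reach iptables/ip6tables.

Added example, not libvirt's code. ip6tables rejected "ffx2::/16" because the
literal does not parse as a network; the same check can be done up front.
"""
import ipaddress

# Values from the patch and the thread. The "x" in ffx2 is the flags-nibble
# placeholder from RFC 4291 notation, not a hex digit, so it never parses.
NETWORK_LOCAL_MULTICAST_IPV4 = "224.0.0.0/24"
NETWORK_LOCAL_MULTICAST_IPV6_BROKEN = "ffx2::/16"
NETWORK_LOCAL_MULTICAST_IPV6 = "ff02::/16"   # link-local-scope multicast


def validate_prefix(literal, version):
    """Return the parsed network, or None if `literal` is not a valid
    network of the requested IP version (4 or 6) with a clean prefix."""
    try:
        net = ipaddress.ip_network(literal, strict=True)
    except ValueError:          # covers AddressValueError / NetmaskValueError
        return None
    return net if net.version == version else None


def local_multicast_prefix(version):
    """Return the local multicast exclusion prefix for an address family."""
    return NETWORK_LOCAL_MULTICAST_IPV4 if version == 4 else NETWORK_LOCAL_MULTICAST_IPV6


def build_nat_return_rule(source, destination):
    """Assumed simplified stand-in for the driver's helper: build the argv
    for the RETURN rule that excludes `destination` from masquerading.
    Returns None instead of an unusable command if either literal is bad
    or the families do not match."""
    src = validate_prefix(source, 4) or validate_prefix(source, 6)
    if src is None:
        return None
    dst = validate_prefix(destination, src.version)
    if dst is None:
        return None
    tool = "iptables" if src.version == 4 else "ip6tables"
    return [tool, "--table", "nat", "--insert", "LIBVIRT_PRT",
            "--source", str(src), "--destination", str(dst),
            "--jump", "RETURN"]


if __name__ == "__main__":
    # Source network taken from the quoted error message.
    for dst in (NETWORK_LOCAL_MULTICAST_IPV6_BROKEN, NETWORK_LOCAL_MULTICAST_IPV6):
        print(dst, "->", build_nat_return_rule("2001:4978:2ac:5::/80", dst))
```

With the broken constant the helper returns None rather than a command that ip6tables will refuse; with ff02::/16 it produces the same rule shape as the failing command in the thread, and addresses such as ff02::1 and ff02::2 fall inside the prefix while wider-scope multicast (for example ff05::1) does not.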




