[libvirt-users] NWFilter and IPv6

Laine Stump laine at laine.org
Tue Dec 4 15:52:20 UTC 2012


On 12/04/2012 10:22 AM, Guido Winkelmann wrote:
> On Monday, 26 November 2012, 10:41:47, Laine Stump wrote:
>> On 11/07/2012 03:22 AM, Guido Winkelmann wrote:
>>> One interesting thing about dealing with IPv6 traffic is that hosts often
>>> have several auto-configured addresses, usually at least one
>>> auto-configured link-local address under fe80::/64 and one
>>> auto-configured one from router-advertisements. For writing filter
>>> rules, it would be nice to have some function/notation to calculate those
>>> auto-configured addresses for the user, so we can write something like
>>> this:
>>>
>>> <rule action='return' direction='out' priority='500'>
>>>   <ipv6 srcipaddr='ipv6_autoconf($IPV6_PREFIX[@1], $IPV6_MASK[@1], $MAC)'/>
>>> </rule>
>>> <rule action='return' direction='out' priority='500'>
>>>   <ipv6 srcipaddr='$IPV6'/>
>>> </rule>
>>> <rule action='drop' direction='out' priority='1000'/>
>>>
>>> or maybe more like this:
>>>
>>> <ipv6 mode='autoconf' field='srcipaddr' prefix='$IPV6_PREFIX[@1]'
>>> netmask='$IPV6_MASK[@1]' mac='$MAC'/>
>> There is similar functionality for IPv4, and it would be nice to have
>> IPv6 variables that parallel those for IPv4. Again - patches welcome!
> I don't quite understand, what similar functionality are you talking about? 
> IPv4 does not have stateless autoconfiguration...
>

I mean just the idea of being able to specify the IP address as a
variable in a rule, and have it be auto-discovered and filled in by
nwfilter.



