[libvirt-users] NWFilter and IPv6

Stefan Berger stefanb at linux.vnet.ibm.com
Wed Dec 5 00:18:01 UTC 2012


On 12/04/2012 09:39 AM, Guido Winkelmann wrote:
> Am Montag, 26. November 2012, 12:24:11 schrieb Stefan Berger:
>> On 11/26/2012 10:41 AM, Laine Stump wrote:
>>> On 11/07/2012 03:22 AM, Guido Winkelmann wrote:
>>>> Hi,
>>>>
>>>> Libvirt's nwfilter ships a number of useful filter scripts by default,
>>>> but none to handle IPv6 traffic. Is there a particular reason for that,
>>>> or is that just because nobody has got around to that yet?
>>> Hi Guido! I just saw this message you sent to the list a couple weeks ago.
>>>
>>> Stefan Berger can confirm, but I believe the answer is the latter -
>>> nobody has gotten around to it. I'm sure patches would be greatly
>>> appreciated :-)
>> Yes, patches would be appreciated. The IP address detection methods may
>> also need to be extended for IPv6 support.
>> One problem I want to mention, though: A bigger problem would be if a
>> machine wanted to use IPv4 and IPv6 (dual stack) and use DHCP for both,
>> which in effect would result in two variables that need to have values
>> detected which in turn would require partial instantiation of filters
>> (since one variable may not have a value assigned while the other has),
>> which does not currently work...
> Hm, how do you even do it with one variable? Do you leave the firewall
> undefined until you could detect the dhcp-answer package and then pull it up?
We assume that DHCP is being used and for example put a filter in that 
only allows DHCP traffic to pass and once we grab the IP address we 
instantiate the user-provided filter. For that we use $IP. The variable 
is set once the IP address has been detected. For IPv6 we should 
probably use $IPV6 (reserved variable).
>
>> Also as I recall for IPv4 the ARP-equivalent is NDP (Neighbor Discovery
>> Protocol based on ICMPv6), which may need support in ebtables. At least
>> a while ago there was no support for filtering that NDP subset of ICMPv6
>> in ebtables.
> According to the ebtables man-page, you've got --ip6-icmp-type, which should
> be enough for this. Router advertisements have ICMPv6 type 134 and multicast
> router advertisements are 153. AFAICT, you can just filter by those...

I am not the expert on IPv6, but from reading on this page here

http://www.tcpipguide.com/free/t_ICMPv6NeighborAdvertisementandNeighborSolicitation-2.htm

I get the impression that for example the target address should be 
verified for possible 'abuse'. I don't think one can grab that field 
with ebtables and compare against allowed values.

    Stefan
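To make the point in the message concrete (matching on ICMPv6 type alone, as ebtables --ip6-icmp-type does, versus also verifying the Neighbor Discovery target address), here is an added Python example. It is not libvirt or ebtables code; it parses a Neighbor Solicitation/Advertisement body per RFC 4861 and checks the target and link-layer fields against the addresses a guest is allowed to claim. The guest MAC and addresses, and the two sample messages, are constructed for the example.

```python
import ipaddress
import struct

# ICMPv6 Neighbor Discovery message types (RFC 4861)
ICMPV6_NEIGHBOR_SOLICITATION = 135
ICMPV6_NEIGHBOR_ADVERTISEMENT = 136

# ND option types (RFC 4861, section 4.6)
OPT_SOURCE_LINK_LAYER = 1
OPT_TARGET_LINK_LAYER = 2


def parse_nd_message(payload: bytes) -> dict:
    """Parse the body of an ICMPv6 NS (135) or NA (136) message.

    Layout (RFC 4861): type(1) code(1) checksum(2) flags/reserved(4)
    target address(16) options(8*length octets each).
    Raises ValueError for anything that is not a well-formed NS/NA.
    """
    if len(payload) < 24:
        raise ValueError("ICMPv6 ND message too short")
    msg_type, code, _checksum, flags = struct.unpack("!BBHI", payload[:8])
    if msg_type not in (ICMPV6_NEIGHBOR_SOLICITATION, ICMPV6_NEIGHBOR_ADVERTISEMENT):
        raise ValueError(f"not an NS/NA message: type {msg_type}")
    if code != 0:
        raise ValueError(f"NS/NA code must be 0, got {code}")
    target = ipaddress.IPv6Address(payload[8:24])

    # Walk the TLV options; length is in units of 8 octets and must be non-zero.
    options = {}
    offset = 24
    while offset < len(payload):
        if len(payload) - offset < 2:
            raise ValueError("truncated ND option header")
        opt_type, opt_len = payload[offset], payload[offset + 1]
        if opt_len == 0:
            raise ValueError("ND option with zero length")
        end = offset + opt_len * 8
        if end > len(payload):
            raise ValueError("truncated ND option body")
        if opt_type in (OPT_SOURCE_LINK_LAYER, OPT_TARGET_LINK_LAYER) and opt_len == 1:
            options[opt_type] = payload[offset + 2:offset + 8]  # 6-byte MAC
        offset = end

    return {
        "type": msg_type,
        "override": bool(flags & 0x20000000),  # NA 'O' flag (bit 29)
        "target": target,
        "link_layer": options.get(OPT_TARGET_LINK_LAYER, options.get(OPT_SOURCE_LINK_LAYER)),
    }


def check_nd_message(payload: bytes, allowed_ipv6: set, allowed_mac: bytes):
    """Return (accepted, reason) for an ND message sent by a guest interface.

    A type-only match would accept every NA; this additionally pins the
    target address and the advertised MAC to values the guest may claim.
    """
    try:
        msg = parse_nd_message(payload)
    except ValueError as exc:
        return False, f"malformed: {exc}"
    if msg["type"] == ICMPV6_NEIGHBOR_ADVERTISEMENT:
        if msg["target"] not in allowed_ipv6:
            return False, f"NA claims address {msg['target']} not assigned to this guest"
        if msg["link_layer"] is not None and msg["link_layer"] != allowed_mac:
            return False, "NA advertises a link-layer address that is not the guest's"
    else:  # NS: the guest may solicit any neighbour but must identify as itself
        if msg["link_layer"] is not None and msg["link_layer"] != allowed_mac:
            return False, "NS source link-layer option is not the guest's MAC"
    return True, "ok"


def build_nd_message(msg_type: int, target: str, mac: bytes, override: bool = False) -> bytes:
    """Build a constructed NS/NA body for testing (checksum left zero, not verified here)."""
    flags = 0x20000000 if (msg_type == ICMPV6_NEIGHBOR_ADVERTISEMENT and override) else 0
    opt_type = OPT_TARGET_LINK_LAYER if msg_type == ICMPV6_NEIGHBOR_ADVERTISEMENT else OPT_SOURCE_LINK_LAYER
    return (struct.pack("!BBHI", msg_type, 0, 0, flags)
            + ipaddress.IPv6Address(target).packed
            + bytes([opt_type, 1]) + mac)


# Constructed sample values (not from any real deployment)
GUEST_MAC = bytes.fromhex("525400aabbcc")
GUEST_ADDRS = {ipaddress.IPv6Address("fe80::5054:ff:feaa:bbcc"),
               ipaddress.IPv6Address("2001:db8::42")}

# NA for one of the guest's own addresses: passes both checks.
LEGIT_NA = build_nd_message(ICMPV6_NEIGHBOR_ADVERTISEMENT, "2001:db8::42", GUEST_MAC)
# NA whose target is a neighbour's address: type 136 alone would let it through,
# the target-address check is what rejects it.
FOREIGN_TARGET_NA = build_nd_message(ICMPV6_NEIGHBOR_ADVERTISEMENT, "2001:db8::1", GUEST_MAC, override=True)

if __name__ == "__main__":
    for name, pkt in (("legit", LEGIT_NA), ("foreign-target", FOREIGN_TARGET_NA)):
        print(name, check_nd_message(pkt, GUEST_ADDRS, GUEST_MAC))
```

The allowed address set is what the $IP / $IPV6 variable mechanism in the message would supply once detection has run; until then the filter has nothing to compare against, which is the partial-instantiation problem Stefan raises for dual-stack guests.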



