[libvirt-users] NWFilter and IPv6
Guido Winkelmann
guido-libvi at unknownsite.de
Wed Nov 7 08:22:56 UTC 2012
Hi,
Libvirt's nwfilter ships a number of useful filter scripts by default, but
none to handle IPv6 traffic. Is there a particular reason for that, or is that
just because nobody has got around to that yet?
One interesting thing about dealing with IPv6 traffic is that hosts often have
several auto-configured addresses, usually at least one auto-configured link-
local address under fe80::/64 and one auto-configured one from router-
advertisements. For writing filter rules, it would be nice to have some
function/notation to calculate those auto-configured addresses for the user,
so we can write something like this:
<rule action='return' direction='out' priority='500'>
<ipv6 srcipaddr='ipv6_autoconf($IPV6_PREFIX[@1], $IPV6_MASK[@1], $MAC)'/>
</rule>
<rule action='return' direction='out' priority='500'>
<ipv6 srcipaddr='$IPV6'/>
</rule>
<rule action='drop' direction='out' priority='1000'/>
or maybe more like this:
<ipv6 mode='autoconf' field='srcipaddr' prefix='$IPV6_PREFIX[@1]'
netmask='$IPV6_MASK[@1]' mac='$MAC)'/>
Guido
More information about the libvirt-users
mailing list