[libvirt-users] Privacy Extension not working in VM

Daniel P. Berrangé berrange at redhat.com
Mon Sep 23 10:09:00 UTC 2019


On Sat, Sep 21, 2019 at 11:28:56AM +0200, Thomas Luening wrote:
> Hello @ all
> 
> With the rebuilding of my Server from Debian 9 to Debian 10, I also switched
> from Virtual Box to Libvirt/KVM. Due to new requirements for the VMs, now I
> have an actual problem, which unfortunately I can not solve. The problem has
> already been discussed in the German Debian-Forum ... unfortunately also
> without success.
> 
> The facts:
> - ISP = Dual Stack with daily separation
> - Host and VM = Debian 10
> - The VMs are via macvtap-device regular LAN-Clients
>   - IPv4 = DHCP and NAT by DSL-Router
>   - IPv6 = GUA via RA and SLAAC (2003::/3)
> - IPv4 works fine in the VM
> - IPv6 (NDP, RA, SLAAC) works basically also fine in the VM
> 
> The existing problem in the VM:
> - MAC-Based GUA (2000::/3) is ok, both inbound and outbound
> 
> - Outbound traffic via the second GUA (PE-Based) is filtered apparently,
>   but not via packetfiltering, I don't know where. There are no error
>   messages. On the part of the kernel in the VM and the IPv6-stack,
>   everything looks completely ok, no error messages, except that
>   Outbound-Traffic by the PE-Address is quietly blocked. The MAC-
>   Based IPv6 works unchanged and without error as before.
> 
> My questions:
> 1. Is there a special setting for the VM, to allow the use of Privacy
>    Extensions for IPv6 unlimited?
> 2. Or is that possibly even a known and at the moment unsolved problem?
> 3. Or is this an intended limitation of virtualization?
> 
> Can anyone help me with a solution or a hint? Thank you.

You mention you used 'macvtap' but not which mode of macvtap? Nonetheless,
if you're using it in bridge mode, or passthrough mode, there should
be no filtering of guest traffic in general, since the guest traffic is
forwarded at the ethernet layer, not IP layer.

The exception would be if you have the br-netfilter extension loaded which
causes guest traffic to be processed by the host firewall.

Regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|
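
The two host-side facts the reply above asks about, the macvtap mode and whether br_netfilter is active, can be read from the guest's domain XML and from /proc. The following is an added example, not part of the original message; the sample XML, device names and module lines are constructed, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

DEFAULT_MODE = "vepa"  # libvirt's macvtap mode when <source> has no mode attribute

# Constructed sample inputs (not taken from the thread).
SAMPLE_XML = """<domain type='kvm'><devices>
  <interface type='direct'><source dev='enp3s0' mode='bridge'/></interface>
  <interface type='direct'><source dev='enp4s0'/></interface>
  <interface type='network'><source network='default'/></interface>
</devices></domain>"""
SAMPLE_MODULES = (
    "br_netfilter 28672 0 - Live 0x0000000000000000\n"
    "bridge 188416 1 br_netfilter, Live 0x0000000000000000\n"
)

def macvtap_modes(domain_xml):
    """Map each macvtap (type='direct') source device to its mode."""
    modes = {}
    for iface in ET.fromstring(domain_xml).iter("interface"):
        src = iface.find("source")
        if iface.get("type") == "direct" and src is not None:
            modes[src.get("dev")] = src.get("mode", DEFAULT_MODE)
    return modes

def br_netfilter_loaded(proc_modules):
    """True if br_netfilter is listed as a module in /proc/modules text."""
    return any(l.split()[:1] == ["br_netfilter"] for l in proc_modules.splitlines())

def bridged_ipv6_hits_host_firewall(proc_modules, nf_call_ip6tables):
    """True if the host hands bridged IPv6 frames to ip6tables.

    nf_call_ip6tables is the text of
    /proc/sys/net/bridge/bridge-nf-call-ip6tables, or None when that file is
    absent (the sysctl only exists while br_netfilter is active).
    """
    active = br_netfilter_loaded(proc_modules) or nf_call_ip6tables is not None
    return active and (nf_call_ip6tables or "").strip() == "1"

if __name__ == "__main__":
    for dev, mode in macvtap_modes(SAMPLE_XML).items():
        print(f"macvtap on {dev}: mode={mode}")
    print("br_netfilter loaded:", br_netfilter_loaded(SAMPLE_MODULES))
    print("bridged IPv6 passed to ip6tables:",
          bridged_ipv6_hits_host_firewall(SAMPLE_MODULES, "1\n"))
```

On a host, the inputs are the output of `virsh dumpxml` for the guest, the contents of `/proc/modules`, and the sysctl file named in the docstring.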



