ipv6 NAT; accept_ra errors and about network choice

Ian Wienand iwienand at redhat.com
Tue Aug 18 01:25:05 UTC 2020


On Tue, Aug 18, 2020 at 01:32:06AM +0200, Stefano Brivio wrote:
> The check comes from commit 00d28a78b5d1 ("network: check accept_ra
> before enabling ipv6 forwarding"), and it's there because the accept_ra
> flag works like this (from Documentation/networking/ip-sysctl.txt):
> 
> 		0 Do not accept Router Advertisements.
> 		1 Accept Router Advertisements if forwarding is disabled.
> 		2 Overrule forwarding behaviour. Accept Router Advertisements
> 		  even if forwarding is enabled.
> 
> Now, as libvirt enables IPv6 forwarding via
> /proc/sys/net/ipv6/conf/all/forwarding (in my opinion, this could be
> limited to the interfaces involved), router advertisements would start
> being discarded on all interfaces if this is '1'.
> 
> Another half-baked idea I was thinking about is: if there's at least one
> address on a given interface with the 'noprefixroute' flag, that means
> they are added by userspace. In that case,
> virNetDevIPCheckIPv6ForwardingCallback() could set data->hasRARoutes to
> false, and if userspace is explicitly handling RAs, don't worry at all
> about accept_ra -- 0 is fine if it was set e.g. by NetworkManager.
> Otherwise, just go ahead and set it to 2, we're not conflicting with
> anything that would set addresses from RAs (other than the kernel).

In

 https://www.redhat.com/archives/libvir-list/2020-August/msg00437.html

I proposed only checking the interfaces if they're set to "1" already.
I think that will mean we leave userspace configured addresses alone?

> Yes, that would be ideal. I don't think NAT with IPv6 is a wise thing
> to do, but my ISP just delegates a /64 prefix to me. So I need NDP
> proxying because my guests need to appear on the same network. I do it
> manually with something like:
> 
> 	echo 1 > /proc/sys/net/ipv6/conf/<upstream interface>/proxy_ndp
> 	ip -6 neigh add proxy <guest address> dev <upstream interface>
> 
> and passing my network prefix to libvirt:
> 
>   <ip family='ipv6' address='<my prefix>::1' prefix='64'>
>   </ip>

I still haven't found anything other than NAT that replicates the
simple case of a laptop with a wifi card and a docked network card
(and occasionally tethering via phone) that can switch between them
and have IPv6 "just work" (i.e. not having to drop to command line to
rework where proxy ndp is coming from, etc.).

As they say, the nice thing about standards is that there are so many to
choose from, so maybe I just haven't found the right standard yet :)

-i
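The accept_ra semantics quoted at the top of this message (0 never accept, 1 accept only while forwarding is off, 2 accept even with forwarding on) are easy to get wrong when a global forwarding flip is involved. The script below is an added example, not code from this thread or from libvirt: it walks a sysctl tree and reports the interfaces that will silently stop honouring Router Advertisements once forwarding is enabled, which is exactly the situation the commit's check is guarding against. The default tree path is the real one under /proc/sys/net/ipv6/conf; the `make_fake_conf` helper and its interface names are constructed so the check can be run offline.

```shell
#!/bin/sh
# Added example (not from the thread or libvirt): report interfaces whose
# accept_ra=1 will stop accepting Router Advertisements because IPv6
# forwarding is enabled on them. Semantics follow ip-sysctl.txt:
#   0 never accept RAs, 1 accept only while forwarding is disabled,
#   2 accept even when forwarding is enabled.

# ra_at_risk [CONF_ROOT]
# Walks CONF_ROOT (default: the kernel's /proc/sys/net/ipv6/conf) and prints
# "<iface> accept_ra=<n> forwarding=<n>" for every interface with
# accept_ra=1 and forwarding=1. 'all' and 'default' are pseudo-entries,
# not interfaces, so they are skipped.
ra_at_risk() {
    root="${1:-/proc/sys/net/ipv6/conf}"
    for dir in "$root"/*/; do
        iface=$(basename "$dir")
        case "$iface" in all|default) continue ;; esac
        [ -r "$dir/accept_ra" ] && [ -r "$dir/forwarding" ] || continue
        ra=$(cat "$dir/accept_ra")
        fwd=$(cat "$dir/forwarding")
        if [ "$ra" = 1 ] && [ "$fwd" = 1 ]; then
            echo "$iface accept_ra=$ra forwarding=$fwd"
        fi
    done
}

# make_fake_conf DIR
# Constructed sysctl tree (not a real system) for an offline run:
#   wlan0  keeps the kernel default accept_ra=1 and has forwarding on -> at risk
#   eth0   accept_ra=2, so RAs survive forwarding being enabled
#   virbr0 accept_ra=0, RAs were never accepted there
make_fake_conf() {
    base="$1"
    for i in all default eth0 wlan0 virbr0; do mkdir -p "$base/$i"; done
    echo 1 > "$base/all/forwarding";     echo 1 > "$base/all/accept_ra"
    echo 0 > "$base/default/forwarding"; echo 1 > "$base/default/accept_ra"
    echo 2 > "$base/eth0/accept_ra";     echo 1 > "$base/eth0/forwarding"
    echo 1 > "$base/wlan0/accept_ra";    echo 1 > "$base/wlan0/forwarding"
    echo 0 > "$base/virbr0/accept_ra";   echo 1 > "$base/virbr0/forwarding"
}

# Stand-alone demonstration against the constructed tree.
demo_root=$(mktemp -d)
make_fake_conf "$demo_root"
ra_at_risk "$demo_root"          # prints: wlan0 accept_ra=1 forwarding=1
rm -rf "$demo_root"
```

Run without an argument on a Linux host to inspect the live tree; an empty result means no interface would lose RAs when forwarding is switched on, which is the state the accept_ra=2 workaround (or limiting forwarding to the interfaces involved, as suggested above) is meant to reach.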
