Re: [libvirt] dhcp6, radvd, ip6tables, etc. (update)
On 10/30/2012 06:45 PM, R P Herrold wrote:
I think the rules you want are these (we use the symbolic names for
the packet sub-type as it makes things clearer)
# /etc/sysconfig/ip6tables
# ... -A INPUT -p ipv6-icmp --icmpv6-type router-advertisement
-s $IP6SERVER -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type router-advertisement
-j DROP
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -j REJECT --reject-with icmp6-adm-prohibited
# ...
I do not know that you need to filter or attempt to direct
'router-solicitation' as your comments mentioned. We have not had a
'real world' need to do so. We run a variation of these rules at pmman
from: man 8 ip6tables
icmp6
This extension can be used if ‘--protocol ipv6-icmp’ or
‘--protocol icmpv6’ is specified. It provides the following
option:
[!] --icmpv6-type type[/code]|typename
This allows specification of the ICMPv6 type, which
can be a numeric ICMPv6 type, type and code, or one
of the ICMPv6 type names shown by the command
ip6tables -p ipv6-icmp -h
It is not icmp6 but dhcpv6 packets.
As I explained earlier in the thread, there is a little 4 packet dance
which implements dhcpv6 addresses. Routing is handled by RA. The
difference is that you much have the AdvManagedFlag on for dhcpv6 and
off otherwise. There does not seem to be a problem with the RA packets
getting through.
But, for dhcpv6, you need port 547 packets (and specifically with a
destination address of ff02::01:2) to get through to the dnsmasq process
running on the virtualization host. To happen, this needs an additional
ip6tables rule. While just specifying "--dport 547" seems to work, the
"correct" appraach should also specify "--destination ff02::1:2" for
"--in-interface <our interface>".
This is what I have currently implemented and it seems to work well.
Gene
Gene