This patch adds the capability for virtual guests to do IPv6
communication via a virtual network interface with no IPv6
(gateway) addresses specified. This capability currently
exists for IPv4.
This patch allows creation of a completely isolated IPv6 network.
Note that virtual guests cannot communicate with the virtualization
host via this interface. Also note that:
net.ipv6.conf.<interface_name>.disable_ipv6 = 1
Also note that starting libvirtd has set the following:
net.bridge.bridge-nf-call-arptables = 1
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
although /etc/sysctl.conf has them all set to 0.
Note: If it is desired to control this behavior by having something like
ipv6='yes' on the <network> statement, then this should also be done for
ipv4.
---
docs/formatnetwork.html.in | 18 ++++++++++++++++++
src/network/bridge_driver.c | 22 ++++++++++++++--------
2 files changed, 32 insertions(+), 8 deletions(-)
diff --git a/docs/formatnetwork.html.in b/docs/formatnetwork.html.in
index 49206dd..7b3b25c 100644
--- a/docs/formatnetwork.html.in
+++ b/docs/formatnetwork.html.in
@@ -773,5 +773,23 @@
</forward>
</network></pre>
+ <h3><a name="examplesNoGateway">Network config with no gateway
addresses</a></h3>
+
+ <p>
+ A valid network definition can contain no IPv4 or IPv6 addresses. Such a definition
+ can be used for a "very private" or "very isolated" network since
it will not be
+ possible to communicate with the virtualization host via this network. However,
+ this virtual network interface can be used for communication between virtual guest
+ systems. This works for IPv4 and <span class="since">(Since
1.0.1)</span> IPv6.
+ </p>
+
+ <pre>
+ <network>
+ <name>nogw</name>
+ <uuid>7a3b7497-1ec7-8aef-6d5c-38dff9109e93</uuid>
+ <bridge name="virbr2" stp="on" delay="0"
/>
+ <mac address='00:16:3E:5D:C7:9E'/>
+ </network></pre>
+
</body>
</html>
diff --git a/src/network/bridge_driver.c b/src/network/bridge_driver.c
index 479ff29..c306d46 100644
--- a/src/network/bridge_driver.c
+++ b/src/network/bridge_driver.c
@@ -1616,15 +1616,16 @@ networkRemoveRoutingIptablesRules(struct network_driver *driver,
}
}
-/* Add all once/network rules required for IPv6 (if any IPv6 addresses are defined) */
+/* Add all once/network rules required for IPv6.
+ * Even if no IPv6 addresses are defined, allow IPv6 commuinications
+ * between virtual systems. If any IPv6 addresses are defined, then
+ * add the rules for regular operation.
+ */
static int
networkAddGeneralIp6tablesRules(struct network_driver *driver,
virNetworkObjPtr network)
{
- if (!virNetworkDefGetIpByIndex(network->def, AF_INET6, 0))
- return 0;
-
/* Catch all rules to block forwarding to/from bridges */
if (iptablesAddForwardRejectOut(driver->iptables, AF_INET6,
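Review bot: Removing the early return at the top of networkAddGeneralIp6tablesRules makes every network start install ip6tables rules, including IPv4-only networks on hosts with no ip6tables binary or no kernel IPv6 support; if iptablesAddForwardRejectOut fails there (the helper is not visible here), a network that started fine before this patch now fails to start. The commit message already floats an opt-in `ipv6='yes'` attribute on `<network>`; gating the address-less case behind such an attribute, or probing for ip6tables before installing the rules, would keep existing IPv4-only deployments working. The new header comment also has a typo: `* Even if no IPv6 addresses are defined, allow IPv6 communications`. The function body continues past this hunk.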
@@ -1652,6 +1653,10 @@ networkAddGeneralIp6tablesRules(struct network_driver *driver,
goto err3;
}
+ /* if no IPv6 addresses are defined, we are done. */
+ if (!virNetworkDefGetIpByIndex(network->def, AF_INET6, 0))
+ return 0;
+
/* allow DNS over IPv6 */
if (iptablesAddTcpInput(driver->iptables, AF_INET6,
network->def->bridge, 53) < 0) {
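Review bot: The new early-return comment says "we are done" but not why the split falls here, which is the non-obvious part of the change; I would make it `/* Without a host-side IPv6 address only the forwarding reject/cross rules above are needed (guest-to-guest isolation); the INPUT rules below target services the host offers on the bridge. */`. Whatever rules are added after this point in the function are now conditional on an address existing, so the removal path has to use the same predicate — worth stating in the comment so the two stay in sync. The enclosing function starts and ends outside this hunk.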
@@ -1688,11 +1693,12 @@ static void
networkRemoveGeneralIp6tablesRules(struct network_driver *driver,
virNetworkObjPtr network)
{
- if (!virNetworkDefGetIpByIndex(network->def, AF_INET6, 0))
- return;
+ if (virNetworkDefGetIpByIndex(network->def, AF_INET6, 0)) {
+ iptablesRemoveUdpInput(driver->iptables, AF_INET6, network->def->bridge,
53);
+ iptablesRemoveTcpInput(driver->iptables, AF_INET6, network->def->bridge,
53);
+ }
- iptablesRemoveUdpInput(driver->iptables, AF_INET6, network->def->bridge,
53);
- iptablesRemoveTcpInput(driver->iptables, AF_INET6, network->def->bridge,
53);
+ /* the following rules are there even if no IPv6 address has been defined */
iptablesRemoveForwardAllowCross(driver->iptables, AF_INET6,
network->def->bridge);
iptablesRemoveForwardRejectIn(driver->iptables, AF_INET6,
network->def->bridge);
iptablesRemoveForwardRejectOut(driver->iptables, AF_INET6,
network->def->bridge);
--
1.7.11.7