On 06/30/2016 08:02 AM, Maxim Perevedentsev wrote:
Laine, many thanks for such a detailed reply.
On 06/29/2016 08:55 PM, Laine Stump wrote:
>
> * Beyond that, I think it would make more sense to have the option
> defined in the <ip> element for the IPv6 address rather than at the
> toplevel
Why may we need it? We are talking about isolated networks, so what is
the need for a gateway if all guests are in the same subnet? This is
just what you fixed in a related commit
013427e6e733f7a662f4e8a9c11f7dad4cd65e3f.
Well, there is no config attached to that at all. And now that you
compare your patch to that patch (and remind me that I wrote it - even
after reading the commit log, I *still* don't remember doing it! :-O), I
don't think yours needs config either. Rather, I think it is *always* a
bug that we are causing guests to get a (bogus) default route on a
network that is designated as isolated.
As I understand it, the difference from IPv4 is that an IPv6 RA cannot have
an empty default gateway. The link-local address of the source of RA is
implicitly considered a gateway. And the only thing you can do is to
set its lifetime to 0 to disable it.
It occurred to me that these fixes can be treated as an extension of the
aforementioned commit,
and we should just add "ra-param=*,0,0" to dnsmasq config if we have a
new enough version.
Yes, I agree. Current behavior is a bug that nobody could possibly want
(the entire point of a network being "isolated" is that nothing can
escape via that network; we even force the dns server on that network to
never forward unresolvable requests), so libvirt should always disable
it if dnsmasq allows.
> (I know there is already an option called "ipv6" at the toplevel, but
> that is a special case because it's telling what to do wrt IPv6 when
> there *aren't any* ipv6 <ip> elements in the network definition). A
> question: would it be possible to set multiple IPv6 addresses, and
> mark one of them as the default? If so, how would that be configured?
From "man dnsmasq":
"When RA is enabled, dnsmasq will advertise a prefix for each
dhcp-range, with default router and recursive DNS server as the
relevant link-local address on the machine running dnsmasq."
I guess I should spend some time brushing up on IPv6; I had thought that
the link-local address on any interface was only used for things like
address discovery, not for forwarding traffic.
So it looks like this is impossible, at least for dnsmasq (I have not
managed to make it work).
A little googling told me that radvd supports a default route, but that
is not the case.
>
> * When you're checking for whether or not dnsmasq is able to support
> the option you're using, you base this on a dnsmasq version number.
> Is there any chance that the necessary info could be learned from the
> output of dnsmasq --help? Would it be adequate to just check for the
> presence of the string "--ra-param=" in the help output? This is
> already done to check for dnsmasq's use of SO_BINDTODEVICE - see
> dnsmasqCapsSetFromBuffer(). I'm guessing you based your addition on
> the existing code for DNSMASQ_DHCPv6_SUPPORT() and
> DNSMASQ_RA_SUPPORT(), but I think those were probably put in before
> the patches that added parsing of --help output to learn dnsmasq
> capabilities.
OK
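
As an added illustration (not part of the thread and not libvirt's code), the approach the thread converges on, probing the help text for "--ra-param=" and emitting "ra-param=*,0,0" only for an isolated network with IPv6, could look like this in C. The net_def struct, the function names and the sample help text are assumptions constructed for the example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins for `dnsmasq --help` output; not captured from real builds. */
static const char HELP_WITH_RA_PARAM[] =
    "    --dhcp-range=<spec>   Enable DHCP in the range given\n"
    "    --ra-param=<spec>     Set parameters for router advertisements\n";
static const char HELP_WITHOUT_RA_PARAM[] =
    "    --dhcp-range=<spec>   Enable DHCP in the range given\n";

/* Hypothetical, simplified network description (not libvirt's own structure). */
struct net_def {
    bool isolated;  /* no forwarding configured for this network */
    bool has_ipv6;  /* at least one IPv6 address is defined */
};

/* Capability probe: treat the option as supported if the help text lists it. */
bool dnsmasq_supports_ra_param(const char *help_text)
{
    return help_text != NULL && strstr(help_text, "--ra-param=") != NULL;
}

/* Returns bytes written (0 when no line is emitted), or -1 if buf is too small. */
int write_ra_conf(char *buf, size_t len, const struct net_def *net,
                  const char *help_text)
{
    if (len == 0)
        return -1;
    buf[0] = '\0';
    if (!net->isolated || !net->has_ipv6)
        return 0;   /* routed network, or no IPv6: nothing to add */
    if (!dnsmasq_supports_ra_param(help_text))
        return 0;   /* no --ra-param in the help text: do not emit the option */
    /* Line from the thread: lifetime 0 so guests get no default route from the RA. */
    int n = snprintf(buf, len, "ra-param=*,0,0\n");
    return (n < 0 || (size_t)n >= len) ? -1 : n;
}

int main(void)
{
    char buf[32];
    struct net_def net = { .isolated = true, .has_ipv6 = true };
    write_ra_conf(buf, sizeof buf, &net, HELP_WITH_RA_PARAM);
    fputs(buf, stdout);
    return 0;
}
```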