
On 11/19/2012 02:24 PM, Laine Stump wrote:
> 1. In a manner similar to what is done for IPV6, add ip6tables rules
> to permit virtual systems to communicate via a defined virtual
> interface which has no gateway addresses defined. This does mean that
> virtual systems will not be able to communicate with the host via this
> interface ... only with each other. Also, the following must be:
>
> net.ipv6.conf.virbr19.disable_ipv6 = 1
>
> so that the kernel does not start anything.
>
> This discussion was left open at the end - Dan, do you see any problem
> with adding the rules permitting IPv6 traffic between the guests as long
> as the host has disable_ipv6 set? Or will we still need to add an
> "ipv6='yes'" attribute to the toplevel <network> element?

I have looked over the code as well as done some testing (the code is all in network/bridge_driver.c). Unless there really is an IPv6 address specified, disable_ipv6=1. Yes, technically it can be done. I just want to make sure that it satisfies everyone's "don't open a new hole by default".
Just trying to emphasize that the hole Dan is concerned about is not opened and, besides doing testing, he can verify this by looking at src/network/bridge_driver.c ... see networkAddGeneralIp6tablesRules() for the ip6tables rules and see networkSetIPv6Sysctls() for setting disable_ipv6.

Gene
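The property argued in the thread, written up as an added audit script that is not libvirt's code nor part of the original mail: guest-to-guest IPv6 forwarding on a bridge is only acceptable while the host side of that bridge has disable_ipv6=1. The rule shape, the sysctl file layout under a caller-supplied root, and the make_fixture helper are assumptions so the check can run offline.

```shell
#!/bin/sh
# Added example (not libvirt's or the thread's code). Audits one bridge for
# the property argued in the thread: ip6tables may permit guest-to-guest IPv6
# traffic across a bridge only while the host side has disable_ipv6=1, so the
# guests can reach each other but not the host. Rule shape and file layout
# are assumptions; the real rules live in networkAddGeneralIp6tablesRules().

# audit_bridge_ipv6 BRIDGE SYSCTL_ROOT RULES_FILE
#   SYSCTL_ROOT is normally /proc/sys; RULES_FILE holds `ip6tables-save` output.
#   Returns 0 when the configuration is consistent, 1 when a hole is open.
audit_bridge_ipv6() {
    br=$1 sysroot=$2 rules=$3
    flag="$sysroot/net/ipv6/conf/$br/disable_ipv6"
    disabled=0
    [ -r "$flag" ] && disabled=$(cat "$flag")
    # Intra-bridge forwarding rule, e.g. "-A FORWARD -i virbr19 -o virbr19 -j ACCEPT"
    if grep -Eq -- "^-A FORWARD .*-i $br .*-o $br .*-j ACCEPT" "$rules"; then
        intra=1
    else
        intra=0
    fi
    if [ "$intra" -eq 1 ] && [ "$disabled" != 1 ]; then
        echo "$br: guest-to-guest IPv6 accepted but host IPv6 is enabled on the bridge" >&2
        return 1
    fi
    echo "$br: ok (intra-bridge accept=$intra, disable_ipv6=$disabled)"
}

# make_fixture BRIDGE DISABLE_IPV6 ADD_ACCEPT -> prints a constructed sysctl
# root and writes constructed ip6tables-save output to "$root/rules".
# Used only to exercise the audit offline; not real host state.
make_fixture() {
    br=$1 root=$(mktemp -d)
    mkdir -p "$root/net/ipv6/conf/$br"
    echo "$2" > "$root/net/ipv6/conf/$br/disable_ipv6"
    {
        echo "*filter"
        [ "$3" -eq 1 ] && echo "-A FORWARD -i $br -o $br -j ACCEPT"
        echo "-A FORWARD -o $br -j REJECT --reject-with icmp6-port-unreachable"
        echo "COMMIT"
    } > "$root/rules"
    echo "$root"
}

# Example run on a constructed fixture (bridge name taken from the thread):
root=$(make_fixture virbr19 1 1); audit_bridge_ipv6 virbr19 "$root" "$root/rules"
```

On a live host, pass /proc/sys as the root and the output of `ip6tables-save` as the rules file.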