On Fri, Apr 04, 2014 at 09:35:26AM -0400, Brian Rak wrote:
> On 4/4/2014 4:55 AM, Daniel P. Berrange wrote:
>> On Thu, Apr 03, 2014 at 05:28:35PM -0400, Brian Rak wrote:
>>> I'm looking into adding IPv6 support to the nwfilter clean-traffic
>>> rules, but I'm unsure of the best approach to this. I'm planning on
>>> sending patches once I get this correct, so I'm trying to figure out
>>> what way fits in best.
>>>
>>> There's a couple different ways I can think of:
>>>
>>> 1) Explicitly add v6 rules to the existing clean-traffic rules. This
>>> would enable IPv6 for guests whenever libvirt was upgraded, which
>>> may be a problem.
>>> 2) Add another filter chain (clean-ipv6-traffic) that would do the
>>> same thing as clean-traffic, just for IPv6
>>> 3) Add another filter chain (clean-ipv6-ipv4-traffic), that would
>>> clean IPv6 traffic, and include the clean-traffic filter set
>>>
>>> The limitation here is that IP learning will not work for IPv6, so
>>> actually using IPv6 is going to require passing in parameters to
>>> filter specifying what ranges the guest should be allowed to use. I
>>> think this rules out #1.
>> Why do you say IP learning won't work? The current impl of IP
>> learning only supports IPv4, but AFAIK, it should be viable to
>> enhance it to detect an address from the first outbound IPv6
>> packet, or by snooping DHCPv6 responses, just as we do for IPv4
>>
> Right, that was mainly my point. Currently, IP learning does not
> support IPv6. It's probably possible to add support for this, but
> since we don't actually make use of IP learning at this point, it's
> not something I was planning on implementing.

Ok, but from the POV of the default out-of-the-box 'clean-traffic' filter
that we ship, I think that relying on IP learning is the best behaviour.
Regards,
Daniel
--
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|
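To make option 3 from the thread concrete, here is an added illustration (not a patch from the thread and not libvirt's shipped filter set) of a top-level filter that pulls in the existing `clean-traffic` rules via `<filterref>` and adds an IPv6 source-address check driven by a parameter the domain must supply, because nothing learns an IPv6 address for it. The filter names, the `IPV6` variable name, the bridge/MAC values and the `2001:db8::` addresses are assumptions chosen for the example; the rule shape follows the shipped `no-ip-spoofing` filter, which works the same way on the `ipv4-ip` chain with `$IP`.

```xml
<!-- Fragment 1 (its own file for `virsh nwfilter-define`): hypothetical helper filter.
     Modelled on the shipped no-ip-spoofing filter, but on the ipv6-ip chain. -->
<filter name='no-ipv6-spoofing-example' chain='ipv6-ip' priority='-710'>
  <!-- Let through outbound packets whose source is one of the addresses passed
       in the IPV6 parameter. $IPV6 expands to every value the domain supplies. -->
  <rule action='return' direction='out' priority='500'>
    <ipv6 srcipaddr='$IPV6'/>
  </rule>
  <!-- Everything else leaving the guest on this chain is dropped. -->
  <rule action='drop' direction='out' priority='1000'/>
</filter>

<!-- Fragment 2 (its own file): the option-3 top-level filter from the thread.
     It includes the unchanged clean-traffic set, so existing guests that keep
     using plain clean-traffic see no behaviour change after an upgrade. -->
<filter name='clean-ipv6-ipv4-traffic' chain='root'>
  <filterref filter='clean-traffic'/>
  <filterref filter='no-ipv6-spoofing-example'/>
</filter>

<!-- Fragment 3: the <interface> element of a domain definition using it.
     Unlike $IP, which IP learning can fill in, IPV6 has to be given explicitly;
     repeating the parameter turns it into a list of permitted addresses. -->
<interface type='bridge'>
  <source bridge='br0'/>
  <mac address='52:54:00:12:34:56'/>
  <filterref filter='clean-ipv6-ipv4-traffic'>
    <parameter name='IPV6' value='2001:db8::10'/>
    <parameter name='IPV6' value='2001:db8::11'/>
  </filterref>
</interface>
```

After defining the two filters, `virsh nwfilter-dumpxml clean-ipv6-ipv4-traffic` shows the included set, and an outbound IPv6 packet from any source other than the two listed addresses is dropped at the host's ebtables/ip6tables rules rather than reaching the bridge.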