Re: ipv6 NAT; accept_ra errors and about network choice

The check comes from commit 00d28a78b5d1 ("network: check accept_ra before enabling ipv6 forwarding"), and it's there because the accept_ra flag works like this (from Documentation/networking/ip-sysctl.txt): 0 Do not accept Router Advertisements. 1 Accept Router Advertisements if forwarding is disabled. 2 Overrule forwarding behaviour. Accept Router Advertisements even if forwarding is enabled. Now, as libvirt enables IPv6 forwarding via /proc/sys/net/ipv6/conf/all/forwarding (in my opinion, this could be limited to the interfaces involved), router advertisements would start being discarded on all interfaces if this is '1'. Another half-baked idea I was thinking about is: if there's at least one address on a given interface with the 'noprefixroute' flag, that means they are added by userspace. In that case, virNetDevIPCheckIPv6ForwardingCallback() could set data->hasRARoutes to false, and if userspace is explicitly handling RAs, don't worry at all about accept_ra -- 0 is fine if it was set e.g. by NetworkManager. Otherwise, just go ahead and set it to 2, we're not conflicting with anything that would set addresses from RAs (other than the kernel).

Yes, that would be ideal. I don't think NAT with IPv6 is a wise thing to do, but my ISP just delegates a /64 prefix to me. So I need NDP proxying because my guests need to appear on the same network. I do it manually with something like: echo 1 > /proc/sys/net/ipv6/conf/<upstream interface>/proxy_ndp ip -6 neigh add proxy <guest address> dev <upstream interface> and passing my network prefix to libvirt: <ip family='ipv6' address='<my prefix>::1' prefix='64'> </ip>