Re: [libvirt-users] NWFilter and IPv6
Am Montag, 26. November 2012, 12:24:11 schrieb Stefan Berger:
On 11/26/2012 10:41 AM, Laine Stump wrote:
> On 11/07/2012 03:22 AM, Guido Winkelmann wrote:
>> Hi,
>>
>> Libvirt's nwfilter ships a number of useful filter scripts by default,
>> but
>> none to handle IPv6 traffic. Is there a particular reason for that, or is
>> that just because nobody has got around to that yet?
>
> Hi Guido! I just saw this message you sent to the list a couple weeks ago.
>
> Stefan Berger can confirm, but I believe the answer is the latter -
> nobody has gotten around to it. I'm sure patches would be greatly
> appreciated :-)
Yes, patches would be appreciated. The IP address detection methods may
also need to be extended for IPv6 support.
One problem I want to mention, though: A bigger problem would be if a
machine wanted to use IPv4 and IPv6 (dual stack) and use DHCP for both ,
which in effect would result in two variables that need to have values
detected which in turn would require partial instantiation of filters
(since one variable may not have a value assigned while the other has),
which does not currently work...
Hm, how do you even do it with one variable? Do you leave the firewall
undefined until you could detect the dhcp-answer package and then pull it up?
Also as I recall for IPv4 the ARP-equivalent is NDP (Neighbor
Discovery
Protocol based on ICMPv6), which may need support in ebtables. At least
a while ago there was no support for filtering that NDP subset of ICMPv6
in ebtables.
According to the ebtables man-page, you've got --ip6-icmp-type, which should
be enough for this. Router advertisements have ICMPv6 type 134 and multicast
router advertisements are 153. AFAICT, you can just filter by those...
Guido