
On 12/04/2012 09:39 AM, Guido Winkelmann wrote:
> On Monday, 26 November 2012, 12:24:11 Stefan Berger wrote:
>> On 11/26/2012 10:41 AM, Laine Stump wrote:
>>> On 11/07/2012 03:22 AM, Guido Winkelmann wrote:
>>>> Hi,
>>>>
>>>> Libvirt's nwfilter ships a number of useful filter scripts by default, but none to handle IPv6 traffic. Is there a particular reason for that, or is that just because nobody has got around to that yet?
>>>
>>> Hi Guido! I just saw this message you sent to the list a couple weeks ago.
>>>
>>> Stefan Berger can confirm, but I believe the answer is the latter - nobody has gotten around to it. I'm sure patches would be greatly appreciated :-)
>>
>> Yes, patches would be appreciated. The IP address detection methods may also need to be extended for IPv6 support. One problem I want to mention, though: A bigger problem would be if a machine wanted to use IPv4 and IPv6 (dual stack) and use DHCP for both, which in effect would result in two variables that need to have values detected, which in turn would require partial instantiation of filters (since one variable may not have a value assigned while the other has), which does not currently work...
>
> Hm, how do you even do it with one variable? Do you leave the firewall undefined until you could detect the dhcp-answer package and then pull it up?

We assume that DHCP is being used and for example put a filter in that only allows DHCP traffic to pass, and once we grab the IP address we instantiate the user-provided filter. For that we use $IP. The variable is set once the IP address has been detected. For IPv6 we should probably use $IPV6 (reserved variable).

>> Also as I recall for IPv4 the ARP-equivalent is NDP (Neighbor Discovery Protocol based on ICMPv6), which may need support in ebtables. At least a while ago there was no support for filtering that NDP subset of ICMPv6 in ebtables.
>
> According to the ebtables man-page, you've got --ip6-icmp-type, which should be enough for this. Router advertisements have ICMPv6 type 134 and multicast router advertisements are 153. AFAICT, you can just filter by those...

I am not the expert on IPv6, but from reading on this page here http://www.tcpipguide.com/free/t_ICMPv6NeighborAdvertisementandNeighborSolic... I get the impression that for example the target address should be verified for possible 'abuse'. I don't think one can grab that field with ebtables and compare against allowed values.

Stefan
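The target-address check discussed above, as an added example that is not from this thread or from libvirt: a small Python parser that does the ICMPv6 type match ebtables offers via --ip6-icmp-type and then compares the NDP target address of a Neighbor Advertisement against the address the guest is allowed to claim (assumed here to be whatever $IPV6 detection produced). The frames, MAC addresses and 2001:db8:: addresses are constructed sample data, not captured traffic.

```python
import ipaddress
import struct

ETH_P_IPV6 = 0x86DD          # EtherType for IPv6
IPPROTO_ICMPV6 = 58          # IPv6 next-header value for ICMPv6
NEIGHBOR_SOLICITATION = 135  # RFC 4861 NDP message types
NEIGHBOR_ADVERTISEMENT = 136

def parse_ndp(frame):
    """Return (icmpv6_type, target_address) for an Ethernet/IPv6/ICMPv6 frame, else None.

    target_address is an ipaddress.IPv6Address for NS/NA messages and None otherwise.
    """
    if len(frame) < 14 + 40 + 4:
        return None
    if struct.unpack("!H", frame[12:14])[0] != ETH_P_IPV6:
        return None
    if frame[14 + 6] != IPPROTO_ICMPV6:      # next-header field of the IPv6 header
        return None
    icmp = frame[54:]
    icmp_type = icmp[0]
    target = None
    # NS/NA: 4-byte ICMPv6 header, 4 bytes of flags/reserved, then the 16-byte target address
    if icmp_type in (NEIGHBOR_SOLICITATION, NEIGHBOR_ADVERTISEMENT) and len(icmp) >= 24:
        target = ipaddress.IPv6Address(icmp[8:24])
    return icmp_type, target

def ndp_verdict(frame, allowed_targets):
    """Type-based filtering (what --ip6-icmp-type gives) plus the target-address check it cannot do."""
    allowed = {ipaddress.IPv6Address(a) for a in allowed_targets}
    parsed = parse_ndp(frame)
    if parsed is None:
        return "not-icmpv6"
    icmp_type, target = parsed
    if icmp_type == NEIGHBOR_ADVERTISEMENT:
        # A guest may only advertise the address detected for it (the $IPV6 value)
        return "accept" if target in allowed else "drop-spoofed-target"
    return "accept-other"

def build_neighbor_advertisement(src, dst, target):
    """Constructed sample frame (ICMPv6 checksum left as zero; not a captured packet)."""
    icmp = struct.pack("!BBHI", NEIGHBOR_ADVERTISEMENT, 0, 0, 0x20000000)   # type, code, csum, O flag
    icmp += ipaddress.IPv6Address(target).packed
    ip6 = struct.pack("!IHBB", 0x60000000, len(icmp), IPPROTO_ICMPV6, 255)  # ver=6, len, NH, hop limit
    ip6 += ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed
    eth = bytes.fromhex("333300000001") + bytes.fromhex("525400123456") + struct.pack("!H", ETH_P_IPV6)
    return eth + ip6 + icmp

if __name__ == "__main__":
    allowed = ["2001:db8::10"]   # hypothetical value that $IPV6 detection produced for the guest
    ok = build_neighbor_advertisement("fe80::1", "ff02::1", "2001:db8::10")
    spoof = build_neighbor_advertisement("fe80::1", "ff02::1", "2001:db8::99")
    print(ndp_verdict(ok, allowed), ndp_verdict(spoof, allowed))   # accept drop-spoofed-target
```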