Re: [PATCH 0/2] option to disable default gateway in IPv6 RA


On 06/30/2016 08:02 AM, Maxim Perevedentsev wrote:
Laine, many thanks for such a detailed reply.

On 06/29/2016 08:55 PM, Laine Stump wrote:

* Beyond that, I think it would make more sense to have the option defined in the <ip> element for the IPv6 address rather than at the toplevel
Why may we need it? We are talking about isolated networks, so what is the need for a gateway if all guests are in the same subnet? This is just what you fixed in a related commit 013427e6e733f7a662f4e8a9c11f7dad4cd65e3f.

Well, there is no config attached to that at all. And now that you compare your patch to that patch (and remind me that I wrote it - even after reading the commit log, I *still* don't remember doing it! :-O), I don't think yours needs config either. Rather, I think it is *always* a bug that we are causing guests to get a (bogus) default route on a network that is designated as isolated.



As I understand, the difference to IPv4 is that IPv6 RA cannot have empty default gateway. The link-local address of the source of RA is implicitly considered a gateway. And the only thing you can do is to set its lifetime to 0 to disable it.

It occurred to me that these fixes can be treated as an extension of aforementioned commit, and we should just add "ra-param=*,0,0" to dnsmasq config if we have a new enough version.

Yes, I agree. Current behavior is a bug that nobody could possibly want (the entire point of a network being "isolated" is that nothing can escape via that network; we even force the dns server on that network to never forward unresolvable requests), so libvirt should always disable it if dnsmasq allows.


(I know there is already an option called "ipv6" at the toplevel, but that is a special case because it's telling what to do wrt IPv6 when there *aren't any* ipv6 <ip> elements in the network definition). A question: would it be possible to set multiple IPv6 addresses, and mark one of them as the default? If so, how would that be configured?

From "man dnsmasq":
"When RA is enabled, dnsmasq will advertise a prefix for each dhcp-range, with default router and recursive DNS server as the relevant link-local address on the machine running dnsmasq."

I guess I should spend some time brushing up on IPv6; I had thought that the link-local address on any interface was only used for things like address discovery, not for forwarding traffic.


So it looks like this is impossible, at least for dnsmasq (I have not managed to make it work). A little googling gave me that radvd supports default route, but it is not the case.


* When you're checking for whether or not dnsmasq is able to support the option you're using, you base this on a dnsmasq version number. Is there any chance that the necessary info could be learned from the output of dnsmasq --help? Would it be adequate to just check for the presence of the string "--ra-param=" in the help output? This is already done to check for dnsmasq's use of SO_BINDTODEVICE - see dnsmasqCapsSetFromBuffer(). I'm guessing you based your addition on the existing code for DNSMASQ_DHCPv6_SUPPORT() and DNSMASQ_RA_SUPPORT(), but I think those were probably put in before the patches that added parsing of --help output to learn dnsmasq capabilities.
OK


--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
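
The approach the thread converges on (probe the `--help` text for "--ra-param=" and, on an isolated network, emit "ra-param=*,0,0") sketched as an added example; this is not libvirt's code and not from either poster. The flag name, function names and help-text excerpts are hypothetical and constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical capability flag; not libvirt's own enum. */
enum { CAP_RA_PARAM = 1u << 0 };

/* Constructed excerpts standing in for `dnsmasq --help` output. */
static const char HELP_NEW[] =
    "    --enable-ra       Enable router advertisements\n"
    "    --ra-param=<iface>,<intval>,<lifetime>  Set RA parameters\n";
static const char HELP_OLD[] =
    "    --enable-ra       Enable router advertisements\n";

/* Probe for the option string itself rather than comparing version numbers,
 * so a backported or stripped-down build is classified by what it accepts. */
unsigned caps_from_help(const char *help)
{
    unsigned caps = 0;
    if (help && strstr(help, "--ra-param="))
        caps |= CAP_RA_PARAM;
    return caps;
}

/* Write the RA part of a dnsmasq config for one network.
 * Returns 1 if the default-router suppression line was written, 0 if not,
 * -1 if the buffer was too small. */
int write_ra_conf(char *out, size_t len, unsigned caps, int isolated)
{
    int n = snprintf(out, len, "enable-ra\n");
    if (n < 0 || (size_t)n >= len)
        return -1;
    if (!isolated || !(caps & CAP_RA_PARAM))
        return 0;   /* routed network, or dnsmasq cannot express lifetime 0 */
    /* Router lifetime 0: the RA is still sent, but guests install no default route. */
    int m = snprintf(out + n, len - n, "ra-param=*,0,0\n");
    if (m < 0 || (size_t)m >= len - n)
        return -1;
    return 1;
}

int main(void)
{
    char conf[128];
    int r = write_ra_conf(conf, sizeof conf, caps_from_help(HELP_NEW), 1);
    printf("suppressed=%d\n%s", r, conf);
    r = write_ra_conf(conf, sizeof conf, caps_from_help(HELP_OLD), 1);
    printf("suppressed=%d\n%s", r, conf);
    return 0;
}
```

A return of 0 for an isolated network means guests will still learn a default route from the RA, which is worth logging by the caller.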