Re: [libvirt PATCH v2 3/3] network: wire up support for IPv6 NAT rules

[Laine Stump <laine@xxxxxxxxxx>]

On 6/10/20 12:14 AM, Laine Stump wrote:
> On 6/9/20 12:17 PM, Daniel P. Berrangé wrote:
> > Now that we have support for IPv6 in the iptables helpers, and a new
> > option in the XML schema, we can wire up support for it in the network
> > driver.
> >
> > Signed-off-by: Daniel P. Berrangé <berrange@xxxxxxxxxx>
> > ---
> >   src/network/bridge_driver_linux.c             |  23 +-
> >   .../nat-ipv6-masquerade-linux.args            | 228 ++++++++++++++++++
> >   .../nat-ipv6-masquerade.xml                   |  17 ++
> >   tests/networkxml2firewalltest.c               |   1 +
> >   4 files changed, 262 insertions(+), 7 deletions(-)
> >   create mode 100644 
> > tests/networkxml2firewalldata/nat-ipv6-masquerade-linux.args
> >   create mode 100644 
> > tests/networkxml2firewalldata/nat-ipv6-masquerade.xml
> >
> > diff --git a/src/network/bridge_driver_linux.c 
> > b/src/network/bridge_driver_linux.c
> > index b0bd207250..fcb3803965 100644
> > --- a/src/network/bridge_driver_linux.c
> > +++ b/src/network/bridge_driver_linux.c
> > @@ -307,7 +307,8 @@ int networkCheckRouteCollision(virNetworkDefPtr def)
> >       return ret;
> >   }
> >   -static const char networkLocalMulticast[] = "224.0.0.0/24";
> > +static const char networkLocalMulticastIPv4[] = "224.0.0.0/24";
> > +static const char networkLocalMulticastIPv6[] = "ffx2::/16";
>
>
> Once I got everything built and tried starting a network with ipv6 
> nat, I got this error message:
>
>
> virsh net-start ipv6 error: Failed to start network ipv6 error: 
> COMMAND_FAILED: '/usr/sbin/ip6tables -w10 -w --table nat --insert 
> LIBVIRT_PRT --source 2001:4978:2ac:5::/80 --destination ffx2::/16 
> --jump RETURN' failed: ip6tables v1.8.3 (legacy): host/network 
> `ffx2::' not found Try `ip6tables -h' or 'ip6tables --help' for more 
> information.
>
>
> Do we need to do something different for multicast traffic in the case 
> of IPv6?
>
> Other than that it all looks good, so
>
>
> Reviewed-by: Laine Stump <laine@xxxxxxxxxx>
>
>
> once the problem with multicast ffx2::/16 as the destination of a rule 
> is resolved.


Based on discussion on IRC, apparently the "x" "ffx2" in the standards 
docs is intended to mean "any value for this digit", but so far only 
"ff02" is assigned/used, so we're in agreement that we should just 
change ffx2 (both here and in the test results file) to ff02.