On 11/08/2012 04:44 PM, Daniel P. Berrange wrote:
> On Thu, Nov 08, 2012 at 02:41:29PM -0500, Laine Stump wrote:
>> On 11/07/2012 04:25 PM, Gene Czarcinski wrote:
>>> IPv4 and IPv6 networks are supposed to have the same (more or less)
>>> functionality so why isn't this OK.
>> "Maintaining backward compatibility", both API and operational. In the
>> past it wasn't the case that we simply did nothing about ipv6 on
>> libvirt's networks, instead we explicitly set a sysctl to *disable* it.
>> That must have been done for some reason. That reason may no longer be
>> valid, but we don't know that yet (it happened before I was around). If
>> the reason is no longer valid, we can go ahead as you suggest (and I
>> would say we don't even need an option to not have ip6tables, just force
>> people to build the full iptables package as God intended :-P). If the
>> reason *is* still valid, then we need to only enable the ipv6 sysctl and
>> add the ip6tables rule in response to some new flag attribute in the
>> network config.
> If you don't disable IPv6 on the bridge device, then when starting the
> network device, the kernel will auto-assign an IPv6 link local address,
> which the guest can then use to communicate with the host. In the IPv4
> case, if you don't specify any <ip> address, there is no "link local"
> like address present, so there's no connectivity between guest and
> host. So explicitly disabling IPv6 is in fact required in order to
> give consistent behaviour between IPv6 and IPv4.

Okay, so there's the straight dope :-)

> I've no objections to anyone adding a new 'ipv6=on|off' attribute to
> the network XML so that admins can explicitly choose whether to allow
> IPv6, independently of whether any <ip> element is set with an IPv6 address.

Hmm - would it maybe be okay to always add the ip6tables rule to allow
ipv6 traffic between interfaces on the bridge, while still setting
disable_ipv6=1 (unless there is an <ip> with an ipv6 address)?

The guests could then do IPv6 among themselves if they wanted, but there
would be no way to get to the host via IPv6.

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
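An added audit check, not code from the thread or from libvirt: given a libvirt network definition, it derives the disable_ipv6 value the bridge should carry (1 unless an <ip> holds an IPv6 address, or the 'ipv6=on' attribute proposed above is present) and compares it with what the kernel reports, so a bridge that would silently pick up a link-local address can be spotted. The 'ipv6' attribute, the read_disable_ipv6 helper and the XML samples are assumptions constructed for this example.

```python
import ipaddress
import xml.etree.ElementTree as ET

def network_wants_ipv6(xml_text):
    """True if the network definition intends IPv6 on its bridge."""
    root = ET.fromstring(xml_text)
    # Proposed (not yet existing in the thread) explicit opt-in attribute.
    if root.get("ipv6") == "on":
        return True
    for ip in root.findall("ip"):
        if ip.get("family") == "ipv6":
            return True
        addr = ip.get("address")
        # Tolerate an IPv6 address given without family= by inspecting it.
        if ip.get("family") is None and addr and ipaddress.ip_address(addr).version == 6:
            return True
    return False

def expected_disable_ipv6(xml_text):
    """sysctl net.ipv6.conf.<bridge>.disable_ipv6 the bridge should have."""
    return 0 if network_wants_ipv6(xml_text) else 1

def audit_bridge(xml_text, actual_disable_ipv6):
    """Compare intended and actual sysctl; returns (ok, explanation)."""
    expected = expected_disable_ipv6(xml_text)
    if actual_disable_ipv6 == expected:
        return True, "bridge sysctl matches network definition"
    if expected == 1:
        return False, ("IPv6 enabled on a bridge with no IPv6 <ip>: kernel assigns a "
                       "link-local address, giving guests a path to the host")
    return False, "IPv6 disabled although the network defines an IPv6 address"

def read_disable_ipv6(bridge):
    """Read the live sysctl for a bridge (hypothetical helper; needs Linux)."""
    with open(f"/proc/sys/net/ipv6/conf/{bridge}/disable_ipv6") as f:
        return int(f.read().strip())

# Constructed sample definitions in libvirt network XML form.
IPV4_ONLY = """<network><name>default</name><bridge name='virbr0'/>
<ip address='192.168.122.1' netmask='255.255.255.0'/></network>"""
DUAL_STACK = """<network><name>dual</name><bridge name='virbr1'/>
<ip address='192.168.123.1' netmask='255.255.255.0'/>
<ip family='ipv6' address='fd00:dead:beef::1' prefix='64'/></network>"""
PROPOSED_FLAG = """<network ipv6='on'><name>v6guests</name><bridge name='virbr2'/></network>"""

if __name__ == "__main__":
    # An IPv4-only bridge observed with disable_ipv6=0 is the case the thread warns about.
    print(audit_bridge(IPV4_ONLY, 0))
```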