On 11/19/2012 02:24 PM, Laine Stump wrote:
>>>1. In a manner similar to what is done for IPV6, add ip6tables rules
>>>to permit virtual systems to communicate via a defined virtual
>>>interface which has no gateway addresses defined. This does mean that
>>>virtual systems will not be able to communicate with the host via this
>>>interface ... only with each other. Also, the following must be:
>>> net.ipv6.conf.virbr19.disable_ipv6 = 1
>>>so that the kernel does not start anything.
>>This discussion was left open at the end - Dan, do you see any problem
>>with adding the rules permitting IPv6 traffic between the guests as long
>>as the host has disable_ipv6 set? Or will we still need to add an
>>"ipv6='yes'" attribute to the toplevel <network> element?
>I have looked over the code as well as done some testing (the code is
>all in network/bridge_driver.c). Unless there really is an IPv6
>address specified, disable_ipv6=1.
Yes, technically it can be done. I just want to make sure that it
satisfies everyone's "don't open a new hole by default".
Just trying to emphasize that the hole Dan is concerned about is not
opened and, besides doing testing, he can verify this by looking at
src/network/bridge_driver.c ... see networkAddGeneralIp6tablesRules()
for the ip6tables rules and see networkSetIPv6Sysctls() for setting
disable_ipv6.
Gene
--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
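The invariant Gene describes above ("unless there really is an IPv6 address specified, disable_ipv6=1") can be checked from the outside without reading bridge_driver.c. The script below is an added example written for this page, not libvirt code: it reads a libvirt <network> definition, derives the bridge name and whether any <ip family='ipv6'> address is configured, and compares the expected disable_ipv6 value against a snapshot of `sysctl -a` output. The network definitions and sysctl lines are constructed inputs (virbr19 is the interface named in the thread; virbr20 and the fd00:20::/64 prefix are made up for the example); on a real host you would feed it `virsh net-dumpxml NAME` and `sysctl -a`.

```python
# Added example (not libvirt's own code): check that a libvirt network whose
# definition carries no IPv6 address has net.ipv6.conf.<bridge>.disable_ipv6 = 1
# on the host, and that a network with an IPv6 address has it set to 0.
import xml.etree.ElementTree as ET


def bridge_name(network_xml: str) -> str:
    """Return the bridge device name from a <network> definition."""
    root = ET.fromstring(network_xml)
    bridge = root.find("bridge")
    if bridge is None or bridge.get("name") is None:
        raise ValueError("network definition has no <bridge name=...>")
    return bridge.get("name")


def has_ipv6_address(network_xml: str) -> bool:
    """True if the network defines at least one <ip family='ipv6' address=...>."""
    root = ET.fromstring(network_xml)
    return any(ip.get("family") == "ipv6" and ip.get("address")
               for ip in root.findall("ip"))


def expected_disable_ipv6(network_xml: str) -> int:
    """Value the sysctl should hold: 1 unless an IPv6 address is configured."""
    return 0 if has_ipv6_address(network_xml) else 1


def parse_sysctl(text: str) -> dict:
    """Parse 'key = value' lines in the format printed by `sysctl -a`."""
    values = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        values[key.strip()] = value.strip()
    return values


def check_network(network_xml: str, sysctl_text: str) -> list:
    """Return findings as strings; an empty list means the host matches."""
    findings = []
    br = bridge_name(network_xml)
    key = f"net.ipv6.conf.{br}.disable_ipv6"
    actual = parse_sysctl(sysctl_text).get(key)
    want = expected_disable_ipv6(network_xml)
    if actual is None:
        findings.append(f"{key}: not present in sysctl snapshot")
    elif actual != str(want):
        findings.append(f"{key}: is {actual}, expected {want}")
    return findings


# Constructed sample inputs for the example; not taken from a real host.
NET_NO_IPV6 = """<network>
  <name>isolated6</name>
  <bridge name='virbr19'/>
  <ip address='192.168.19.1' netmask='255.255.255.0'/>
</network>"""

NET_WITH_IPV6 = """<network>
  <name>dual</name>
  <bridge name='virbr20'/>
  <ip address='192.168.20.1' netmask='255.255.255.0'/>
  <ip family='ipv6' address='fd00:20::1' prefix='64'/>
</network>"""

SYSCTL_OK = """net.ipv6.conf.virbr19.disable_ipv6 = 1
net.ipv6.conf.virbr20.disable_ipv6 = 0"""

# Host where IPv6 was left enabled on the IPv4-only bridge: the case the
# thread is worried about.
SYSCTL_BAD = """net.ipv6.conf.virbr19.disable_ipv6 = 0
net.ipv6.conf.virbr20.disable_ipv6 = 0"""

if __name__ == "__main__":
    for xml in (NET_NO_IPV6, NET_WITH_IPV6):
        print(bridge_name(xml), check_network(xml, SYSCTL_BAD) or "ok")
```

The check only covers the sysctl half of the argument; whether the ip6tables rules added by networkAddGeneralIp6tablesRules() really confine guests to talking to each other still has to be read from `ip6tables -S` on the host, since the rule text is not reproduced in this thread.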