Re: Plan A or Plan B?

On 11/19/2012 02:24 PM, Laine Stump wrote:
>>>1.  In a manner similar to what is done for IPV6, add ip6tables rules
>>>to permit virtual systems to communicate via a defined virtual
>>>interface which has no gateway addresses defined.  This does mean that
>>>virtual systems will not be able to communicate with the host via this
>>>interface ... only with each other.  Also, the following must be:
>>>        net.ipv6.conf.virbr19.disable_ipv6 = 1
>>>so that the kernel does not start anything.
>>This discussion was left open at the end - Dan, do you see any problem
>>with adding the rules permitting IPv6 traffic between the guests as long
>>as the host has disable_ipv6 set? Or will we still need to add an
>>"ipv6='yes'" attribute to the toplevel <network> element?
>I have looked over the code as well as done some testing (the code is
>all in network/bridge_driver.c).  Unless there really is an IPv6
>address specified, disable_ipv6=1.
Yes, technically it can be done. I just want to make sure that it
satisfies everyone's "don't open a new hole by default"

Just trying to emphasize that the hole Dan is concerned about is not opened and, besides doing testing, he can verify this by looking at src/network/bridge_driver.c ... see networkAddGeneralIp6tablesRules() for the ip6tables rules and see networkSetIPv6Sysctls() for setting disable_ipv6.

Gene

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list

