On Fri, Apr 04, 2014 at 09:35:26AM -0400, Brian Rak wrote:
> On 4/4/2014 4:55 AM, Daniel P. Berrange wrote:
> >On Thu, Apr 03, 2014 at 05:28:35PM -0400, Brian Rak wrote:
> >>I'm looking into adding IPv6 support to the nwfilter clean-traffic
> >>rules, but I'm unsure of the best approach to this. I'm planning on
> >>sending patches once I get this correct, so I'm trying to figure out
> >>what way fits in best.
> >>
> >>There's a couple different ways I can think of:
> >>
> >>1) Explicitly add v6 rules to the existing clean-traffic rules. This
> >>would enable IPv6 for guests whenever libvirt was upgraded, which
> >>may be a problem.
> >>2) Add another filter chain (clean-ipv6-traffic) that would do the
> >>same thing as clean-traffic, just for IPv6
> >>3) Add another filter chain (clean-ipv6-ipv4-traffic), that would
> >>clean IPv6 traffic, and include the clean-traffic filter set
> >>
> >>The limitation here is that IP learning will not work for IPv6, so
> >>actually using IPv6 is going to require passing in parameters to
> >>filter specifying what ranges the guest should be allowed to use. I
> >>think this rules out #1.
> >Why do you say IP learning won't work? The current impl of IP
> >learning only supports IPv4, but AFAIK, it should be viable to
> >enhance it to detect an address from the first outbound IPv6
> >packet, or by snooping DHCPv6 responses, just as we do for IPv4
> >
> Right, that was mainly my point. Currently, IP learning does not
> support IPv6. It's probably possible to add support for this, but
> since we don't actually make use of IP learning at this point, it's
> not something I was planning on implementing.

Ok, but from the POV of the default out-of-the-box 'clean-traffic'
filter that we ship, I think that relying on IP learning is the best
behaviour.

Regards,
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|