Re: [PATCH] Add V6LOCAL parameter to nwfilter rules.

On 4/4/2014 4:48 AM, Daniel P. Berrange wrote:
On Wed, Apr 02, 2014 at 03:40:14PM -0400, Brian Rak wrote:
@@ -163,6 +164,28 @@ virNWFilterVarHashmapAddStdValues(virNWFilterHashTablePtr table,
                             "%s", _("Could not add variable 'MAC' to hashmap"));
              return -1;
          }
+
+        virMacAddr parsedMac;
+        if (virMacAddrParse(macaddr, &parsedMac) == 0)
+        {
+            parsedMac.addr[0] ^= 2;
+
+            char euiMacAddr[26];
+            snprintf(euiMacAddr, sizeof(euiMacAddr), "fe80::%x%x:%xff:fe%x:%x%x", parsedMac.addr[0], parsedMac.addr[1], parsedMac.addr[2],
+                parsedMac.addr[3], parsedMac.addr[4], parsedMac.addr[5]);
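Review bot: the `%x` conversions in the snprintf format drop leading zeros inside a hextet, so for a MAC whose bytes are 0x02 and 0x05 the first group prints as `25` rather than `0205`, which is a different IPv6 address (the ff:fe and the later groups have the same problem). Use `"fe80::%02x%02x:%02xff:fe%02x:%02x%02x"`; with zero-padding the output is always 25 characters, so the 26-byte `euiMacAddr` buffer holds it with the terminating NUL exactly. The `parsedMac.addr[0] ^= 2` flip of the universal/local bit is the correct modified EUI-64 step.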
Unfortunately this IPv6 addressing scheme isn't portable. Windows Vista
will create link local addresses which are completely random, not based
on the MAC address.

   http://technet.microsoft.com/en-us/magazine/2007.08.cableguy.aspx

I wonder if there's a way to do something more clever for IPv6 to learn
the addresses, as we do for IPv4 address learning, or snoop route
advertisement traffic as we do for DHCP


Regards,
Daniel
Vista can be configured to use the EUI64 format though (as per that link). I don't think that we can really trust that the guest is not malicious, so I'm not sure that trying to learn the link-local IPv6 address would be secure.

I'm not sure if there's other security issues or not, but a malicious guest using another guest's link local address would definitely cause some problems.
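As an added example (not code from the patch, from libvirt, or from either poster), here is the modified EUI-64 derivation that the patch and the replies above discuss, written out with the two steps the thread refers to: inverting the universal/local bit of the first MAC byte and inserting ff:fe between the two halves of the MAC (RFC 4291, Appendix A). The function names `mac_parse` and `mac_to_link_local` and the sample MAC are my own.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

/* Parse "aa:bb:cc:dd:ee:ff" into six bytes.
 * Returns 0 on success, -1 if the string is not exactly six hex octets. */
static int mac_parse(const char *s, uint8_t out[6])
{
    unsigned int b[6];
    char tail;

    /* The trailing %c only matches if there is junk after the sixth octet,
     * in which case sscanf returns 7 and we reject the input. */
    if (sscanf(s, "%2x:%2x:%2x:%2x:%2x:%2x%c",
               &b[0], &b[1], &b[2], &b[3], &b[4], &b[5], &tail) != 6)
        return -1;

    for (int i = 0; i < 6; i++)
        out[i] = (uint8_t)b[i];
    return 0;
}

/* Format the modified-EUI-64 link-local address for a MAC into buf.
 * The result is always 25 characters, so buflen must be at least 26.
 * Returns 0 on success, -1 if buf is too small. */
static int mac_to_link_local(const uint8_t mac[6], char *buf, size_t buflen)
{
    /* Step 1: invert the universal/local bit (bit 1 of the first octet). */
    uint8_t eui0 = mac[0] ^ 0x02;

    /* Step 2: split the MAC in two and insert ff:fe between the halves.
     * %02x keeps leading zeros so every hextet is exactly four digits. */
    int n = snprintf(buf, buflen, "fe80::%02x%02x:%02xff:fe%02x:%02x%02x",
                     eui0, mac[1], mac[2], mac[3], mac[4], mac[5]);

    return (n < 0 || (size_t)n >= buflen) ? -1 : 0;
}

/* Convenience wrapper: MAC string in, link-local string out. */
static int mac_string_to_link_local(const char *mac_str, char *buf, size_t buflen)
{
    uint8_t mac[6];

    if (mac_parse(mac_str, mac) < 0)
        return -1;
    return mac_to_link_local(mac, buf, buflen);
}

int main(void)
{
    char addr[26];
    /* Constructed sample MAC, not taken from any real host. */
    const char *mac = "00:1a:2b:3c:4d:5e";

    if (mac_string_to_link_local(mac, addr, sizeof(addr)) < 0) {
        fprintf(stderr, "bad MAC: %s\n", mac);
        return 1;
    }
    printf("%s -> %s\n", mac, addr);
    return 0;
}
```

The caveat raised in the thread applies to any use of this value: it predicts the link-local address only of a guest that actually derives it from the MAC (the Linux default, or Windows with random interface identifiers turned off). A guest using randomized or RFC 4941 temporary identifiers will not match, so a filter keyed only on this address blocks that guest's IPv6 link-local traffic rather than filtering it.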

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
