On Monday, 26 November 2012, 12:24:11, Stefan Berger wrote:
> On 11/26/2012 10:41 AM, Laine Stump wrote:
> > On 11/07/2012 03:22 AM, Guido Winkelmann wrote:
> >> Hi,
> >>
> >> Libvirt's nwfilter ships a number of useful filter scripts by default, but
> >> none to handle IPv6 traffic. Is there a particular reason for that, or is
> >> that just because nobody has got around to that yet?
> >
> > Hi Guido! I just saw this message you sent to the list a couple weeks ago.
> >
> > Stefan Berger can confirm, but I believe the answer is the latter -
> > nobody has gotten around to it. I'm sure patches would be greatly
> > appreciated :-)
>
> Yes, patches would be appreciated. The IP address detection methods may
> also need to be extended for IPv6 support.
> One problem I want to mention, though: A bigger problem would be if a
> machine wanted to use IPv4 and IPv6 (dual stack) and use DHCP for both,
> which in effect would result in two variables that need to have values
> detected which in turn would require partial instantiation of filters
> (since one variable may not have a value assigned while the other has),
> which does not currently work...

Hm, how do you even do it with one variable? Do you leave the firewall undefined until you could detect the dhcp-answer package and then pull it up?

> Also as I recall for IPv4 the ARP-equivalent is NDP (Neighbor Discovery
> Protocol based on ICMPv6), which may need support in ebtables. At least
> a while ago there was no support for filtering that NDP subset of ICMPv6
> in ebtables.

According to the ebtables man-page, you've got --ip6-icmp-type, which should be enough for this. Router advertisements have ICMPv6 type 134 and multicast router advertisements are 153. AFAICT, you can just filter by those...

Guido
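
The `--ip6-icmp-type` match mentioned in the reply above, shown as an added example that is not part of the original thread and is not libvirt's own nwfilter XML: plain ebtables rules that drop router advertisements (ICMPv6 type 134) arriving from a guest's tap device. The device name `vnet0`, the `APPLY` switch and the function names are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example: block IPv6 router advertisements sent by a guest.
# Assumptions: the guest's tap device is passed as $1 (default "vnet0"),
# and APPLY=1 means "run ebtables"; otherwise the rules are only printed.

RA_TYPE=134   # ICMPv6 Router Advertisement, the type named in the thread

# Accept only plain interface names so the value is safe on a command line.
valid_iface() {
    case $1 in
        ''|*[!A-Za-z0-9_.-]*) return 1 ;;
    esac
    [ "${#1}" -le 15 ]    # Linux interface names are at most 15 characters
}

# Dry-run by default: print the command instead of executing it.
run() {
    if [ "${APPLY:-0}" = 1 ]; then "$@"; else echo "$*"; fi
}

# Frames entering the bridge from a guest tap reach the other bridge ports
# through FORWARD and the host's own stack through INPUT, so a rule is
# needed in both chains. --ip6-icmp-type is only valid together with
# --ip6-protocol ipv6-icmp.
ra_guard() {
    valid_iface "$1" || { echo "bad interface name: $1" >&2; return 1; }
    for chain in INPUT FORWARD; do
        run ebtables -t filter -A "$chain" -i "$1" -p IPv6 \
            --ip6-protocol ipv6-icmp --ip6-icmp-type "$RA_TYPE" -j DROP
    done
}

ra_guard "${1:-vnet0}"
```

Run it without `APPLY=1` first to review the two generated rules before installing them as root.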