On 12/04/2012 09:39 AM, Guido Winkelmann wrote:
On Monday, 26 November 2012, 12:24:11, Stefan Berger wrote:
On 11/26/2012 10:41 AM, Laine Stump wrote:
On 11/07/2012 03:22 AM, Guido Winkelmann wrote:
Hi,
Libvirt's nwfilter ships a number of useful filter scripts by default, but
none to handle IPv6 traffic. Is there a particular reason for that, or is
that just because nobody has got around to that yet?
Hi Guido! I just saw this message you sent to the list a couple weeks ago.
Stefan Berger can confirm, but I believe the answer is the latter -
nobody has gotten around to it. I'm sure patches would be greatly
appreciated :-)
Yes, patches would be appreciated. The IP address detection methods may
also need to be extended for IPv6 support.
One problem I want to mention, though: A bigger problem would be if a
machine wanted to use IPv4 and IPv6 (dual stack) and use DHCP for both,
which in effect would result in two variables that need to have values
detected which in turn would require partial instantiation of filters
(since one variable may not have a value assigned while the other has),
which does not currently work...
Hm, how do you even do it with one variable? Do you leave the firewall
undefined until you could detect the DHCP answer packet and then pull it up?
We assume that DHCP is being used and for example put a filter in that
only allows DHCP traffic to pass and once we grab the IP address we
instantiate the user-provided filter. For that we use $IP. The variable
is set once the IP address has been detected. For IPv6 we should
probably use $IPV6 (reserved variable).
Also as I recall for IPv4 the ARP-equivalent is NDP (Neighbor Discovery
Protocol based on ICMPv6), which may need support in ebtables. At least
a while ago there was no support for filtering that NDP subset of ICMPv6
in ebtables.
According to the ebtables man-page, you've got --ip6-icmp-type, which should
be enough for this. Router advertisements have ICMPv6 type 134 and multicast
router advertisements are 153. AFAICT, you can just filter by those...
I am not the expert on IPv6, but from reading on this page here
http://www.tcpipguide.com/free/t_ICMPv6NeighborAdvertisementandNeighborSolicitation-2.htm
I get the impression that for example the target address should be
verified for possible 'abuse'. I don't think one can grab that field
with ebtables and compare against allowed values.
Stefan
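The last two messages draw the line between what ebtables can match (the ICMPv6 type, via --ip6-icmp-type) and what it cannot (the NDP target-address field). The following standalone check, added here as an illustration and not code from libvirt, nwfilter or ebtables, parses a guest-originated IPv6 packet and enforces the target-address verification Stefan describes; the packets, the allowed-address set and the 'allow'/'drop'/'pass' verdicts are constructed for the example.

```python
"""Verify NDP target addresses in guest-originated IPv6 packets.

Constructed example (not libvirt/nwfilter code): ebtables can drop by
ICMPv6 type, but checking that a Neighbor Advertisement only claims an
address assigned to the guest needs the target field, parsed here.
"""
import ipaddress
import struct

ICMPV6 = 58                               # IPv6 next-header value for ICMPv6
NDP_RA, NDP_NS, NDP_NA = 134, 135, 136    # ICMPv6 types used by NDP (RFC 4861)


def check_ndp(pkt: bytes, allowed: set) -> str:
    """Return 'allow', 'drop', or 'pass' (not NDP, outside this check's scope)."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        return "drop"                     # not a well-formed IPv6 header
    payload_len = struct.unpack("!H", pkt[4:6])[0]
    next_hdr = pkt[6]
    src = ipaddress.IPv6Address(pkt[8:24])
    if next_hdr != ICMPV6:
        return "pass"
    icmp = pkt[40:40 + payload_len]
    if len(icmp) < 4:
        return "drop"
    itype = icmp[0]
    if itype == NDP_RA:
        return "drop"                     # a guest must never advertise itself as a router
    if itype not in (NDP_NS, NDP_NA):
        return "pass"
    if len(icmp) < 24:
        return "drop"                     # NS/NA: 4-byte header, 4 bytes flags/reserved, 16-byte target
    target = ipaddress.IPv6Address(icmp[8:24])
    if itype == NDP_NS:
        # Duplicate Address Detection legitimately uses the unspecified source ::
        return "allow" if src == ipaddress.IPv6Address("::") or src in allowed else "drop"
    # Neighbor Advertisement: both the source and the advertised target must be the guest's own
    return "allow" if src in allowed and target in allowed else "drop"


def build_ndp(src: str, dst: str, itype: int, target: str) -> bytes:
    """Construct a minimal IPv6 + ICMPv6 NS/NA packet (checksum zeroed, no options)."""
    icmp = struct.pack("!BBHI", itype, 0, 0, 0) + ipaddress.IPv6Address(target).packed
    hdr = struct.pack("!IHBB", 6 << 28, len(icmp), ICMPV6, 255)  # version 6, hop limit 255
    return hdr + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed + icmp


# Constructed guest address set, standing in for the detected $IPV6 value(s)
GUEST_ADDRS = {ipaddress.IPv6Address("2001:db8::10"), ipaddress.IPv6Address("fe80::1")}
```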
_______________________________________________
libvirt-users mailing list
libvirt-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvirt-users