Re: [Xen-devel] [PATCH 4/5] hotplug/linux: Add IPv6 support to the iptables logic
On 2014-05-14 17:23, Sylvain Munaut wrote:
> This adds the same functions for ip6tables as the ones for iptables.
> The 'ip' variable can now contain ipv6s for the domain and add
> appropriate rules
>
> - If the 'ip' var is empty then both full IPv4 and IPv6 are allowed.
> - If only IPv4 ips are present, then IPv6 will be completely disallowed.
> - If only IPv6 ips are present, then IPv4 will be completely disallowed.
> - You can use ::0/0 or 0.0.0.0/0 to allow v6 or v4 globally but filter
> the other one.
>
> This gracefully handles the case where the dom0 doesn't have IPv6. If
> the call to ip6tables doesn't succeed, it just ignores any
> IPv6 stuff.
I think it would be a good idea to allow autoconfigured IPv6 addresses.
These have the lower 64 bits of the address set to a value based on the
interface MAC address (EUI-64), which is known in the vif script.
Unfortunately it is not easy to compute that suffix in a shell script.
In my setup I use a helper Python script, but I guess this might not be
the perfect solution for the standard scripts.
> + # Always allow ICMP messages from link-local addresses (for ND)
> + ip6tables "$c" FORWARD -m physdev --physdev-is-bridged --physdev-in "$dev"
> \
> + -s fe80::/64 -j ACCEPT 2>/dev/null &&
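Review bot: the rule ending in `-s fe80::/64 -j ACCEPT` is broader than the comment above it states: it accepts every protocol from any link-local source, not only the ICMPv6 messages neighbour discovery needs. Add a protocol match so the rule reads `ip6tables "$c" FORWARD -m physdev --physdev-is-bridged --physdev-in "$dev" -p ipv6-icmp -s fe80::/64 -j ACCEPT`, and reconsider whether `2>/dev/null` should also hide ip6tables failures other than the binary being absent, since a silently dropped rule leaves the guest less restricted than the script reports.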
I wonder if checking these addresses against the MAC address may be
desirable, especially when bridging. This would be assured by the same
rule as the other auto-configured addresses.
Greets,
Jacek
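The EUI-64 computation discussed above can in fact be done in plain POSIX sh. The following is an added example, not code from this thread or from the Xen vif scripts: it derives the modified EUI-64 suffix from a vif MAC, builds the link-local and (going beyond the message) the SLAAC address for a given /64 prefix, and prints the ip6tables rules that would pin the vif to those addresses instead of all of fe80::/64. The function names, the `-A` action standing in for the patch's `"$c"`, the device name vif1.0, the prefix 2001:db8:1:2 and the MAC 00:16:3e:aa:bb:cc are all constructed for the example; it assumes a shell whose `$(( ))` accepts 0x constants (dash and bash both do).

```sh
#!/bin/sh
# Added example (not from the thread or the Xen vif scripts): compute the
# modified EUI-64 interface identifier a guest will use for SLAAC from its
# vif MAC and emit per-address ip6tables rules. Assumes POSIX sh with 0x
# constants in $(( )) (dash, bash).

# eui64_from_mac MAC
# Prints the EUI-64 suffix as four colon-separated hextets, or fails on
# anything that is not six colon-separated hex octets.
eui64_from_mac() {
    oldifs=$IFS
    IFS=:
    set -- $1
    IFS=$oldifs
    [ $# -eq 6 ] || return 1
    for o in "$@"; do
        case $o in
            [0-9a-fA-F][0-9a-fA-F]) ;;
            *) return 1 ;;
        esac
    done
    # Flip the universal/local bit (bit 1 of the first octet) per RFC 4291
    # Appendix A and insert ff:fe between the third and fourth octets.
    # Hextets are printed without leading zeros; all-zero hextets are kept
    # as "0", which is a valid (if not fully RFC 5952-canonical) spelling.
    printf '%x:%x:%x:%x\n' \
        $(( ((0x$1 ^ 0x02) << 8) | 0x$2 )) \
        $(( (0x$3 << 8) | 0xff )) \
        $(( 0xfe00 | 0x$4 )) \
        $(( (0x$5 << 8) | 0x$6 ))
}

# linklocal_from_mac MAC -> fe80::<eui64>
linklocal_from_mac() {
    suffix=$(eui64_from_mac "$1") || return 1
    printf 'fe80::%s\n' "$suffix"
}

# slaac_from_mac PREFIX MAC -> <prefix>:<eui64>
# PREFIX is the first four hextets of the advertised /64, e.g. 2001:db8:1:2.
slaac_from_mac() {
    suffix=$(eui64_from_mac "$2") || return 1
    printf '%s:%s\n' "$1" "$suffix"
}

# vif_ip6_rules MAC DEV [PREFIX...]
# Prints, without running, the ip6tables rules that restrict a vif to its
# own link-local and SLAAC addresses. "-A" stands in for the patch's "$c".
vif_ip6_rules() {
    mac=$1; dev=$2; shift 2
    ll=$(linklocal_from_mac "$mac") || return 1
    # Router and neighbour solicitations from the guest carry its
    # link-local source, so match ICMPv6 from that one /128 rather than all
    # of fe80::/64. DAD probes use the unspecified source :: and would need
    # their own rule, which is out of scope here.
    printf 'ip6tables -A FORWARD -m physdev --physdev-is-bridged --physdev-in %s -p ipv6-icmp -s %s/128 -j ACCEPT\n' "$dev" "$ll"
    for prefix in "$@"; do
        addr=$(slaac_from_mac "$prefix" "$mac") || return 1
        printf 'ip6tables -A FORWARD -m physdev --physdev-is-bridged --physdev-in %s -s %s/128 -j ACCEPT\n' "$dev" "$addr"
    done
}

# Demonstration with a constructed MAC under the Xen OUI 00:16:3e.
vif_ip6_rules 00:16:3e:aa:bb:cc vif1.0 2001:db8:1:2
```

Run as-is it prints the two rules for the constructed MAC; in a real vif script the MAC and device come from the script's own variables, and the prefix list would be passed in via a configuration key, since the dom0 has no other way of knowing which /64 the guest will autoconfigure from. Guests that use RFC 4941 privacy addresses or DHCPv6 will not match these rules, so the approach only fits guests known to run plain SLAAC.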
_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel