Re: [Xen-devel] [PATCH 4/5] hotplug/linux: Add IPv6 support to the iptables logic
Hi,

> So here we deny DHCP whereas for v4 we don't? Why is that? And in other
> cases for v4 we explicitly allow it?

Both for v4 and v6 it allows the VM to make DHCP requests (be a client) in the case where not everything is allowed.

> I see you called this out in the
> commit message, but I must confess I don't know v6 well enough to guess
> why. Is allowing a guest to send DHCP responses more dangerous for v6
> than with v4?

I'm not sure about "more dangerous" in absolute terms, but given that many distribs come with v6 enabled and people don't always take care to configure it properly by default, I thought it would be a good idea to be "safe by default". For v6, the Router Announcement can contain a flag compelling the client to not only do the classic autoconfig but also to make DHCPv6 requests to obtain missing parameters (like DNS, which isn't part of RA). A lot of distribs have v6 autoconfig enabled by default; I'm not sure how many will actually obey this flag though.

Honestly, maybe blocking DHCP server responses for v4 by default would make sense, but this could break some existing configs and I tried to stay away from implementing changes that would require people to do stuff for it to work again.

All the changes here should have no breaking impact if people don't change their config. They could however allow more stuff than before. If they previously had a working ip6tables setup with FORWARD policy DROP and no 'ip' set in the VIF config, their VMs weren't able to exchange IPv6 before, and they will be able to afterwards.

>> ip6tables:
>> ACCEPT all ::216:3eff:fed0:da2d/::ffff:ffff:ffff:ffff ::/0
>> PHYSDEV mat
>
> 216:3eff:fed0:da2d here is related to the mac address and therefore to
> the eui64 option?

Yes.

> BTW, please can you update docs/misc/xl-network-configuration.markdown
> to reflect the ipv6 behaviour.

Ok, I will.
Cheers,
Sylvain

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel
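The exchange above turns on two details: how `::216:3eff:fed0:da2d/::ffff:ffff:ffff:ffff` is derived from the guest's MAC (modified EUI-64, i.e. the `eui64` option), and the asymmetry that a guest may act as a DHCPv6 client but must not answer as a DHCPv6 server. The following is an added example, not code from the patch or from the Xen hotplug scripts: the EUI-64 derivation reproduces the quoted listing for MAC 00:16:3e:d0:da:2d, while `ip6tables_rules()` and the interface name `vif1.0` are hypothetical and only illustrate the shape of the policy the reply describes (the patch's exact rules are not shown on this page).

```python
import ipaddress


def mac_to_eui64_suffix(mac: str) -> str:
    """Modified EUI-64 interface identifier for a 48-bit MAC (RFC 4291, App. A).

    Insert 0xfffe between the OUI and NIC halves and flip the universal/local
    bit (bit 1 of the first octet).  The identifier is returned as the low
    64 bits of an otherwise-zero IPv6 address, which is how the ip6tables
    listing in the thread shows it: 00:16:3e:d0:da:2d -> '::216:3eff:fed0:da2d'
    """
    octets = bytes(int(x, 16) for x in mac.split(":"))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    eui = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    eui[0] ^= 0x02  # toggle the U/L bit
    return str(ipaddress.IPv6Address(bytes(8) + bytes(eui)))


# Mask that ignores the 64-bit network prefix and matches only the interface
# identifier, as in the quoted '::216:3eff:fed0:da2d/::ffff:ffff:ffff:ffff'.
IID_MASK = "::ffff:ffff:ffff:ffff"


def eui64_source_match(mac: str) -> str:
    """ip6tables -s argument covering every prefix the guest may autoconfigure on."""
    return f"{mac_to_eui64_suffix(mac)}/{IID_MASK}"


def ip6tables_rules(vif: str, mac: str) -> list:
    """Hypothetical rule set (assumption, not the patch's own rules) implementing
    the policy described in the thread: the guest may be a DHCPv6 client but
    not a DHCPv6 server, and other forwarded traffic must carry the guest's
    EUI-64 identifier as its source.  DHCPv6 clients send from UDP 546 to
    UDP 547 and servers reply from 547 (RFC 8415).
    """
    src = eui64_source_match(mac)
    physdev_in = f"-m physdev --physdev-in {vif}"
    return [
        # DHCPv6 client traffic from the guest: allowed.
        f"ip6tables -A FORWARD {physdev_in} -p udp --sport 546 --dport 547 -j ACCEPT",
        # Anything the guest sends from the server port is dropped, so a
        # misconfigured or hostile guest cannot answer other hosts' Solicits.
        # This must come before the generic ACCEPT below, since a server reply
        # from the guest's link-local address would otherwise match it.
        f"ip6tables -A FORWARD {physdev_in} -p udp --sport 547 -j DROP",
        # Remaining forwarded traffic from the guest: only with its own identifier.
        f"ip6tables -A FORWARD {physdev_in} -s {src} -j ACCEPT",
    ]


if __name__ == "__main__":
    for rule in ip6tables_rules("vif1.0", "00:16:3e:d0:da:2d"):
        print(rule)
```

Rule order is the point to check when reviewing such a script: the DHCPv6 DROP has to precede the identifier-based ACCEPT, because the server's replies are sourced from the same EUI-64 link-local address that the ACCEPT matches.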