
Re: [Xen-devel] [PATCH 4/5] hotplug/linux: Add IPv6 support to the iptables logic



On Tue, 2014-05-20 at 15:11 +0200, Sylvain Munaut wrote:
> Hi,
> 
> 
> > So here we deny DHCP whereas for v4 we don't? Why is that? And in other
> > cases for v4 we explicitly allow it?
> 
> Both for v4 and v6 it allows the VM to make DHCP requests (be a
> client) in the case not everything is allowed.

Ah, so it was blocking (from the guest PoV) outgoing responses and
incoming requests? But the guest could send a request and receive a
response? That makes sense.

> > I see you called this out in the
> > commit message, but I must confess I don't know v6 well enough to guess
> > why. Is allowing a guest to send DHCP responses more dangerous for v6
> > than with v4?
> 
> I'm not sure about "more dangerous" in absolute terms, but given the fact
> that many distros come with v6 enabled but people don't always take care
> to configure it properly by default, I thought it would be a good idea
> to be "safe by default".

OK. Can you include the rationale in the commit log please?

I'm not 100% sure about the argument that distros/admins might not
configure things properly and so we should help them to not hurt
themselves. Historically when we've gone down that path it's turned out
to be more rather than less confusing (essentially because Xen becomes
"special" in some way or another). For example this is why we no longer
try to set up networking and point people instead towards the distro
networking configuration tools.

IOW perhaps we should just write on
http://wiki.xen.org/wiki/HostConfiguration/Networking that people should
take care to set up IPv6 properly, or something.

> For v6, the Router Announcement can contain a flag compelling the
> client to not only do the classic autoconfig but to also make DHCPv6
> requests to obtain missing parameters (like DNS, which isn't part of
> RA). A lot of distros have v6 autoconfig enabled by default; I'm not
> sure how many will actually obey this flag though.
> 
> Honestly, maybe blocking DHCP server responses for v4 by default would
> make sense, but this could break some existing configs and I tried to
> stay away from implementing changes that would require people to do
> stuff for it to work again.

Yes, avoiding breaking changes is certainly a good idea.

> All the changes here should have no breaking impact if people don't
> change their config. They could however allow more stuff than before.
> If they previously had a working ip6tables setup that was set to FORWARD
> policy DROP, and no 'ip' sets in the VIF config, their VMs wouldn't have
> been able to exchange IPv6 before, and they will be able to afterwards.

I think that's OK. Might be one for the release notes I suppose.

Ian.
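The "client only" DHCPv6 filtering discussed above (guest may send requests and receive responses, but may neither receive requests nor send responses), written out as an added example that is not the patch's own vif-bridge code. It assumes the host filters bridged traffic in the FORWARD chain with the physdev match (bridge-nf-call-ip6tables enabled) and that FORWARD policy is DROP; the vif name and the guest address are constructed sample values.

```sh
#!/bin/sh
# Added example, not part of the Xen hotplug scripts.
# Emits ip6tables rules that let the guest behind bridge port $vif act as a
# DHCPv6 client (UDP 546 -> 547 out, 547 -> 546 in) while dropping anything
# that would let it act as a DHCPv6 server. Override IP6TABLES=echo for a
# dry run that only prints the rules.
IP6TABLES=${IP6TABLES:-ip6tables}

# dhcpv6_client_only_rules VIF [ALLOWED_IPV6 ...]
#   VIF            bridge port of the guest, e.g. vif1.0
#   ALLOWED_IPV6   optional source addresses from the VIF 'ip' list
dhcpv6_client_only_rules() {
    vif=$1; shift
    # --physdev-in: frames entering the bridge from the guest.
    # 1. Guest may send DHCPv6 requests (client port 546 -> server port 547).
    $IP6TABLES -A FORWARD -m physdev --physdev-is-bridged --physdev-in "$vif" \
        -p udp --sport 546 --dport 547 -j ACCEPT
    # 2. Guest must not answer as a server (547 -> 546 leaving the guest).
    $IP6TABLES -A FORWARD -m physdev --physdev-is-bridged --physdev-in "$vif" \
        -p udp --sport 547 --dport 546 -j DROP
    # --physdev-out: frames leaving the bridge towards the guest.
    # 3. Server responses to the guest's client port are let in.
    $IP6TABLES -A FORWARD -m physdev --physdev-is-bridged --physdev-out "$vif" \
        -p udp --sport 547 --dport 546 -j ACCEPT
    # 4. Requests to a server port inside the guest never reach it.
    $IP6TABLES -A FORWARD -m physdev --physdev-is-bridged --physdev-out "$vif" \
        -p udp --dport 547 -j DROP
    # 5. Remaining guest traffic only from its configured addresses; with
    #    FORWARD policy DROP an empty list means no other IPv6 traffic.
    for addr in "$@"; do
        $IP6TABLES -A FORWARD -m physdev --physdev-is-bridged --physdev-in "$vif" \
            -s "$addr" -j ACCEPT
    done
}

# Usage: IP6TABLES=echo ./dhcpv6-client-only.sh vif1.0 2001:db8::10
if [ $# -ge 1 ]; then
    dhcpv6_client_only_rules "$@"
fi
```

Rule order matters: the two DROP rules must sit before any broad ACCEPT for the same port, which is why the DHCPv6 rules are emitted before the per-address ACCEPTs.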


_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel
