On Thu, May 07, 2015 at 01:06:32PM +0200, Lukáš Nykrýn wrote:
Dan Kenigsberg wrote on Thu, 07. 05. 2015 at 11:46 +0100:
> On Wed, May 06, 2015 at 01:53:35PM +0100, Dan Kenigsberg wrote:
> > On Wed, May 06, 2015 at 01:28:30PM +0200, Rik Theys wrote:
> > > Hi,
> > >
> > > I'm looking for a way to selectively disable IPv6 on the bridge
> > > interfaces on the oVirt hosts.
> > >
> > > When oVirt creates the bridges for all logical networks on the host, it
> > > keeps the default settings for IPv6 which means all bridges get a
> > > link-local address and accept router advertisements.
> > >
> > > When a VM is created on the logical network, it can now reach the host
> > > over IPv6 (but not over IPv4 if no IP address has been assigned on the
> > > host). If it sends out a router advertisement it can even create a
> > > global IPv6 address (haven't tested this).
> > >
> > > How can I prevent this?
> > >
> > > I would like to prevent the guest from IPv6 access to the host but the
> > > guest itself still needs IPv6 access (global IPv6 addresses).
> > >
> > > Is it sufficient to create a sysctl config file that says:
> > >
> > > net.ipv6.conf.default.disable_ipv6 = 1
> >
> > Yes, I believe that this would do the trick. For any newly-created
> > device on the system, regardless of ovirt bridges.
> >
> > I now see that el7 has changed the default for IPV6INIT to "yes". We
> > should be more prudent and set IPV6INIT=no on all our devices.
>
> Lukáš, it seems that setting IPV6INIT=no is not enough:
>
> IPV6INIT=yes|no
> Enable or disable IPv6 static, DHCP, or autoconf configuration for this
> interface
> Default: yes
>
> The bridge still gets a link-local ipv6 address anyway. Is there an initscript
> means to disable this completely, or should we resort to
> /proc/sys/net/ipv6/conf/<bridge-name>/disable_ipv6 ?
>
> Dan.

You should disable this in the kernel. IPV6INIT=no basically means that
network-scripts will not touch it. But the kernel will set up the
link-local address.

Thanks.

On Thu, May 07, 2015 at 01:09:15PM +0200, Rik Theys wrote:

I think you also have to disable this on the physical interface that's part
of the bridge to fully disable this?

Yes, we should disable IPv6 for all devices that have Layer-2
accessibility from the VMs.

Dan.
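
The approach the thread converges on (setting `disable_ipv6` for each bridge and for every device attached to it), sketched as an added example that is not part of the original messages or of oVirt's own code. The function names and the `SYSFS_NET`/`PROC_IPV6` overrides are assumptions made for illustration; the overrides let the logic be exercised against a constructed directory tree instead of the live kernel.

```shell
#!/bin/sh
# Added example: disable IPv6 on every Linux bridge and on each of its ports.
# SYSFS_NET and PROC_IPV6 are hypothetical overrides (not kernel or oVirt
# settings) that default to the real sysfs/procfs locations.
SYSFS_NET="${SYSFS_NET:-/sys/class/net}"
PROC_IPV6="${PROC_IPV6:-/proc/sys/net/ipv6/conf}"

# Print each bridge device followed by its attached ports, one per line.
l2_devices() {
    for br in "$SYSFS_NET"/*; do
        [ -d "$br/bridge" ] || continue      # only bridge devices have this dir
        basename "$br"
        for port in "$br"/brif/*; do         # physical NICs and VM taps alike
            if [ -e "$port" ]; then basename "$port"; fi
        done
    done
}

# Set disable_ipv6=1 for one device; fail loudly if the knob is missing.
disable_ipv6_on() {
    knob="$PROC_IPV6/$1/disable_ipv6"
    if [ -w "$knob" ]; then
        echo 1 > "$knob"
    else
        echo "skip $1: $knob not writable" >&2
        return 1
    fi
}

# Apply to all bridges and ports; non-zero exit if any device was skipped.
disable_ipv6_on_bridges() {
    rc=0
    for dev in $(l2_devices); do
        disable_ipv6_on "$dev" || rc=1
    done
    return $rc
}

# Audit helper: list bridges/ports where IPv6 is still enabled.
ipv6_still_enabled() {
    for dev in $(l2_devices); do
        [ "$(cat "$PROC_IPV6/$dev/disable_ipv6" 2>/dev/null)" = "1" ] || echo "$dev"
    done
}
```

Run `disable_ipv6_on_bridges` as root after the bridges exist; the per-device values are runtime state, so devices created later still inherit from `net.ipv6.conf.default.disable_ipv6` as discussed in the thread.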