
Dan Kenigsberg wrote on Thu, 07 May 2015 at 11:46 +0100:
> On Wed, May 06, 2015 at 01:53:35PM +0100, Dan Kenigsberg wrote:
>> On Wed, May 06, 2015 at 01:28:30PM +0200, Rik Theys wrote:
>>> Hi,
>>>
>>> I'm looking for a way to selectively disable IPv6 on the bridge interfaces on the oVirt hosts.
>>>
>>> When oVirt creates the bridges for all logical networks on the host, it keeps the default settings for IPv6 which means all bridges get a link-local address and accept router advertisements.
>>>
>>> When a VM is created on the logical network, it can now reach the host over IPv6 (but not over IPv4 if no IP address has been assigned on the host). If it sends out a router advertisement it can even create a global IPv6 address (haven't tested this).
>>>
>>> How can I prevent this?
>>>
>>> I would like to prevent the guest from IPv6 access to the host but the guest itself still needs IPv6 access (global IPv6 addresses).
>>>
>>> Is it sufficient to create a sysctl config file that says:
>>>
>>> net.ipv6.conf.default.disable_ipv6 = 1
>>
>> Yes, I believe that this would do the trick. For any newly-created device on the system, regardless of ovirt bridges.
>>
>> I now see that el7 has changed the default for IPV6INIT to "yes". We should be more prudent and set IPV6INIT=no on all our devices.
>
> Lukáš, it seems that setting IPV6INIT=no is not enough:
>
>     IPV6INIT=yes|no
>       Enable or disable IPv6 static, DHCP, or autoconf configuration for this interface
>       Default: yes
>
> The bridge still gets a link-local ipv6 address anyway. Is there an initscript means to disable this completely, or should we resort to /proc/sys/net/ipv6/conf/<bridge-name>/disable_ipv6 ?
>
> Dan.

You should disable this in the kernel. IPV6INIT=no basically means that network-scripts will not touch it. But the kernel will set up the link-local address.

Lukas
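
A way to verify the kernel-level state discussed in this thread, as an added example that is not part of the original messages: it lists every bridge device with its `disable_ipv6` value and whether the kernel has assigned it a link-local address. The function names and the optional root-prefix argument (used to run the check against a constructed tree) are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit the host-side IPv6 state of bridge devices.
# $1 is an optional root prefix (hypothetical, for running against a
# constructed tree); leave it empty to inspect the live host.

# Print one line per bridge: name, disable_ipv6 value, link-local presence.
bridge_ipv6_report() {
    root="${1:-}"
    for dir in "$root"/sys/class/net/*; do
        # Only bridge devices expose a "bridge" subdirectory in sysfs.
        [ -d "$dir/bridge" ] || continue
        name=${dir##*/}

        # The per-device knob named in the thread.
        knob="$root/proc/sys/net/ipv6/conf/$name/disable_ipv6"
        if [ -r "$knob" ]; then state=$(cat "$knob"); else state=absent; fi

        # /proc/net/if_inet6 fields: address, ifindex, prefix length,
        # scope, flags, device. Scope 20 (hex) is link-local.
        ll=no
        if [ -r "$root/proc/net/if_inet6" ] &&
           awk -v n="$name" '$6 == n && $4 == "20" { found = 1 }
                             END { exit !found }' "$root/proc/net/if_inet6"
        then
            ll=yes
        fi

        printf '%s disable_ipv6=%s link_local=%s\n' "$name" "$state" "$ll"
    done
}

# Print the report; return non-zero if any bridge still has the host
# IPv6 stack enabled or still carries a link-local address.
check_bridges() {
    report=$(bridge_ipv6_report "${1:-}")
    [ -z "$report" ] || printf '%s\n' "$report"
    ! printf '%s\n' "$report" | grep -Eq 'disable_ipv6=0|link_local=yes'
}
```

On a host, `check_bridges` with no argument reads the live `/sys` and `/proc`; a bridge reported with `disable_ipv6=0` is one where `IPV6INIT=no` alone has not stopped the kernel from configuring the address.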