selectively disabling IPv6 on bridges

Hi,

I'm looking for a way to selectively disable IPv6 on the bridge interfaces on the oVirt hosts.

When oVirt creates the bridges for all logical networks on the host, it keeps the default settings for IPv6 which means all bridges get a link-local address and accept router advertisements.

When a VM is created on the logical network, it can now reach the host over IPv6 (but not over IPv4 if no IP address has been assigned on the host). If it sends out a router advertisement it can even create a global IPv6 address (haven't tested this).

How can I prevent this?

I would like to prevent the guest from IPv6 access to the host but the guest itself still needs IPv6 access (global IPv6 addresses).

Is it sufficient to create a sysctl config file that says:

net.ipv6.conf.default.disable_ipv6 = 1

?

Regards,
Rik

--
Rik Theys
System Engineer
KU Leuven - Dept. Elektrotechniek (ESAT)
Kasteelpark Arenberg 10 bus 2440 - B-3001 Leuven-Heverlee
+32(0)16/32.11.07
----------------------------------------------------------------
<<Any errors in spelling, tact or fact are transmission errors>>

On Wed, May 06, 2015 at 01:28:30PM +0200, Rik Theys wrote:
> Hi,
> I'm looking for a way to selectively disable IPv6 on the bridge interfaces on the oVirt hosts.
> When oVirt creates the bridges for all logical networks on the host, it keeps the default settings for IPv6 which means all bridges get a link-local address and accept router advertisements.
> When a VM is created on the logical network, it can now reach the host over IPv6 (but not over IPv4 if no IP address has been assigned on the host). If it sends out a router advertisement it can even create a global IPv6 address (haven't tested this).
> How can I prevent this?
> I would like to prevent the guest from IPv6 access to the host but the guest itself still needs IPv6 access (global IPv6 addresses).
> Is it sufficient to create a sysctl config file that says:
> net.ipv6.conf.default.disable_ipv6 = 1

Yes, I believe that this would do the trick. For any newly-created device on the system, regardless of ovirt bridges.

I now see that el7 has changed the default for IPV6INIT to "yes". We should be more prudent and set IPV6INIT=no on all our devices.

Would you open a bug about this, so it is tracked?

Regards,
Dan.

> ?
> Regards,
> Rik

Hi,

On 05/06/2015 02:53 PM, Dan Kenigsberg wrote:
> On Wed, May 06, 2015 at 01:28:30PM +0200, Rik Theys wrote:
>> Hi,
>> I'm looking for a way to selectively disable IPv6 on the bridge interfaces on the oVirt hosts.
>> When oVirt creates the bridges for all logical networks on the host, it keeps the default settings for IPv6 which means all bridges get a link-local address and accept router advertisements.
>> When a VM is created on the logical network, it can now reach the host over IPv6 (but not over IPv4 if no IP address has been assigned on the host). If it sends out a router advertisement it can even create a global IPv6 address (haven't tested this).
>> How can I prevent this?
>> I would like to prevent the guest from IPv6 access to the host but the guest itself still needs IPv6 access (global IPv6 addresses).
>> Is it sufficient to create a sysctl config file that says:
>> net.ipv6.conf.default.disable_ipv6 = 1
> Yes, I believe that this would do the trick. For any newly-created device on the system, regardless of ovirt bridges.

I've tried that and it seems to work. But IPv6 seems partially broken anyway even without applying this trick :-(.

When two VMs run on the same host and the host has ipv6 enabled (but no global addresses assigned), they cannot reach each other when they are in the same network (and have statically configured IPv6 addresses). They can ping hosts in the same network that are on other physical boxes. When you migrate one of the hosts to another physical machine they can ping each other. But not when they're running on the same host.

We have the same issue with hosts running on our CentOS 6 hosts with libvirt (no ovirt involved), so this isn't ovirt specific.

The neighbor solicitations are visible on the vnet0 (tcpdump running on the host) interface of the VM running the ping, and on the ovirtmgmt bridge. But not on the vnet1 (tcpdump running on the host) of the target VM.

> I now see that el7 has changed the default for IPV6INIT to "yes". We should be more prudent and set IPV6INIT=no on all our devices.
> Would you open a bug about this, so it is tracked?

OK, will do.

Regards,
Rik

--
Rik Theys
System Engineer
KU Leuven - Dept. Elektrotechniek (ESAT)
Kasteelpark Arenberg 10 bus 2440 - B-3001 Leuven-Heverlee
+32(0)16/32.11.07
----------------------------------------------------------------
<<Any errors in spelling, tact or fact are transmission errors>>

Hi,

On 05/06/2015 02:53 PM, Dan Kenigsberg wrote:
> On Wed, May 06, 2015 at 01:28:30PM +0200, Rik Theys wrote:
>> I'm looking for a way to selectively disable IPv6 on the bridge interfaces on the oVirt hosts.
>> When oVirt creates the bridges for all logical networks on the host, it keeps the default settings for IPv6 which means all bridges get a link-local address and accept router advertisements.
>> When a VM is created on the logical network, it can now reach the host over IPv6 (but not over IPv4 if no IP address has been assigned on the host). If it sends out a router advertisement it can even create a global IPv6 address (haven't tested this).
>> How can I prevent this?
>> I would like to prevent the guest from IPv6 access to the host but the guest itself still needs IPv6 access (global IPv6 addresses).
>> Is it sufficient to create a sysctl config file that says:
>> net.ipv6.conf.default.disable_ipv6 = 1
> Yes, I believe that this would do the trick. For any newly-created device on the system, regardless of ovirt bridges.
> I now see that el7 has changed the default for IPV6INIT to "yes". We should be more prudent and set IPV6INIT=no on all our devices.
> Would you open a bug about this, so it is tracked?

I've opened bug 1219363 for this.

Regards,
Rik

--
Rik Theys
System Engineer
KU Leuven - Dept. Elektrotechniek (ESAT)
Kasteelpark Arenberg 10 bus 2440 - B-3001 Leuven-Heverlee
+32(0)16/32.11.07
----------------------------------------------------------------
<<Any errors in spelling, tact or fact are transmission errors>>

On Wed, May 06, 2015 at 01:53:35PM +0100, Dan Kenigsberg wrote:
> On Wed, May 06, 2015 at 01:28:30PM +0200, Rik Theys wrote:
>> Hi,
>> I'm looking for a way to selectively disable IPv6 on the bridge interfaces on the oVirt hosts.
>> When oVirt creates the bridges for all logical networks on the host, it keeps the default settings for IPv6 which means all bridges get a link-local address and accept router advertisements.
>> When a VM is created on the logical network, it can now reach the host over IPv6 (but not over IPv4 if no IP address has been assigned on the host). If it sends out a router advertisement it can even create a global IPv6 address (haven't tested this).
>> How can I prevent this?
>> I would like to prevent the guest from IPv6 access to the host but the guest itself still needs IPv6 access (global IPv6 addresses).
>> Is it sufficient to create a sysctl config file that says:
>> net.ipv6.conf.default.disable_ipv6 = 1
> Yes, I believe that this would do the trick. For any newly-created device on the system, regardless of ovirt bridges.
> I now see that el7 has changed the default for IPV6INIT to "yes". We should be more prudent and set IPV6INIT=no on all our devices.

Lukáš, it seems that setting IPV6INIT=no is not enough:

    IPV6INIT=yes|no
      Enable or disable IPv6 static, DHCP, or autoconf configuration for this interface
      Default: yes

The bridge still gets a link-local ipv6 address anyway. Is there an initscript means to disable this completely, or should we resort to /proc/sys/net/ipv6/conf/<bridge-name>/disable_ipv6 ?

Dan.

Dan Kenigsberg wrote on Thu, 07 May 2015 at 11:46 +0100:
> On Wed, May 06, 2015 at 01:53:35PM +0100, Dan Kenigsberg wrote:
>> On Wed, May 06, 2015 at 01:28:30PM +0200, Rik Theys wrote:
>>> Hi,
>>> I'm looking for a way to selectively disable IPv6 on the bridge interfaces on the oVirt hosts.
>>> When oVirt creates the bridges for all logical networks on the host, it keeps the default settings for IPv6 which means all bridges get a link-local address and accept router advertisements.
>>> When a VM is created on the logical network, it can now reach the host over IPv6 (but not over IPv4 if no IP address has been assigned on the host). If it sends out a router advertisement it can even create a global IPv6 address (haven't tested this).
>>> How can I prevent this?
>>> I would like to prevent the guest from IPv6 access to the host but the guest itself still needs IPv6 access (global IPv6 addresses).
>>> Is it sufficient to create a sysctl config file that says:
>>> net.ipv6.conf.default.disable_ipv6 = 1
>> Yes, I believe that this would do the trick. For any newly-created device on the system, regardless of ovirt bridges.
>> I now see that el7 has changed the default for IPV6INIT to "yes". We should be more prudent and set IPV6INIT=no on all our devices.
> Lukáš, it seems that setting IPV6INIT=no is not enough:
>     IPV6INIT=yes|no
>       Enable or disable IPv6 static, DHCP, or autoconf configuration for this interface
>       Default: yes
> The bridge still gets a link-local ipv6 address anyway. Is there an initscript means to disable this completely, or should we resort to /proc/sys/net/ipv6/conf/<bridge-name>/disable_ipv6 ?
> Dan.

You should disable this in kernel. IPV6INIT=no basically means that network-scripts will not touch it. But kernel will set up the link-local address.

Lukas

Hi,

On 05/07/2015 12:46 PM, Dan Kenigsberg wrote:
> On Wed, May 06, 2015 at 01:53:35PM +0100, Dan Kenigsberg wrote:
>> On Wed, May 06, 2015 at 01:28:30PM +0200, Rik Theys wrote:
>>> Hi,
>>> I'm looking for a way to selectively disable IPv6 on the bridge interfaces on the oVirt hosts.
>>> When oVirt creates the bridges for all logical networks on the host, it keeps the default settings for IPv6 which means all bridges get a link-local address and accept router advertisements.
>>> When a VM is created on the logical network, it can now reach the host over IPv6 (but not over IPv4 if no IP address has been assigned on the host). If it sends out a router advertisement it can even create a global IPv6 address (haven't tested this).
>>> How can I prevent this?
>>> I would like to prevent the guest from IPv6 access to the host but the guest itself still needs IPv6 access (global IPv6 addresses).
>>> Is it sufficient to create a sysctl config file that says:
>>> net.ipv6.conf.default.disable_ipv6 = 1
>> Yes, I believe that this would do the trick. For any newly-created device on the system, regardless of ovirt bridges.
>> I now see that el7 has changed the default for IPV6INIT to "yes". We should be more prudent and set IPV6INIT=no on all our devices.
> Lukáš, it seems that setting IPV6INIT=no is not enough:
>     IPV6INIT=yes|no
>       Enable or disable IPv6 static, DHCP, or autoconf configuration for this interface
>       Default: yes
> The bridge still gets a link-local ipv6 address anyway. Is there an initscript means to disable this completely, or should we resort to /proc/sys/net/ipv6/conf/<bridge-name>/disable_ipv6 ?

I think you also have to disable this on the physical interface that's part of the bridge to fully disable this?

Regards,
Rik

--
Rik Theys
System Engineer
KU Leuven - Dept. Elektrotechniek (ESAT)
Kasteelpark Arenberg 10 bus 2440 - B-3001 Leuven-Heverlee
+32(0)16/32.11.07
----------------------------------------------------------------
<<Any errors in spelling, tact or fact are transmission errors>>

On Thu, May 07, 2015 at 01:06:32PM +0200, Lukáš Nykrýn wrote:
> Dan Kenigsberg wrote on Thu, 07 May 2015 at 11:46 +0100:
>> On Wed, May 06, 2015 at 01:53:35PM +0100, Dan Kenigsberg wrote:
>>> On Wed, May 06, 2015 at 01:28:30PM +0200, Rik Theys wrote:
>>>> Hi,
>>>> I'm looking for a way to selectively disable IPv6 on the bridge interfaces on the oVirt hosts.
>>>> When oVirt creates the bridges for all logical networks on the host, it keeps the default settings for IPv6 which means all bridges get a link-local address and accept router advertisements.
>>>> When a VM is created on the logical network, it can now reach the host over IPv6 (but not over IPv4 if no IP address has been assigned on the host). If it sends out a router advertisement it can even create a global IPv6 address (haven't tested this).
>>>> How can I prevent this?
>>>> I would like to prevent the guest from IPv6 access to the host but the guest itself still needs IPv6 access (global IPv6 addresses).
>>>> Is it sufficient to create a sysctl config file that says:
>>>> net.ipv6.conf.default.disable_ipv6 = 1
>>> Yes, I believe that this would do the trick. For any newly-created device on the system, regardless of ovirt bridges.
>>> I now see that el7 has changed the default for IPV6INIT to "yes". We should be more prudent and set IPV6INIT=no on all our devices.
>> Lukáš, it seems that setting IPV6INIT=no is not enough:
>>     IPV6INIT=yes|no
>>       Enable or disable IPv6 static, DHCP, or autoconf configuration for this interface
>>       Default: yes
>> The bridge still gets a link-local ipv6 address anyway. Is there an initscript means to disable this completely, or should we resort to /proc/sys/net/ipv6/conf/<bridge-name>/disable_ipv6 ?
>> Dan.
> You should disable this in kernel. IPV6INIT=no basically means that network-scripts will not touch it. But kernel will set up the link-local address.

Thanks.

On Thu, May 07, 2015 at 01:09:15PM +0200, Rik Theys wrote:
> I think you also have to disable this on the physical interface that's part of the bridge to fully disable this?

yes, we should disable ipv6 for all devices that have Layer-2 accessibility from the VMs.

Dan.
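
Added example (not part of the thread and not oVirt/VDSM code): a shell audit for the conclusion above that lists each bridge and the ports enslaved to it, reports which of them still have IPv6 enabled in the kernel, and prints the matching sysctl lines. The function names and the overridable `SYS_NET` / `PROC_V6` variables are introduced here as assumptions so the script can also run against a test tree.

```shell
#!/bin/sh
# Added example, not from the thread. SYS_NET and PROC_V6 default to the real
# kernel paths; being able to override them is an assumption made for testing.
SYS_NET="${SYS_NET:-/sys/class/net}"
PROC_V6="${PROC_V6:-/proc/sys/net/ipv6/conf}"

# Every bridge on the host plus every port enslaved to one (NICs, VLANs, vnetN).
l2_devices() {
    for br in "$SYS_NET"/*/bridge; do
        if [ ! -d "$br" ]; then continue; fi
        dev=${br%/bridge}
        echo "${dev##*/}"
        for port in "$dev"/brif/*; do
            if [ -e "$port" ]; then echo "${port##*/}"; fi
        done
    done | sort -u
}

# Subset of l2_devices on which the kernel still has IPv6 enabled.
ipv6_enabled_devices() {
    l2_devices | while read -r dev; do
        f="$PROC_V6/$dev/disable_ipv6"
        if [ -r "$f" ] && [ "$(cat "$f")" = "0" ]; then echo "$dev"; fi
    done
}

# sysctl.d lines: "default" only covers devices created later, so existing
# devices get their own key. sysctl writes a dot inside an interface name
# (eth0.100) as a slash.
sysctl_lines() {
    echo "net.ipv6.conf.default.disable_ipv6 = 1"
    ipv6_enabled_devices | while read -r dev; do
        echo "net.ipv6.conf.$(echo "$dev" | tr . /).disable_ipv6 = 1"
    done
}

# Usage: sh audit.sh --emit
if [ "${1:-}" = "--emit" ]; then sysctl_lines; fi
```

Per-device lines for vnetN taps only correct the running state; taps created after the setting is applied fall under the `default` key.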