[ovirt-users] selectively disabling IPv6 on bridges

Lukáš Nykrýn lnykryn at redhat.com
Thu May 7 11:06:32 UTC 2015


Dan Kenigsberg wrote on Thu, 07 May 2015 at 11:46 +0100:
> On Wed, May 06, 2015 at 01:53:35PM +0100, Dan Kenigsberg wrote:
> > On Wed, May 06, 2015 at 01:28:30PM +0200, Rik Theys wrote:
> > > Hi,
> > > 
> > > I'm looking for a way to selectively disable IPv6 on the bridge interfaces
> > > on the oVirt hosts.
> > > 
> > > When oVirt creates the bridges for all logical networks on the host, it
> > > keeps the default settings for IPv6 which means all bridges get a link-local
> > > address and accept router advertisements.
> > > 
> > > When a VM is created on the logical network, it can now reach the host over
> > > IPv6 (but not over IPv4 if no IP address has been assigned on the host). If
> > > it sends out a router advertisement it can even create a global IPv6 address
> > > (haven't tested this).
> > > 
> > > How can I prevent this?
> > > 
> > > I would like to prevent the guest from IPv6 access to the host but the guest
> > > itself still needs IPv6 access (global IPv6 addresses).
> > > 
> > > Is it sufficient to create a sysctl config file that says:
> > > 
> > > net.ipv6.conf.default.disable_ipv6 = 1
> > 
> > Yes, I believe that this would do the trick. For any newly-created
> > device on the system, regardless of ovirt bridges.
> > 
> > I now see that el7 has changed the default for IPV6INIT to "yes". We
> > should be more prudent and set IPV6INIT=no on all our devices.
> 
> Lukáš, it seems that setting IPV6INIT=no is not enough:
> 
>     IPV6INIT=yes|no
>       Enable or disable IPv6 static, DHCP, or autoconf configuration for this interface
>       Default: yes
> 
> The bridge still gets a link-local ipv6 address anyway. Is there an initscript
> means to disable this completely, or should we resort to
> /proc/sys/net/ipv6/conf/<bridge-name>/disable_ipv6 ?
> 
> Dan.

You should disable this in the kernel. IPV6INIT=no basically means that
network-scripts will not touch it. But the kernel will set up the
link-local address.

Lukas
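
Following the advice above to disable IPv6 in the kernel, this added example (not from the thread or the oVirt project) reports each bridge's `disable_ipv6` state and prints sysctl.d lines for bridges where host-side IPv6 is still on. The function names and the `SYS_ROOT`/`PROC_ROOT` overrides are assumptions made for the example.

```shell
# Added example: audit Linux bridges for host-side IPv6.
# SYS_ROOT and PROC_ROOT are hypothetical overrides so the logic can be run
# against a constructed directory tree; they default to /sys and /proc.

# Print "<bridge> <state>" for every bridge device, where state is
# "enabled", "disabled" or "unknown" (no IPv6 sysctl entry for the device).
audit_bridges() {
    sys_root=${SYS_ROOT:-/sys}
    proc_root=${PROC_ROOT:-/proc}
    for dev in "$sys_root"/class/net/*; do
        # Only bridge devices have a "bridge" subdirectory in sysfs.
        [ -d "$dev/bridge" ] || continue
        name=${dev##*/}
        knob="$proc_root/sys/net/ipv6/conf/$name/disable_ipv6"
        if [ ! -r "$knob" ]; then
            state=unknown
        elif [ "$(cat "$knob")" = "1" ]; then
            state=disabled
        else
            state=enabled
        fi
        printf '%s %s\n' "$name" "$state"
    done
}

# Emit one sysctl.d line per bridge that still has IPv6 enabled.
# Slash-separated keys are used so interface names containing dots
# (for example VLAN-style names) are not split into extra key components.
sysctl_lines() {
    audit_bridges | while read -r name state; do
        [ "$state" = enabled ] || continue
        printf 'net/ipv6/conf/%s/disable_ipv6 = 1\n' "$name"
    done
}
```

Review the output of `sysctl_lines` and keep only the bridges that should have no host IPv6 address before saving it under `/etc/sysctl.d/`.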



