On Tue, Sep 27, 2016 at 03:11:50PM +0200, Wolfgang Bumiller wrote:
> On Tue, Sep 27, 2016 at 02:54:47PM +0200, Alexandre DERUMIER wrote:
> > Hi,
> >
> > we have just noticed during the training,
> > that tap && veth interfaces on host have ipv6 addresses allocated.
>
> See
> http://pve.proxmox.com/pve-docs/chapter-pve-firewall.html#_avoiding_link_local_addresses_on_tap_and_veth_devices

I've been wondering whether there are any good uses for them. (I used
them a couple of times for testing when working on ipv6 initially but
have since had them disabled.)

So it's probably better to just remove them upon creation in
veth_create() and tap_create() (should be the only places where this
needs to happen).

They don't really *conflict* since the veth and tap devices don't use
the same MAC addresses on the host as they have in the guest. But if the
admin doesn't realize that VMs are essentially connected to the host via
link-local addresses this way it's easily possible to forget some
firewall rules.

However, note that the bridge, too, has a link local address they can
connect to, which is just as easy to forget if you're not used to it
(and that one's needed for neighbor discovery).
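
Added example, not part of the original thread and not Proxmox code: an audit filter over `ip -o -6 addr show` output that reports host-side guest ports and bridges holding an fe80::/10 address, so both cases mentioned above show up when reviewing firewall rules. The function names, the `tap*`/`veth*`/`vmbr*` name prefixes and the sample lines are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example: find IPv6 link-local addresses on host-side guest ports
# (tap*/veth*) and on bridges (vmbr*). Interface prefixes are assumptions.

# Constructed sample of `ip -o -6 addr show` output (not from a real host).
sample_ip_output() {
cat <<'EOF'
1: lo    inet6 ::1/128 scope host \       valid_lft forever preferred_lft forever
2: eth0    inet6 2001:db8::10/64 scope global \       valid_lft forever preferred_lft forever
3: vmbr0    inet6 fe80::5054:ff:fe00:1/64 scope link \       valid_lft forever preferred_lft forever
7: tap100i0    inet6 fe80::fc54:ff:fe00:64/64 scope link \       valid_lft forever preferred_lft forever
9: veth101i0    inet6 fe80::fc11:22ff:fe33:4455/64 scope link \       valid_lft forever preferred_lft forever
10: veth102i0    inet6 2001:db8::20/64 scope global \       valid_lft forever preferred_lft forever
EOF
}

# Reads one-line-per-address `ip -o -6 addr show` output on stdin and prints
# "<kind> <interface> <address>" for each link-local address found on a
# guest port or bridge. Other interfaces and other scopes are ignored.
audit_link_local() {
    awk '
        $3 == "inet6" {
            ifname = $2
            sub(/@.*/, "", ifname)          # drop any "@peer" suffix
            addr = tolower($4)
            # fe80::/10 means the first hextet lies between fe80 and febf
            if (addr !~ /^fe[89ab][0-9a-f]:/) next
            if (ifname ~ /^(tap|veth)/)  print "guest-port", ifname, $4
            else if (ifname ~ /^vmbr/)   print "bridge", ifname, $4
        }'
}

# Demo on the constructed sample. On a real host, feed it live data instead:
#   ip -o -6 addr show | audit_link_local
sample_ip_output | audit_link_local
```

Every `guest-port` line is a host address directly reachable from that guest, and every `bridge` line is reachable from all guests on that bridge, so each one needs to be covered by the host's IPv6 input rules.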