This patch adds the capability for virtual guests to do IPv6
communication via a virtual network interface with no IPv6
(gateway) addresses specified.  This capability currently
exists for IPv4.

This patch allows creation of a completely isolated IPv6 network.

Note that virtual guests cannot communicate with the virtualization
host via this interface.  Also note that:
      net.ipv6.conf.<interface_name>.disable_ipv6 = 1
---
 docs/formatnetwork.html.in  | 18 ++++++++++++++++++
 src/network/bridge_driver.c | 22 ++++++++++++++--------
 2 files changed, 32 insertions(+), 8 deletions(-)

diff --git a/docs/formatnetwork.html.in b/docs/formatnetwork.html.in
index 49206dd..7b3b25c 100644
--- a/docs/formatnetwork.html.in
+++ b/docs/formatnetwork.html.in
@@ -773,5 +773,23 @@
         &lt;/forward&gt;
       &lt;/network&gt;</pre>
 
+    <h3><a name="examplesNoGateway">Network config with no gateway 
addresses</a></h3>
+
+    <p>
+    A valid network definition can contain no IPv4 or IPv6 addresses.  Such a 
definition
+    can be used for a "very private" or "very isolated" network since it will 
not be
+    possible to communicate with the virtualization host via this network.  
However,
+    this virtual network interface can be used for communication between 
virtual guest
+    systems.  This works for IPv4 and <span class="since">(Since 1.0.1)</span> 
IPv6.
+    </p>
+
+    <pre>
+      &lt;network&gt;
+        &lt;name&gt;nogw&lt;/name&gt;
+        &lt;uuid&gt;7a3b7497-1ec7-8aef-6d5c-38dff9109e93&lt;/uuid&gt;
+        &lt;bridge name="virbr2" stp="on" delay="0" /&gt;
+        &lt;mac address='00:16:3E:5D:C7:9E'/&gt;
+      &lt;/network&gt;</pre>
+
   </body>
 </html>
diff --git a/src/network/bridge_driver.c b/src/network/bridge_driver.c
index c153d36..9c67348 100644
--- a/src/network/bridge_driver.c
+++ b/src/network/bridge_driver.c
@@ -1568,15 +1568,16 @@ networkRemoveRoutingIptablesRules(struct network_driver 
*driver,
     }
 }
 
-/* Add all once/network rules required for IPv6 (if any IPv6 addresses are 
defined) */
+/* Add all once/network rules required for IPv6.
+ * Even if no IPv6 addresses are defined, allow IPv6 commuinications
+ * between virtual systems.  If any IPv6 addresses are defined, then
+ * add the rules for regular operation.
+ */
 static int
 networkAddGeneralIp6tablesRules(struct network_driver *driver,
                                virNetworkObjPtr network)
 {
 
-    if (!virNetworkDefGetIpByIndex(network->def, AF_INET6, 0))
-        return 0;
-
     /* Catch all rules to block forwarding to/from bridges */
 
     if (iptablesAddForwardRejectOut(driver->iptables, AF_INET6,
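Review bot: Dropping the early return means the three FORWARD rules are now pushed through ip6tables on every network start, including IPv4-only networks, so a host without an ip6tables binary or without IPv6 support loaded in the kernel would presumably fail to start networks that started fine before this change; consider whether a failure of iptablesAddForwardRejectOut should be tolerated (logged and the IPv6 rules skipped) when virNetworkDefGetIpByIndex(network->def, AF_INET6, 0) is NULL, instead of failing the whole start. The new header comment has a typo, `* Even if no IPv6 addresses are defined, allow IPv6 communications`. It would also help to name the rules the unconditional part installs, e.g. `* Always install the forward reject-in/reject-out and allow-cross rules;`, so the matching unconditional removal in networkRemoveGeneralIp6tablesRules is obviously paired. The body of networkAddGeneralIp6tablesRules continues past this hunk.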
@@ -1604,6 +1605,10 @@ networkAddGeneralIp6tablesRules(struct network_driver 
*driver,
         goto err3;
     }
 
+    /* if no IPv6 addresses are defined, we are done. */
+    if (!virNetworkDefGetIpByIndex(network->def, AF_INET6, 0))
+        return 0;
+
     /* allow DNS over IPv6 */
     if (iptablesAddTcpInput(driver->iptables, AF_INET6,
                             network->def->bridge, 53) < 0) {
@@ -1640,11 +1645,12 @@ static void
 networkRemoveGeneralIp6tablesRules(struct network_driver *driver,
                                   virNetworkObjPtr network)
 {
-    if (!virNetworkDefGetIpByIndex(network->def, AF_INET6, 0))
-        return;
+    if (virNetworkDefGetIpByIndex(network->def, AF_INET6, 0)) {
+        iptablesRemoveUdpInput(driver->iptables, AF_INET6, 
network->def->bridge, 53);
+        iptablesRemoveTcpInput(driver->iptables, AF_INET6, 
network->def->bridge, 53);
+    }
 
-    iptablesRemoveUdpInput(driver->iptables, AF_INET6, network->def->bridge, 
53);
-    iptablesRemoveTcpInput(driver->iptables, AF_INET6, network->def->bridge, 
53);
+    /* the following rules are there even if no IPv6 address has been defined 
*/
     iptablesRemoveForwardAllowCross(driver->iptables, AF_INET6, 
network->def->bridge);
     iptablesRemoveForwardRejectIn(driver->iptables, AF_INET6, 
network->def->bridge);
     iptablesRemoveForwardRejectOut(driver->iptables, AF_INET6, 
network->def->bridge);
-- 
1.7.11.7
