From 705e67d40b09a905cd6a4b8b418d5cb94eaa95a8 Mon Sep 17 00:00:00 2001 
From: Gene Czarcinski Date: Mon, 3 Dec 2012 11:13:36 -0500 Subject: [PATCH] network: allow guest to guest IPv6 without gateway definition This patch adds the capability for virtual guests to do IPv6 communication via a virtual network interface with no IPv6 (gateway) addresses specified. This capability has always been enabled by default for IPv4, but disabled for IPv6 for security concerns, and because it requires the ip6tables command to be operational (which isn't the case on a system with the ipv6 module completely disabled). This patch adds a new attribute "ipv6" at the toplevel of a <network> object. If ipv6='yes', the extra ip6tables rules required to permit inter-guest communications are added when the network is started. If it is 'no', or not present, those rules will not be added; thus the default behavior doesn't change, so there should be no compatibility issues with any existing installations. Note that virtual guests cannot communicate with the virtualization host via this interface, because the following kernel tunable has been set: net.ipv6.conf.<bridge>.disable_ipv6 = 1 This assures that the bridge interface will not have an IPv6 link-local (fe80::) address. To control this behavior so that it is not enabled by default, the parameter ipv6='yes' on the <network> statement has been added. Documentation related to this patch has been updated. The network schema has also been updated. --- docs/formatnetwork.html.in | 28 +++++++++++++++++++- docs/schemas/network.rng | 10 +++++++ src/conf/network_conf.c | 20 ++++++++++++++ src/conf/network_conf.h | 5 ++++ src/network/bridge_driver.c | 28 ++++++++++++++++---- tests/networkxml2xmlin/empty-allow-ipv6.xml | 6 +++++ tests/networkxml2xmlin/isolated-network.xml | 2 +- tests/networkxml2xmlout/empty-allow-ipv6.xml | 6 +++++ tests/networkxml2xmltest.c | 1 + 9 files changed, 99 insertions(+), 7 deletions(-) create mode 100644 tests/networkxml2xmlin/empty-allow-ipv6.xml create mode 100644 tests/networkxml2xmlout/empty-allow-ipv6.xml
diff --git a/docs/formatnetwork.html.in b/docs/formatnetwork.html.in
index 49206dda19..a3a5ced3e1 100644
--- a/docs/formatnetwork.html.in
+++ b/docs/formatnetwork.html.in
@@ -33,7 +33,7 @@

-      <network>
+      <network ipv6='yes'>
         <name>default</name>
         <uuid>3e3fce45-4f53-4fa7-bb32-11f34168b82b</uuid>
         ...
@@ -52,6 +52,12 @@ The format must be RFC 4122 compliant, eg 3e3fce45-4f53-4fa7-bb32-11f34168b82b. If omitted when defining/creating a new network, a random UUID is generated. Since 0.3.0 +
ipv6='yes'
+
The new, optional parameter ipv6='yes' enables + a network definition with no IPv6 gateway addresses specified + to have guest-to-guest communications. For further information, + see the example below for the example with no gateway addresses. + Since 1.0.1

Connectivity

@@ -773,5 +779,25 @@ </forward> </network> +

Network config with no gateway addresses

+ +

+ A valid network definition can contain no IPv4 or IPv6 addresses. Such a definition + can be used for a "very private" or "very isolated" network since it will not be + possible to communicate with the virtualization host via this network. However, + this virtual network interface can be used for communication between virtual guest + systems. This works for IPv4 and (Since 1.0.1) IPv6. + However, the new ipv6='yes' must be added for guest-to-guest IPv6 + communication. +

+ +
+      <network ipv6='yes'>
+        <name>nogw</name>
+        <uuid>7a3b7497-1ec7-8aef-6d5c-38dff9109e93</uuid>
+        <bridge name="virbr2" stp="on" delay="0" />
+        <mac address='00:16:3E:5D:C7:9E'/>
+      </network>
+
diff --git a/docs/schemas/network.rng b/docs/schemas/network.rng
index 4abfd915dd..0d67f7f902 100644
--- a/docs/schemas/network.rng
+++ b/docs/schemas/network.rng
@@ -17,6 +17,16 @@
+
+
+
+
+ yes
+ no
+
+
+