Bug 567124 - RFE: support IPv6 on virtual networks
Status: CLOSED UPSTREAM
Product: Fedora
Classification: Fedora
Component: libvirt
14
All Linux
low Severity medium
Assigned To: Daniel Veillard
Fedora Extras Quality Assurance
Reported: 2010-02-21 14:06 EST by Peter Bieringer
Modified: 2011-04-06 15:31 EDT
Doc Type: Bug Fix
Clone Of:
: 586124
Last Closed: 2010-07-12 13:15:08 EDT
Description Peter Bieringer 2010-02-21 14:06:20 EST
Description of problem:
After creation of some isolated networks, libvirt does not set up IPv6-related ip6tables rules for bridge traffic.

Version-Release number of selected component (if applicable):
libvirt-0.7.1-15.fc12.i686

How reproducible:
Always

Steps to Reproduce:
1. Create an isolated network
2. try to communicate via IPv6 between nodes on this 
  
Actual results:
No IPv6 packets received by other host


Expected results:
Packets received on other host


Additional info:
Unlike for IPv6, libvirt totally ignores IPv6 firewall setup for bridges:

IPv4:

# iptables -vnL FORWARD
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  virbr1 virbr1  0.0.0.0/0            0.0.0.0/0           
    0     0 REJECT     all  --  *      virbr1  0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable 
    0     0 REJECT     all  --  virbr1 *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable 



# ip6tables -vnL FORWARD
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  291 23568 REJECT     all      *      *       ::/0                 ::/0                reject-with icmp6-adm-prohibited 


Just note that such ACCEPT rules are required for ip6tables, too; manual setup helps currently, but libvirt should set up such rules for IPv6 as well.
Comment 1 Peter Bieringer 2010-03-07 10:57:06 EST
Here is a small helper scriptlet, to be executed after the related networks and IPv4 firewall rules are created by libvirtd. It supports at least isolated bridges:

It copies the related rules from FORWARD chain of IPv4 to IPv6.

# Insert each matching IPv4 FORWARD rule for virbr* bridges into ip6tables at the same position
r=0; iptables-save -t filter | grep '^-A FORWARD' | grep -E '(-i virbr. -o virbr.|-i virbr. -j REJECT)' | sed 's/^-A FORWARD//' | sed 's/icmp/icmp6/' | while read -r line; do r=$((r + 1)); ip6tables -I FORWARD $r $line; done
Comment 2 Daniel Berrange 2010-07-12 13:15:08 EDT
This RFE isn't going to be resolved for Fedora 12. It is still being tracked in the upstream product though:

https://bugzilla.redhat.com/show_bug.cgi?id=514749
Comment 3 Laine Stump 2011-01-03 11:10:48 EST
This feature has been added as of libvirt 0.8.7 - see Bug 514749 for details.
Comment 4 Peter Bieringer 2011-04-05 15:50:37 EDT
(In reply to comment #3)
> This feature has been added as of libvirt 0.8.7 - see Bug 514749 for details.

I've now tested libvirt 0.8.8 with virt-manager 0.8.7.

At least from the GUI point of view there is no improvement; new networks still require IPv4 setup.

Also, from a firewalling point of view, no IPv6 forwarding rules are created by default after restart.

Can someone please point me to hints on how to enable this IPv6 support in libvirt now? I want to have the ip6tables/forwarding rules and would also be glad if the radvd mentioned in the changelog would be started somehow.
Comment 5 Laine Stump 2011-04-06 11:37:26 EDT
1) I've seen other reports that a build of 0.8.7 didn't properly do IPv6 (haven't investigated why, as 0.8.8 worked for them). Can you try updating to 0.8.8 or 0.9.0? The version in the fedora-virt-preview repo is currently 0.8.8-2, which should be plenty.

radvd should be run, and the ip6tables forwarding rules added; those are both basic parts of the feature.

Please try installing libvirt-0.8.8 and see if you now get IPv6 support (you will need to modify the XML config manually with virsh net-edit)


2) IPv6 support in the GUI is a feature of virt-manager, not libvirt. Seeing that there is currently no bug to track this, I just added Bug 694155 against upstream virt-manager.
Comment 6 Peter Bieringer 2011-04-06 14:53:49 EDT
(In reply to comment #5)
> 1) I have already installed 0.8.8

> radvd should be run, and the ip6tables forwarding rules added; those are both
> basic parts of the feature.
> 
> Please try installing libvirt-0.8.8 and see if you now get IPv6 support (you
> will need to modify the XML config manually with virsh net-edit)

Can you please send a reference about valid XML entries regarding IPv6? I did not find anything useful using Google...

> 2) IPv6 support in the GUI is a feature of virt-manager, not libvirt. Seeing
> that there is currently no bug to track this, I just added Bug 694155 against
> upstream virt-manager.

Great.
Comment 7 Laine Stump 2011-04-06 15:31:37 EDT
Ah, sorry. Although I documented the addition of IPv6 in the *text* of the XML page, I somehow missed adding an IPv6 address to one of the examples.

The description of the change is listed under the info for the "ip" element here:

  http://www.libvirt.org/formatnetwork.html#elementsAddress

and here's an example of an IPv6 address element:

  <ip family='ipv6' address='2001:8794:ca2:2::1' prefix='64'/>

Note that you can now have multiple IP elements in a network (mixture of IPv4 and IPv6), although only the first <dhcp> element from an IPv4 ip is used. Also, radvd is always run for all ipv6 addresses, but due to the way ipv6 autoconf works, you will only get autoconf-ed ipv6 addresses if the prefix is 64.
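
A check for the gap tracked in this bug, as an added example (not part of the bug report and not libvirt code): it compares saved IPv4 and IPv6 filter tables and lists the virbr* FORWARD rules that have no IPv6 counterpart. Function names are hypothetical, and the sample rulesets are constructed from the listings in the description.

```shell
#!/bin/sh
# Added example: report virbr* FORWARD rules that exist for IPv4 but not for IPv6.
# Function names and the sample rulesets are constructed for illustration.

# Reduce iptables-save style text (stdin) to sorted "in-iface out-iface target" keys.
forward_keys() {
    awk '$1 == "-A" && $2 == "FORWARD" {
        in_if = "*"; out_if = "*"; target = "-"
        for (i = 3; i < NF; i++) {
            if ($i == "-i") in_if = $(i + 1)
            if ($i == "-o") out_if = $(i + 1)
            if ($i == "-j") target = $(i + 1)
        }
        if (in_if ~ /^virbr/ || out_if ~ /^virbr/) print in_if, out_if, target
    }' | LC_ALL=C sort -u
}

# $1: saved IPv4 filter table, $2: saved IPv6 filter table. Prints keys missing from $2.
missing_v6_rules() {
    k4=$(mktemp); k6=$(mktemp)
    forward_keys < "$1" > "$k4"
    forward_keys < "$2" > "$k6"
    LC_ALL=C comm -23 "$k4" "$k6"
    rm -f "$k4" "$k6"
}

sample_v4() { cat <<'EOF'
*filter
:FORWARD ACCEPT [0:0]
-A FORWARD -i virbr1 -o virbr1 -j ACCEPT
-A FORWARD -o virbr1 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr1 -j REJECT --reject-with icmp-port-unreachable
COMMIT
EOF
}

sample_v6() { cat <<'EOF'
*filter
:FORWARD ACCEPT [0:0]
-A FORWARD -j REJECT --reject-with icmp6-adm-prohibited
COMMIT
EOF
}

demo() {
    d=$(mktemp -d)
    sample_v4 > "$d/v4"; sample_v6 > "$d/v6"
    missing_v6_rules "$d/v4" "$d/v6"   # all three virbr1 rules lack an IPv6 twin
    rm -rf "$d"
}
# Real use: iptables-save -t filter > v4; ip6tables-save -t filter > v6; missing_v6_rules v4 v6
demo
```

Empty output means every virbr* forwarding rule has an IPv6 equivalent; any line printed names a bridge rule that is enforced for IPv4 only.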
