Description of problem: After creation of some solated networks, libvirt does not setup IPv6 related ip6tables rules for bridge traffic. Version-Release number of selected component (if applicable): libvirt-0.7.1-15.fc12.i686 How reproducible: Always Steps to Reproduce: 1. Create an isolated network 2. try to communicate via IPv6 between nodes on this Actual results No IPv6 packets received by other host Expected results: Packets receiving on other host Additional info: Unlike for IPv6, libvirt totally ignores IPv6 firewall setup for bridges: IPv4: # iptables -vnL FORWARD Chain FORWARD (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination 0 0 ACCEPT all -- virbr1 virbr1 0.0.0.0/0 0.0.0.0/0 0 0 REJECT all -- * virbr1 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable 0 0 REJECT all -- virbr1 * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable # ip6tables -vnL FORWARD Chain FORWARD (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination 291 23568 REJECT all * * ::/0 ::/0 reject-with icmp6-adm-prohibited Just note that such ACCEPT rules are required for ip6tables, too, manual setup helps currently, but libvirt should setup such rules also for IPv6.
Here a small helper scriptlet, to be executed after related networks and IPv4 firewall rules are created by libvirtd. It supports at least isolated bridges: It copies the related rules from FORWARD chain of IPv4 to IPv6. r=0; iptables-save -t filter | grep '^-A FORWARD' | egrep '(-i virbr. -o virbr.|-i virbr. -j REJECT)' | sed 's/^-A FORWARD//' | sed 's/icmp/icmp6/' | while read line; do r=$[ $r + 1 ]; ip6tables -I FORWARD $r $line; done
This RFE isn't going to be resolved for Fedora 12. It is still being tracked in the upstream product though: https://bugzilla.redhat.com/show_bug.cgi?id=514749
This feature has been added as of libvirt 0.8.7 - see Bug 514749 for details.
(In reply to comment #3) > This feature has been added as of libvirt 0.8.7 - see Bug 514749 for details. I've tested now libvirt 0.8.8 with virt-manager 0.8.7. At least from GUI point of view there is no improvement, new networks are still requiring IPv4 setup. Also from firewalling point of view, no IPv6 forwarding rules are created by default after restart. Can one point me please to hints how to enable this IPv6 support in libvirt now? I want to have the ip6tables/forwarding rules and would be also glad, if the in the changelog mentioned radvd would be started somehow.
1) I've seen other reports that a build of 0.8.7 didn't properly do IPv6 (haven't investigated why, as 0.8.8 worked for them). Can you try updating to 0.8.8 or 0.9.0. The version in the fedora-virt-preview repo is currently 0.8.8-2, which should be plenty. radvd should be run, and the ip6tables forwarding rules added; those are both basic parts of the feature. Please try installing libvirt-0.8.8 and see if you now get IPv6 support (you will need to modify the XML config manually with virsh net-edit) 2) IPv6 support in the GUI is a feature of virt-manager, not libvirt. Seeing that there is currently no bug to track this, I just added Bug 694155 against upstream virt-manager.
(In reply to comment #5) > 1) I have already installed 0.8.8 > radvd should be run, and the ip6tables forwarding rules added; those are both > basic parts of the feature. > > Please try installing libvirt-0.8.8 and see if you now get IPv6 support (you > will need to modify the XML config manually with virsh net-edit) Can you please send a reference about valid XML entries regarding IPv6? I did not find anything useful using Google... > 2) IPv6 support in the GUI is a feature of virt-manager, not libvirt. Seeing > that there is currently no bug to track this, I just added Bug 694155 against > upstream virt-manager. Great.
Ah, sorry. Although I documented the addition of IPv6 in the *text* of the XML page, I somehow missed adding an IPv6 address to one of the examples. The description of the change is listed under the info for the "ip" element here: http://www.libvirt.org/formatnetwork.html#elementsAddress and here's an example of an IPv6 address element: <ip family='ipv6' address='2001:8794:ca2:2::1' prefix='64'> Note that you can now have multiple IP elements in a network (mixture of IPv4 and IPv6), although only the first <dhcp> element from an IPv4 ip is used. Also, radvd is always run for all ipv6 addresses, but due to the way ipv6 autoconf works, you will only get autoconf-ed ipv6 addresses if the prefix is 64.