On Thu, May 07, 2015 at 01:06:32PM +0200, Lukáš Nykrýn wrote:
> Dan Kenigsberg wrote on Thu 07. 05. 2015 at 11:46 +0100:
> > On Wed, May 06, 2015 at 01:53:35PM +0100, Dan Kenigsberg wrote:
> > > On Wed, May 06, 2015 at 01:28:30PM +0200, Rik Theys wrote:
> > > > Hi,
> > > >
> > > > I'm looking for a way to selectively disable IPv6 on the bridge interfaces
> > > > on the oVirt hosts.
> > > >
> > > > When oVirt creates the bridges for all logical networks on the host, it
> > > > keeps the default settings for IPv6 which means all bridges get a link-local
> > > > address and accept router advertisements.
> > > >
> > > > When a VM is created on the logical network, it can now reach the host over
> > > > IPv6 (but not over IPv4 if no IP address has been assigned on the host). If
> > > > it sends out a router advertisement it can even create a global IPv6 address
> > > > (haven't tested this).
> > > >
> > > > How can I prevent this?
> > > >
> > > > I would like to prevent the guest from IPv6 access to the host but the guest
> > > > itself still needs IPv6 access (global IPv6 addresses).
> > > >
> > > > Is it sufficient to create a sysctl config file that says:
> > > >
> > > > net.ipv6.conf.default.disable_ipv6 = 1
> > >
> > > Yes, I believe that this would do the trick. For any newly-created
> > > device on the system, regardless of ovirt bridges.
> > >
> > > I now see that el7 has changed the default for IPV6INIT to "yes". We
> > > should be more prudent and set IPV6INIT=no on all our devices.
> >
> > Lukáš, it seems that setting IPV6INIT=no is not enough:
> >
> >     IPV6INIT=yes|no
> >       Enable or disable IPv6 static, DHCP, or autoconf configuration for
> >       this interface
> >       Default: yes
> >
> > The bridge still gets a link-local ipv6 address anyway. Is there an initscript
> > means to disable this completely, or should we resort to
> > /proc/sys/net/ipv6/conf/<bridge-name>/disable_ipv6 ?
> >
> > Dan.
>
> You should disable this in kernel. IPV6INIT=no basically means that
> network-scripts will not touch it. But kernel will set up the link-local
> address.

Thanks.

On Thu, May 07, 2015 at 01:09:15PM +0200, Rik Theys wrote:
>
> I think you also have to disable this on the physical interface that's part
> of the bridge to fully disable this?

Yes, we should disable ipv6 for all devices that have Layer-2 accessibility
from the VMs.

Dan.
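
The thread ends on disabling IPv6 on the bridge and on every device attached to it. The following is an added example, not part of the thread or of oVirt, that audits that state on a host by reading the kernel's bridge layout from sysfs and each device's `disable_ipv6` flag. The function names, the overridable path arguments and the sample tree (`ovirtmgmt`, `eth0`, `vnet0`) are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): list every bridge, and every port
# attached to it, whose disable_ipv6 flag is still 0.
# Output: one "<bridge> <device>" line per device with IPv6 still enabled.

ipv6_enabled_l2_devices() {
    sysfs_net=${1:-/sys/class/net}            # override only for testing
    proc_conf=${2:-/proc/sys/net/ipv6/conf}   # override only for testing
    for br in "$sysfs_net"/*; do
        [ -d "$br/bridge" ] || continue       # only bridges have a bridge/ dir
        for dev in "$br" "$br"/brif/*; do     # the bridge itself, then its ports
            [ -e "$dev" ] || continue         # unmatched glob, nothing attached
            name=${dev##*/}
            flag="$proc_conf/$name/disable_ipv6"
            [ -r "$flag" ] || continue        # no flag file: no IPv6 settings exposed
            if [ "$(cat "$flag")" = "0" ]; then
                printf '%s %s\n' "${br##*/}" "$name"
            fi
        done
    done
    return 0
}

# Constructed sample tree, not real host data: bridge "ovirtmgmt" with a
# physical port eth0 and a VM tap vnet0; only the bridge has IPv6 disabled.
make_sample_tree() {
    root=$1
    mkdir -p "$root/sys/ovirtmgmt/bridge" "$root/sys/ovirtmgmt/brif/eth0" \
             "$root/sys/ovirtmgmt/brif/vnet0" "$root/sys/lo"
    for d in ovirtmgmt:1 eth0:0 vnet0:0 lo:0; do
        mkdir -p "$root/proc/${d%%:*}"
        echo "${d##*:}" > "$root/proc/${d%%:*}/disable_ipv6"
    done
}
```

On a host, calling `ipv6_enabled_l2_devices` with no arguments reads the live kernel paths; an empty result means no bridge or bridge port still has IPv6 enabled.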

