
Re: [Xen-devel] [PATCH 4/5] hotplug/linux: Add IPv6 support to the iptables logic



On Wed, 2014-05-14 at 17:23 +0200, Sylvain Munaut wrote:
> This adds the same functions for ip6tables as the one for iptables.
> The 'ip' variable can now contain ipv6s for the domain and add
> appropriate rules
> 
>  - If the 'ip' var is empty then both full IPv4 and IPv6 are allowed.
>  - If only IPv4 ips are present, then IPv6 will be completely disallowed.
>  - If only IPv6 ips are present, then IPv4 will be completely disallowed.
>  - You can use ::0/0 or 0.0.0.0/0 to allow v6 or v4 globally but filter
>    the other one.

Sounds sensible. Can you give examples of the rulesets created in each
case?

> This gracefully handles if the dom0 doesn't have IPv6. If
> the call to ip6tables doesn't succeed, it just ignores any
> IPv6 stuff.
> 
> By default, domains aren't allowed to send Router Advertisement
> or DHCP responses, see the ipv6_allow_ra to enable them.

How does one go about setting this?

> +##
> +# Check if the given IP is IPv6 or not
> +#
> +is_ipv6()
> +{
> +        echo "$1" | perl -wane '/:/ && print "yes"'
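Review bot: classifying by the presence of a ':' anywhere in the entry means any malformed item containing a colon (an address with a port suffix, for instance) is routed to ip6tables rather than rejected; the entry shape should be validated, not only the family distinguished. Also, the helper only prints "yes" and always exits 0, so its answer exists only as captured stdout; a plain `case "$1" in *:*)` test gives the same answer as an exit status with no subprocess at all.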

Annoyingly I don't think we currently require Perl in the runtime
environment (it is used at build time). Luckily I think you can
implement this as
        case $addr in
                *:*) ipv6_addrs="$addr $ipv6_addrs";;
                *) ipv4_addrs="$addr $ipv4_addrs";;
        esac

(probably inline in the handle_iptable function, no need for this helper
in that case)

> @@ -182,25 +252,41 @@ handle_iptable()
>      return
>    fi
>  
> +  # User has a working IPv4 iptables, but maybe no IPv6 support ...
> +  local do_ipv6="yes"
> +
> +  if ! ip6tables -L -n >&/dev/null
> +  then
> +    do_ipv6="no"
> +  fi
> +
>    # Scan through the addresses
>    local ipv4_addrs
> +  local ipv6_addrs
>  
>    if [ "$ip" != "" ]
>    then
>      local addr
>      for addr in $ip
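Review bot: `>&/dev/null` on the `ip6tables -L -n` probe is a bash-only redirection; under a POSIX sh such as dash it is a syntax error, so unless the hotplug scripts are guaranteed to run under bash, write `>/dev/null 2>&1`. Note also that any failure of the probe, not only absent IPv6 support, silently sets `do_ipv6="no"`; the reason should at least be logged so that a guest left without IPv6 filtering can be traced back to this branch.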

I see now why you had a loop in the previous patch.

>      do
> +      result=$(is_ipv6 "$addr")
> +      if [ -z "$result" ] ; then
>          ipv4_addrs="$addr $ipv4_addrs"
> +      else
> +        ipv6_addrs="$addr $ipv6_addrs"
> +      fi
>      done
>    else
>      # No IP addresses have been specified, so allow anything.
>      ipv4_addrs="any"
> +    ipv6_addrs="any"
>    fi
>  
>    # Actually add the rules
>    claim_lock "iptables"
>  
>    [ "$ipv4_addrs" != "" ] && frob_iptable "$ipv4_addrs"
> +  [ "$ipv6_addrs" != "" -a "$do_ipv6" = "yes" ] && frob_ip6table 
> "$ipv6_addrs"
>  
>    release_lock "iptables"
>  }
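Review bot: the `[ "$ipv6_addrs" != "" -a "$do_ipv6" = "yes" ]` guard fails open: when IPv6 addresses were listed in `$ip` but `do_ipv6` is "no", `frob_ip6table` is simply skipped and nothing is logged, so the guest's IPv6 traffic is left unfiltered while the configuration says otherwise. Log the condition, or fail the hotplug, in that branch instead of dropping the request silently. Two smaller points: `result` is assigned without `local` and leaks into the caller's scope, and `-a` inside `[ ]` is obsolescent in POSIX; `[ -n "$ipv6_addrs" ] && [ "$do_ipv6" = "yes" ]` is clearer. Finally, the "only IPv4 given means IPv6 completely disallowed" behaviour from the commit message does not come from this hunk, which adds no ip6tables rule at all in that case; if it relies on the chain's existing default policy, the commit message should say so.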



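As an added example (not the Xen hotplug script and not this patch's code), the POSIX shell below does the IPv4/IPv6 split with the `case` pattern suggested above instead of perl, and prints, rather than runs, the rules it would add, so the ruleset for each of the four cases in the commit message can be inspected. It also returns a distinct status when IPv6 addresses were listed but ip6tables is unusable, the case the quoted patch skips silently. The rule shape, the `vif1.0` interface name, the sample addresses and all function names are assumptions; the real `frob_iptable`/`frob_ip6table` bodies are not shown in the quoted patch.

```shell
#!/bin/sh
# Added example, not the Xen hotplug script or this patch. It mirrors the
# address split in handle_iptable with a POSIX 'case' pattern instead of
# perl, and prints (rather than runs) the rules it would add, so the
# ruleset for each case in the commit message can be inspected. The rule
# shape and the VIF name are assumptions: the real frob_iptable and
# frob_ip6table bodies are not shown in the quoted patch.

VIF="${VIF:-vif1.0}"   # assumed interface name used in the printed rules

# Split a space-separated address list into ipv4_addrs / ipv6_addrs.
# An empty list means "any" for both families, as in the patch.
classify_addrs() {
    ipv4_addrs=""
    ipv6_addrs=""
    if [ -z "$1" ]; then
        ipv4_addrs="any"
        ipv6_addrs="any"
        return 0
    fi
    for addr in $1; do
        case $addr in
            *:*) ipv6_addrs="${ipv6_addrs:+$ipv6_addrs }$addr" ;;
            *)   ipv4_addrs="${ipv4_addrs:+$ipv4_addrs }$addr" ;;
        esac
    done
}

# What one family ends up with: "allow-all", "filter", or "no-rules"
# (nothing is added, so the chain's existing default policy decides).
family_outcome() {
    case "$1" in
        any) echo "allow-all" ;;
        "")  echo "no-rules" ;;
        *)   echo "filter" ;;
    esac
}

# Print the rule lines one family would get ($1 = tool, $2 = address list).
emit_rules() {
    if [ "$2" = "any" ]; then
        echo "$1 -A FORWARD -m physdev --physdev-in $VIF -j ACCEPT"
        return 0
    fi
    for a in $2; do
        echo "$1 -A FORWARD -m physdev --physdev-in $VIF -s $a -j ACCEPT"
    done
}

# plan_rules "<ip list>" "<ip6tables usable: yes|no>"
# Returns 2 when IPv6 addresses were listed but ip6tables is unusable, the
# case the quoted patch skips silently, so a caller can log or fail on it.
plan_rules() {
    classify_addrs "$1"
    echo "IPv4: $(family_outcome "$ipv4_addrs")"
    if [ -n "$ipv4_addrs" ]; then
        emit_rules iptables "$ipv4_addrs"
    fi
    if [ "$2" != "yes" ] && [ -n "$ipv6_addrs" ]; then
        echo "IPv6: addresses listed but ip6tables unusable; no IPv6 filtering applied" >&2
        return 2
    fi
    echo "IPv6: $(family_outcome "$ipv6_addrs")"
    if [ -n "$ipv6_addrs" ]; then
        emit_rules ip6tables "$ipv6_addrs"
    fi
    return 0
}

# Portable probe (no bash-only '>&'): does ip6tables work on this host?
probe_ip6tables() {
    if command -v ip6tables >/dev/null 2>&1 && ip6tables -L -n >/dev/null 2>&1; then
        echo yes
    else
        echo no
    fi
}

# Walk the four cases from the commit message (the addresses are
# constructed documentation examples).
have6=$(probe_ip6tables)
for ip in "" "10.0.0.2" "2001:db8::2" "::0/0 10.0.0.2"; do
    echo "== ip='$ip' (ip6tables usable: $have6) =="
    plan_rules "$ip" "$have6" || echo "   (plan_rules exit status $?)"
done
```

Running it on a host without ip6tables shows the point of the non-zero status: the IPv6-only and mixed cases are reported instead of quietly producing an IPv4-only ruleset, which is the behaviour a hotplug script should surface to the administrator.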
_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel