From mboxrd@z Thu Jan 1 00:00:00 1970
From: Jacek Konieczny
Subject: Re: [PATCH 4/5] hotplug/linux: Add IPv6 support to the iptables logic
Date: Fri, 16 May 2014 20:13:55 +0200
Message-ID: <53765563.1030604@jajcus.net>
References: <1400081005-23895-1-git-send-email-s.munaut@whatever-company.com> <1400081005-23895-5-git-send-email-s.munaut@whatever-company.com>
In-Reply-To: <1400081005-23895-5-git-send-email-s.munaut@whatever-company.com>
To: Sylvain Munaut, xen-devel@lists.xenproject.org
List-Id: xen-devel@lists.xenproject.org

On 2014-05-14 17:23, Sylvain Munaut wrote:
> This adds the same functions for ip6tables as the one for iptables.
> The 'ip' variable can now contain ipv6s for the domain and add
> appropriate rules
>
> - If the 'ip' var is empty then both full IPv4 and IPv6 are allowed.
> - If only IPv4 ips are present, then IPv6 will be completely disallowed.
> - If only IPv6 ips are present, then IPv4 will be completely disallowed.
> - You can use ::0/0 or 0.0.0.0/0 to allow v6 or v4 globally but filter
> the other one.
>
> This gracefully handles if the dom0 doesn't have IPv6. If
> the call to ip6tables doesn't succeed, it just ignores any
> IPv6 stuff.

I think it would be a good idea to allow autoconfigured IPv6 addresses. These have the lower 64 bits of the address set to a value based on the interface MAC address (EUI-64), which is known in the vif script. Unfortunately it is not easy to compute that suffix in a shell script.
In my setup I use a helper Python script, but I guess this might not be the perfect solution for the standard scripts.

> + # Always allow ICMP messages from link-local addresses (for ND)
> + ip6tables "$c" FORWARD -m physdev --physdev-is-bridged --physdev-in "$dev" \
> + -s fe80::/64 -j ACCEPT 2>/dev/null &&

I wonder if checking these addresses against the MAC address may be desirable, especially when bridging. This would be assured by the same rule as the other auto-configured addresses.

Greets,
Jacek
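Review bot: the comment in the quoted hunk says "ICMP messages", but the rule carries no protocol match, so it accepts every packet whose source lies in fe80::/64, not only the ICMPv6 that neighbour discovery needs. Adding `-p ipv6-icmp` between the physdev match and `-s fe80::/64` makes the rule do what the comment describes. Note also that `2>/dev/null &&` silences ip6tables entirely: that is the documented intent when dom0 has no IPv6, but it equally hides a genuine failure to insert the rule on a host that does.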
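The EUI-64 suffix Jacek describes, computed in plain POSIX sh, as an added example that is neither part of the patch nor Jacek's helper script. It goes a step beyond the message by building the full SLAAC address for any /64 prefix written with a trailing "::" and printing the per-guest FORWARD rule; vif1.0, fe80:: and 00:16:3e:12:34:56 are constructed sample values, and the rule is printed, never applied.

```sh
#!/bin/sh
# EUI-64 interface identifier from a 48-bit MAC (RFC 4291, Appendix A):
# split the MAC in half, insert ff:fe in the middle and flip the
# universal/local bit (0x02 of the first octet). Pure POSIX sh, so it
# can live in a hotplug script without a Python helper.
eui64_from_mac() {
    old_ifs=$IFS
    IFS=:
    set -- $1                     # split "aa:bb:cc:dd:ee:ff" into six octets
    IFS=$old_ifs
    [ $# -eq 6 ] || return 1
    for octet in "$@"; do         # reject anything that is not two hex digits
        case $octet in
            [0-9a-fA-F][0-9a-fA-F]) ;;
            *) return 1 ;;
        esac
    done
    o1=$(( 0x$1 ^ 0x02 ))         # flip the U/L bit
    # Four 16-bit groups; %x drops leading zeros, as RFC 5952 requires.
    printf '%x:%x:%x:%x\n' \
        $(( o1 * 256 + 0x$2 )) \
        $(( 0x$3 * 256 + 0xff )) \
        $(( 0xfe * 256 + 0x$4 )) \
        $(( 0x$5 * 256 + 0x$6 ))
}

# SLAAC address for a /64 prefix written with a trailing "::"
# ("fe80::" for link-local, or a routed prefix such as "2001:db8:1::").
slaac_addr() {
    suffix=$(eui64_from_mac "$2") || return 1
    printf '%s%s\n' "$1" "$suffix"
}

# Print (do not apply) the FORWARD rule that would accept the guest's
# autoconfigured address only, instead of all of fe80::/64.
# Arguments: vif device, prefix, MAC (constructed sample values below).
slaac_rule() {
    addr=$(slaac_addr "$2" "$3") || return 1
    printf 'ip6tables -A FORWARD -m physdev --physdev-is-bridged --physdev-in %s -s %s/128 -j ACCEPT\n' "$1" "$addr"
}

# Constructed sample: Xen-style MAC on vif1.0, link-local prefix.
slaac_rule vif1.0 fe80:: 00:16:3e:12:34:56
```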