From: Jacek Konieczny
Subject: Re: [PATCH 4/5] hotplug/linux: Add IPv6 support to the iptables logic
Date: Fri, 16 May 2014 21:47:41 +0200
Message-ID: <53766B5D.5050602@jajcus.net>
References: <1400081005-23895-1-git-send-email-s.munaut@whatever-company.com> <1400081005-23895-5-git-send-email-s.munaut@whatever-company.com> <53765563.1030604@jajcus.net>
To: Sylvain Munaut
Cc: xen-devel@lists.xenproject.org
List-Id: xen-devel@lists.xenproject.org

On 2014-05-16 21:33, Sylvain Munaut wrote:
>> I think it would be a good idea to allow autoconfigured IPv6 addresses.
>> These have the lower 64 bits of the address set to a value based on the
>> interface MAC address (EUI-64), which is known in the vif script.
>>
>> Unfortunately it is not easy to compute that suffix in a shell script.
>> In my setup I use a helper Python script, but I guess this might not be
>> the perfect solution for the standard scripts.
>
> The issue is how do you get the prefix?

The prefix doesn't really matter if the goal is to prevent spoofing other
hosts' addresses. And ip6tables allows matching the lower half of an IPv6
address: '-d ::1111:2222:3333:4444/::ffff:ffff:ffff:ffff'

This itself won't prevent spoofing the network part (and some policies in
the network may rely on the network part of addresses), but this hole can
be sealed with a single ip6tables rule added, with no need of Xen hotplug
scripts' cooperation.

I don't know if that is acceptable.

Greets,
	Jacek
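The two pieces the reply relies on, the EUI-64 interface identifier derived from a vif's MAC and an ip6tables match on only the lower 64 bits, are shown together below. This is an added illustration, not Jacek's helper script and not part of the Xen hotplug scripts: the rule shape (a FORWARD rule keyed on `--physdev-in`, dropping packets whose source does not carry the expected lower half) and the vif name and MAC are assumptions constructed for the example; only the `/::ffff:ffff:ffff:ffff` mask comes from the thread.

```python
"""Derive a guest's EUI-64 suffix from its MAC and build an ip6tables
anti-spoofing match on the lower 64 bits only (added example)."""
import ipaddress

# Mask quoted in the thread: match only the interface-identifier half.
LOWER64_MASK = ipaddress.IPv6Address("::ffff:ffff:ffff:ffff")


def mac_to_eui64_suffix(mac: str) -> ipaddress.IPv6Address:
    """Return the modified EUI-64 interface ID (RFC 4291 appendix A) as an
    IPv6 address with an all-zero upper half, e.g. ::216:3eff:fe12:3456."""
    octets = bytes(int(b, 16) for b in mac.replace("-", ":").split(":"))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    # Flip the universal/local bit (0x02 of the first octet), insert ff:fe
    # between the OUI and the NIC-specific part.
    iid = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:6]
    return ipaddress.IPv6Address(int.from_bytes(iid, "big"))


def lower64_matches(addr: str, suffix: ipaddress.IPv6Address) -> bool:
    """Emulate the ip6tables address/mask test: compare only the bits the
    mask selects, so any prefix (link-local fe80::/64, a routed /64) passes
    as long as the interface identifier is the expected one."""
    a = int(ipaddress.IPv6Address(addr)) & int(LOWER64_MASK)
    return a == (int(suffix) & int(LOWER64_MASK))


def ip6tables_antispoof_rule(vif: str, mac: str) -> list[str]:
    """Build (do not run) a rule dropping forwarded packets from `vif`
    whose source lower 64 bits are not the guest's EUI-64 identifier.
    Hypothetical rule shape; the mask syntax is the one quoted in the thread."""
    suffix = mac_to_eui64_suffix(mac)
    return [
        "ip6tables", "-A", "FORWARD",
        "-m", "physdev", "--physdev-in", vif,
        "!", "-s", f"{suffix}/{LOWER64_MASK}",
        "-j", "DROP",
    ]


if __name__ == "__main__":
    # Constructed sample: a Xen-style MAC (00:16:3e OUI) on vif1.0.
    mac, vif = "00:16:3e:12:34:56", "vif1.0"
    suffix = mac_to_eui64_suffix(mac)
    print("EUI-64 suffix:", suffix)
    for candidate in ("fe80::216:3eff:fe12:3456",
                      "2001:db8:1::216:3eff:fe12:3456",
                      "2001:db8:1::1"):
        print(f"{candidate:32} allowed={lower64_matches(candidate, suffix)}")
    print(" ".join(ip6tables_antispoof_rule(vif, mac)))
```

The check only holds for addresses the guest autoconfigures from its MAC with the EUI-64 scheme; a guest using RFC 4941 privacy extensions, stable-privacy (RFC 7217) identifiers, DHCPv6 or static addresses gets a different lower half and would be dropped by this rule, which is the trade-off to weigh before relying on it.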