29/11/12 17:06, intrigeri wrote:
> Hi,
>
> ticket: todo/really_block_ipv6
> branch: bugfix/disable-IPv6
> candidate for 0.16
> merged into experimental, design doc updated, no user doc needed.
>
> Two questions mainly aimed at anonym, but others' reviews are of
> course welcome too:
>
> 1. What was the purpose of `net.ipv6.conf.lo.disable_ipv6 = 1`
> suggested on the ticket? It looks useless once you have the
> "default" and "all" settings on.
No intention. Just ignore it.
> 2. May you please try to reproduce the IPv6 link-local multicast leak
> in your test environment?
I can still find ICMPv6 packets with the guest's IPv6 address as the
source. But now I think they're "spoofed" by libvirt/KVM, or something.
If I check the pcap file in Wireshark, it lists the following info for
the packets:

    Router Advertisement from <random MAC address>

Apparently that <random MAC address> is that of the virtual bridge that
libvirt is instructed to set up. Weird.
I merged this branch anyway since it still makes sense. Defense in depth.
> I could reproduce it neither with nor without the bugfix branch.
Assuming you too use libvirt, what is your network setup and sniffer setup?
Cheers!