Hello @ all

With the rebuilding of my Server from Debian 9 to Debian 10, I also switched from VirtualBox to Libvirt/KVM. Due to new requirements for the VMs, I now have an actual problem, which unfortunately I cannot solve. The problem has already been discussed in the German Debian-Forum ... unfortunately also without success.

The facts:
- ISP = Dual Stack with daily separation
- Host and VM = Debian 10
- The VMs are via macvtap-device regular LAN-Clients
- IPv4 = DHCP and NAT by DSL-Router
- IPv6 = GUA via RA and SLAAC (2003::/3)
- IPv4 works fine in the VM
- IPv6 (NDP, RA, SLAAC) works basically also fine in the VM

The existing problem in the VM:
- MAC-Based GUA (2000::/3) is ok, both inbound and outbound
- Outbound traffic via the second GUA (PE-Based) is apparently filtered, but not via packet filtering; I don't know where. There are no error messages. On the part of the kernel in the VM and the IPv6 stack, everything looks completely ok, no error messages, except that outbound traffic from the PE address is quietly blocked. The MAC-based IPv6 works unchanged and without error as before.

My questions:
1. Is there a special setting for the VM to allow the unlimited use of Privacy Extensions for IPv6?
2. Or is that possibly even a known and at the moment unsolved problem?
3. Or is this an intended limitation of virtualization?

Can anyone help me with a solution or a hint? Thank you.

BR, Tom
Daniel P. Berrangé
2019-Sep-23 10:09 UTC
Re: [libvirt-users] Privacy Extension not working in VM
On Sat, Sep 21, 2019 at 11:28:56AM +0200, Thomas Luening wrote:
> Hello @ all
>
> With the rebuilding of my Server from Debian 9 to Debian 10, I also switched
> from VirtualBox to Libvirt/KVM. Due to new requirements for the VMs, I now
> have an actual problem, which unfortunately I cannot solve. The problem has
> already been discussed in the German Debian-Forum ... unfortunately also
> without success.
>
> The facts:
> - ISP = Dual Stack with daily separation
> - Host and VM = Debian 10
> - The VMs are via macvtap-device regular LAN-Clients
> - IPv4 = DHCP and NAT by DSL-Router
> - IPv6 = GUA via RA and SLAAC (2003::/3)
> - IPv4 works fine in the VM
> - IPv6 (NDP, RA, SLAAC) works basically also fine in the VM
>
> The existing problem in the VM:
> - MAC-Based GUA (2000::/3) is ok, both inbound and outbound
>
> - Outbound traffic via the second GUA (PE-Based) is apparently filtered,
> but not via packet filtering; I don't know where. There are no error
> messages. On the part of the kernel in the VM and the IPv6 stack,
> everything looks completely ok, no error messages, except that
> outbound traffic from the PE address is quietly blocked. The MAC-based
> IPv6 works unchanged and without error as before.
>
> My questions:
> 1. Is there a special setting for the VM to allow the unlimited use of
> Privacy Extensions for IPv6?
> 2. Or is that possibly even a known and at the moment unsolved problem?
> 3. Or is this an intended limitation of virtualization?
>
> Can anyone help me with a solution or a hint? Thank you.

You mention you used 'macvtap' but not which mode of macvtap? Nonetheless, if you're using it in bridge mode or passthrough mode, there should be no filtering of guest traffic in general, since the guest traffic is forwarded at the ethernet layer, not the IP layer.

The exception would be if you have the br-netfilter extension loaded, which causes guest traffic to be processed by the host firewall.

Regards,
Daniel

-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|
Thomas Luening
2019-Sep-23 16:21 UTC
Re: [libvirt-users] Privacy Extension not working in VM
Hi Daniel, thanks for your response.

> You mention you used 'macvtap' but not which mode of macvtap? Nonetheless,
> if you're using it in bridge mode or passthrough mode, there should
> be no filtering of guest traffic in general, since the guest traffic is
> forwarded at the ethernet layer, not the IP layer.
>
> The exception would be if you have the br-netfilter extension loaded, which
> causes guest traffic to be processed by the host firewall.

The macvtap device is started in bridge mode via a systemd service unit before the VM is started, see below. The kernel module br-netfilter for packet filtering is not loaded. But the PE-based IPv6 is still blocked. The MAC-based IPv6 works fine.

BR, Tom

# cat /etc/systemd/system/kvm-network-lan.service
[Unit]
Description=kvm-local-network.service Setup a macvtap-Bridge for Client-Integration in LAN
After=network.target
Wants=network.target

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStartPre=/usr/sbin/ip link add link enp2s0 macvtap0 address d0:50:99:0a:0a:0a type macvtap mode bridge
ExecStartPre=/usr/sbin/ip link set macvtap0 up
ExecStart=/usr/sbin/ip link show macvtap0
ExecStop=/usr/sbin/ip link set macvtap0 down
ExecStopPost=/usr/sbin/ip link del macvtap0

[Install]
WantedBy=multi-user.target

# cat /etc/libvirt/qemu/vm1.xml | grep "<interface" -A 5
<interface type='direct'>
  <mac address='d0:50:99:0b:0b:0b'/>
  <source dev='macvtap0' mode='bridge'/>
  <model type='virtio'/>
  <address type='pci' domain='0x0000' bus='0x01' slot='0x00' function='0x0'/>
</interface>
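An added diagnostic, not from the thread: a POSIX shell script that, given "ip -6 addr show" output from the guest, tells the MAC-derived (EUI-64) global address apart from the temporary (privacy-extension) one by deriving the EUI-64 identifier from the guest's MAC, so you can confirm which of the two addresses the guest is actually sending from. The sample output is constructed; it uses the MAC d0:50:99:0b:0b:0b from the libvirt XML above and the documentation prefix 2001:db8::/32, not the poster's real prefix.

```shell
#!/bin/sh
# Tell a guest's MAC-derived (EUI-64) global IPv6 address apart from its
# temporary (privacy-extension) one in "ip -6 addr show" output.

# Constructed sample of "ip -6 addr show dev enp1s0" inside the guest.
# The MAC d0:50:99:0b:0b:0b is the one from the libvirt XML; the prefix
# 2001:db8::/32 is a documentation prefix, not the poster's real one.
SAMPLE='2: enp1s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2001:db8:1:2:1c5b:7f3e:9a21:4d88/64 scope global temporary dynamic
       valid_lft 86283sec preferred_lft 14283sec
    inet6 2001:db8:1:2:d250:99ff:fe0b:b0b/64 scope global dynamic mngtmpaddr
       valid_lft 86283sec preferred_lft 14283sec
    inet6 fe80::d250:99ff:fe0b:b0b/64 scope link
       valid_lft forever preferred_lft forever'

# Derive the modified EUI-64 interface identifier from a MAC address:
# flip the universal/local bit (0x02) of the first octet and insert ff:fe
# between the OUI and the NIC part. Hextets are printed without leading
# zeros, the way "ip" prints them.
eui64_from_mac() {
    m=$(printf '%s' "$1" | tr -d ':')
    o1=$(( 0x$(printf '%s' "$m" | cut -c1-2) ^ 2 ))
    h1=$(printf '%x' $(( o1 * 256 + 0x$(printf '%s' "$m" | cut -c3-4) )))
    h2=$(printf '%x' $(( 0x$(printf '%s' "$m" | cut -c5-6)ff )))
    h3=$(printf '%x' $(( 0xfe$(printf '%s' "$m" | cut -c7-8) )))
    h4=$(printf '%x' $(( 0x$(printf '%s' "$m" | cut -c9-12) )))
    printf '%s:%s:%s:%s' "$h1" "$h2" "$h3" "$h4"
}

# Print "<address> <kind>" for every global address in the ip output ($1):
# kind is eui64 if the identifier matches the MAC ($2), temporary if the
# kernel flags it as a privacy-extension address, else other.
list_global_addrs() {
    iid=$(eui64_from_mac "$2")
    printf '%s\n' "$1" | while read -r kw addr sk sc flags; do
        [ "$kw" = inet6 ] && [ "$sc" = global ] || continue
        a=${addr%/*}
        case " $flags " in
            *" temporary "*) kind=temporary ;;
            *) case "$a" in
                   *":$iid") kind=eui64 ;;
                   *)        kind=other ;;
               esac ;;
        esac
        printf '%s %s\n' "$a" "$kind"
    done
}

list_global_addrs "$SAMPLE" d0:50:99:0b:0b:0b
```

Whether the guest prefers the temporary address as source is controlled by net.ipv6.conf.<if>.use_tempaddr in the guest (2 = generate and prefer temporary addresses, 1 = generate but prefer the stable one, 0 = off); run the script against real "ip -6 addr show" output to see which address outbound traffic would use.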