[pve-devel] tap && veth interfaces on host have ipv6 allocated

Wolfgang Bumiller w.bumiller at proxmox.com
Wed Sep 28 09:09:16 CEST 2016


On Wed, Sep 28, 2016 at 08:38:38AM +0200, Wolfgang Bumiller wrote:
> On Tue, Sep 27, 2016 at 03:11:50PM +0200, Wolfgang Bumiller wrote:
> > On Tue, Sep 27, 2016 at 02:54:47PM +0200, Alexandre DERUMIER wrote:
> > > Hi,
> > > 
> > > We have just noticed during the training
> > > that tap && veth interfaces on host have ipv6 addresses allocated.
> > 
> > See http://pve.proxmox.com/pve-docs/chapter-pve-firewall.html#_avoiding_link_local_addresses_on_tap_and_veth_devices
> 
> I've been wondering whether there are any good uses for them. (I used
> them a couple of times for testing when working on ipv6 initially but
> have since had them disabled.)
> So it's probably better to just remove them upon creation in
> veth_create() and tap_create() (should be the only places where this
> needs to happen).
> 
> They don't really *conflict* since the veth and tap devices don't use
> the same MAC addresses on the host as they have in the guest. But if the
> admin doesn't realize that VMs are essentially connected to the host via
> link-local addresses this way it's easily possible to forget some
> firewall rules. However, note that the bridge, too, has a link local
> address they can connect to, which is just as easy to forget if you're
> not used to it (and that one's needed for neighbor discovery).

Actually I had to remove them from the bridges for direct connections,
because when a bridge is involved it doesn't work this way anyway, so
they're pretty pointless. I'll prepare patches.
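
An audit sketch for the situation discussed in this thread, added here as an example (it is not part of the original message and not Proxmox code): it lists every IPv6 link-local address on the host and marks those on guest-facing tap/veth ports, so firewall rules can be checked against them. The interface names (tap100i0, veth101i0, vmbr0) and addresses in the sample are constructed.

```shell
#!/bin/sh
# Added audit example (not Proxmox code): list IPv6 link-local addresses on
# the host and mark the ones sitting on guest-facing tap/veth ports.

# Constructed sample of `ip -o -6 addr show` output; interface names and
# addresses are made up for illustration.
sample_output() {
cat <<'EOF'
1: lo    inet6 ::1/128 scope host \       valid_lft forever preferred_lft forever
2: eth0    inet6 2001:db8::10/64 scope global \       valid_lft forever preferred_lft forever
2: eth0    inet6 fe80::5054:ff:fe00:10/64 scope link \       valid_lft forever preferred_lft forever
3: vmbr0    inet6 fe80::5054:ff:fe00:10/64 scope link \       valid_lft forever preferred_lft forever
5: tap100i0    inet6 fe80::fc16:3eff:fe00:1/64 scope link \       valid_lft forever preferred_lft forever
7: veth101i0@if6    inet6 fe80::fc16:3eff:fe00:2/64 scope link \       valid_lft forever preferred_lft forever
EOF
}

# Reads `ip -o -6 addr show` lines on stdin.
# Prints "<class> <interface> <address>" for every fe80::/10 address, where
# class is "guest-port" for tap*/veth* devices and "other" for the rest
# (bridges, physical NICs).
linklocal_ifaces() {
    awk '
        $3 == "inet6" && tolower($4) ~ /^fe[89ab][0-9a-f]:/ {
            name = $2
            sub(/@.*/, "", name)          # veth peers may show as name@ifN
            class = (name ~ /^(tap|veth)/) ? "guest-port" : "other"
            print class, name, $4
        }'
}

# Demo on the constructed sample. On a live host use:
#   ip -o -6 addr show | linklocal_ifaces
sample_output | linklocal_ifaces
```

Lines marked "other" include the bridge, whose link-local address guests can also reach, as noted in the quoted message.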


