I'm posting this here in the hopes of saving some folk the trouble of running this down.
If you are trying to use macvtap onto an existing adapter for a libvirt guest and you're having odd problems with dropped IPv6 traffic, you'll need to add trustGuestRxFilters='yes' to the <interface> stanza in your XML. An example:
<interface type='direct' trustGuestRxFilters='yes'>
  <mac address='52:54:00:0d:42:ce'/>
  <source dev='eth0' mode='bridge'/>
  <model type='virtio'/>
  <address type='pci' domain='0x0000' bus='0x02' slot='0x01' function='0x0'/>
</interface>
The problem is caused by the macvtap not updating its multicast tables correctly. This is considered correct by design for security reasons. I hope with increased deployment of IPv6 this decision will be revisited.
Some of the reading that led me here:
This is properly evil, but if you don't want to enable all multicast, this seems to work on the host:
bridge fdb add 33:33:ff:<lower 24 bits of v6 address> dev <macvtap if>
(enables reception of just the solicited node multicast group for a particular v6 address)
Man. Thank you.
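An added example, not part of the original post or its comments: it works out the 33:33:ff:xx:xx:xx value that the bridge fdb command in the comment above needs for each of a guest's IPv6 addresses, so the filter stays narrow instead of trusting every guest RX filter. The device name macvtap0, the 2001:db8:: addresses and the assumption that the guest forms its link-local address from its MAC via EUI-64 are illustrative; check the real addresses inside the guest.

```python
import ipaddress

def solicited_node_group(addr):
    """Solicited-node group ff02::1:ffXX:XXXX for a unicast address (RFC 4291)."""
    low24 = int(ipaddress.IPv6Address(addr)) & 0xFFFFFF
    base = int(ipaddress.IPv6Address("ff02::1:ff00:0"))
    return ipaddress.IPv6Address(base | low24)

def multicast_mac(group):
    """Ethernet address for an IPv6 multicast group: 33:33 + low 32 bits (RFC 2464)."""
    low32 = int(ipaddress.IPv6Address(group)) & 0xFFFFFFFF
    return "33:33:" + ":".join(f"{b:02x}" for b in low32.to_bytes(4, "big"))

def eui64_link_local(mac):
    """Link-local address derived from a MAC via EUI-64.

    Assumption: many guests use stable-privacy or temporary interface IDs
    instead, in which case read the address from the guest itself.
    """
    b = bytearray(int(octet, 16) for octet in mac.split(":"))
    b[0] ^= 0x02                                  # flip the universal/local bit
    iid = bytes(b[:3]) + b"\xff\xfe" + bytes(b[3:])
    return str(ipaddress.IPv6Address(b"\xfe\x80" + bytes(6) + iid))

def fdb_commands(addrs, dev):
    """One 'bridge fdb add' line per distinct solicited-node MAC."""
    macs = sorted({multicast_mac(solicited_node_group(a)) for a in addrs})
    return [f"bridge fdb add {m} dev {dev}" for m in macs]

if __name__ == "__main__":
    guest_mac = "52:54:00:0d:42:ce"               # MAC from the XML in the post
    addrs = [
        eui64_link_local(guest_mac),              # fe80::5054:ff:fe0d:42ce
        "2001:db8::5054:ff:fe0d:42ce",            # constructed SLAAC address
        "2001:db8::10",                           # constructed static address
    ]
    for cmd in fdb_commands(addrs, "macvtap0"):   # macvtap0 is hypothetical
        print(cmd)
```

Addresses that share their low 24 bits map to the same group, so the three sample addresses need only two entries.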