[Pkg-libvirt-maintainers] Bug#923249: Bug#923249: libvirt0: libvirt sets disable_ipv6 on bridge, entirely breaking internal IPv6 networking

Ralf Jung post at ralfj.de
Mon Feb 25 14:53:00 GMT 2019


Hi Guido,

thanks for the quick reply!

>> After a recent upgrade, IPv6 communication between a virtual router and another
>> virtual client over an isolated network stopped working. I am seeing the router
>> advertisements sent by the router on vnet0, which is attached to the bridge
>> virbr1, but when I capture packages on the bridge, the IPv6 traffic is gone.  It
>> just took me several hours of debugging to realize that the reason for this is
>> that /proc/sys/net/ipv6/conf/virbr1/disable_ipv6 is set to 1.  After setting it
>> to 0, IPv6 is working as expected now.
>>
>> This is a regression, IPv6 used to work between virtual clients just fine
>> without having to manually fiddle with the network configuration.
> 
> I'm not near an ipv6 setup atm but according to the git logs nothing
> changed in that area for quite some time. Please indicate which version
> you updated from so it's easier to check for related changes and also
> provide details about your setup (preferably network XML and domain XML).

I updated from 4.10.0-2 to 5.0.0-1.

Looking at the code in bridge_driver.c, I also came to the conclusion that
nothing changed, and that setting disable_ipv6 like this is intended behavior --
it happens whenever the network has no host IPv6 address.  The docs say that
guest-to-guest IPv6 communication can be enabled with the `ipv6` attribute, but
that attribute has no bearing on whether `disable_ipv6` gets set. It only
controls some firewall stuff. Maybe disable_ipv6 was always set but it somehow
used to not kill the entire IPv6 traffic on the bridge? A kernel update happened
together with all the other updates (from 4.19.12-1 to 4.19.16-1).

The network config now is (after adding the `ipv6` attribute, which however made
no difference):

> <network ipv6='yes'>
>   <name>ffnet</name>
>   <uuid>cfd2c92a-db77-4b27-ad78-a8a81ace32b6</uuid>
>   <bridge name='virbr1' stp='on' delay='0'/>
>   <mac address='52:54:00:27:6c:42'/>
>   <domain name='ffnet'/>
> </network>

The part where the virtual router gets attached is

>     <interface type='network'>
>       <mac address='52:54:00:28:0b:bb'/>
>       <source network='ffnet'/>
>       <model type='virtio'/>
>       <driver name='vhost' txmode='iothread' ioeventfd='on' event_idx='off' queues='5'>
>         <host csum='off' gso='off' tso4='off' tso6='off' ecn='off' ufo='off' mrg_rxbuf='off'/>
>         <guest csum='off' tso4='off' tso6='off' ecn='off' ufo='off'/>
>       </driver>
>       <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/>
>     </interface>

And for the virtual client

>     <interface type='network'>
>       <mac address='52:54:00:99:7b:1f'/>
>       <source network='ffnet'/>
>       <model type='virtio'/>
>       <driver name='vhost' txmode='iothread' ioeventfd='on' event_idx='off' queues='5'>
>         <host csum='off' gso='off' tso4='off' tso6='off' ecn='off' ufo='off' mrg_rxbuf='off'/>
>         <guest csum='off' tso4='off' tso6='off' ecn='off' ufo='off'/>
>       </driver>
>       <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/>
>     </interface>


> There were some ipv6 related changes with firewalld though which might be worth
> investigating.

firewalld got updated from 0.6.3-4 to 0.6.3-5 at the same time.
I have set `FirewallBackend=iptables` some time ago because the default
(`nftables`) broke libvirt.

; Ralf
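
The condition described in the message (disable_ipv6 set to 1 on the bridge of a network that has no host IPv6 address, whatever the `ipv6` attribute says), as an added Python example that is not part of the original e-mail or of libvirt's code. The function names and the `proc_root` parameter are assumptions made for the example, and the XML is a constructed copy of the network definition quoted above.

```python
import os
import xml.etree.ElementTree as ET

# Constructed sample, copied from the network definition quoted in the message.
FFNET_XML = """<network ipv6='yes'>
  <name>ffnet</name>
  <bridge name='virbr1' stp='on' delay='0'/>
  <mac address='52:54:00:27:6c:42'/>
  <domain name='ffnet'/>
</network>"""


def read_disable_ipv6(bridge, proc_root="/proc/sys"):
    """Return the bridge's disable_ipv6 value, or None if it has no entry."""
    if "/" in bridge or bridge in ("", ".", ".."):
        raise ValueError(f"not an interface name: {bridge!r}")
    path = os.path.join(proc_root, "net", "ipv6", "conf", bridge, "disable_ipv6")
    try:
        with open(path) as fh:
            return int(fh.read().strip())
    except FileNotFoundError:
        return None


def audit(network_xml, proc_root="/proc/sys"):
    """Compare a network definition with the kernel state of its bridge."""
    root = ET.fromstring(network_xml)
    bridge_el = root.find("bridge")
    bridge = bridge_el.get("name") if bridge_el is not None else None
    # A host IPv6 address appears as <ip family='ipv6' .../> in the network XML.
    host_ipv6 = any(ip.get("family") == "ipv6" for ip in root.findall("ip"))
    state = read_disable_ipv6(bridge, proc_root) if bridge else None
    return {
        "bridge": bridge,
        "ipv6_attr": root.get("ipv6"),
        "host_ipv6": host_ipv6,
        "disable_ipv6": state,
        # The situation reported: ipv6='yes' requested, IPv6 disabled anyway.
        "mismatch": root.get("ipv6") == "yes" and state == 1,
    }


if __name__ == "__main__":
    print(audit(FFNET_XML))
```

Run on the virtualization host, `audit()` reads the live `/proc/sys` tree; `mismatch` is true when the network asks for `ipv6='yes'` but the bridge still has IPv6 disabled.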


