Hey Chip,

Yeah, I want help :-)

I just committed the sysctl.conf changes for the systemvm. This morning I applied them to my test environment and they do the job. We could add the actual sysctl command to the vmops next to adding the IPv6 ip6tables statements I think.

Cheers,

Hugo

-----Original Message-----
From: Chip Childers [mailto:chip.child...@sungard.com]
Sent: Monday, July 30, 2012 3:13 PM
To: cloudstack-dev@incubator.apache.org
Subject: Re: Disable IPv6 for systemvm

On Mon, Jul 30, 2012 at 7:32 AM, Hugo Trippaers <htrippa...@schubergphilis.com> wrote:
> By the way, we might want to add the same configuration to vmops for
> XenServer.
>
> Currently it is possible to have a tenant vm send a router advertisement on
> the isolated lan that is picked up by XenServer. Even though XenServer only
> has a bridge interface in the tenant lan that interface will be
> autoconfigured. A simple ping to the local all-node address (ff02::1) will
> tell you the mac off of the XenServer interface. As XenServer has ssh active
> on all interfaces you can directly connect to the ssh daemon on the
> XenServer. We only push an IPv4 firewall to the XenServer so the IPv6 firewall
> is default (ACCEPT everything).
>
> Still you only gain access to the ssh port, but that is something that should
> not be possible from a tenant lan.
>
> Cheers,
>
> Hugo

As a provider, this one is even more concerning. Unless someone has an objection, I'd agree with your solution. We can remove a DENY rule in the future, after IPv6 support is added properly / completely.

If you want help working up the fix for this, please let me know!

-chip
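
Added example, not part of the thread and not CloudStack code: a small audit for the state discussed above (IPv6 left enabled while only an IPv4 firewall is pushed), run over sysctl.conf text and ip6tables-save output. The names REQUIRED, audit and the sample inputs are hypothetical, and the sysctl keys are the standard kernel ones, assumed here because the thread does not list what was committed.

```python
import re

# Real kernel sysctl keys that disable IPv6; the thread does not list the keys
# that were committed, so this required set is an assumption.
REQUIRED = {"net.ipv6.conf.all.disable_ipv6": "1",
            "net.ipv6.conf.default.disable_ipv6": "1"}

def parse_sysctl(text):
    """Return {key: value} from sysctl.conf-style text, skipping comments."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if line and line[0] not in "#;" and "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip()
    return settings

def input_state(ip6tables_save):
    """Return (INPUT policy, number of INPUT rules) from ip6tables-save output."""
    policy, rules, table = "ACCEPT", 0, None  # kernel default policy is ACCEPT
    for line in ip6tables_save.splitlines():
        line = line.strip()
        if line.startswith("*"):
            table = line[1:]
        elif table == "filter":
            m = re.match(r":INPUT\s+(\S+)", line)
            if m:
                policy = m.group(1)
            elif line.startswith("-A INPUT"):
                rules += 1
    return policy, rules

def audit(sysctl_text, ip6tables_save):
    """List findings for the exposure described in the thread."""
    settings = parse_sysctl(sysctl_text)
    findings = [f"{key} is {settings.get(key, 'unset')}, want {want}"
                for key, want in REQUIRED.items() if settings.get(key) != want]
    policy, rules = input_state(ip6tables_save)
    if policy == "ACCEPT" and rules == 0:
        findings.append("ip6tables INPUT accepts everything")
    return findings

# Constructed samples: a host with only an IPv4 firewall, then a hardened one.
SYSCTL_BEFORE = "net.ipv4.ip_forward = 0\n"
FW_BEFORE = "*filter\n:INPUT ACCEPT [0:0]\n:FORWARD ACCEPT [0:0]\n:OUTPUT ACCEPT [0:0]\nCOMMIT\n"
SYSCTL_AFTER = SYSCTL_BEFORE + "".join(f"{k} = {v}\n" for k, v in REQUIRED.items())
FW_AFTER = FW_BEFORE.replace(":INPUT ACCEPT", ":INPUT DROP")

if __name__ == "__main__":
    for name, s, fw in (("before", SYSCTL_BEFORE, FW_BEFORE), ("after", SYSCTL_AFTER, FW_AFTER)):
        print(name, audit(s, fw) or "no findings")
```

On a live host the two inputs would come from /etc/sysctl.conf and the output of ip6tables-save; the sysctl and firewall findings are reported separately so either control can be checked on its own.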