Hi Guido, thanks for the quick reply!
>> After a recent upgrade, IPv6 communication between a virtual router and >> another >> virtual client over an isolated network stopped working. I am seeing the >> rotuer >> advertisments sent by the router on vnet0, which is attached to the bridge >> virbr1, but when I capture packages on the bridge, the IPv6 traffic is gone. >> It >> just took me several hours of debugging to realize that the reason for this >> is >> that /proc/sys/net/ipv6/conf/virbr1/disable_ipv6 is set to 1. After setting >> it >> to 0, IPv6 is working as expected now. >> >> This is a regression, IPv6 used to work between virtual clients just fine >> without having to manually fiddle with the network configuration. > > I'm not near a ipv6 setup atm but according to the git logs nothing > changed in that area for quite some time. Please indicate which version > you updated from so it's easier to check for related changes and also > provide details about your setup (preferably network XML and domain XML). I updated from 4.10.0-2 to 5.0.0-1. Looking at the code in bridge_driver.c, I also came to the conclusion that nothing changed, and that setting disable_ipv6 like this is intended behavior -- it happens whenever the network has no host IPv6 address. The docs say that guest-to-guest IPv6 communication can be enabled with the `ipv6` attribute, but that attribute has no bearing on whether `disable_ipv6` gets set. It only controls some firwall stuff. Maybe disable_ipv6 was always set but it somehow used to not kill the entire IPv6 traffic on the bridge? A kernel update happened together with all the other updates (from 4.19.12-1 to 4.19.16-1). The network config now is (after adding the `ipv6` attribute, which however made no difference): > <network ipv6='yes'> > <name>ffnet</name> > <uuid>cfd2c92a-db77-4b27-ad78-a8a81ace32b6</uuid> > <bridge name='virbr1' stp='on' delay='0'/> > <mac address='52:54:00:27:6c:42'/> > <domain name='ffnet'/> > </network> The part where the virtual router gets attached is > <interface type='network'> > <mac address='52:54:00:28:0b:bb'/> > <source network='ffnet'/> > <model type='virtio'/> > <driver name='vhost' txmode='iothread' ioeventfd='on' event_idx='off' > queues='5'> > <host csum='off' gso='off' tso4='off' tso6='off' ecn='off' ufo='off' > mrg_rxbuf='off'/> > <guest csum='off' tso4='off' tso6='off' ecn='off' ufo='off'/> > </driver> > <address type='pci' domain='0x0000' bus='0x00' slot='0x03' > function='0x0'/> > </interface> And for the virtual client > <interface type='network'> > <mac address='52:54:00:99:7b:1f'/> > <source network='ffnet'/> > <model type='virtio'/> > <driver name='vhost' txmode='iothread' ioeventfd='on' event_idx='off' > queues='5'> > <host csum='off' gso='off' tso4='off' tso6='off' ecn='off' ufo='off' > mrg_rxbuf='off'/> > <guest csum='off' tso4='off' tso6='off' ecn='off' ufo='off'/> > </driver> > <address type='pci' domain='0x0000' bus='0x00' slot='0x03' > function='0x0'/> > </interface> > There were some ipv6 related changes with firewalld though which might be > worth > investigating. firewalld got updated from 0.6.3-4 to 0.6.3-5 at the same time. I have set `FirewallBackend=iptables` some time ago because the default (`nftables`) broke libvirt. ; Ralf
