[pve-devel] tap && veth interfaces on host have ipv6 allocated

Alexandre DERUMIER aderumier at odiso.com
Wed Sep 28 09:00:28 CEST 2016


Thanks Wolfgang


>>I've been wondering whether there are any good uses for them. (I used 
>>them a couple of times for testing when working on ipv6 initially but 
>>have since had them disabled.) 
>>So it's probably better to just remove them upon creation in 
>>veth_create() and tap_create() (should be the only places where this 
>>needs to happen). 

Yes, I think it could be great to remove them after tap/veth create.


>>They don't really *conflict* since the veth and tap devices don't use 
>>the same MAC addresses on the host as they have in the guest. But if the 
>>admin doesn't realize that VMs are essentially connected to the host via 
>>link-local addresses this way it's easily possible to forget some 
>>firewall rules. 

Yes, indeed, I never notice them ;)


>>However, note that the bridge, too, has a link local 
>>address they can connect to, which is just as easy to forget if you're 
>>not used to it (and that one's needed for neighbor discovery).

Maybe add a bridge option in /etc/network/interface to enable it?

----- Original message -----
From: "Wolfgang Bumiller" <w.bumiller at proxmox.com>
To: "aderumier" <aderumier at odiso.com>
Cc: "pve-devel" <pve-devel at pve.proxmox.com>
Sent: Wednesday 28 September 2016 08:38:38
Subject: Re: [pve-devel] tap && veth interfaces on host have ipv6 allocated

On Tue, Sep 27, 2016 at 03:11:50PM +0200, Wolfgang Bumiller wrote: 
> On Tue, Sep 27, 2016 at 02:54:47PM +0200, Alexandre DERUMIER wrote: 
> > Hi, 
> > 
> > we have just noticed during the training, 
> > that tap && veth interfaces on host have ipv6 addresses allocated. 
> 
> See http://pve.proxmox.com/pve-docs/chapter-pve-firewall.html#_avoiding_link_local_addresses_on_tap_and_veth_devices 

I've been wondering whether there are any good uses for them. (I used 
them a couple of times for testing when working on ipv6 initially but 
have since had them disabled.) 
So it's probably better to just remove them upon creation in 
veth_create() and tap_create() (should be the only places where this 
needs to happen). 

They don't really *conflict* since the veth and tap devices don't use 
the same MAC addresses on the host as they have in the guest. But if the 
admin doesn't realize that VMs are essentially connected to the host via 
link-local addresses this way it's easily possible to forget some 
firewall rules. However, note that the bridge, too, has a link local 
address they can connect to, which is just as easy to forget if you're 
not used to it (and that one's needed for neighbor discovery). 
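
A host-side check for the situation discussed in this thread, as an added example that is not part of the original messages or of Proxmox's code: it parses `ip -o -6 addr show` records and lists tap/veth devices that hold an fe80::/10 address. The sample records are constructed, the function names are hypothetical, and the per-device `disable_ipv6` sysctl it prints is one possible remedy, not necessarily what veth_create()/tap_create() do.

```shell
#!/bin/sh
# Added example: find guest-facing tap/veth devices that carry an IPv6
# link-local address on the host, so they can be removed or firewalled.

# Constructed sample in `ip -o -6 addr show` format (not from a real host).
SAMPLE='1: lo    inet6 ::1/128 scope host \       valid_lft forever preferred_lft forever
4: vmbr0    inet6 2001:db8::10/64 scope global \       valid_lft forever preferred_lft forever
4: vmbr0    inet6 fe80::5054:ff:fe00:1/64 scope link \       valid_lft forever preferred_lft forever
12: tap100i0    inet6 fe80::fc54:ff:fe12:3456/64 scope link \       valid_lft forever preferred_lft forever
15: veth101i0    inet6 fe80::fc9a:bcff:fe00:42/64 scope link \       valid_lft forever preferred_lft forever
16: tap102i0    inet6 2001:db8::99/64 scope global \       valid_lft forever preferred_lft forever'

# Reads one-line address records on stdin and prints "<device> <address>"
# for every tap*/veth* device whose address lies in fe80::/10.
# The bridge is skipped on purpose: its link-local address is the one
# needed for neighbor discovery.
find_guest_linklocal() {
    awk '
        $2 ~ /^(tap|veth)/ && $3 == "inet6" {
            dev = $2
            sub(/@.*/, "", dev)          # drop an "@peer" suffix if present
            addr = tolower($4)
            # fe80::/10 spans first hextets fe80 through febf
            if (addr ~ /^fe[89ab][0-9a-f]:/) print dev, addr
        }'
}

# Turns the findings into dry-run commands (printed, never executed).
# Assumption: disabling IPv6 per device is an acceptable remedy here.
suggest_fix() {
    while read -r dev addr; do
        echo "sysctl -w net.ipv6.conf.${dev}.disable_ipv6=1   # had ${addr}"
    done
}

# Offline demonstration on the constructed sample.
# On a live host: ip -o -6 addr show | find_guest_linklocal
printf '%s\n' "$SAMPLE" | find_guest_linklocal | suggest_fix
```
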



