Difference between revisions of "IPv6"
m (→ip6tables) |
|||
| (11 intermediate revisions by 9 users not shown) | |||
| Line 1: | Line 1: | ||
[[Category:HOWTO]] | [[Category:HOWTO]] | ||
[[Category:Networking]] | [[Category:Networking]] | ||
| − | IPv6 works best when veth devices are used to bridge VEs to their host. | + | IPv6 works best when veth devices are used to bridge VEs to their host. An IPv6 compliant method of using veth interfaces for VEs can be found in the [[VEs and HNs in same subnets]] article. |
| − | venet devices are not fully IPv6 compliant. They do not properly support MAC addresses and consequently link local addresses and can not play nice with neighbor discovery or router advertisements, router discovery, or auto-conf. They also require additional modifications to the layer 3 forwarding behaviour of the host via sysctl. | + | venet devices are not fully IPv6 compliant, but still works if you statically assign IPv6 addresses. They do not properly support MAC addresses and consequently link local addresses and can not play nice with neighbor discovery or router advertisements, router discovery, or auto-conf. They also require additional modifications to the layer 3 forwarding behaviour of the host via sysctl. |
| − | + | == Configure the Node == | |
| + | In order for IPv6 to work for containers you must have a fully functioning IPv6 interface on the host node. | ||
| − | = See also = | + | == CentOS Node Configuration for IPv6 == |
| + | |||
| + | <pre>Add the below to the file /etc/sysconfig/network | ||
| + | |||
| + | NETWORKING_IPV6=yes | ||
| + | IPV6FORWARDING=yes | ||
| + | IPV6_DEFAULTDEV=eth0 | ||
| + | IPV6_DEFAULTGW=aaaa:bbbb:a01a::1 | ||
| + | IPV6_AUTOCONF=no | ||
| + | |||
| + | Add the below to the file /etc/sysconfig/network-scripts/ifcfg-ethX X being your interface number | ||
| + | |||
| + | IPV6INIT=yes | ||
| + | IPV6ADDR=aaaa:bbbb:cccc:0000:0100::1 | ||
| + | |||
| + | /etc/sysctl.conf also needs | ||
| + | |||
| + | net.ipv6.conf.default.forwarding = 1 | ||
| + | net.ipv6.conf.all.forwarding = 1 | ||
| + | net.ipv6.conf.all.proxy_ndp = 1 | ||
| + | </pre> | ||
| + | |||
| + | |||
| + | == venet example == | ||
| + | (tests done on CentOS kernel 2.6.18-194.26.1.el5.028stab079.2) | ||
| + | |||
| + | === Adding an IPv6 address to a container === | ||
| + | <pre> | ||
| + | # vzctl set <id> --ipadd <ipv6_addr> --save | ||
| + | </pre> | ||
| + | |||
| + | In my tests, the container had to be restarted before it would respond to ICMP6 echo requests. | ||
| + | |||
| + | In other tests on 2.6.32-042stab044.11 kernel, container failed to receive Neighbor Solicitation requests and replies, so I had to enable proxy_ndp: | ||
| + | |||
| + | <pre> | ||
| + | # sysctl -w net.ipv6.conf.all.proxy_ndp=1 | ||
| + | </pre> | ||
| + | |||
| + | (and later add appropriate line to /etc/sysctl.conf). | ||
| + | |||
| + | === Removing an IPv6 address from a container === | ||
| + | <pre> | ||
| + | # vzctl set <id> --ipdel <ipv6_addr> --save | ||
| + | </pre> | ||
| + | |||
| + | Removal is effective immediately and the host stops replying to echo requests. | ||
| + | |||
| + | ==ip6tables== | ||
| + | If you will be using connection tracking in any container ip6tables firewall rules (i.e. '-m state --state'), you'll need to enable additional kernel modules in the host /etc/vz.conf. Add 'ipt_state' to IPTABLES and 'nf_conntrack_ipv6' to IP6TABLES. They should look something like this: | ||
| + | |||
| + | <pre> | ||
| + | IPTABLES="ipt_REJECT ipt_tos ipt_limit ipt_multiport iptable_filter iptable_mangle ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_length ipt_state" | ||
| + | |||
| + | IP6TABLES="ip6_tables ip6table_filter ip6table_mangle ip6t_REJECT nf_conntrack_ipv6" | ||
| + | </pre> | ||
| + | |||
| + | ==See also== | ||
| + | * [[Virtual Ethernet device]] | ||
* [[Differences between venet and veth]] | * [[Differences between venet and veth]] | ||
| + | |||
| + | == External Links == | ||
| + | * A user success story / howto on SixXS wiki [https://www.sixxs.net/wiki/User:JNN2-SIXXS/OpenVZ]. | ||
Latest revision as of 04:35, 17 November 2013
IPv6 works best when veth devices are used to bridge VEs to their host. An IPv6 compliant method of using veth interfaces for VEs can be found in the VEs and HNs in same subnets article.
venet devices are not fully IPv6 compliant, but still works if you statically assign IPv6 addresses. They do not properly support MAC addresses and consequently link local addresses and can not play nice with neighbor discovery or router advertisements, router discovery, or auto-conf. They also require additional modifications to the layer 3 forwarding behaviour of the host via sysctl.
Contents
Configure the Node[edit]
In order for IPv6 to work for containers you must have a fully functioning IPv6 interface on the host node.
CentOS Node Configuration for IPv6[edit]
Add the below to the file /etc/sysconfig/network NETWORKING_IPV6=yes IPV6FORWARDING=yes IPV6_DEFAULTDEV=eth0 IPV6_DEFAULTGW=aaaa:bbbb:a01a::1 IPV6_AUTOCONF=no Add the below to the file /etc/sysconfig/network-scripts/ifcfg-ethX X being your interface number IPV6INIT=yes IPV6ADDR=aaaa:bbbb:cccc:0000:0100::1 /etc/sysctl.conf also needs net.ipv6.conf.default.forwarding = 1 net.ipv6.conf.all.forwarding = 1 net.ipv6.conf.all.proxy_ndp = 1
venet example[edit]
(tests done on CentOS kernel 2.6.18-194.26.1.el5.028stab079.2)
Adding an IPv6 address to a container[edit]
# vzctl set <id> --ipadd <ipv6_addr> --save
In my tests, the container had to be restarted before it would respond to ICMP6 echo requests.
In other tests on 2.6.32-042stab044.11 kernel, container failed to receive Neighbor Solicitation requests and replies, so I had to enable proxy_ndp:
# sysctl -w net.ipv6.conf.all.proxy_ndp=1
(and later add appropriate line to /etc/sysctl.conf).
Removing an IPv6 address from a container[edit]
# vzctl set <id> --ipdel <ipv6_addr> --save
Removal is effective immediately and the host stops replying to echo requests.
ip6tables[edit]
If you will be using connection tracking in any container ip6tables firewall rules (i.e. '-m state --state'), you'll need to enable additional kernel modules in the host /etc/vz.conf. Add 'ipt_state' to IPTABLES and 'nf_conntrack_ipv6' to IP6TABLES. They should look something like this:
IPTABLES="ipt_REJECT ipt_tos ipt_limit ipt_multiport iptable_filter iptable_mangle ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_length ipt_state" IP6TABLES="ip6_tables ip6table_filter ip6table_mangle ip6t_REJECT nf_conntrack_ipv6"
See also[edit]
External Links[edit]
- A user success story / howto on SixXS wiki [1].
