Saturday, December 2, 2017

IPv6 with macvtap and libvirt

From the "I wish I'd have known that earlier" files:

I'm posting this here in the hopes of saving some folk the trouble of running this down.

If you are trying to use macvtap onto an existing adapter for a libvirt guest and you're having odd problems with dropped IPv6 traffic, you'll need to add trustGuestRxFilters='yes' to the <interface> stanza in your XML.

An example:

    <interface type='direct' trustGuestRxFilters='yes'>
      <mac address='52:54:00:0d:42:ce'/>
      <source dev='eth0' mode='bridge'/>
      <model type='virtio'/>
      <address type='pci' domain='0x0000' bus='0x02' slot='0x01' function='0x0'/>
    </interface>

The problem is caused by the macvtap not updating its multicast tables correctly. This is considered correct by design for security reasons. I hope with increased deployment of IPv6 this decision will be revisited.

Some of the reading that led me here:


  2. This is properly evil, but if you don't want to enable all multicast, this seems to work on the host:

    bridge fdb add 33:33:ff:<lower 24 bits of v6 address> dev <macvtap if>
    (enables reception of just the solicited node multicast group for a particular v6 address)
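
Added example, not part of the original post or the comment above: a Python helper that derives the solicited-node multicast group (RFC 4291) and its Ethernet address (RFC 2464) for each guest IPv6 address, then builds the matching `bridge fdb add` lines. The sample addresses and the device name `macvtap0` are constructed assumptions.

```python
import ipaddress
import re

SOLICITED_NODE_BASE = int(ipaddress.IPv6Address("ff02::1:ff00:0"))  # RFC 4291, /104 prefix
IFNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,15}")  # Linux interface names: max 15 chars


def solicited_node_group(addr):
    """Return the solicited-node multicast group a unicast address must join."""
    # Accept 'addr', 'addr/64' and 'addr%scope' as printed by `ip -6 addr`.
    ip = ipaddress.IPv6Address(re.split(r"[/%]", addr.strip())[0])
    if ip.is_multicast or ip.is_unspecified:
        raise ValueError(f"not a unicast address: {addr}")
    return ipaddress.IPv6Address(SOLICITED_NODE_BASE | (int(ip) & 0xFFFFFF))


def multicast_mac(group):
    """Map an IPv6 multicast group to its Ethernet address (RFC 2464):
    33:33 followed by the low 32 bits of the group."""
    g = ipaddress.IPv6Address(group)
    if not g.is_multicast:
        raise ValueError(f"not a multicast group: {group}")
    tail = (int(g) & 0xFFFFFFFF).to_bytes(4, "big")
    return ":".join(f"{b:02x}" for b in b"\x33\x33" + tail)


def fdb_commands(guest_addrs, macvtap_if):
    """Build one `bridge fdb add` line per distinct solicited-node MAC."""
    if not IFNAME_RE.fullmatch(macvtap_if):
        raise ValueError(f"suspicious interface name: {macvtap_if!r}")
    macs = []
    for addr in guest_addrs:
        mac = multicast_mac(solicited_node_group(addr))
        if mac not in macs:  # link-local and SLAAC addresses share the low 24 bits
            macs.append(mac)
    return [f"bridge fdb add {mac} dev {macvtap_if}" for mac in macs]


if __name__ == "__main__":
    # Constructed sample: EUI-64 addresses derived from the MAC in the XML example,
    # plus a documentation-prefix address; 'macvtap0' is an assumed device name.
    sample = ["fe80::5054:ff:fe0d:42ce/64", "2001:db8::5054:ff:fe0d:42ce/64",
              "2001:db8::1234"]
    for line in fdb_commands(sample, "macvtap0"):
        print(line)
```

Review the generated lines before running them on the host; each one admits a single multicast MAC on the macvtap device, without handing the guest control of the receive filters.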