<p>Arrfab's blog - Xen (https://arrfab.net/): Some tips and tricks, mostly around CentOS</p>
<p>Enabling IPv6 for guests on an Hetzner CentOS 5.5 xen dom0<br>
Fabian Arrotin, 2010-12-31T11:28:00+01:00</p>
<p>I was playing with IPv6 in the last days (started to use a tunnel from
<a href="http://www.tunnelbroker.net/">he.net</a> as my current ISP doesn't
support native IPv6 and doesn't plan to support it in a short time) and
wanted to add IPv6 to some of my CentOS Xen domU's running on a
<a href="http://www.hetzner.de">Hetzner</a> box. This part was a little bit more
difficult than for a standard network. Due to their internal network
design, Hetzner <a href="http://translate.google.be/translate?u=http%3A%2F%2Fwiki.hetzner.de%2Findex.php%2FZusaetzliche_IP-Adressen&sl=de&tl=en&hl=&ie=UTF-8">only
allow</a>
'routed' xen networks and not standard 'bridged' ones. What I used for
IPv4 was just binding the public IPs on the dom0 and configured all my
iptables rules there to forward/SNAT/DNAT to the appropriate domU. But
you know that NAT is gone with IPv6 so normally it's supposed to be
easier, right? Well, yes and no, depending on your network layout. Even
after having enabled ipv6 forwarding (net.ipv6.conf.all.forwarding=1),
I was just able to ping the dom0 but not the guests behind. Hmm, that
reminds me of the <a href="http://en.wikipedia.org/wiki/Proxy_arp">proxy ARP</a> that
was used for IPv4 but doesn't exist anymore for IPv6 (gone too ...). ARP
was (more or less, not technically correct but read the RFCs if you
have enough time) replaced by
<a href="http://en.wikipedia.org/wiki/Neighbor_Discovery_Protocol">NDP</a> but I
don't see such an option for IPv6. Well, a kernel feature called proxy_ndp
(net.ipv6.conf.all.proxy_ndp=1) exists on newer kernels (like for
example the 2.6.32.x that is used on RHEL6, and so in CentOS 6) but not
on CentOS 5.5 (using a 2.6.18.x kernel). Hmmm ...</p>
<p>On the other side, I was searching for a 'workaround' probably given by
libvirt, but the version included in RHEL5/CentOS5 doesn't know what to
do with IPv6. Okay so let's have a look at the Xen and kernel side at
the same time. If the proxy_ndp kernel feature is not present on my
CentOS 5.5 dom0, I can still 'advertise' my neighbors with the ip
command: yes, it supports it: "ip -6 neighbor add proxy
your:ipv6:long:address::1 dev eth0"</p>
<p>So we just need to create a modified vif-route script (in fact I decided
to call it vif-route6) that will be used for ipv6 guests :</p>
<blockquote>
<pre>#!/bin/bash
#============================================================================
# /etc/xen/scripts/vif-route6
# Script for configuring a vif in routed mode for IPv6 only
# Based on existing vif-route script in /etc/xen/scripts and adapted for ipv6
#============================================================================

dir=$(dirname "$0")
. "$dir/vif-common.sh"

main_ip=$(dom0_ip)
# First global-scope IPv6 address on eth0, without the prefix length
main_ip6=$(ip -6 addr show eth0|grep 'scope global'|sort|head -n 1|awk '{print $2}'|cut -f 1 -d '/')

case "$command" in
    online)
        ifconfig ${vif} ${main_ip} netmask 255.255.255.255 up
        ip -6 addr add ${main_ip6} dev ${vif}
        ipcmd='add'
        cmdprefix=''
        ;;
    offline)
        do_without_error ifdown ${vif}
        ipcmd='del'
        cmdprefix='do_without_error'
        ;;
esac

if [ "${ip}" ] ; then
    # If we've been given a list of IP addresses, then add routes from dom0 to
    # the guest using those addresses.
    for addr in ${ip} ; do
        # Answer neighbor solicitations for the guest address on the outside interface
        ${cmdprefix} ip -6 neighbor ${ipcmd} proxy ${addr} dev ${netdev:-eth0} 2>&1
        result=`${cmdprefix} ip -6 route ${ipcmd} ${addr} dev ${vif} src ${main_ip6} 2>&1`
    done
fi

handle_iptable

log debug "Successful vif-route $command for $vif."
if [ "$command" = "online" ]
then
    success
fi</pre>
</blockquote>
<p>Ok, so we have just now to modify our xen domU's config to add a vif
that will use that specific script and give it the IPv6 address that
we'll assign to that domU (from /etc/xen/your-domU-name):</p>
<blockquote>
<p>vif = [ &lt;snip of the first vif> ,
"mac=00:16:36:38:31:b8,vifname=test.ipv6,script=vif-route6,ip=2a01:4f8:100:4363::dead"
]</p>
</blockquote>
<p>You can now start your domU and configure it normally for IPv6 (using
obviously that 2a01:4f8:100:4363::dead IPv6 address and choosing the
dom0 main IPv6 address as gateway).</p>
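<p>An added example, not part of the original post: a small audit that checks, for every address handed to vif-route6 in a domU config, that the dom0 holds both the proxy neighbor entry and the host route the script is meant to create. The function names, the ::beef guest and the sample command output are constructed for illustration.</p>

```shell
#!/bin/bash
# Added example (not from the original post): audit a routed IPv6 Xen setup.
# Assumes config addresses use the same compressed lowercase form `ip` prints.

# Print every ip= address of vif entries using script=vif-route6 (stdin: domU config).
vif6_addrs() {
    grep -o '"[^"]*script=vif-route6[^"]*"' | tr ',"' '\n\n' |
        sed -n 's/^ *ip=//p' | tr ' ' '\n' | sed '/^$/d'
}

# has_entry TEXT ADDR: succeed if a line of TEXT reads "ADDR dev ...".
has_entry() {
    printf '%s\n' "$1" |
        awk -v a="$2" '$1 == a && $2 == "dev" { found = 1 } END { exit !found }'
}

# audit_vif6 CONFIG NEIGH ROUTES: report addresses lacking a proxy or route entry.
# Returns 0 when everything is in place, 1 when something is missing.
audit_vif6() {
    local addr missing=0
    for addr in $(printf '%s\n' "$1" | vif6_addrs); do
        has_entry "$2" "$addr" || { echo "MISSING proxy-ndp $addr"; missing=1; }
        has_entry "$3" "$addr" || { echo "MISSING route $addr"; missing=1; }
    done
    return $missing
}

# Constructed sample data (the ::beef guest, MACs and vif names are made up;
# the output lines imitate `ip -6 neighbor show proxy` and `ip -6 route show`).
SAMPLE_CFG='vif = [ "mac=00:16:3e:00:00:01,vifname=test.ipv6,script=vif-route6,ip=2a01:4f8:100:4363::dead",
        "mac=00:16:3e:00:00:02,vifname=web.ipv6,script=vif-route6,ip=2a01:4f8:100:4363::beef" ]'
SAMPLE_NEIGH='2a01:4f8:100:4363::dead dev eth0  proxy'
SAMPLE_ROUTES='2a01:4f8:100:4363::dead dev test.ipv6  metric 1024
2a01:4f8:100:4363::beef dev web.ipv6  metric 1024'

# Offline demo; on a live dom0 pass "$(cat /etc/xen/your-domU-name)",
# "$(ip -6 neighbor show proxy)" and "$(ip -6 route show)" instead.
audit_vif6 "$SAMPLE_CFG" "$SAMPLE_NEIGH" "$SAMPLE_ROUTES" || echo "audit found gaps"
```

<p>A guest that is routed but has no proxy entry shows the symptom described earlier in the post: the dom0 answers pings, the guest behind it does not.</p>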
<p>Hope it will help some people in the same situation (using a routed and
not a bridged network layout for xen)</p>