From nobody Tue May  7 04:49:13 2024
Delivered-To: importer@patchew.org
Received-SPF: pass (zohomail.com: domain of redhat.com designates
 216.205.24.124 as permitted sender) client-ip=216.205.24.124;
 envelope-from=libvir-list-bounces@redhat.com;
 helo=us-smtp-delivery-124.mimecast.com;
Received-SPF: pass (zohomail.com: domain of redhat.com designates
 216.205.24.124 as permitted sender) client-ip=216.205.24.124;
 envelope-from=libvir-list-bounces@redhat.com;
 helo=us-smtp-delivery-124.mimecast.com;
Authentication-Results: mx.zohomail.com;
	spf=pass (zohomail.com: domain of redhat.com designates 216.205.24.124 as
 permitted sender)  smtp.mailfrom=libvir-list-bounces@redhat.com;
	dmarc=fail(p=quarantine dis=quarantine)  header.from=virtuozzo.com
ARC-Seal: i=1; a=rsa-sha256; t=1603441827; cv=none;
	d=zohomail.com; s=zohoarc;
	b=K/wEA9Ey6nqIHzfN5GAoe6guwlY8xQZve7WXVnI3ut8AYqnqK7CxgNaqLthsHaXZE18Ptfqiut+3na4SspU9gL8nirbJc3zO4DVnd+cxF98c+mpGsTFktYwYw52znAalSF/MNU8fwtbhFbA+xElbWQH5IZGJOr3tLtwTZVwmXRM=
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com;
 s=zohoarc;
	t=1603441827;
 h=Content-Type:Content-Transfer-Encoding:Date:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:To;
	bh=1BXbzy9sQf+7X+k0s3a9CeVhCsWVYansGJMQq7uM0uU=;
	b=L1eWVjW4lH/d2chmadlDEY74onQl8WW9IaW07H30KxuRzhUbOUPhdjAsT2Azil/OO16gkagMvDN/2F/xeYhptbuq2vpFPOIpru/SkdUl8aRqIdbNeCrdnAWUxMU7ooeMwTnBNW7akoYS3LiGM8BJVFrBhZ6MX2DOZOQ6uVQV/d4=
ARC-Authentication-Results: i=1; mx.zohomail.com;
	spf=pass (zohomail.com: domain of redhat.com designates 216.205.24.124 as
 permitted sender)  smtp.mailfrom=libvir-list-bounces@redhat.com;
	dmarc=fail header.from=<alexander.alekseev@virtuozzo.com> (p=quarantine
 dis=quarantine) header.from=<alexander.alekseev@virtuozzo.com>
Return-Path: <libvir-list-bounces@redhat.com>
Received: from us-smtp-delivery-124.mimecast.com
 (us-smtp-delivery-124.mimecast.com [216.205.24.124]) by mx.zohomail.com
	with SMTPS id 160344182777325.060940243567075;
 Fri, 23 Oct 2020 01:30:27 -0700 (PDT)
Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com
 [209.132.183.4]) (Using TLS) by relay.mimecast.com with ESMTP id
 us-mta-481-JDBSJvPpPMOh9GlMQ93ocQ-1; Fri, 23 Oct 2020 04:30:24 -0400
Received: from smtp.corp.redhat.com (int-mx02.intmail.prod.int.phx2.redhat.com
 [10.5.11.12])
	(using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
	(No client certificate requested)
	by mimecast-mx01.redhat.com (Postfix) with ESMTPS id 743AE64144;
	Fri, 23 Oct 2020 08:30:18 +0000 (UTC)
Received: from colo-mx.corp.redhat.com
 (colo-mx02.intmail.prod.int.phx2.redhat.com [10.5.11.21])
	by smtp.corp.redhat.com (Postfix) with ESMTPS id 54B3460C84;
	Fri, 23 Oct 2020 08:30:18 +0000 (UTC)
Received: from lists01.pubmisc.prod.ext.phx2.redhat.com
 (lists01.pubmisc.prod.ext.phx2.redhat.com [10.5.19.33])
	by colo-mx.corp.redhat.com (Postfix) with ESMTP id 2038E92305;
	Fri, 23 Oct 2020 08:30:18 +0000 (UTC)
Received: from smtp.corp.redhat.com (int-mx03.intmail.prod.int.rdu2.redhat.com
	[10.11.54.3])
	by lists01.pubmisc.prod.ext.phx2.redhat.com (8.13.8/8.13.8) with ESMTP
	id 09MJO175003947 for <libvir-list@listman.util.phx.redhat.com>;
	Thu, 22 Oct 2020 15:24:01 -0400
Received: by smtp.corp.redhat.com (Postfix)
	id 19816110DBFF; Thu, 22 Oct 2020 19:24:01 +0000 (UTC)
Received: from mimecast-mx02.redhat.com
	(mimecast06.extmail.prod.ext.rdu2.redhat.com [10.11.55.22])
	by smtp.corp.redhat.com (Postfix) with ESMTPS id 156B1110DBFD
	for <libvir-list@redhat.com>; Thu, 22 Oct 2020 19:23:58 +0000 (UTC)
Received: from us-smtp-1.mimecast.com (us-smtp-delivery-1.mimecast.com
	[205.139.110.120])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits))
	(No client certificate requested)
	by mimecast-mx02.redhat.com (Postfix) with ESMTPS id B43F2185A790
	for <libvir-list@redhat.com>; Thu, 22 Oct 2020 19:23:58 +0000 (UTC)
Received: from relay3.sw.ru (relay.sw.ru [185.231.240.75]) (Using TLS) by
	relay.mimecast.com with ESMTP id us-mta-150-0r0TYaalNSmkQY-mzCoCFw-1;
	Thu, 22 Oct 2020 15:23:56 -0400
Received: from [10.94.6.143] (helo=localhost.sw.ru)
	by relay3.sw.ru with esmtp (Exim 4.94)
	(envelope-from <alexander.alekseev@virtuozzo.com>)
	id 1kVf8L-005dYE-Fp
	for libvir-list@redhat.com; Thu, 22 Oct 2020 21:16:17 +0300
X-MC-Unique: JDBSJvPpPMOh9GlMQ93ocQ-1
X-MC-Unique: 0r0TYaalNSmkQY-mzCoCFw-1
From: Aleksandr Alekseev <alexander.alekseev@virtuozzo.com>
To: libvir-list@redhat.com
Subject: [PATCH 1/3] example: fix typo and formatting
Date: Thu, 22 Oct 2020 21:15:50 +0300
Message-Id: <20201022181552.486275-2-alexander.alekseev@virtuozzo.com>
In-Reply-To: <20201022181552.486275-1-alexander.alekseev@virtuozzo.com>
References: <20201022181552.486275-1-alexander.alekseev@virtuozzo.com>
MIME-Version: 1.0
X-Mimecast-Impersonation-Protect: Policy=CLT - Impersonation Protection
	Definition; Similar Internal Domain=false;
	Similar Monitored External Domain=false;
	Custom External Domain=false; Mimecast External Domain=false;
	Newly Observed Domain=false; Internal User Name=false;
	Custom Display Name List=false; Reply-to Address Mismatch=false;
	Targeted Threat Dictionary=false;
	Mimecast Threat Dictionary=false; Custom Threat Dictionary=false
X-Scanned-By: MIMEDefang 2.78 on 10.11.54.3
X-loop: libvir-list@redhat.com
X-Mailman-Approved-At: Fri, 23 Oct 2020 04:30:01 -0400
X-BeenThere: libvir-list@redhat.com
X-Mailman-Version: 2.1.12
Precedence: junk
List-Id: Development discussions about the libvirt library & tools
	<libvir-list.redhat.com>
List-Unsubscribe: <https://www.redhat.com/mailman/options/libvir-list>,
	<mailto:libvir-list-request@redhat.com?subject=unsubscribe>
List-Archive: <https://www.redhat.com/archives/libvir-list>
List-Post: <mailto:libvir-list@redhat.com>
List-Help: <mailto:libvir-list-request@redhat.com?subject=help>
List-Subscribe: <https://www.redhat.com/mailman/listinfo/libvir-list>,
	<mailto:libvir-list-request@redhat.com?subject=subscribe>
Sender: libvir-list-bounces@redhat.com
Errors-To: libvir-list-bounces@redhat.com
X-Scanned-By: MIMEDefang 2.79 on 10.5.11.12
Authentication-Results: relay.mimecast.com;
	auth=pass smtp.auth=CUSA124A263 smtp.mailfrom=libvir-list-bounces@redhat.com
X-Mimecast-Spam-Score: 0
X-Mimecast-Originator: redhat.com
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

Signed-off-by: Aleksandr Alekseev <alexander.alekseev@virtuozzo.com>
Reviewed-by: J=C3=A1n Tomko <jtomko@redhat.com>
---
 src/nwfilter/xml/allow-dhcp-server.xml | 4 ++--
 src/nwfilter/xml/allow-dhcp.xml        | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/src/nwfilter/xml/allow-dhcp-server.xml b/src/nwfilter/xml/allo=
w-dhcp-server.xml
index 37e708ed4b..7fb426a660 100644
--- a/src/nwfilter/xml/allow-dhcp-server.xml
+++ b/src/nwfilter/xml/allow-dhcp-server.xml
@@ -1,7 +1,7 @@
 <filter name=3D'allow-dhcp-server' chain=3D'ipv4'>
=20
-    <!-- accept outgoing DHCP requests -->
-    <!-- note, this rule must be evaluated before general MAC broadcast
+    <!-- accept outgoing DHCP requests
+         note, this rule must be evaluated before general MAC broadcast
          traffic is discarded since DHCP requests use MAC broadcast -->
     <rule action=3D'accept' direction=3D'out' priority=3D'100'>
         <ip srcipaddr=3D'0.0.0.0'
diff --git a/src/nwfilter/xml/allow-dhcp.xml b/src/nwfilter/xml/allow-dhcp.=
xml
index d66d2b6668..d205176011 100644
--- a/src/nwfilter/xml/allow-dhcp.xml
+++ b/src/nwfilter/xml/allow-dhcp.xml
@@ -1,7 +1,7 @@
 <filter name=3D'allow-dhcp' chain=3D'ipv4'>
=20
-    <!-- accept outgoing DHCP requests -->
-    <!-- not, this rule must be evaluated before general MAC broadcast
+    <!-- accept outgoing DHCP requests
+         note, this rule must be evaluated before general MAC broadcast
          traffic is discarded since DHCP requests use MAC broadcast -->
     <rule action=3D'accept' direction=3D'out' priority=3D'100'>
         <ip srcipaddr=3D'0.0.0.0'
--=20
2.28.0.97.gdc04167d37

From nobody Tue May  7 04:49:13 2024
Delivered-To: importer@patchew.org
Received-SPF: pass (zohomail.com: domain of redhat.com designates
 63.128.21.124 as permitted sender) client-ip=63.128.21.124;
 envelope-from=libvir-list-bounces@redhat.com;
 helo=us-smtp-delivery-124.mimecast.com;
Received-SPF: pass (zohomail.com: domain of redhat.com designates
 63.128.21.124 as permitted sender) client-ip=63.128.21.124;
 envelope-from=libvir-list-bounces@redhat.com;
 helo=us-smtp-delivery-124.mimecast.com;
Authentication-Results: mx.zohomail.com;
	spf=pass (zohomail.com: domain of redhat.com designates 63.128.21.124 as
 permitted sender)  smtp.mailfrom=libvir-list-bounces@redhat.com;
	dmarc=fail(p=quarantine dis=quarantine)  header.from=virtuozzo.com
ARC-Seal: i=1; a=rsa-sha256; t=1603441826; cv=none;
	d=zohomail.com; s=zohoarc;
	b=FP7Cz6di8JwwtcFWaFQydbLjCU3dh0dXm25zuAQBqEToN4cC+0C1ZjDRGn38YTPmr9qZNO5S/T1fPukGpyDQgYxf8axpEx8w1ZukQiJo970SGc+S+9XpfCPJDNSRD4wA7jyWXm/Y1W5ESrnfTHvn9enVKU8Tdx2hV5A0t7bkXoI=
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com;
 s=zohoarc;
	t=1603441826;
 h=Content-Type:Content-Transfer-Encoding:Date:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:To;
	bh=kB/AwC3hPNatDP9Lrau0F3S75rRwEFKCWjWjlAhC52A=;
	b=UR8G0ibBUuo6ktqZ3A6lPvVwbYRrPFoxDrCCeFVE75nVuRtbYss5aODrIh5Xuqbn0zDpa5fghZQzx5HyWUMZTuJmxpQXluhJQ3MvdAEpW2Jx9O32I2t7DCF0lKWm/TIhuzBABsng/uN97Ox8RkjWayGlYw98ma5jTYkFSBSn5ss=
ARC-Authentication-Results: i=1; mx.zohomail.com;
	spf=pass (zohomail.com: domain of redhat.com designates 63.128.21.124 as
 permitted sender)  smtp.mailfrom=libvir-list-bounces@redhat.com;
	dmarc=fail header.from=<alexander.alekseev@virtuozzo.com> (p=quarantine
 dis=quarantine) header.from=<alexander.alekseev@virtuozzo.com>
Return-Path: <libvir-list-bounces@redhat.com>
Received: from us-smtp-delivery-124.mimecast.com
 (us-smtp-delivery-124.mimecast.com [63.128.21.124]) by mx.zohomail.com
	with SMTPS id 1603441826221347.10547976161763;
 Fri, 23 Oct 2020 01:30:26 -0700 (PDT)
Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com
 [209.132.183.4]) (Using TLS) by relay.mimecast.com with ESMTP id
 us-mta-574-gwqVEtv_PwOtR5dqRCDDqA-1; Fri, 23 Oct 2020 04:30:22 -0400
Received: from smtp.corp.redhat.com (int-mx02.intmail.prod.int.phx2.redhat.com
 [10.5.11.12])
	(using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
	(No client certificate requested)
	by mimecast-mx01.redhat.com (Postfix) with ESMTPS id DD8CD6414D;
	Fri, 23 Oct 2020 08:30:16 +0000 (UTC)
Received: from colo-mx.corp.redhat.com
 (colo-mx02.intmail.prod.int.phx2.redhat.com [10.5.11.21])
	by smtp.corp.redhat.com (Postfix) with ESMTPS id B842D60C84;
	Fri, 23 Oct 2020 08:30:16 +0000 (UTC)
Received: from lists01.pubmisc.prod.ext.phx2.redhat.com
 (lists01.pubmisc.prod.ext.phx2.redhat.com [10.5.19.33])
	by colo-mx.corp.redhat.com (Postfix) with ESMTP id 807C1922F4;
	Fri, 23 Oct 2020 08:30:16 +0000 (UTC)
Received: from smtp.corp.redhat.com (int-mx04.intmail.prod.int.rdu2.redhat.com
	[10.11.54.4])
	by lists01.pubmisc.prod.ext.phx2.redhat.com (8.13.8/8.13.8) with ESMTP
	id 09MJO2Rj003962 for <libvir-list@listman.util.phx.redhat.com>;
	Thu, 22 Oct 2020 15:24:02 -0400
Received: by smtp.corp.redhat.com (Postfix)
	id 9899B201157E; Thu, 22 Oct 2020 19:24:02 +0000 (UTC)
Received: from mimecast-mx02.redhat.com
	(mimecast03.extmail.prod.ext.rdu2.redhat.com [10.11.55.19])
	by smtp.corp.redhat.com (Postfix) with ESMTPS id 93D132017F02
	for <libvir-list@redhat.com>; Thu, 22 Oct 2020 19:24:02 +0000 (UTC)
Received: from us-smtp-1.mimecast.com (us-smtp-2.mimecast.com [207.211.31.81])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits))
	(No client certificate requested)
	by mimecast-mx02.redhat.com (Postfix) with ESMTPS id 7AD5A811E79
	for <libvir-list@redhat.com>; Thu, 22 Oct 2020 19:24:02 +0000 (UTC)
Received: from relay3.sw.ru (relay.sw.ru [185.231.240.75]) (Using TLS) by
	relay.mimecast.com with ESMTP id us-mta-481-CKwc8zkmOiClYLsqyhQdhw-1;
	Thu, 22 Oct 2020 15:23:59 -0400
Received: from [10.94.6.143] (helo=localhost.sw.ru)
	by relay3.sw.ru with esmtp (Exim 4.94)
	(envelope-from <alexander.alekseev@virtuozzo.com>)
	id 1kVf8M-005dYE-TW
	for libvir-list@redhat.com; Thu, 22 Oct 2020 21:16:18 +0300
X-MC-Unique: gwqVEtv_PwOtR5dqRCDDqA-1
X-MC-Unique: CKwc8zkmOiClYLsqyhQdhw-1
From: Aleksandr Alekseev <alexander.alekseev@virtuozzo.com>
To: libvir-list@redhat.com
Subject: [PATCH 2/3] example: add ipv6 filters examples
Date: Thu, 22 Oct 2020 21:15:51 +0300
Message-Id: <20201022181552.486275-3-alexander.alekseev@virtuozzo.com>
In-Reply-To: <20201022181552.486275-1-alexander.alekseev@virtuozzo.com>
References: <20201022181552.486275-1-alexander.alekseev@virtuozzo.com>
MIME-Version: 1.0
X-Mimecast-Impersonation-Protect: Policy=CLT - Impersonation Protection
	Definition; Similar Internal Domain=false;
	Similar Monitored External Domain=false;
	Custom External Domain=false; Mimecast External Domain=false;
	Newly Observed Domain=false; Internal User Name=false;
	Custom Display Name List=false; Reply-to Address Mismatch=false;
	Targeted Threat Dictionary=false;
	Mimecast Threat Dictionary=false; Custom Threat Dictionary=false
X-Scanned-By: MIMEDefang 2.78 on 10.11.54.4
X-loop: libvir-list@redhat.com
X-Mailman-Approved-At: Fri, 23 Oct 2020 04:30:01 -0400
X-BeenThere: libvir-list@redhat.com
X-Mailman-Version: 2.1.12
Precedence: junk
List-Id: Development discussions about the libvirt library & tools
	<libvir-list.redhat.com>
List-Unsubscribe: <https://www.redhat.com/mailman/options/libvir-list>,
	<mailto:libvir-list-request@redhat.com?subject=unsubscribe>
List-Archive: <https://www.redhat.com/archives/libvir-list>
List-Post: <mailto:libvir-list@redhat.com>
List-Help: <mailto:libvir-list-request@redhat.com?subject=help>
List-Subscribe: <https://www.redhat.com/mailman/listinfo/libvir-list>,
	<mailto:libvir-list-request@redhat.com?subject=subscribe>
Sender: libvir-list-bounces@redhat.com
Errors-To: libvir-list-bounces@redhat.com
X-Scanned-By: MIMEDefang 2.79 on 10.5.11.12
Authentication-Results: relay.mimecast.com;
	auth=pass smtp.auth=CUSA124A263 smtp.mailfrom=libvir-list-bounces@redhat.com
X-Mimecast-Spam-Score: 0
X-Mimecast-Originator: redhat.com
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

Signed-off-by: Aleksandr Alekseev <alexander.alekseev@virtuozzo.com>
Reviewed-by: J=C3=A1n Tomko <jtomko@redhat.com>
---
 src/nwfilter/xml/allow-dhcpv6-server.xml | 27 ++++++++++++++++++++++++
 src/nwfilter/xml/allow-dhcpv6.xml        | 24 +++++++++++++++++++++
 src/nwfilter/xml/allow-incoming-ipv6.xml |  3 +++
 src/nwfilter/xml/allow-ipv6.xml          |  3 +++
 src/nwfilter/xml/meson.build             |  6 ++++++
 src/nwfilter/xml/no-ipv6-multicast.xml   |  9 ++++++++
 src/nwfilter/xml/no-ipv6-spoofing.xml    | 15 +++++++++++++
 7 files changed, 87 insertions(+)
 create mode 100644 src/nwfilter/xml/allow-dhcpv6-server.xml
 create mode 100644 src/nwfilter/xml/allow-dhcpv6.xml
 create mode 100644 src/nwfilter/xml/allow-incoming-ipv6.xml
 create mode 100644 src/nwfilter/xml/allow-ipv6.xml
 create mode 100644 src/nwfilter/xml/no-ipv6-multicast.xml
 create mode 100644 src/nwfilter/xml/no-ipv6-spoofing.xml

diff --git a/src/nwfilter/xml/allow-dhcpv6-server.xml b/src/nwfilter/xml/al=
low-dhcpv6-server.xml
new file mode 100644
index 0000000000..214a95f412
--- /dev/null
+++ b/src/nwfilter/xml/allow-dhcpv6-server.xml
@@ -0,0 +1,27 @@
+<filter name=3D'allow-dhcpv6-server' chain=3D'ipv6'>
+
+    <!-- accept outgoing DHCP requests.
+         note, this rule must be evaluated before general MAC broadcast
+         traffic is discarded since DHCP requests use MAC broadcast.
+         according to https://tools.ietf.org/html/rfc3315#section-14,
+         client sends messages to FF02::1:2 from link-local addresses -->
+    <rule action=3D'accept' direction=3D'out' priority=3D'100'>
+        <ipv6 protocol=3D'udp'
+              srcipaddr=3D'FE80::'
+              srcipmask=3D'10'
+              dstipaddr=3D'FF02::1:2'
+              srcportstart=3D'546'
+              dstportstart=3D'547'/>
+    </rule>
+
+    <!-- accept incoming DHCP responses from a specific DHCP server
+         parameter DHPCSERVER needs to be passed from where this filter is
+         referenced -->
+    <rule action=3D'accept' direction=3D'in' priority=3D'100' >
+        <ipv6 srcipaddr=3D'$DHCPSERVER'
+              protocol=3D'udp'
+              srcportstart=3D'547'
+              dstportstart=3D'546'/>
+    </rule>
+
+</filter>
diff --git a/src/nwfilter/xml/allow-dhcpv6.xml b/src/nwfilter/xml/allow-dhc=
pv6.xml
new file mode 100644
index 0000000000..f3512af153
--- /dev/null
+++ b/src/nwfilter/xml/allow-dhcpv6.xml
@@ -0,0 +1,24 @@
+<filter name=3D'allow-dhcpv6' chain=3D'ipv6'>
+
+    <!-- accept outgoing DHCP requests.
+         note, this rule must be evaluated before general MAC broadcast
+         traffic is discarded since DHCP requests use MAC broadcast.
+         according to https://tools.ietf.org/html/rfc3315#section-14,
+         client sends messages to FF02::1:2 from link-local addresses -->
+    <rule action=3D'accept' direction=3D'out' priority=3D'100'>
+        <ipv6 protocol=3D'udp'
+              srcipaddr=3D'FE80::'
+              srcipmask=3D'10'
+              dstipaddr=3D'FF02::1:2'
+              srcportstart=3D'546'
+              dstportstart=3D'547'/>
+    </rule>
+
+    <!-- accept incoming DHCP responses from any DHCP server -->
+    <rule action=3D'accept' direction=3D'in' priority=3D'100' >
+        <ipv6 protocol=3D'udp'
+              srcportstart=3D'547'
+              dstportstart=3D'546'/>
+    </rule>
+
+</filter>
diff --git a/src/nwfilter/xml/allow-incoming-ipv6.xml b/src/nwfilter/xml/al=
low-incoming-ipv6.xml
new file mode 100644
index 0000000000..93e1b18784
--- /dev/null
+++ b/src/nwfilter/xml/allow-incoming-ipv6.xml
@@ -0,0 +1,3 @@
+<filter name=3D'allow-incoming-ipv6' chain=3D'ipv6'>
+  <rule direction=3D'in' action=3D'accept'/>
+</filter>
diff --git a/src/nwfilter/xml/allow-ipv6.xml b/src/nwfilter/xml/allow-ipv6.=
xml
new file mode 100644
index 0000000000..8da5188cb9
--- /dev/null
+++ b/src/nwfilter/xml/allow-ipv6.xml
@@ -0,0 +1,3 @@
+<filter name=3D'allow-ipv6' chain=3D'ipv6'>
+  <rule direction=3D'inout' action=3D'accept'/>
+</filter>
diff --git a/src/nwfilter/xml/meson.build b/src/nwfilter/xml/meson.build
index 95af75bb15..0d96c54ebe 100644
--- a/src/nwfilter/xml/meson.build
+++ b/src/nwfilter/xml/meson.build
@@ -2,8 +2,12 @@ nwfilter_xml_files =3D [
   'allow-arp.xml',
   'allow-dhcp-server.xml',
   'allow-dhcp.xml',
+  'allow-dhcpv6-server.xml',
+  'allow-dhcpv6.xml',
   'allow-incoming-ipv4.xml',
+  'allow-incoming-ipv6.xml',
   'allow-ipv4.xml',
+  'allow-ipv6.xml',
   'clean-traffic-gateway.xml',
   'clean-traffic.xml',
   'no-arp-ip-spoofing.xml',
@@ -11,6 +15,8 @@ nwfilter_xml_files =3D [
   'no-arp-spoofing.xml',
   'no-ip-multicast.xml',
   'no-ip-spoofing.xml',
+  'no-ipv6-multicast.xml',
+  'no-ipv6-spoofing.xml',
   'no-mac-broadcast.xml',
   'no-mac-spoofing.xml',
   'no-other-l2-traffic.xml',
diff --git a/src/nwfilter/xml/no-ipv6-multicast.xml b/src/nwfilter/xml/no-i=
pv6-multicast.xml
new file mode 100644
index 0000000000..a736366374
--- /dev/null
+++ b/src/nwfilter/xml/no-ipv6-multicast.xml
@@ -0,0 +1,9 @@
+<filter name=3D'no-ipv6-multicast' chain=3D'ipv6'>
+
+    <!-- drop if destination IP address is in the ff00::/8 subnet -->
+    <rule action=3D'drop' direction=3D'out'>
+        <ipv6 dstipaddr=3D'FF00::' dstipmask=3D'8' />
+    </rule>
+
+    <!-- not doing anything with receiving side ... -->
+</filter>
diff --git a/src/nwfilter/xml/no-ipv6-spoofing.xml b/src/nwfilter/xml/no-ip=
v6-spoofing.xml
new file mode 100644
index 0000000000..a9ca690345
--- /dev/null
+++ b/src/nwfilter/xml/no-ipv6-spoofing.xml
@@ -0,0 +1,15 @@
+<filter name=3D'no-ipv6-spoofing' chain=3D'ipv6-ip' priority=3D'-610'>
+  <!-- allow UDP sent from link-local addresses (DHCP);
+       filter more exact later -->
+  <rule action=3D'return' direction=3D'out' priority=3D'100'>
+    <ipv6 srcipaddr=3D'FE80::' srcipmask=3D'10' protocol=3D'udp'/>
+  </rule>
+
+  <!-- allow all known IP addresses -->
+  <rule direction=3D'out' action=3D'return' priority=3D'500'>
+    <ipv6 srcipaddr=3D'$IPV6'/>
+  </rule>
+
+  <!-- drop everything else -->
+  <rule direction=3D'out' action=3D'drop' priority=3D'1000'/>
+</filter>
--=20
2.28.0.97.gdc04167d37

From nobody Tue May  7 04:49:13 2024
Delivered-To: importer@patchew.org
Received-SPF: pass (zohomail.com: domain of redhat.com designates
 216.205.24.124 as permitted sender) client-ip=216.205.24.124;
 envelope-from=libvir-list-bounces@redhat.com;
 helo=us-smtp-delivery-124.mimecast.com;
Received-SPF: pass (zohomail.com: domain of redhat.com designates
 216.205.24.124 as permitted sender) client-ip=216.205.24.124;
 envelope-from=libvir-list-bounces@redhat.com;
 helo=us-smtp-delivery-124.mimecast.com;
Authentication-Results: mx.zohomail.com;
	spf=pass (zohomail.com: domain of redhat.com designates 216.205.24.124 as
 permitted sender)  smtp.mailfrom=libvir-list-bounces@redhat.com;
	dmarc=fail(p=quarantine dis=quarantine)  header.from=virtuozzo.com
ARC-Seal: i=1; a=rsa-sha256; t=1603441830; cv=none;
	d=zohomail.com; s=zohoarc;
	b=JXvhUP7r1SWE76Bp5bvSRaEHwzWYPam1p+oFchZfYmOT/CfYEd0gehVhEfMsaGfdVXNHH2v/9zCZ+/zPTFE/eh8LvFxkYOvvmhazl7sygRpjRCcbOqGFtAEjVknHtiMjXLyOsQUIW67e5dI4GtYl46cjle6Jc7zLUwbr6t+tjRU=
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com;
 s=zohoarc;
	t=1603441830;
 h=Content-Type:Content-Transfer-Encoding:Date:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:To;
	bh=7mMEHQEJCgYWjV8Y12epYOrzPyfIBYmeP0P01YEqXSg=;
	b=lpm5BCzGm9VZt4MmjW11xsnRKaUeMZAsKvJapkXDP2YsG1ESYouXH48ncRGHK48oJwVYGWxFLRis2RUqO2+f/vhnt5/ND40DgVKmDlkLd50yd1t2fDipWDGVycjiNj1Q1eBJRoij1TIPv35amcvpcOT8Zeq1NSJ2z8Wly2qGjHU=
ARC-Authentication-Results: i=1; mx.zohomail.com;
	spf=pass (zohomail.com: domain of redhat.com designates 216.205.24.124 as
 permitted sender)  smtp.mailfrom=libvir-list-bounces@redhat.com;
	dmarc=fail header.from=<alexander.alekseev@virtuozzo.com> (p=quarantine
 dis=quarantine) header.from=<alexander.alekseev@virtuozzo.com>
Return-Path: <libvir-list-bounces@redhat.com>
Received: from us-smtp-delivery-124.mimecast.com
 (us-smtp-delivery-124.mimecast.com [216.205.24.124]) by mx.zohomail.com
	with SMTPS id 1603441830564577.0188230316929;
 Fri, 23 Oct 2020 01:30:30 -0700 (PDT)
Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com
 [209.132.183.4]) (Using TLS) by relay.mimecast.com with ESMTP id
 us-mta-177-AbiOgJeyNlavlqNnr8CUrg-1; Fri, 23 Oct 2020 04:30:27 -0400
Received: from smtp.corp.redhat.com (int-mx01.intmail.prod.int.phx2.redhat.com
 [10.5.11.11])
	(using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
	(No client certificate requested)
	by mimecast-mx01.redhat.com (Postfix) with ESMTPS id 56D57106B3AC;
	Fri, 23 Oct 2020 08:30:21 +0000 (UTC)
Received: from colo-mx.corp.redhat.com
 (colo-mx01.intmail.prod.int.phx2.redhat.com [10.5.11.20])
	by smtp.corp.redhat.com (Postfix) with ESMTPS id 348885B4CB;
	Fri, 23 Oct 2020 08:30:21 +0000 (UTC)
Received: from lists01.pubmisc.prod.ext.phx2.redhat.com
 (lists01.pubmisc.prod.ext.phx2.redhat.com [10.5.19.33])
	by colo-mx.corp.redhat.com (Postfix) with ESMTP id ECCB4180B65D;
	Fri, 23 Oct 2020 08:30:20 +0000 (UTC)
Received: from smtp.corp.redhat.com (int-mx04.intmail.prod.int.rdu2.redhat.com
	[10.11.54.4])
	by lists01.pubmisc.prod.ext.phx2.redhat.com (8.13.8/8.13.8) with ESMTP
	id 09MJO47i003970 for <libvir-list@listman.util.phx.redhat.com>;
	Thu, 22 Oct 2020 15:24:04 -0400
Received: by smtp.corp.redhat.com (Postfix)
	id 4CFCE200E1F0; Thu, 22 Oct 2020 19:24:04 +0000 (UTC)
Received: from mimecast-mx02.redhat.com
	(mimecast03.extmail.prod.ext.rdu2.redhat.com [10.11.55.19])
	by smtp.corp.redhat.com (Postfix) with ESMTPS id 483B02011579
	for <libvir-list@redhat.com>; Thu, 22 Oct 2020 19:24:04 +0000 (UTC)
Received: from us-smtp-1.mimecast.com (us-smtp-1.mimecast.com [207.211.31.81])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits))
	(No client certificate requested)
	by mimecast-mx02.redhat.com (Postfix) with ESMTPS id 292768007D7
	for <libvir-list@redhat.com>; Thu, 22 Oct 2020 19:24:04 +0000 (UTC)
Received: from relay3.sw.ru (relay.sw.ru [185.231.240.75]) (Using TLS) by
	relay.mimecast.com with ESMTP id us-mta-467-Io9_8Gg0Nkis8U0r4emVfA-1;
	Thu, 22 Oct 2020 15:24:01 -0400
Received: from [10.94.6.143] (helo=localhost.sw.ru)
	by relay3.sw.ru with esmtp (Exim 4.94)
	(envelope-from <alexander.alekseev@virtuozzo.com>)
	id 1kVf8O-005dYE-DW
	for libvir-list@redhat.com; Thu, 22 Oct 2020 21:16:20 +0300
X-MC-Unique: AbiOgJeyNlavlqNnr8CUrg-1
X-MC-Unique: Io9_8Gg0Nkis8U0r4emVfA-1
From: Aleksandr Alekseev <alexander.alekseev@virtuozzo.com>
To: libvir-list@redhat.com
Subject: [PATCH 3/3] doc: document new filters and not documented ones
Date: Thu, 22 Oct 2020 21:15:52 +0300
Message-Id: <20201022181552.486275-4-alexander.alekseev@virtuozzo.com>
In-Reply-To: <20201022181552.486275-1-alexander.alekseev@virtuozzo.com>
References: <20201022181552.486275-1-alexander.alekseev@virtuozzo.com>
MIME-Version: 1.0
X-Mimecast-Impersonation-Protect: Policy=CLT - Impersonation Protection
	Definition; Similar Internal Domain=false;
	Similar Monitored External Domain=false;
	Custom External Domain=false; Mimecast External Domain=false;
	Newly Observed Domain=false; Internal User Name=false;
	Custom Display Name List=false; Reply-to Address Mismatch=false;
	Targeted Threat Dictionary=false;
	Mimecast Threat Dictionary=false; Custom Threat Dictionary=false
X-Scanned-By: MIMEDefang 2.78 on 10.11.54.4
X-loop: libvir-list@redhat.com
X-Mailman-Approved-At: Fri, 23 Oct 2020 04:30:01 -0400
X-BeenThere: libvir-list@redhat.com
X-Mailman-Version: 2.1.12
Precedence: junk
List-Id: Development discussions about the libvirt library & tools
	<libvir-list.redhat.com>
List-Unsubscribe: <https://www.redhat.com/mailman/options/libvir-list>,
	<mailto:libvir-list-request@redhat.com?subject=unsubscribe>
List-Archive: <https://www.redhat.com/archives/libvir-list>
List-Post: <mailto:libvir-list@redhat.com>
List-Help: <mailto:libvir-list-request@redhat.com?subject=help>
List-Subscribe: <https://www.redhat.com/mailman/listinfo/libvir-list>,
	<mailto:libvir-list-request@redhat.com?subject=subscribe>
Sender: libvir-list-bounces@redhat.com
Errors-To: libvir-list-bounces@redhat.com
X-Scanned-By: MIMEDefang 2.79 on 10.5.11.11
Authentication-Results: relay.mimecast.com;
	auth=pass smtp.auth=CUSA124A263 smtp.mailfrom=libvir-list-bounces@redhat.com
X-Mimecast-Spam-Score: 0
X-Mimecast-Originator: redhat.com
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

Signed-off-by: Aleksandr Alekseev <alexander.alekseev@virtuozzo.com>
Reviewed-by: J=C3=A1n Tomko <jtomko@redhat.com>
---
 docs/firewall.html.in       |  9 ++++++++
 docs/formatnwfilter.html.in | 41 ++++++++++++++++++++++++++++++++++---
 2 files changed, 47 insertions(+), 3 deletions(-)

diff --git a/docs/firewall.html.in b/docs/firewall.html.in
index 62f37e0eea..15b4f397be 100644
--- a/docs/firewall.html.in
+++ b/docs/firewall.html.in
@@ -283,12 +283,21 @@ UUID                                  Name
 15b1ab2b-b1ac-1be2-ed49-2042caba4abb  allow-arp
 6c51a466-8d14-6d11-46b0-68b1a883d00f  allow-dhcp
 7517ad6c-bd90-37c8-26c9-4eabcb69848d  allow-dhcp-server
+7680776c-77aa-496f-90d6-13097664b925  allow-dhcpv6
+9cdaad60-7631-4172-8ccb-ef774be7485b  allow-dhcpv6-server
 3d38b406-7cf0-8335-f5ff-4b9add35f288  allow-incoming-ipv4
+908543c1-902e-45f6-a6ca-1a0ad35e7599  allow-incoming-ipv6
 5ff06320-9228-2899-3db0-e32554933415  allow-ipv4
+ce8904cc-ad3a-4454-896c-53452882f817  allow-ipv6
 db0b1767-d62b-269b-ea96-0cc8b451144e  clean-traffic
+6d6ddcc8-1242-4c43-ac63-63af80493132  clean-traffic-gateway
+4cf38077-c7d5-4e25-99bb-6c4c9efad294  no-arp-ip-spoofing
+0b11a636-ce58-497f-be90-17f63c92487a  no-arp-mac-spoofing
 f88f1932-debf-4aa1-9fbe-f10d3aa4bc95  no-arp-spoofing
 772f112d-52e4-700c-0250-e178a3d91a7a  no-ip-multicast
 7ee20370-8106-765d-f7ff-8a60d5aaf30b  no-ip-spoofing
+f8a51c43-a08f-49b3-b9e2-393d54522dc0  no-ipv6-multicast
+a7f0afe9-a428-44b8-8566-c8ee2a669271  no-ipv6-spoofing
 d5d3c490-c2eb-68b1-24fc-3ee362fc8af3  no-mac-broadcast
 fb57c546-76dc-a372-513f-e8179011b48a  no-mac-spoofing
 dba10ea7-446d-76de-346f-335bd99c1d05  no-other-l2-traffic
diff --git a/docs/formatnwfilter.html.in b/docs/formatnwfilter.html.in
index 796c16549d..04aeda06ec 100644
--- a/docs/formatnwfilter.html.in
+++ b/docs/formatnwfilter.html.in
@@ -467,8 +467,7 @@ DSTPORTS =3D [ 80, 8080 ]
        </tr>
        <tr>
          <td> IPV6 </td>
-         <td> Not currently implemented:
-              the list of IPV6 addresses in use by an interface </td>
+         <td> The list of IPV6 addresses in use by an interface </td>
        </tr>
        <tr>
          <td> DHCPSERVER </td>
@@ -2011,11 +2010,35 @@ echo 3 > /proc/sys/net/netfilter/nf_conntrack_icmp_=
timeout
               only allows ARP request and reply messages and enforces
               that those packets contain the MAC and IP addresses
               of the VM.</td>
+      </tr>
+       <tr>
+         <td> allow-arp </td>
+         <td> Allow ARP traffic in both directions</td>
+      </tr>
+       <tr>
+         <td> allow-ipv4 </td>
+         <td> Allow IPv4 traffic in both directions</td>
+      </tr>
+       <tr>
+         <td> allow-ipv6 </td>
+         <td> Allow IPv6 traffic in both directions</td>
+      </tr>
+       <tr>
+         <td> allow-incoming-ipv4 </td>
+         <td> Allow incoming IPv4 traffic</td>
+      </tr>
+       <tr>
+         <td> allow-incoming-ipv6 </td>
+         <td> Allow incoming IPv6 traffic</td>
       </tr>
        <tr>
          <td> allow-dhcp </td>
          <td> Allow a VM to request an IP address via DHCP (from any
               DHCP server)</td>
+      </tr>
+       <tr>
+         <td> allow-dhcpv6 </td>
+         <td> Similar to allow-dhcp, but for DHCPv6 </td>
       </tr>
        <tr>
          <td> allow-dhcp-server </td>
@@ -2023,16 +2046,28 @@ echo 3 > /proc/sys/net/netfilter/nf_conntrack_icmp_=
timeout
               DHCP server. The dotted decimal IP address of the DHCP
               server must be provided in a reference to this filter.
               The name of the variable must be <i>DHCPSERVER</i>.</td>
+      </tr>
+       <tr>
+         <td> allow-dhcpv6-server </td>
+         <td> Similar to allow-dhcp-server, but for DHCPv6 </td>
       </tr>
        <tr>
          <td> no-ip-spoofing </td>
-         <td> Prevent a VM from sending of IP packets with
+         <td> Prevent a VM from sending of IPv4 packets with
               a source IP address different from the one
               in the packet. </td>
+      </tr>
+       <tr>
+         <td> no-ipv6-spoofing </td>
+         <td> Similar to no-ip-spoofing, but for IPv6 </td>
       </tr>
        <tr>
          <td> no-ip-multicast </td>
          <td> Prevent a VM from sending IP multicast packets. </td>
+      </tr>
+       <tr>
+         <td> no-ipv6-multicast </td>
+         <td> Similar to no-ip-multicast, but for IPv6 </td>
       </tr>
        <tr>
          <td> clean-traffic </td>
--=20
2.28.0.97.gdc04167d37