Add support for IPv6 LXC network

Change-Id: If974bd8c3f8d6c5b5af14a3737ec5d89726cbe0f
2016-10-19 07:38:48 -05:00 · 2016-10-19 07:38:48 -05:00 · 7568621597
commit 7568621597
parent 6642af670f
3 changed files with 38 additions and 1 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -58,6 +58,11 @@ lxc_net_dhcp_config: ''
 lxc_net_dnsmasq_user: lxc-dnsmasq
 lxc_net_domain: ''

+# lxc network ipv6 settings
+lxc_net6_address: null ## ie. fd05:ffb8:32b4:1212::1
+lxc_net6_netmask: null ## ie. 64
+lxc_net6_nat: false
+
 # lxc_container_net_link variable should be set to the lxc-net bridge.
 lxc_container_net_link: "{{ lxc_net_bridge }}"  ## name of the host bridge to attach to
 lxc_container_net_type: veth  ## lxc network interface type (veth, phys, vlan, macvlan, empty)
--- a/releasenotes/notes/lxc-net-ipv6-255787db5db6fc75.yaml
+++ b/releasenotes/notes/lxc-net-ipv6-255787db5db6fc75.yaml
@ -0,0 +1,5 @@
+---
+features:
+  - IPv6 support has been added for the LXC bridge network. This can be
+    configured using ``lxc_net6_address``, ``lxc_net6_netmask``, and
+    ``lxc_net6_nat``.
--- a/templates/lxc-system-manage.j2
+++ b/templates/lxc-system-manage.j2
@ -26,6 +26,10 @@ export LXC_NETMASK="{{ lxc_net_netmask }}"
 export LXC_NETWORK="${LXC_ADDR}/${LXC_NETMASK}"
 export LXC_DHCP_RANGE="{{ lxc_net_dhcp_range }}"
 export LXC_DHCP_MAX="{{ lxc_net_dhcp_max }}"
+export LXC_IPV6_ADDR="{{ lxc_net6_address }}"
+export LXC_IPV6_MASK="{{ lxc_net6_netmask }}"
+export LXC_IPV6_NETWORK="${LXC_IPV6_ADDR}/${LXC_IPV6_MASK}"
+export LXC_IPV6_NAT="{{ lxc_net6_nat }}"
 export LXC_DHCP_CONFILE="{{ lxc_net_dhcp_config }}"
 export LXC_DNSMASQ_USER="{{ lxc_net_dnsmasq_user }}"
 export VARRUN="/run/lxc"
@ -72,6 +76,11 @@ function remove_rules {
                                  --dport 68 \
                                  -j CHECKSUM \
                                  --checksum-fill
+
+    if [ "$LXC_IPV6_NAT" = "true" ]; then
+        ip6tables ${USE_IPTABLES_LOCK} -t nat -D POSTROUTING -s ${LXC_IPV6_NETWORK} ! -d ${LXC_IPV6_NETWORK} -j MASQUERADE
+    fi
+
    success "LXC IPtables rules removed."
 }

@ -80,6 +89,17 @@ function add_rules {
    set -e
    # Set ip_prwarding
    sysctl -w net.ipv4.ip_forward=1 > /dev/null 2>&1
+    echo 0 > /proc/sys/net/ipv6/conf/${LXC_BRIDGE}/accept_dad || true
+
+    # Configure IPv6 if necessary
+    if [ -n "$LXC_IPV6_ADDR" ] && [ -n "$LXC_IPV6_MASK" ] && [ -n "$LXC_IPV6_NETWORK" ]; then
+        echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
+        echo 0 > /proc/sys/net/ipv6/conf/${LXC_BRIDGE}/autoconf
+        ip -6 addr add dev ${LXC_BRIDGE} ${LXC_IPV6_ADDR}/${LXC_IPV6_MASK}
+        if [ "$LXC_IPV6_NAT" = "true" ]; then
+            ip6tables $use_iptables_lock -t nat -A POSTROUTING -s ${LXC_IPV6_NETWORK} ! -d ${LXC_IPV6_NETWORK} -j MASQUERADE
+        fi
+    fi

    # Add rules to the INPUT chain
    iptables ${USE_IPTABLES_LOCK} -I INPUT -i "${LXC_BRIDGE}" -p udp --dport 67 -j ACCEPT
@ -141,6 +161,13 @@ function pre_up {
 function start_dnsmasq {
    set -e
    info "Starting LXC dnsmasq."
+
+    # Configure IPv6 if necessary
+    LXC_IPV6_ARG=""
+    if [ -n "$LXC_IPV6_ADDR" ] && [ -n "$LXC_IPV6_MASK" ] && [ -n "$LXC_IPV6_NETWORK" ]; then
+        LXC_IPV6_ARG="--dhcp-range=${LXC_IPV6_ADDR},ra-only --listen-address ${LXC_IPV6_ADDR}"
+    fi
+
    dnsmasq "${LXC_DOMAIN_ARG}" --user="${LXC_DNSMASQ_USER}" \
                                --pid-file="${VARRUN}/dnsmasq.pid" \
                                --conf-file="${LXC_DHCP_CONFILE}" \
@ -153,7 +180,7 @@ function start_dnsmasq {
                                --dhcp-no-override \
                                --strict-order \
                                --bind-interfaces \
-                                --dhcp-authoritative
+                                --dhcp-authoritative $LXC_IPV6_ARG
    success "dnsmasq started."
 }