fix: enable ALLMULTI flag on macvtap interfaces

IPv6 neighbour solicitation, mDNS, and anything depending on multicast traffic requires the ALLMULTI flag to be set on macvtap interfaces. This allows the guest interface to influence the the multicast recieve mask of the physical link. Without this, the multicast traffic intended for the guest would be discarded, breaking a lot of stuff. libvirt makes this configurable with a setting called `trustGuestRxFilters`, since technically it grants the guest additional privileges that might not always be required. But realistically it is required in most scenarios, since multicast traffic is an integral part of networking. This patch also sets the `disable_ipv6` flag on the host-side link to avoid generating any ipv6 addresses. This does *not* actually disable ipv6 functionality on the interface, just prevents the host from acquring any addresses. This is necessary to prevent ipv6 packets destined for a guest from being delivered to the host system aswell.
astro · May 26, 2023 · 684cdc0 · 684cdc0
1 parent 583785a
commit 684cdc0
Showing 1 changed file with 2 additions and 0 deletions.
diff --git a/nixos-modules/host.nix b/nixos-modules/host.nix
@@ -211,6 +211,8 @@ in
               ${pkgs.iproute2}/bin/ip link del name $id
             fi
             ${pkgs.iproute2}/bin/ip link add link $link name $id address $mac type macvtap ''${mode[@]}
+            ${pkgs.iproute2}/bin/ip link set $id allmulticast on
+            echo 1 > /proc/sys/net/ipv6/conf/$id/disable_ipv6
             ${pkgs.iproute2}/bin/ip link set $id up
             ${pkgs.coreutils-full}/bin/chown ${user}:${group} /dev/tap$(< /sys/class/net/$id/ifindex)
           done