
Add ipv6.ndp configuration option to managed bridges

Open michacassola opened this issue 11 months ago • 5 comments

Please add a configuration option to managed bridges to enable NDP proxying on the host side as is possible with routed nics.

The option would take the interface name(s?) where the NDP proxy entries should be added as shown down in the example (ip -6 neigh add proxy 2001:FFFF:AAAA::1234 dev ens3).

When a container is created, the NDP proxy entries for the container's IPv6, which it got from the bridge, are added to the system by incus as is done with the routed nic.

The routed nic requires most of this to be built into incus already. The checking of the sysctl config should be the same.

Example admin init dump:

networks:
- config:
    ipv4.address: 10.0.0.1/9
    ipv4.nat: "true"
    ipv6.address: 2000:FFFF:AAAA::1/64
    ipv6.dhcp: "false"
    ipv6.nat: "false"
    ipv6.routing: "true"
    ipv6.ndp: "ens3"
  description: ""
  name: incusbr0
  type: bridge
  project: default

michacassola avatar Jan 17 '25 18:01 michacassola

What is the best way to do without this feature currently? Manually adding a proxy rule for each container is not an option.

LevitatingBusinessMan avatar Jul 08 '25 23:07 LevitatingBusinessMan

Right now, you need to do it by hand, but you can script it easily enough with incus list -c6 -fcsv or similar.

stgraber avatar Jul 08 '25 23:07 stgraber
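
One way to script the manual approach from the comment above, as an added example that is not part of the thread or of Incus. It assumes the `incus list -c6 -fcsv` cell layout stated in the comments; the helper names, the 2001:db8:26:9::/64 prefix and the sample rows are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): build NDP proxy commands from
# `incus list -c6 -fcsv` output instead of typing one per container.
# Assumption: each IPv6 cell holds "ADDR (IFACE)" entries, one per line,
# and a cell with several entries is wrapped in double quotes.
# The kernel only answers for proxy entries on an interface when
# net.ipv6.conf.<uplink>.proxy_ndp is set to 1.

# ndp_proxy_cmds UPLINK PREFIX  (hypothetical helper; CSV on stdin)
# PREFIX is matched as text, so it must be the lowercase form of a /64
# whose first four groups are non-zero, including the trailing colon.
ndp_proxy_cmds() {
    tr -d '"' | while read -r addr rest; do
        case "$addr" in
            # Only hex digits and colons may reach the generated command.
            *[!0-9a-f:]*) ;;
            # Proxy only addresses inside the bridge's own prefix, so an
            # address a container picked from elsewhere is ignored.
            "$2"*) printf 'ip -6 neigh replace proxy %s dev %s\n' "$addr" "$1" ;;
        esac
    done
}

# Constructed sample standing in for `incus list -c6 -fcsv`.
sample_csv() {
    printf '%s\n' \
        '2001:db8:26:9:216:3eff:fe00:1 (eth0)' \
        '"2001:db8:26:9::50 (eth0)' \
        'fd42:1234::7 (eth1)"' \
        '' \
        '2001:db8:26:9:bad;addr (eth0)'
}

# Dry run: print the commands for review. On a real host, replace
# sample_csv with `incus list -c6 -fcsv` and pipe the result to `sh`.
sample_csv | ndp_proxy_cmds ens3 '2001:db8:26:9:'
```

`replace` is used instead of `add` so that re-running the script does not fail on entries that already exist; entries for containers that have been deleted still have to be removed separately.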

This generally feels a bit too magic to me which is why we've not really looked at implementing this one. Incus doesn't really know what the container IP address is, it's only when you run incus list that we go look at it live.

We can calculate the EUI64 and hope for the best which would work in most cases, but anyone manually adding an IP by hand would then be out of luck, not a very good consistent experience.

stgraber avatar Jul 08 '25 23:07 stgraber

I managed to use ndppd as a solution.

I tried using this before, but I may have found a bug where ndppd does not work in daemon mode. In any case I got ndppd working now with the following config.

proxy ens3 {
    rule 2a04:dd00:26:9::/64 {
        iface incusbr0
    }
}

And I think this works for my needs, although it appears to be kind of finicky.

LevitatingBusinessMan avatar Jul 09 '25 00:07 LevitatingBusinessMan

Ah yeah, if that works correctly, then it seems like a much more appropriate way to handle this.

stgraber avatar Jul 09 '25 12:07 stgraber