[pve-devel] pve-firewall : ebtables

Dietmar Maurer dietmar at proxmox.com
Tue Jul 15 12:50:01 CEST 2014


> >>1.) Is there any reason you generally allowed IPv4 and IPv6?
> >>Personally i would like to allow IPv4 but block IPv6.
> 
> Do you want to do it by vm or globally?
> In my ebtables patch, I just accept for ipv4 and ipv6 at the beginning, to manage
> mac filtering at iptables level.
> (for performance, because with conntrack established, we don't need to
> check each packet)

maybe a new 'version' option for <vmid>.fw:

[OPTIONS]
allowed_versions: ipv4|ipv6|both

and maybe new option for rules to indicate the version, so that we can block ipv4 or ipv6 only:

[RULES]
IN DROP -v6
IN ACCEPT -v4


 

