[pve-devel] pve-firewall : ebtables

Alexandre DERUMIER aderumier at odiso.com
Tue Jul 15 12:54:07 CEST 2014


>>[OPTIONS] 
>>allowed_versions: ipv4|ipv6|both 

yes, I think it's better than in rules.
(I'm thinking about permissions, if we want admin manage option and user rules for examples)

I can make a patch.


----- Mail original ----- 

De: "Dietmar Maurer" <dietmar at proxmox.com> 
À: "Alexandre DERUMIER" <aderumier at odiso.com>, "Stefan Priebe - Profihost AG" <s.priebe at profihost.ag> 
Cc: pve-devel at pve.proxmox.com 
Envoyé: Mardi 15 Juillet 2014 12:50:01 
Objet: RE: [pve-devel] pve-firewall : ebtables 

> >>1.) Is there any reason you generally allowed IPv4 and IPv6? 
> >>Personally i would like to allow IPv4 but block IPv6. 
> 
> Do you want to do it by vm or globally ? 
> In my ebtables patch, I just accept for ipv4 and ipv6 at the begin, to manage 
> mac filtering at iptables level. 
> (for performance, because with conntrack established, we don't need to 
> check each packet) 

maybe a new 'version' option for <vmid>.fw: 

[OPTIONS] 
allowed_versions: ipv4|ipv6|both 

and maybe new option for rules to indicate the version, so that we can block ipv4 or ipv6 only: 

[RULES] 
IN DROP -v6 
IN ACCEPT -v4 


More information about the pve-devel mailing list