[pve-devel] pve-firewall IPv6 patch

Flavius Bindea flav at flav.com
Sat May 9 12:42:55 CEST 2015


Hello,

The IPv6 protocol uses a lot of ICMP and multicast in order to allow
routing configuration.

After different searches I've found that some more ICMPv6 types have
to be enabled.

After reading posts like these:
http://pivotallabs.com/configuring-f...6-dhcp-client/ and
http://www.cert.ssi.gouv.fr/site/CERTA-2006-INF-004/ (sorry in
French).

I've found that rules like these
https://www.cert.org/downloads/IPv6/ip6tables_rules.txt or from
shorewall /usr/share/shorewall6/action.AllowICMPs make things work
better.

After reading RFC4890, I confirm that all these kinds of packets should not
be dropped (read sections 4.3.2 and 4.3.3).

So here is a proposed patch.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Added-more-default-icmp6-rules-in-order-to-make-IPv6.patch
Type: application/octet-stream
Size: 4466 bytes
Desc: not available
URL: <http://pve.proxmox.com/pipermail/pve-devel/attachments/20150509/b8349a9e/attachment.obj>
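
A check in the spirit of the message above, added here as an example (it is not part of the original post or of the attached patch): it reads `ip6tables-save` output and lists the ICMPv6 types that a chain would not accept. The type list, the sample ruleset and the function names are assumptions of this example, and it expects numeric `--icmpv6-type` values.

```python
import shlex

# ICMPv6 type numbers (RFC 4443, RFC 4861, RFC 2710, RFC 3810) used for error
# reporting, neighbour/router discovery and multicast listener discovery.
ESSENTIAL = {
    1: "destination-unreachable", 2: "packet-too-big", 3: "time-exceeded",
    4: "parameter-problem", 128: "echo-request", 129: "echo-reply",
    130: "mld-query", 131: "mld-report", 132: "mld-done",
    133: "router-solicitation", 134: "router-advertisement",
    135: "neighbour-solicitation", 136: "neighbour-advertisement",
    143: "mldv2-report",
}
VERDICTS = ("ACCEPT", "DROP", "REJECT")

# Constructed sample in ip6tables-save format, not taken from the patch.
SAMPLE = """\
*filter
:INPUT DROP [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 128 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 135 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 136 -j ACCEPT
-A INPUT -j DROP
COMMIT
"""

def icmp6_rules(dump, chain):
    """Yield (type or None, target) for rules in `chain` that can match ICMPv6."""
    # Simplification: other matches (-s, -m hl, ...) and jumps to user chains are ignored.
    for line in dump.splitlines():
        tok = shlex.split(line)
        if tok[:2] != ["-A", chain] or "-j" not in tok:
            continue
        target = tok[tok.index("-j") + 1]
        proto = tok[tok.index("-p") + 1] if "-p" in tok else None
        catch_all = proto is None and len(tok) == 4  # bare "-A chain -j TARGET"
        if target not in VERDICTS or not (catch_all or proto in ("ipv6-icmp", "icmpv6")):
            continue
        typ = None  # None: rule applies to every ICMPv6 type
        if "--icmpv6-type" in tok:  # numeric "type" or "type/code"
            typ = int(tok[tok.index("--icmpv6-type") + 1].split("/")[0])
        yield typ, target

def blocked_types(dump, chain, policy="DROP"):
    """Return the ESSENTIAL types whose first matching verdict is not ACCEPT."""
    rules = list(icmp6_rules(dump, chain))
    def verdict(num):
        return next((t for typ, t in rules if typ in (None, num)), policy)
    return {n: name for n, name in ESSENTIAL.items() if verdict(n) != "ACCEPT"}
```

On the sample ruleset, `blocked_types(SAMPLE, "INPUT")` reports router solicitation and advertisement (133, 134), the MLD types and the error messages as blocked, since only echo request and neighbour solicitation/advertisement are accepted before the final DROP.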

