[pve-devel] firewall : ipv6 reject not working for udp
Alexandre DERUMIER
aderumier at odiso.com
Mon Apr 29 14:31:54 CEST 2019
>>I mean you added this like it is about 5 years ago:
>>https://git.proxmox.com/?p=pve-firewall.git;a=commitdiff;h=47a79ff21ca4e4502a48f71062687f4202f344ac
lol ^_^
>>So not too sure, maybe it was just by accident and got unnoticed?
If I remember, I had copy/pasted the ipv4 chains and adapted them for ipv6. I just forgot to finish it.
>>Would you like to prepare a patch for this?
Yes sure.
I'll do tests today.
----- Original Message -----
From: "Thomas Lamprecht" <t.lamprecht at proxmox.com>
To: "pve-devel" <pve-devel at pve.proxmox.com>, "aderumier" <aderumier at odiso.com>
Sent: Monday 29 April 2019 13:12:50
Subject: Re: [pve-devel] firewall : ipv6 reject not working for udp
Hi,
On 4/29/19 at 12:15 PM, Alexandre DERUMIER wrote:
> Looking on the net, the udp reject should be done with:
>
> -p udp -j REJECT --reject-with icmp6-adm-prohibited
>
I mean you added this like it is about 5 years ago:
https://git.proxmox.com/?p=pve-firewall.git;a=commitdiff;h=47a79ff21ca4e4502a48f71062687f4202f344ac
So not too sure, maybe it was just by accident and got unnoticed?
Would you like to prepare a patch for this?
> ----- Original Message -----
> From: "aderumier" <aderumier at odiso.com>
> To: "pve-devel" <pve-devel at pve.proxmox.com>
> Sent: Monday 29 April 2019 11:48:32
> Subject: [pve-devel] firewall : ipv6 reject not working for udp
>
> Hi,
>
> I'm currently testing firewall with ipv6,
> and it seems that the default reject is not working with udp.
>
> looking at code, I see that comment on udp/icmp.
>
> Is it a bug ?
>
>
>     'PVEFW-reject' => [
>         # same as shorewall 'reject'
>         #{ action => 'DROP', dsttype => 'BROADCAST' },
>         #{ action => 'DROP', source => '224.0.0.0/4' },
>         { action => 'DROP', proto => 'icmpv6' },
>         { match => '-p tcp', target => '-j REJECT --reject-with tcp-reset' },
>         #"-p udp -j REJECT --reject-with icmp-port-unreachable",
>         #"-p icmp -j REJECT --reject-with icmp-host-unreachable",
>         #"-j REJECT --reject-with icmp-host-prohibited",
>     ],
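
An added example, not part of the thread and not pve-firewall code: a small Python model of first-match chain traversal over the two active rules of the quoted `PVEFW-reject` chain, showing that UDP leaves the chain without a verdict until the rule proposed in the thread is appended. The evaluator and its function names are hypothetical, and it models protocol matching only.

```python
# Added illustration: minimal model of first-match chain traversal.
# Rule dicts mirror the fields quoted in the thread; the evaluator is
# hypothetical and is not pve-firewall code.

CHAIN_AS_QUOTED = [
    {"action": "DROP", "proto": "icmpv6"},
    {"match": "-p tcp", "target": "-j REJECT --reject-with tcp-reset"},
]

# Rule proposed in the thread for UDP.
UDP_REJECT = {"match": "-p udp",
              "target": "-j REJECT --reject-with icmp6-adm-prohibited"}


def rule_proto(rule):
    """Return the protocol a rule matches, or None if it matches any."""
    if "proto" in rule:
        return rule["proto"]
    tokens = rule.get("match", "").split()
    if "-p" in tokens:
        idx = tokens.index("-p")
        if idx + 1 < len(tokens):
            return tokens[idx + 1]
    return None


def rule_verdict(rule):
    """Return the terminating verdict string of a rule."""
    if "action" in rule:
        return rule["action"]
    tokens = rule["target"].split()
    return " ".join(tokens[tokens.index("-j") + 1:])


def evaluate(chain, proto):
    """First matching rule wins; no match means return to the caller."""
    for rule in chain:
        matched = rule_proto(rule)
        if matched is None or matched == proto:
            return rule_verdict(rule)
    return "RETURN"


def uncovered(chain, protos=("tcp", "udp", "icmpv6")):
    """List protocols that leave the chain without a verdict."""
    return [p for p in protos if evaluate(chain, p) == "RETURN"]


if __name__ == "__main__":
    print(uncovered(CHAIN_AS_QUOTED))
    print(uncovered(CHAIN_AS_QUOTED + [UDP_REJECT]))
```
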