[pve-devel] [PATCH pve-firewall] fix ipv6 PVEFW-reject
Alexandre Derumier
aderumier at odiso.com
Mon Apr 29 16:18:46 CEST 2019
Signed-off-by: Alexandre Derumier <aderumier at odiso.com>
---
src/PVE/Firewall.pm | 8 ++------
1 file changed, 2 insertions(+), 6 deletions(-)
diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index 1607b74..806fd4b 100644
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -666,14 +666,10 @@ $pve_std_chains_conf->{6} = {
#{ action => 'DROP', dest => '224.0.0.0/4' },
],
'PVEFW-reject' => [
- # same as shorewall 'reject'
- #{ action => 'DROP', dsttype => 'BROADCAST' },
- #{ action => 'DROP', source => '224.0.0.0/4' },
{ action => 'DROP', proto => 'icmpv6' },
{ match => '-p tcp', target => '-j REJECT --reject-with tcp-reset' },
- #"-p udp -j REJECT --reject-with icmp-port-unreachable",
- #"-p icmp -j REJECT --reject-with icmp-host-unreachable",
- #"-j REJECT --reject-with icmp-host-prohibited",
+ { match => '-p udp', target => '-j REJECT --reject-with icmp6-port-unreachable' },
+ { target => '-j REJECT --reject-with icmp6-adm-prohibited' },
],
'PVEFW-Drop' => [
# same as shorewall 'Drop', which is equal to DROP,
--
2.11.0
More information about the pve-devel
mailing list