[pve-devel] [PATCH proxmox-firewall 1/1] firewall: properly reject ipv6 traffic
Stefan Hanreich
s.hanreich at proxmox.com
Mon May 13 14:15:02 CEST 2024
v2 available:
https://lists.proxmox.com/pipermail/pve-devel/2024-May/063839.html
On 5/13/24 13:35, Stefan Hanreich wrote:
> ICMPv6 has different message types for rejecting traffic. With ICMP we
> used host-prohibited as rejection type, which doesn't exist in ICMPv6.
> Add an additional rule for IPv6, so it uses admin-prohibited.
>
> Signed-off-by: Stefan Hanreich <s.hanreich at proxmox.com>
> ---
> proxmox-firewall/resources/proxmox-firewall.nft | 6 ++++--
> 1 file changed, 4 insertions(+), 2 deletions(-)
>
> diff --git a/proxmox-firewall/resources/proxmox-firewall.nft b/proxmox-firewall/resources/proxmox-firewall.nft
> index f36bf3b..0a220bf 100644
> --- a/proxmox-firewall/resources/proxmox-firewall.nft
> +++ b/proxmox-firewall/resources/proxmox-firewall.nft
> @@ -75,8 +75,9 @@ table inet proxmox-firewall {
> ip saddr 224.0.0.0/4 drop
>
> meta l4proto tcp reject with tcp reset
> - meta l4proto icmp reject with icmp type port-unreachable
> + meta l4proto icmp reject with icmpx type port-unreachable
> reject with icmp type host-prohibited
> + reject with icmpv6 type admin-prohibited
> }
>
> set v4-dc/management {
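Review bot: the added `reject with icmpv6 type admin-prohibited` line in this inet chain only takes effect if the preceding `reject with icmp type host-prohibited` does not already consume the IPv6 packet, so correctness rests on the reject expression's per-family behaviour rather than on an explicit match; consider making the families explicit, e.g. `meta nfproto ipv4 reject with icmp type host-prohibited` and `meta nfproto ipv6 reject with icmpv6 type admin-prohibited`, so the ordering is self-evident. Relatedly, the switch to `icmpx` on the `meta l4proto icmp` rule changes nothing for IPv6, because `l4proto icmp` only matches IPv4 ICMP; if the intent is to answer ICMPv6 probes with port-unreachable as well, the match would need to be `meta l4proto { icmp, ipv6-icmp }`.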
> @@ -289,8 +290,9 @@ table bridge proxmox-firewall-guests {
> ip saddr 224.0.0.0/4 drop
>
> meta l4proto tcp reject with tcp reset
> - meta l4proto icmp reject with icmp type port-unreachable
> + meta l4proto icmp reject with icmpx type port-unreachable
> reject with icmp type host-prohibited
> + reject with icmpv6 type admin-prohibited
> }
>
> chain after-vm-in {
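Review bot: the reasoning for the two separate reject lines (ICMPv6 has no host-prohibited code, hence admin-prohibited for IPv6) lives only in the commit message; since this block is now duplicated verbatim between the inet and bridge tables and will be edited together, a short `#` comment above the reject rules in the .nft file would keep the rationale next to the rules and make it less likely that a later change to one table diverges from the other.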