[pve-devel] [PATCH proxmox-firewall 1/1] firewall: properly reject ipv6 traffic

Stefan Hanreich s.hanreich at proxmox.com
Mon May 13 14:15:02 CEST 2024


v2 available:

https://lists.proxmox.com/pipermail/pve-devel/2024-May/063839.html

On 5/13/24 13:35, Stefan Hanreich wrote:
> ICMPv6 has different message types for rejecting traffic. With ICMP we
> used host-prohibited as rejection type, which doesn't exist in ICMPv6.
> Add an additional rule for IPv6, so it uses admin-prohibited.
> 
> Signed-off-by: Stefan Hanreich <s.hanreich at proxmox.com>
> ---
>  proxmox-firewall/resources/proxmox-firewall.nft | 6 ++++--
>  1 file changed, 4 insertions(+), 2 deletions(-)
> 
> diff --git a/proxmox-firewall/resources/proxmox-firewall.nft b/proxmox-firewall/resources/proxmox-firewall.nft
> index f36bf3b..0a220bf 100644
> --- a/proxmox-firewall/resources/proxmox-firewall.nft
> +++ b/proxmox-firewall/resources/proxmox-firewall.nft
> @@ -75,8 +75,9 @@ table inet proxmox-firewall {
>          ip saddr 224.0.0.0/4 drop
>  
>          meta l4proto tcp reject with tcp reset
> -        meta l4proto icmp reject with icmp type port-unreachable
> +        meta l4proto icmp reject with icmpx type port-unreachable
>          reject with icmp type host-prohibited
> +        reject with icmpv6 type admin-prohibited
>      }
>  
>      set v4-dc/management {
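Review bot: the `meta l4proto icmp` match on the changed line only selects IPv4 ICMP (IP protocol 1), so switching its reject from `icmp type port-unreachable` to `icmpx type port-unreachable` has no effect on IPv6 traffic, which is `ipv6-icmp` (protocol 58). If the intent is to answer both families with port-unreachable, widen the match to `meta l4proto { icmp, ipv6-icmp }`; otherwise the `icmp` -> `icmpx` change is a no-op and can be dropped. The ordering of the two trailing catch-all lines is fine: in an inet table `reject with icmp type host-prohibited` only applies to IPv4 and `reject with icmpv6 type admin-prohibited` only to IPv6, so IPv6 packets fall through to the new rule. A single `reject with icmpx type admin-prohibited` would cover both families in one line, but note that this changes the IPv4 reply from host-prohibited to admin-prohibited.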
> @@ -289,8 +290,9 @@ table bridge proxmox-firewall-guests {
>          ip saddr 224.0.0.0/4 drop
>  
>          meta l4proto tcp reject with tcp reset
> -        meta l4proto icmp reject with icmp type port-unreachable
> +        meta l4proto icmp reject with icmpx type port-unreachable
>          reject with icmp type host-prohibited
> +        reject with icmpv6 type admin-prohibited
>      }
>  
>      chain after-vm-in {
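Review bot: same point as for the first hunk, since this block in the bridge table mirrors it line for line: `meta l4proto icmp` still restricts the `icmpx` reject to IPv4, so the new `reject with icmpv6 type admin-prohibited` line is the only change that actually affects IPv6 here. The commit message only describes the added IPv6 rule; either mention the `icmp` -> `icmpx` change and why it is wanted, or leave that line untouched so the patch matches its description.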



