[pve-devel] pve-firewall : ebtables
Alexandre DERUMIER
aderumier at odiso.com
Tue Jul 15 12:54:07 CEST 2014
>>[OPTIONS]
>>allowed_versions: ipv4|ipv6|both
Yes, I think it's better than in rules.
(I'm thinking about permissions, if we want the admin to manage options and users to manage rules, for example.)
I can make a patch.
----- Original Message -----
From: "Dietmar Maurer" <dietmar at proxmox.com>
To: "Alexandre DERUMIER" <aderumier at odiso.com>, "Stefan Priebe - Profihost AG" <s.priebe at profihost.ag>
Cc: pve-devel at pve.proxmox.com
Sent: Tuesday, 15 July 2014 12:50:01
Subject: RE: [pve-devel] pve-firewall : ebtables
> >>1.) Is there any reason you generally allowed IPv4 and IPv6?
> >>Personally I would like to allow IPv4 but block IPv6.
>
> Do you want to do it by vm or globally?
> In my ebtables patch, I just accept for ipv4 and ipv6 at the beginning, to manage
> mac filtering at iptables level.
> (for performance, because with conntrack established, we don't need to
> check each packet)
maybe a new 'version' option for <vmid>.fw:
[OPTIONS]
allowed_versions: ipv4|ipv6|both
and maybe a new option for rules to indicate the version, so that we can block ipv4 or ipv6 only:
[RULES]
IN DROP -v6
IN ACCEPT -v4