[pve-devel] pve-firewall : ipv6 support ?

Alexandre DERUMIER aderumier at odiso.com
Fri Jun 27 06:45:46 CEST 2014


>>Not really. I first thought we can just add another section called [v6rules],
>>but it is maybe easier to simply add special rule types 'v6in' and 'v6out' instead.
>>Not sure what is easier.

I don't much like the extra section.
Because a vm could have both ipv4 and ipv6, I think it could be better not to manage
the rules twice.

I thought of simply duplicating the rules in iptables and ip6tables:
   if a rule uses an ipv4 src or dst, skip it in ip6tables
   if a rule uses an ipv6 src or dst, skip it in iptables
   use -p icmp or -p icmpv6


I think we can generate ip6tables by default; it shouldn't slow down rule processing,
because ipv4 never goes into these tables.


I'll do tests next week (and also work on the wiki; I'll write some docs about the ips option and suricata).




----- Original Message -----

From: "Dietmar Maurer" <dietmar at proxmox.com>
To: "Alexandre DERUMIER" <aderumier at odiso.com>, "pve-devel" <pve-devel at pve.proxmox.com>
Sent: Friday 27 June 2014 06:26:46
Subject: RE: [pve-devel] pve-firewall : ipv6 support ?

> what about adding ipv6 support to the firewall ?

Yes, we really need that, so it would be great if you can work on that. 

> do you think it's very different than ipv4 ? 

Not really. I first thought we can just add another section called [v6rules], 
but it is maybe easier to simply add special rule types 'v6in' and 'v6out' instead. 
Not sure what is easier. 

> I found these differences:
> 
> - ip6tables-save, ip6tables-restore 
> 
> - icmp rules : -p icmpv6 --icmpv6-type 

Yes, we need to call ip6tables. I think we will find any further differences when we implement that ;-) 

> ipset: 
> create xhash:net family inet6 

This should be easy to implement. 

> -venet doesn't support ipv6 I think (also not supported by proxmox gui ?)

AFAIK venet supports ipv6 (you can even add v6 addresses on our GUI). 
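
The rule-splitting approach proposed at the top of this message (one rule list rendered for both iptables and ip6tables, skipping rules whose src or dst belongs to the other family and swapping icmp for icmpv6), as an added sketch that is not part of the thread and not pve-firewall code. The rule dict keys, the chain name EXAMPLE-IN and the sample rules are assumptions constructed for illustration.

```python
import ipaddress

# Constructed sample rules; the dict keys are illustrative, not pve-firewall's rule format.
SAMPLE_RULES = [
    {"action": "ACCEPT", "proto": "tcp", "dport": "22"},
    {"action": "ACCEPT", "proto": "tcp", "dport": "443", "source": "192.0.2.0/24"},
    {"action": "ACCEPT", "proto": "tcp", "dport": "443", "source": "2001:db8::/32"},
    {"action": "ACCEPT", "proto": "icmp"},
    # Mixed families can never match a packet, so this rule lands in neither table.
    {"action": "DROP", "source": "192.0.2.7", "dest": "2001:db8::1"},
]

def family_of(spec):
    """Return 4 or 6 for an address or CIDR string, None when unset."""
    if not spec:
        return None
    return ipaddress.ip_network(spec, strict=False).version

def render(rule, family, chain="EXAMPLE-IN"):
    """Return one iptables-restore style line for family 4 or 6, or None to skip."""
    for key in ("source", "dest"):
        fam = family_of(rule.get(key))
        if fam is not None and fam != family:
            return None  # address belongs to the other family
    parts = ["-A", chain]
    proto = rule.get("proto")
    # Only the protocol name is swapped; ICMP type names differ between
    # v4 and v6 and are not handled in this sketch.
    if proto in ("icmp", "icmpv6"):
        proto = "icmp" if family == 4 else "icmpv6"
    if proto:
        parts += ["-p", proto]
    if rule.get("source"):
        parts += ["-s", rule["source"]]
    if rule.get("dest"):
        parts += ["-d", rule["dest"]]
    if rule.get("dport"):
        parts += ["--dport", rule["dport"]]
    parts += ["-j", rule["action"]]
    return " ".join(parts)

def build_rulesets(rules):
    """Split one rule list into (iptables lines, ip6tables lines)."""
    v4 = [line for r in rules if (line := render(r, 4)) is not None]
    v6 = [line for r in rules if (line := render(r, 6)) is not None]
    return v4, v6

if __name__ == "__main__":
    v4, v6 = build_rulesets(SAMPLE_RULES)
    print("# iptables", *v4, "# ip6tables", *v6, sep="\n")
```

Address-free rules appear in both rulesets, which is what keeps a dual-stack guest from being filtered on IPv4 while left open on IPv6.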


