[pve-devel] firewall : ipv6 reject not working for udp
Thomas Lamprecht
t.lamprecht at proxmox.com
Mon Apr 29 13:12:50 CEST 2019
Hi,
On 4/29/19 at 12:15 PM, Alexandre DERUMIER wrote:
> Looking on the net, the udp reject should be done with:
>
> -p udp -j REJECT --reject-with icmp6-adm-prohibited
>
I mean you added this like it is about 5 years ago:
https://git.proxmox.com/?p=pve-firewall.git;a=commitdiff;h=47a79ff21ca4e4502a48f71062687f4202f344ac
So not too sure, maybe it was just by accident and got unnoticed?
Would you like to prepare a patch for this?
> ----- Original Message -----
> From: "aderumier" <aderumier at odiso.com>
> To: "pve-devel" <pve-devel at pve.proxmox.com>
> Sent: Monday 29 April 2019 11:48:32
> Subject: [pve-devel] firewall : ipv6 reject not working for udp
>
> Hi,
>
> I'm currently testing the firewall with ipv6,
> and it seems that the default reject is not working with udp.
>
> Looking at the code, I see that comment on udp/icmp.
>
> Is it a bug?
>
>
> 'PVEFW-reject' => [
>     # same as shorewall 'reject'
>     #{ action => 'DROP', dsttype => 'BROADCAST' },
>     #{ action => 'DROP', source => '224.0.0.0/4' },
>     { action => 'DROP', proto => 'icmpv6' },
>     { match => '-p tcp', target => '-j REJECT --reject-with tcp-reset' },
>     #"-p udp -j REJECT --reject-with icmp-port-unreachable",
>     #"-p icmp -j REJECT --reject-with icmp-host-unreachable",
>     #"-j REJECT --reject-with icmp-host-prohibited",
> ],
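
An added example (not part of the original mail and not pve-firewall's own code): a small check that reads ip6tables-save style text and reports which verdict a protocol receives in a chain, which makes the missing UDP reject visible. The sample ruleset is constructed from the active entries quoted above; the function names and the rendered rule syntax are assumptions.

```python
import shlex

# Constructed sample (not captured from a real host): how the chain from the
# mail could look in ip6tables-save output, with only the active entries.
SAMPLE_RULES = """\
*filter
:PVEFW-reject - [0:0]
-A PVEFW-reject -p ipv6-icmp -j DROP
-A PVEFW-reject -p tcp -j REJECT --reject-with tcp-reset
COMMIT
"""

# Same constructed chain with the rule suggested in the thread appended.
FIXED_RULES = SAMPLE_RULES.replace(
    "COMMIT",
    "-A PVEFW-reject -p udp -j REJECT --reject-with icmp6-adm-prohibited\nCOMMIT",
)


def chain_rules(save_text, chain):
    """Yield (proto, target, reject_with) for each -A rule of `chain`."""
    for line in save_text.splitlines():
        tok = shlex.split(line)
        if tok[:2] != ["-A", chain]:
            continue
        opt = {}
        for i, t in enumerate(tok[:-1]):
            if t in ("-p", "-j", "--reject-with"):
                opt[t] = tok[i + 1]
        yield opt.get("-p"), opt.get("-j"), opt.get("--reject-with")


def verdict(save_text, chain, proto):
    """First terminating verdict a packet of `proto` gets in `chain`.

    Only plain -p matches are modelled (no negation, no other matches).
    Returns 'fall-through' when no rule in the chain ends processing,
    which is the case reported for UDP.
    """
    for rule_proto, target, reject_with in chain_rules(save_text, chain):
        if rule_proto not in (None, proto, "all"):
            continue
        if target == "REJECT":
            return "REJECT " + (reject_with or "(default)")
        if target in ("DROP", "ACCEPT"):
            return target
    return "fall-through"
```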