>>Not really. I first thought we can just add another section called [v6rules],
>>but it is maybe easier to simply add special rule types 'v6in' and 'v6out'
>>instead.
>>Not sure what is easier.

I don't like the extra section too much. Because a VM could have both ipv4 and ipv6, I think it could be better not to manage the rules twice.

I thought of simply duplicating rules in iptables and ip6tables:

if a rule uses src or dst ipv4, skip it in ip6tables
if a rule uses src or dst ipv6, skip it in iptables
use -p icmp or -p icmpv6

I think we can generate ip6tables by default; it shouldn't slow down rule processing, because ipv4 never goes in these tables.

I'll do tests next week.

(and also work on the wiki, I'll write some doc about the ips option and suricata)

----- Original Mail -----

From: "Dietmar Maurer" <[email protected]>
To: "Alexandre DERUMIER" <[email protected]>, "pve-devel" <[email protected]>
Sent: Friday 27 June 2014 06:26:46
Subject: RE: [pve-devel] pve-firewall : ipv6 support ?

> what about adding ipv6 support to the firewall ?

Yes, we really need that, so it would be great if you can work on that.

> do you think it's very different than ipv4 ?

Not really. I first thought we can just add another section called [v6rules], but it is maybe easier to simply add special rule types 'v6in' and 'v6out' instead. Not sure what is easier.

> I found these differences:
>
> - ip6tables-save, ip6tables-restore
>
> - icmp rules : -p icmpv6 --icmpv6-type

Yes, we need to call ip6tables. I think we will find any further differences when we implement that ;-)

> ipset:
> create xhash:net family inet6

This should be easy to implement.

> - venet doesn't support ipv6 I think (also not supported by proxmox gui ?)

AFAIK venet supports ipv6 (you can even add v6 addresses on our GUI).
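
The rule duplication proposed in the reply above, as an added example that is not part of the original thread and is not pve-firewall code. The dict rule format, the chain name `VM-IN` and the function names are assumptions made for illustration; the example reads "use -p icmp or -p icmpv6" as emitting the protocol that matches each table, and it does not translate ICMP type names.

```python
import ipaddress

def family(addr):
    """Return 4 or 6 for an address/CIDR string, or None when unset."""
    if addr is None:
        return None
    return ipaddress.ip_network(addr, strict=False).version

def render(rule, ver):
    """Build one iptables (ver=4) or ip6tables (ver=6) rule line."""
    parts = ["-A", rule["chain"]]
    if rule.get("src"):
        parts += ["-s", rule["src"]]
    if rule.get("dst"):
        parts += ["-d", rule["dst"]]
    proto = rule.get("proto")
    if proto in ("icmp", "icmpv6"):
        proto = "icmp" if ver == 4 else "icmpv6"  # per-table ICMP protocol
    if proto:
        parts += ["-p", proto]
    if rule.get("dport"):
        parts += ["--dport", str(rule["dport"])]
    return " ".join(parts + ["-j", rule["action"]])

def split_rules(rules):
    """Render one rule list into (iptables_lines, ip6tables_lines)."""
    v4, v6 = [], []
    for rule in rules:
        fams = {family(rule.get("src")), family(rule.get("dst"))} - {None}
        if len(fams) > 1:
            # A src/dst pair from different families can never match.
            raise ValueError(f"rule mixes IPv4 and IPv6 addresses: {rule}")
        for ver, out in ((4, v4), (6, v6)):
            if fams and ver not in fams:
                continue  # address belongs to the other family: skip here
            out.append(render(rule, ver))
    return v4, v6

# Constructed sample rules in the hypothetical dict format.
SAMPLE_RULES = [
    {"chain": "VM-IN", "proto": "tcp", "dport": 22, "action": "ACCEPT"},
    {"chain": "VM-IN", "src": "192.0.2.0/24", "proto": "tcp", "dport": 443, "action": "ACCEPT"},
    {"chain": "VM-IN", "src": "2001:db8::/32", "proto": "tcp", "dport": 443, "action": "ACCEPT"},
    {"chain": "VM-IN", "proto": "icmp", "action": "ACCEPT"},
]

if __name__ == "__main__":
    for name, lines in zip(("iptables", "ip6tables"), split_rules(SAMPLE_RULES)):
        print(name, *lines, sep="\n  ")
```

Rules without an address land in both tables, so a policy written once covers both families and IPv6 traffic is not left unfiltered.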
