[pve-devel] [PATCH proxmox-firewall 1/1] firewall: properly reject ipv6 traffic

* [pve-devel] [PATCH proxmox-firewall 1/1] firewall: properly reject ipv6 traffic
@ 2024-05-13 11:35 Stefan Hanreich
  2024-05-13 12:15 ` Stefan Hanreich
  0 siblings, 1 reply; 2+ messages in thread
From: Stefan Hanreich @ 2024-05-13 11:35 UTC (permalink / raw)
  To: pve-devel

ICMPv6 has different message types for rejecting traffic. With ICMP we
used host-prohibited as rejection type, which doesn't exist in ICMPv6.
Add an additional rule for IPv6, so it uses admin-prohibited.

Signed-off-by: Stefan Hanreich <s.hanreich@proxmox.com>
---
 proxmox-firewall/resources/proxmox-firewall.nft | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/proxmox-firewall/resources/proxmox-firewall.nft b/proxmox-firewall/resources/proxmox-firewall.nft
index f36bf3b..0a220bf 100644
--- a/proxmox-firewall/resources/proxmox-firewall.nft
+++ b/proxmox-firewall/resources/proxmox-firewall.nft
@@ -75,8 +75,9 @@ table inet proxmox-firewall {
         ip saddr 224.0.0.0/4 drop
 
         meta l4proto tcp reject with tcp reset
-        meta l4proto icmp reject with icmp type port-unreachable
+        meta l4proto icmp reject with icmpx type port-unreachable
         reject with icmp type host-prohibited
+        reject with icmpv6 type admin-prohibited
     }
 
     set v4-dc/management {
@@ -289,8 +290,9 @@ table bridge proxmox-firewall-guests {
         ip saddr 224.0.0.0/4 drop
 
         meta l4proto tcp reject with tcp reset
-        meta l4proto icmp reject with icmp type port-unreachable
+        meta l4proto icmp reject with icmpx type port-unreachable
         reject with icmp type host-prohibited
+        reject with icmpv6 type admin-prohibited
     }
 
     chain after-vm-in {
-- 
2.39.2


_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel


^ permalink raw reply	[flat|nested] 2+ messages in thread