> >>1.) Is there any reason you generally allowed IPv4 and IPv6?
> >>Personally I would like to allow IPv4 but block IPv6.
> >
> > Do you want to do it by vm or globally?
>
> In my ebtables patch, I just accept for ipv4 and ipv6 at the beginning, to manage
> mac filtering at iptables level.
> (for performance, because with conntrack established, we don't need to
> check each packet)

maybe a new 'version' option for <vmid>.fw:

[OPTIONS]
allowed_versions: ipv4|ipv6|both

and maybe new option for rules to indicate the version, so that we can block ipv4 or ipv6 only:

[RULES]
IN DROP -v6
IN ACCEPT -v4

_______________________________________________
pve-devel mailing list
pve-devel@pve.proxmox.com
http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel