similar to: Problems when filtering on icmpv6

http://bugzilla.netfilter.org/show_bug.cgi?id=761 Summary: Bug in ICMPv6 type and code fields processing Product: ipset Version: unspecified Platform: i386 OS/Version: Gentoo Status: NEW Severity: major Priority: P5 Component: default AssignedTo: netfilter-buglog at lists.netfilter.org

https://bugzilla.netfilter.org/show_bug.cgi?id=1250 Bug ID: 1250 Summary: extensions: libip6t_icmp6: unsupported ICMPv6 types Product: iptables Version: 1.6.x Hardware: x86_64 OS: All Status: NEW Severity: enhancement Priority: P5 Component: ip6tables Assignee:

http://bugzilla.netfilter.org/show_bug.cgi?id=567 Summary: Local multicast ICMPv6 and --state INVALID Product: netfilter/iptables Version: linux-2.6.x Platform: All OS/Version: Ubuntu Status: NEW Severity: blocker Priority: P1 Component: unknown AssignedTo: laforge at netfilter.org

I just wrote this to assist some Red Hat folks understanding what libvirt does with iptables, and thought it is useful info for the whole libvirt community. When I have time I'll adjust this content so that it can fit into the website in relevant pages/places. Firewall / network filtering in libvirt ======================================= There are three pieces of libvirt

http://bugzilla.netfilter.org/show_bug.cgi?id=766 Summary: Segmentation Fault using Hop Limit and ICMPV6-TYPE in same rule Product: iptables Version: unspecified Platform: x86_64 OS/Version: Debian GNU/Linux Status: NEW Severity: major Priority: P5 Component: ip6tables

https://bugzilla.netfilter.org/show_bug.cgi?id=1412 Bug ID: 1412 Summary: ip6tables-nft not accepting "icmp" as shorthand for "icmpv6" Product: nftables Version: unspecified Hardware: x86_64 OS: Debian GNU/Linux Status: NEW Severity: minor Priority: P5

On Fri, Jun 29, 2018 at 3:40 AM Thiago Oliveira <cpv.thiago@gmail.com> wrote: > Hi Ales, > > I would like to prevent the guests from different subnets start a > communication. In other words I have the subnet 192.168.1.0/24 and > 192.168.2.0/24 and the guests from 192.168.1.0/24 cannot reach/talk with > guests on 192.168.2.0/24 at the same host. Is this possible using a

Hi Sam, You can find the rules by below command, and it looks as below: # ebtables -t nat --list Bridge table: nat Bridge chain: PREROUTING, entries: 2, policy: ACCEPT -j PREROUTING_direct -i vnet0 -j libvirt-I-vnet0 Bridge chain: OUTPUT, entries: 1, policy: ACCEPT -j OUTPUT_direct Bridge chain: POSTROUTING, entries: 2, policy: ACCEPT -j POSTROUTING_direct -o vnet0 -j libvirt-O-vnet0 Bridge

On Thu, Jun 28, 2018 at 10:18:57AM +0200, Ales Musil wrote: > Hello, > > I would like to make filter that allows communication only between > specified VMs. Those VMs should be specified by their MAC address. The > filter should extend clean-traffic but I was not able to get it working > with that reference. I have came up with modified clean-traffic which works > fine [1].

Hi Ales, I would like to prevent the guests from different subnets start a communication. In other words I have the subnet 192.168.1.0/24 and 192.168.2.0/24 and the guests from 192.168.1.0/24 cannot reach/talk with guests on 192.168.2.0/24 at the same host. Is this possible using a filter like yours? Thank you. Thiago. Em qui, 28 de jun de 2018 às 09:37, Ales Musil <amusil@redhat.com>

Hello, I would like to make filter that allows communication only between specified VMs. Those VMs should be specified by their MAC address. The filter should extend clean-traffic but I was not able to get it working with that reference. I have came up with modified clean-traffic which works fine [1]. Is there a way to achieve the same behavior with reference to clean-traffic? Thank you. Best

Hi, I have a process which is running as a linux service and assigns IP addresses using netlink to configued interface in linux. For IPv4 addresses i do not see any issue with this assignment. When i try to assign an IPv6 address, the address gets assigned successfully to the interface, but the Neighbour Solication request received for that address is not responded with and hence ping6 from a

https://bugzilla.netfilter.org/show_bug.cgi?id=926 Summary: icmp: ICMPv6 types are not supported Product: nftables Version: unspecified Platform: x86_64 OS/Version: Debian GNU/Linux Status: NEW Severity: normal Priority: P5 Component: nft AssignedTo: pablo at netfilter.org ReportedBy:

Hi thank you for looking in to this. I haven't tried it before now. I cant get it to work. after running the commands you suggest I get this when I run ip6tables --list-rules root at JOTVPN:~# ip6tables --list-rules -P INPUT ACCEPT -P FORWARD ACCEPT -P OUTPUT ACCEPT -A FORWARD -i vpn -p ipv6-icmp -m icmp6 --icmpv6-type 133 -j DROP -A FORWARD -o vpn -p ipv6-icmp -m icmp6 --icmpv6-type 134 -j

hi It was not working when i applied the rules on the vpn card. But I wondered if maybe bridging of vpn and eth0 was messing this up. I thought it was enough to only apply it to the vpn card root at JOTVPN:~# brctl show bridge name bridge id STP enabled    interfaces bridge 8000.000c29638a7e no           eth0                                                                   vpn so I tried the

https://bugzilla.netfilter.org/bugzilla/show_bug.cgi?id=508 Summary: ip6tables conntrack marks all incoming packets as INVALID Product: netfilter/iptables Version: linux-2.6.x Platform: i386 OS/Version: Gentoo Status: NEW Severity: normal Priority: P2 Component: ip_conntrack

http://bugzilla.netfilter.org/show_bug.cgi?id=576 Summary: ip6tables maks auto configuration packages as INVALID Product: iptables Version: unspecified Platform: i386 OS/Version: Debian GNU/Linux Status: NEW Severity: blocker Priority: P1 Component: ip6tables AssignedTo: laforge at netfilter.org

On Wed, Feb 22, 2017 at 08:51:49PM +0000, Håvard Rabbe wrote: > thank you for looking in to this. I haven't tried it before now. I cant get it to work. > > after running the commands you suggest I get this when I run ip6tables --list-rules > > root at JOTVPN:~# ip6tables --list-rules > -P INPUT ACCEPT > -P FORWARD ACCEPT > -P OUTPUT ACCEPT > -A FORWARD -i vpn -p

Dear Yalang, that did the trick. If I look in the NAT table of the bridge I can see the generated rules. Probably wouldn't have though about that ever. Thanks a lot! Best Sam On 29.12.18 06:51, Yalan Zhang wrote: > Hi Sam, > > You can find the rules by below command, and it looks as below: > # ebtables -t nat --list > Bridge table: nat > > Bridge chain: PREROUTING,

Hi, I contact you as i have difficulties to use nwfilter with KVM host. I want to implemente flow filtering between my Linux guests. I created the following filter : cat admin-dmz-internet.xml <filter name='admin-dmz-internet'> <!-- this zone is an SSH ingoing only zone --> <!-- but SSH can go to an other SSH proxy --> <filterref