minor cleanups, use {pve} instead of {PVE}

[pve-docs.git] / pve-firewall.adoc

diff --git a/pve-firewall.adoc b/pve-firewall.adoc
index be85b114bb460ee91ff2e44bcdc656ab643b6319..5f76f5deaa0f36db0f75ca31d4940a430a844a49 100644 (file)
--- a/pve-firewall.adoc
+++ b/pve-firewall.adoc
@@ -6,7 +6,7 @@ include::attributes.txt[]
 NAME
 ----
 
-pve-firewall - The PVE Firewall Daemon
+pve-firewall - PVE Firewall Daemon
 
 
 SYNOPSYS
@@ -483,12 +483,31 @@ net.ipv6.conf.lo.disable_ipv6 = 0
 ----
 # /etc/network/interfaces
 (...)
+# Dual stack:
+iface vmbr0 inet static
+    address 1.2.3.4
+    netmask 255.255.255.128
+    gateway 1.2.3.5
 iface vmbr0 inet6 static
     address fc00::31
     netmask 16
     gateway fc00::1
     accept_ra 0
     pre-up echo 0 > /proc/sys/net/ipv6/conf/$IFACE/disable_ipv6
+
+# With IPv6-only 'pre-up' is too early and 'up' is too late.
+# Work around this by creating the bridge manually
+iface vmbr1 inet manual
+    pre-up ip link add $IFACE type bridge
+    up echo 0 > /proc/sys/net/ipv6/conf/$IFACE/disable_ipv6
+iface vmbr1 inet6 static
+    address fc00:b:3::1
+    netmask 96
+    bridge_ports none
+    bridge_stp off
+    bridge_fd 0
+    bridge_vlan_aware yes
+    accept_ra 0
 (...)
 ----