firewall: add a 'Notes on IPv6' section

diff --git a/pve-firewall.adoc b/pve-firewall.adoc
index 3ec1d3093feace5d1b05331a7f586565081569ea..68699390b5f44596b4db0da6a7d7c2333bb3bddb 100644 (file)
--- a/pve-firewall.adoc
+++ b/pve-firewall.adoc
@@ -263,6 +263,7 @@ Traffic from these ips is dropped by every host's and VM's firewall.
 213.87.123.0/24
 ----
 
 213.87.123.0/24
 ----
 

+[[ipfilter-section]]

 Standard IP set 'ipfilter-net*'
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 
 Standard IP set 'ipfilter-net*'
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 


@@ -369,3 +370,27 @@ ifdef::manvolnum[]
 include::copyright.adoc[]
 endif::manvolnum[]
 
 include::copyright.adoc[]
 endif::manvolnum[]
 

+Notes on IPv6
+^^^^^^^^^^^^^
+
+The firewall contains a few IPv6 specific options. One thing to note is that
+IPv6 does not use the ARP protocol anymore, and instead uses NDP (Neighbor
+Discovery Protocol) which works on IP level and thus needs IP addresses to
+succeed. For this purpose link-local addresses derived from the interface's MAC
+address are used. By default the 'NDP' option is enabled on both host and VM
+level to allow neighbor discovery (NDP) packets to be sent and received.
+
+Beside neighbor discovery NDP is also used for a couple of other things, like
+autoconfiguration and advertising routers.
+
+By default VMs are allowed to send out router solicitation messages (to query
+for a router), and to receive router advetisement packets. This allows them to
+use stateless auto configuration. On the other hand VMs cannot advertise
+themselves as routers unless the 'Allow Router Advertisement' (`radv: 1`) option
+is set.
+
+As for the link local addresses required for NDP, there's also an 'IP Filter'
+(`ipfilter: 1`) option which can be enabled which has the same effect as adding
+an `ipfilter-net*` ipset for each of the VM's network interfaces containing the
+corresponding link local addresses.  (See the
+<<ipfilter-section,Standard IP set 'ipfilter-net*'>> section for details.)