X-Git-Url: https://git.proxmox.com/?p=pve-firewall.git;a=blobdiff_plain;f=src%2FPVE%2FFirewall.pm;h=a39cf6d46503dcded67f047387a8d50a3369fb36;hp=47a1aea7ad8966f712e63199d730e10b8266f973;hb=a86e183a06daea8268fb7424c74077ce5d98a3be;hpb=077323c33e8aa14bf67f8776d1f40d139e5ce72f

diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index 47a1aea..a39cf6d 100644
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -137,6 +137,15 @@ my $pve_ipv6fw_macros = {
     'Ping' => [
 	{ action => 'PARAM', proto => 'icmpv6', dport => 'echo-request' },
     ],
+    'NeighborDiscovery' => [
+	"IPv6 neighbor solicitation, neighbor and router advertisement",
+	{ action => 'PARAM', proto => 'icmpv6', dport => 'router-advertisement' },
+	{ action => 'PARAM', proto => 'icmpv6', dport => 'neighbor-solicitation' },
+	{ action => 'PARAM', proto => 'icmpv6', dport => 'neighbor-advertisement' },
+    ],
+    'DHCPv6' => [
+	{ action => 'PARAM', proto => 'udp', dport => '546:547', sport => '546:547' },
+    ],
     'Trcrt' => [
 	{ action => 'PARAM', proto => 'udp', dport => '33434:33524' },
 	{ action => 'PARAM', proto => 'icmpv6', dport => 'echo-request' },
@@ -735,7 +744,9 @@ my $icmpv6_type_names = {
     'echo-reply' => 1,
     'router-solicitation' => 1,
     'router-advertisement' => 1,
+    'neighbor-solicitation' => 1,
     'neighbour-solicitation' => 1,
+    'neighbor-advertisement' => 1,
     'neighbour-advertisement' => 1,
     'redirect' => 1,
 };
@@ -1664,11 +1675,13 @@ sub ruleset_generate_cmdstr {
 	if ($rule->{dport}) {
 	    if ($rule->{proto} && $rule->{proto} eq 'icmp') {
 		# Note: we use dport to store --icmp-type
-		die "unknown icmp-type '$rule->{dport}'\n" if !defined($icmp_type_names->{$rule->{dport}});
+		die "unknown icmp-type '$rule->{dport}'\n"
+		    if $rule->{dport} !~ /^\d+$/ && !defined($icmp_type_names->{$rule->{dport}});
 		push @cmd, "-m icmp --icmp-type $rule->{dport}";
 	    } elsif ($rule->{proto} && $rule->{proto} eq 'icmpv6') {
 		# Note: we use dport to store --icmpv6-type
-		die "unknown icmpv6-type '$rule->{dport}'\n" if !defined($icmpv6_type_names->{$rule->{dport}});
+		die "unknown icmpv6-type '$rule->{dport}'\n"
+		    if $rule->{dport} !~ /^\d+$/ && !defined($icmpv6_type_names->{$rule->{dport}});
 		push @cmd, "-m icmpv6 --icmpv6-type $rule->{dport}";
 	    } else {
 		if ($nbdport > 1) {