We have set up IPv6 networking on openvz using bridged veth devices. The IPv6 traffic to and from the VEs works fine.
ip6tables works on the HN and iptables works on the VE. Inside the VE we can set up ip6tables rules without any error messages. They are completely ignored, however.
What additional configuration options are necessary for ip6tables to work?
Seems you are using the containers under Proxmox, right? You should then check from the graphical interface in Proxmox that the network addresses are fine and known by PVE.
In some cases, PVE prevents the use of some iptables modules, e.g.:
FATAL: Could not load /lib/modules/4.15.18-1-pve/modules.dep: No such file or directory
Note: On Proxmox 5, OpenVZ containers will be converted to LXC; this might introduce some bias.
Make sure you are applying the rules to the venet0 interface explicitly.
OpenVZ containers inherit the kernel and modules from the host node. Because of this you can't load new kernel modules in an OpenVZ/LXC container. I would ensure that the host node has the ip6_tables kernel module either compiled into the kernel or loaded as a module.
This is a problem because OpenVZ is Paravirtualization, meaning that it shares the same kernel with the host node. Because you share the same kernel as the other OpenVZ containers, you can't load modules into the kernel. With Hardware virtual machines you get to run your own kernel and can then load/unload kernel modules, or compile your own kernel to use. The question linked below covers the differences in more detail.
What is the difference between Full, Para and Hardware assisted virtualization?
Sadly, when you only have access to the Guest OpenVZ environment, determining if the IPv6 IPtables module is loaded can be a bit hard, as lsmod, /proc/modules, and /proc/config.gz often do not exist inside OpenVZ.
Because of this, you might just have to contact your provider, as someone with root access on the host node will have to load this kernel module for you.
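As an added example (not part of any answer above), this shell function collects what evidence a guest can see for ip6_tables support, trying the sources named in the last answer and skipping any that are missing. The function name, the optional root-directory argument and the verdict strings are assumptions of this sketch, and the /proc/net/ip6_tables_names check is a heuristic based on mainline Linux behaviour.

```shell
#!/bin/sh
# Added example: report evidence for ip6_tables support from inside a container.
# $1 is a hypothetical "root" prefix (empty = live system) so the function can
# also be pointed at a constructed directory tree.
ip6t_evidence() {
    root="${1:-}"
    verdict="unknown"

    # 1. /proc/modules is what lsmod reads; often absent inside OpenVZ.
    if [ -r "$root/proc/modules" ]; then
        if grep -q '^ip6_tables ' "$root/proc/modules"; then
            verdict="loaded-module"
        fi
    fi

    # 2. On mainline kernels the ip6_tables code creates this file, so its
    #    presence suggests the code is available (module or built-in).
    #    Test existence only: procfs files report a size of 0.
    if [ "$verdict" = unknown ] && [ -e "$root/proc/net/ip6_tables_names" ]; then
        verdict="tables-registered"
    fi

    # 3. Kernel build configuration, if the host exposes it.
    if [ "$verdict" = unknown ] && [ -r "$root/proc/config.gz" ]; then
        case "$(gzip -dc "$root/proc/config.gz" 2>/dev/null |
                grep '^CONFIG_IP6_NF_IPTABLES=')" in
            *=y) verdict="built-in" ;;
            *=m) verdict="module-not-loaded" ;;
        esac
    fi

    # "unknown" means none of the sources was visible: ask the host node admin.
    echo "$verdict"
}

# Stand-alone use: check the live system, or the tree given as first argument.
ip6t_evidence "${1:-}"
```

A verdict of "module-not-loaded" or "unknown" from inside the guest is the case where someone with root on the host node has to load or confirm the module.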