From 74b864e2cb6030fd21a7b601c14147afb7ec11b9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Gardais=20J=C3=A9r=C3=A9my?=
Date: Tue, 21 Apr 2020 08:31:51 +0200
Subject: [PATCH] Block ipv6 multicast by default
---
 CHANGELOG.md | 1 +
 defaults/main.yml | 9 +++++++++
 2 files changed, 10 insertions(+)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 80ed15b..f0c72b3 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,6 +2,7 @@
 ### Features
 * Able to manage a new NAT table (with prerouting and postrouting chains).
+* Block ipv6 multicast by default.
 ### Enhancements
 * Clean tasks name and comments in tasks/main.yml file.
diff --git a/defaults/main.yml b/defaults/main.yml
index aeee550..ac3a834 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -129,6 +129,10 @@ nft_define_default:
 desc: 'broadcast and multicast'
 name: badcast_addr
 value: '{ 255.255.255.255, 224.0.0.1, 224.0.0.251 }'
+ ip6 broadcast and multicast:
+ desc: 'broadcast and multicast'
+ name: ip6_badcast_addr
+ value: '{ ff02::16 }'
 input tcp accepted:
 name: in_tcp_accept
 value: '{ ssh }'
@@ -190,6 +194,9 @@ nft_set_default:
 blackhole:
 - type ipv4_addr;
 - elements = $badcast_addr
+ ip6blackhole:
+ - type ipv6_addr;
+ - elements = $ip6_badcast_addr
 in_tcp_accept:
 - type inet_service; flags interval;
 - elements = $in_tcp_accept
@@ -250,6 +257,8 @@ nft_input_default_rules:
 - jump global
 010 drop unwanted:
 - ip daddr @blackhole counter drop
+ 011 drop unwanted ipv6:
+ - ip6 daddr @ip6blackhole counter drop
 015 localhost:
 - iif lo accept
 200 input udp accepted:
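Review bot: The new `ip6 broadcast and multicast` define in the `@@ -129` hunk copies the v4 description verbatim although IPv6 has no broadcast, and its single element `ff02::16` (the all-MLDv2-capable-routers group, the destination of MLDv2 listener reports) blocks far less than the subject and changelog bullet "Block ipv6 multicast by default" claim. Suggest `desc: 'MLDv2 report multicast (link-local)'` and a YAML comment above the entry recording that the v4 list cannot simply be mirrored: `ff02::1` (all-nodes) receives Router Advertisements and `ff02::1:ff00:0/104` (solicited-node) receives Neighbor Solicitations, so adding either to a drop set breaks SLAAC and Neighbor Discovery, while `ff02::fb` (mDNS) would be the v6 counterpart of `224.0.0.251` if that service is also unwanted. The same wording applies to the `ip6blackhole` set in the `@@ -190` hunk, whose key also departs from the `ip6_badcast_addr` naming used for the define.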
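Review bot: Rule `011 drop unwanted ipv6` in the `@@ -250` hunk drops every protocol addressed to `ff02::16` before any later ICMPv6 handling (not visible in this hunk), which is harmless on an end host but discards the MLDv2 reports a node needs if it acts as a multicast router or MLD querier; the `counter` at least keeps such drops observable. Since `defaults/main.yml` values are meant to be overridden per host, a one-line comment on the rule would save operators a debugging session, e.g. `# ff02::16 = MLDv2 listener reports; override nft_input_default_rules if this node routes multicast`.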