Block ipv6 multicast by default
This commit is contained in:
parent
8f36904af7
commit
74b864e2cb
|
@ -2,6 +2,7 @@
|
||||||
|
|
||||||
### Features
|
### Features
|
||||||
* Able to manage a new NAT table (with prerouting and postrouting chains).
|
* Able to manage a new NAT table (with prerouting and postrouting chains).
|
||||||
|
* Block ipv6 multicast by default.
|
||||||
|
|
||||||
### Enhancements
|
### Enhancements
|
||||||
* Clean tasks name and comments in tasks/main.yml file.
|
* Clean tasks name and comments in tasks/main.yml file.
|
||||||
|
|
|
@ -129,6 +129,10 @@ nft_define_default:
|
||||||
desc: 'broadcast and multicast'
|
desc: 'broadcast and multicast'
|
||||||
name: badcast_addr
|
name: badcast_addr
|
||||||
value: '{ 255.255.255.255, 224.0.0.1, 224.0.0.251 }'
|
value: '{ 255.255.255.255, 224.0.0.1, 224.0.0.251 }'
|
||||||
|
ip6 broadcast and multicast:
|
||||||
|
desc: 'broadcast and multicast'
|
||||||
|
name: ip6_badcast_addr
|
||||||
|
value: '{ ff02::16 }'
|
||||||
input tcp accepted:
|
input tcp accepted:
|
||||||
name: in_tcp_accept
|
name: in_tcp_accept
|
||||||
value: '{ ssh }'
|
value: '{ ssh }'
|
||||||
|
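Review bot: The new `ip6 broadcast and multicast` entry copies the IPv4 description verbatim, but IPv6 has no broadcast and the set holds a single address, `ff02::16` (the all-MLDv2-capable-routers group), so neither the key nor `desc: 'broadcast and multicast'` tells a reader what is actually dropped or why "ipv6 multicast" in the commit title is narrower than it sounds. I would change the description to `desc: 'multicast (ipv6 has no broadcast)'` and add a comment above `value:` along the lines of `# ff02::16 = MLDv2 report destination; ff02::1 and the solicited-node groups are deliberately absent because NDP needs them`. Whether the later rule ordering really protects Neighbor Discovery traffic is not visible in this hunk, so that last clause should be confirmed against the full input chain before it is written down.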
@ -190,6 +194,9 @@ nft_set_default:
|
||||||
blackhole:
|
blackhole:
|
||||||
- type ipv4_addr;
|
- type ipv4_addr;
|
||||||
- elements = $badcast_addr
|
- elements = $badcast_addr
|
||||||
|
ip6blackhole:
|
||||||
|
- type ipv6_addr;
|
||||||
|
- elements = $ip6_badcast_addr
|
||||||
in_tcp_accept:
|
in_tcp_accept:
|
||||||
- type inet_service; flags interval;
|
- type inet_service; flags interval;
|
||||||
- elements = $in_tcp_accept
|
- elements = $in_tcp_accept
|
||||||
|
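Review bot: The new set is named `ip6blackhole` while its define is `ip6_badcast_addr`, so the two IPv6 identifiers follow different conventions; a style point only, since the IPv4 pair is `blackhole`/`badcast_addr` and only the define carries an underscore there. Either `ip6_blackhole` or `ip6badcast_addr` would keep the prefix style uniform across the pair. The set name is also referenced by the new rule `011 drop unwanted ipv6` in the next hunk, so both places would change together.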
@ -250,6 +257,8 @@ nft_input_default_rules:
|
||||||
- jump global
|
- jump global
|
||||||
010 drop unwanted:
|
010 drop unwanted:
|
||||||
- ip daddr @blackhole counter drop
|
- ip daddr @blackhole counter drop
|
||||||
|
011 drop unwanted ipv6:
|
||||||
|
- ip6 daddr @ip6blackhole counter drop
|
||||||
015 localhost:
|
015 localhost:
|
||||||
- iif lo accept
|
- iif lo accept
|
||||||
200 input udp accepted:
|
200 input udp accepted:
|
||||||
|
|
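Review bot: Rule `011 drop unwanted ipv6` drops by destination address before `015 localhost` and, as far as this hunk shows, before any ICMPv6 accept rule, so every address in `@ip6blackhole` is dropped regardless of protocol; with only `ff02::16` in the set that is harmless for a plain host, but the same rule would silently break Router Advertisements and Neighbor Discovery if `ff02::1` or a solicited-node group were ever added to the set. A one-line comment on the rule, `# runs before the icmpv6 accept rules: never add ff02::1 or ff02::1:ff00::/104 to the set`, would record that constraint where the next person editing the set will see it. Keeping `counter` mirrors the IPv4 rule and lets an operator confirm the rule is matching traffic; whether the rest of the input chain accepts ICMPv6 later is outside this hunk and should be checked.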