Block ipv6 multicast by default

Jeremy Gardais 2020-04-21 08:31:51 +02:00
parent 8f36904af7
commit 74b864e2cb
2 changed files with 10 additions and 0 deletions


@ -2,6 +2,7 @@
### Features ### Features
* Able to manage a new NAT table (with prerouting and postrouting chains). * Able to manage a new NAT table (with prerouting and postrouting chains).
* Block ipv6 multicast by default.
### Enhancements ### Enhancements
* Clean tasks name and comments in tasks/main.yml file. * Clean tasks name and comments in tasks/main.yml file.


@ -129,6 +129,10 @@ nft_define_default:
desc: 'broadcast and multicast' desc: 'broadcast and multicast'
name: badcast_addr name: badcast_addr
value: '{ 255.255.255.255, 224.0.0.1, 224.0.0.251 }' value: '{ 255.255.255.255, 224.0.0.1, 224.0.0.251 }'
ip6 broadcast and multicast:
desc: 'broadcast and multicast'
name: ip6_badcast_addr
value: '{ ff02::16 }'
input tcp accepted: input tcp accepted:
name: in_tcp_accept name: in_tcp_accept
value: '{ ssh }' value: '{ ssh }'
@ -190,6 +194,9 @@ nft_set_default:
blackhole: blackhole:
- type ipv4_addr; - type ipv4_addr;
- elements = $badcast_addr - elements = $badcast_addr
ip6blackhole:
- type ipv6_addr;
- elements = $ip6_badcast_addr
in_tcp_accept: in_tcp_accept:
- type inet_service; flags interval; - type inet_service; flags interval;
- elements = $in_tcp_accept - elements = $in_tcp_accept
@ -250,6 +257,8 @@ nft_input_default_rules:
- jump global - jump global
010 drop unwanted: 010 drop unwanted:
- ip daddr @blackhole counter drop - ip daddr @blackhole counter drop
011 drop unwanted ipv6:
- ip6 daddr @ip6blackhole counter drop
015 localhost: 015 localhost:
- iif lo accept - iif lo accept
200 input udp accepted: 200 input udp accepted:
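Review bot: The new `ip6_badcast_addr` define drops only `ff02::16` (the MLDv2 listener-report group), so the rule under `011 drop unwanted ipv6` is far narrower than the commit title "Block ipv6 multicast by default" and the changelog entry suggest; the IPv4 counterpart at least covers all-hosts (224.0.0.1) and mDNS (224.0.0.251), and the IPv6 equivalents of those would be `ff02::1` and `ff02::fb`. That gap is not safe to close blindly, though: the drop rule is placed right after `010 drop unwanted` and ahead of the `015 localhost` accept, and presumably ahead of any icmpv6/NDP accept rule (not visible in this hunk), so adding `ff02::1` or the solicited-node range `ff02::1:ff00::/104` to this set would silently break Router Advertisements and Neighbor Discovery, and the set is declared `type ipv6_addr;` without `flags interval;`, so prefixes cannot be added without changing it. I would document that constraint next to the define, e.g. `desc: 'MLDv2 report group only; do not add ff02::1 or ff02::1:ff00::/104 here, NDP/RA depend on them and this rule precedes any icmpv6 accept'`, and drop the word "broadcast" from that desc since IPv6 has no broadcast. The `nft_define_default`, `nft_set_default` and `nft_input_default_rules` mappings all start and end outside these hunks.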