Block ipv6 multicast by default

CHANGELOG.md

@@ -2,6 +2,7 @@
 
 ### Features
 * Able to manage a new NAT table (with prerouting and postrouting chains).
+* Block ipv6 multicast by default.
 
 ### Enhancements
 * Clean tasks name and comments in tasks/main.yml file.

defaults/main.yml

@@ -129,6 +129,10 @@ nft_define_default:
     desc: 'broadcast and multicast'
     name: badcast_addr
     value: '{ 255.255.255.255, 224.0.0.1, 224.0.0.251 }'
+  ip6 broadcast and multicast:
+    desc: 'broadcast and multicast'
+    name: ip6_badcast_addr
+    value: '{ ff02::16 }'
   input tcp accepted:
     name: in_tcp_accept
     value: '{ ssh }'
@@ -190,6 +194,9 @@ nft_set_default:
   blackhole:
     - type ipv4_addr;
     - elements = $badcast_addr
+  ip6blackhole:
+    - type ipv6_addr;
+    - elements = $ip6_badcast_addr
   in_tcp_accept:
     - type inet_service; flags interval;
     - elements = $in_tcp_accept
@@ -250,6 +257,8 @@ nft_input_default_rules:
     - jump global
   010 drop unwanted:
     - ip daddr @blackhole counter drop
+  011 drop unwanted ipv6:
+    - ip6 daddr @ip6blackhole counter drop
   015 localhost:
     - iif lo accept
   200 input udp accepted: