Block ipv6 multicast by default
This commit is contained in:
parent
8f36904af7
commit
74b864e2cb
@ -2,6 +2,7 @@
|
|||
|
||||
### Features
|
||||
* Able to manage a new NAT table (with prerouting and postrouting chains).
|
||||
* Block ipv6 multicast by default.
|
||||
|
||||
### Enhancements
|
||||
* Clean tasks name and comments in tasks/main.yml file.
|
||||
|
|
|
@ -129,6 +129,10 @@ nft_define_default:
|
|||
desc: 'broadcast and multicast'
|
||||
name: badcast_addr
|
||||
value: '{ 255.255.255.255, 224.0.0.1, 224.0.0.251 }'
|
||||
ip6 broadcast and multicast:
|
||||
desc: 'broadcast and multicast'
|
||||
name: ip6_badcast_addr
|
||||
value: '{ ff02::16 }'
|
||||
input tcp accepted:
|
||||
name: in_tcp_accept
|
||||
value: '{ ssh }'
|
||||
|
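Review bot: The new `ip6 broadcast and multicast` define copies the IPv4 description `desc: 'broadcast and multicast'`, but IPv6 has no broadcast and the set holds a single address, `ff02::16`, which is the MLDv2 listener-report group rather than IPv6 multicast in general, so the commit title and changelog line overstate what is blocked. A description matching the content, e.g. `desc: 'MLDv2 listener reports (ff02::16)'`, would keep the define honest for maintainers. Anyone widening this set later should keep `ff02::1` and the solicited-node range `ff02::1:ff00::/104` out of it (or accept icmpv6 ahead of the `011 drop unwanted ipv6` rule added in the later hunk), since Neighbor Discovery and Router Advertisements rely on those groups. If the host ever acts as an MLD querier or multicast router, dropping reports to ff02::16 would also break group management; a short comment stating that this default assumes a plain end host would record that assumption.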
@ -190,6 +194,9 @@ nft_set_default:
|
|||
blackhole:
|
||||
- type ipv4_addr;
|
||||
- elements = $badcast_addr
|
||||
ip6blackhole:
|
||||
- type ipv6_addr;
|
||||
- elements = $ip6_badcast_addr
|
||||
in_tcp_accept:
|
||||
- type inet_service; flags interval;
|
||||
- elements = $in_tcp_accept
|
||||
|
@ -250,6 +257,8 @@ nft_input_default_rules:
|
|||
- jump global
|
||||
010 drop unwanted:
|
||||
- ip daddr @blackhole counter drop
|
||||
011 drop unwanted ipv6:
|
||||
- ip6 daddr @ip6blackhole counter drop
|
||||
015 localhost:
|
||||
- iif lo accept
|
||||
200 input udp accepted:
|
||||
|
|