From 51a5a5a5b7e2777032955fc9968d704ef7637f79 Mon Sep 17 00:00:00 2001
From: Hoang Nguyen
Date: Sat, 20 Jan 2024 00:00:00 +0700
Subject: [PATCH] Some updates
- auditd: migrate rules using deprecated syntax (`-w`, `-p` and `-k`). Also clean them up.
- nftables: remove the usage of nexthdr for matching ipv6 packets. Also allow DHCP client traffic, IGMP and multicast DNS.
---
 TODO.md | 2 +-
 requirements/accepted_variables.yml | 1 +
 roles/auditd/templates/audit.rules.j2 | 209 +++++++++++++-------------
 roles/libvirt/tasks/main.yml | 2 +-
 roles/nftables/templates/nftables.j2 | 32 ++--
 5 files changed, 126 insertions(+), 120 deletions(-)
diff --git a/TODO.md b/TODO.md
index 04ac1f5..9276271 100644
--- a/TODO.md
+++ b/TODO.md
@@ -20,7 +20,7 @@ Stuff that are planned to be added/changed.
 ## Cosmetic
-- [ ] Packer + Terraform / Pulumi (zfs + btrfs VMs) for testing the playbook (need implemented first)
+- [ ] Packer + Terraform / Pulumi (zfs + btrfs VMs) for testing the playbook
 ## Just in case I forget
diff --git a/requirements/accepted_variables.yml b/requirements/accepted_variables.yml
index b846f3c..a2eb2e1 100644
--- a/requirements/accepted_variables.yml
+++ b/requirements/accepted_variables.yml
@@ -53,6 +53,7 @@ crond_provider:
 syslog_provider:
 - busybox
+ - logbookd
 - rsyslog
 - sysklogd
diff --git a/roles/auditd/templates/audit.rules.j2 b/roles/auditd/templates/audit.rules.j2
index ba6212a..40e6b1c 100644
--- a/roles/auditd/templates/audit.rules.j2
+++ b/roles/auditd/templates/audit.rules.j2
@@ -23,24 +23,24 @@
 ## Audit the audit logs
 ### Successful and unsuccessful attempts to read information from the audit records
--w /var/log/audit/ -p wra -k auditlog
+-a always,exit -F arch=b64 -F dir=/var/log/audit/ -F perm=wra -F key=auditlog
 ## Auditd configuration
 ### Modifications to audit configuration that occur while the audit collection functions are operating
--w /etc/audit/ -p wa -k auditconfig
--w /etc/libaudit.conf -p wa -k auditconfig
+-a always,exit -F arch=b64 -F dir=/etc/audit/ -F perm=wa -F key=auditconfig
+-a always,exit -F arch=b64 -F path=/etc/libaudit.conf -F perm=wa -F key=auditconfig
 ## Monitor for use of audit management tools
--w /usr/sbin/auditctl -p x -k audittools
--w /usr/sbin/auditd -p x -k audittools
--w /usr/sbin/augenrules -p x -k audittools
+-a always,exit -F arch=b64 -F path=/usr/sbin/auditctl -F perm=x -F key=audittools
+-a always,exit -F arch=b64 -F path=/usr/sbin/auditd -F perm=x -F key=audittools
+-a always,exit -F arch=b64 -F path=/usr/sbin/augenrules -F perm=x -F key=audittools
 ## Access to all audit trails
--a always,exit -F path=/usr/sbin/ausearch -F perm=x -k auditlog_local_access
--a always,exit -F path=/usr/sbin/aureport -F perm=x -k auditlog_local_access
--a always,exit -F path=/usr/bin/aulast -F perm=x -k auditlog_local_access
--a always,exit -F path=/usr/bin/aulastlog -F perm=x -k auditlog_local_access
--a always,exit -F path=/usr/bin/auvirt -F perm=x -k auditlog_local_access
+-a always,exit -F path=/usr/sbin/ausearch -F perm=x -F key=auditlog_local_access
+-a always,exit -F path=/usr/sbin/aureport -F perm=x -F key=auditlog_local_access
+-a always,exit -F path=/usr/bin/aulast -F perm=x -F key=auditlog_local_access
+-a always,exit -F path=/usr/bin/aulastlog -F perm=x -F key=auditlog_local_access
+-a always,exit -F path=/usr/bin/auvirt -F perm=x -F key=auditlog_local_access
 # Filters ---------------------------------------------------------------------
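Review bot: Adding `-F arch=b64` to every migrated file watch in this hunk narrows them to 64-bit syscalls, whereas the `-w` watches they replace were not arch-specific; 32-bit-compat accesses to `/var/log/audit/`, `/etc/audit/` and the audit tools will now only surface through the catch-all `-F arch=b32 -S all` rule further down, under `key=32bit_api` instead of `auditlog`/`auditconfig`/`audittools`. The five `auditlog_local_access` rules in the same hunk carry no `arch=` at all, so the file is now inconsistent about this. If per-key attribution for 32-bit callers matters, either drop `-F arch=b64` from the rules that have no `-S` list or duplicate them with `-F arch=b32`; the same applies to the watches migrated in the next three hunks of this file.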
@@ -59,80 +59,78 @@
 {% endif %}
 ## High Volume Event Filter (especially on Linux Workstations)
--a never,exit -F arch=b64 -F dir=/dev/shm -k sharedmemaccess
--a never,exit -F arch=b64 -F dir=/var/lock/lvm -k locklvm
+-a never,exit -F arch=b64 -F dir=/dev/shm -F key=sharedmemaccess
+-a never,exit -F arch=b64 -F dir=/var/lock/lvm -F key=locklvm
 # Rules -----------------------------------------------------------------------
 ## Kernel parameters
--w /etc/sysctl.conf -p wa -k sysctl
--w /etc/sysctl.d -p wa -k sysctl
+-a always,exit -F arch=b64 -F path=/etc/sysctl.conf -F perm=wa -F key=sysctl
+-a always,exit -F arch=b64 -F dir=/etc/sysctl.d/ -F perm=wa -F key=sysctl
 # Kernel module loading and unloading
--a always,exit -F perm=x -F auid!=-1 -F path=/sbin/insmod -k modules
--a always,exit -F perm=x -F auid!=-1 -F path=/sbin/modprobe -k modules
--a always,exit -F perm=x -F auid!=-1 -F path=/sbin/rmmod -k modules
--a always,exit -F arch=b64 -S finit_module -S init_module -S delete_module -F auid!=-1 -k modules
+-a always,exit -F arch=b64 -F perm=x -F auid!=-1 -F path=/sbin/insmod -F key=modules
+-a always,exit -F arch=b64 -F perm=x -F auid!=-1 -F path=/sbin/modprobe -F key=modules
+-a always,exit -F arch=b64 -F perm=x -F auid!=-1 -F path=/sbin/rmmod -F key=modules
+-a always,exit -F arch=b64 -S finit_module,init_module,delete_module -F auid!=-1 -F key=modules
 ## Modprobe configuration
--w /etc/modprobe.conf -p wa -k modprobe
--w /etc/modprobe.d -p wa -k modprobe
+-a always,exit -F arch=b64 -F path=/etc/modprobe.conf -F perm=wa -F key=modprobe
+-a always,exit -F arch=b64 -F dir=/etc/modprobe.d/ -F perm=wa -F key=modprobe
 ## KExec usage (all actions)
--a always,exit -F arch=b64 -S kexec_load -k KEXEC
+-a always,exit -F arch=b64 -S kexec_load -F key=KEXEC
 ## Special files
--a always,exit -F arch=b64 -S mknod -S mknodat -k specialfiles
+-a always,exit -F arch=b64 -S mknod,mknodat -F key=specialfiles
 ## Mount operations (only attributable)
--a always,exit -F arch=b64 -S mount -S umount2 -F auid!=-1 -k mount
+-a always,exit -F arch=b64 -S mount,umount2 -F auid!=-1 -F key=mount
 ## Change swap (only attributable)
--a always,exit -F arch=b64 -S swapon -S swapoff -F auid!=-1 -k swap
+-a always,exit -F arch=b64 -S swapon,swapoff -F auid!=-1 -F key=swap
 ## Time
--a always,exit -F arch=b64 -F uid!=ntp -S adjtimex -S settimeofday -S clock_settime -k time
+-a always,exit -F arch=b64 -F uid!=ntp -S adjtimex,settimeofday,clock_settime -F key=time
 ### Local time zone
--w /etc/localtime -p wa -k localtime
+-a always,exit -F arch=b64 -F path=/etc/localtime -F perm=wa -F key=localtime
 ## Cron configuration & scheduled jobs
--w /etc/fcron.allow -p wa -k cron
--w /etc/fcron.deny -p wa -k cron
--w /etc/cron.allow -p wa -k cron
--w /etc/cron.deny -p wa -k cron
--w /etc/crontabs -p wa -k cron
--w /etc/cron.d -p wa -k cron
--w /var/spool/cron/ -p wa -k cron
--w /etc/periodic/15min/ -p wa -k cron
--w /etc/periodic/hourly/ -p wa -k cron
--w /etc/periodic/daily/ -p wa -k cron
--w /etc/periodic/weekly/ -p wa -k cron
--w /etc/periodic/monthly/ -p wa -k cron
+-a always,exit -F arch=b64 -F path=/etc/cron.allow -F perm=wa -F key=cron
+-a always,exit -F arch=b64 -F path=/etc/cron.deny -F perm=wa -F key=cron
+-a always,exit -F arch=b64 -F dir=/etc/fcron/ -F perm=wa -F key=cron
+-a always,exit -F arch=b64 -F dir=/etc/crontabs/ -F perm=wa -F key=cron
+-a always,exit -F arch=b64 -F dir=/etc/cron.d/ -F perm=wa -F key=cron
+-a always,exit -F arch=b64 -F dir=/var/spool/cron/ -F perm=wa -F key=cron
+-a always,exit -F arch=b64 -F dir=/var/spool/fcron/ -F perm=wa -F key=cron
+-a always,exit -F arch=b64 -F dir=/etc/periodic/ -F perm=wa -F key=cron
 ## User, group, password databases
--w /etc/group -p wa -k etcgroup
--w /etc/passwd -p wa -k etcpasswd
--w /etc/shadow -k etcpasswd
+-a always,exit -F arch=b64 -F path=/etc/group -F perm=wa -F key=etcgroup
+-a always,exit -F arch=b64 -F path=/etc/passwd -F perm=wa -F key=etcpasswd
+-a always,exit -F arch=b64 -F path=/etc/shadow -F perm=wa -F key=etcpasswd
-# doas.conf file changes
--w /etc/doas.conf -p wa -k actions
--w /etc/doas.d/ -p wa -k actions
+# Changes to the privilege escalation programs' configurations
+-a always,exit -F arch=b64 -F path=/etc/doas.conf -F perm=wa -F key=actions
+-a always,exit -F arch=b64 -F path=/etc/please.ini -F perm=wa -F key=actions
+-a always,exit -F arch=b64 -F path=/etc/sudoers -F perm=wa -F key=actions
+-a always,exit -F arch=b64 -F dir=/etc/sudoers.d/ -F perm=wa -F key=actions
 ## Passwd
--w /usr/bin/passwd -p x -k passwd_modification
+-a always,exit -F arch=b64 -F path=/usr/bin/passwd -F perm=x -F key=passwd_modification
 ## Tools to change group identifiers
--w /usr/sbin/addgroup -p x -k group_modification
--w /usr/sbin/adduser -p x -k user_modification
--w /usr/sbin/delgroup -p x -k user_modification
--w /usr/sbin/deluser -p x -k user_modification
+-a always,exit -F arch=b64 -F path=/usr/sbin/addgroup -F perm=x -F key=group_modification
+-a always,exit -F arch=b64 -F path=/usr/sbin/adduser -F perm=x -F key=user_modification
+-a always,exit -F arch=b64 -F path=/usr/sbin/delgroup -F perm=x -F key=user_modification
+-a always,exit -F arch=b64 -F path=/usr/sbin/deluser -F perm=x -F key=user_modification
 ## Login configuration and information
--w /etc/securetty -p wa -k login
+-a always,exit -F arch=b64 -F path=/etc/securetty -F perm=wa -F key=login
 ## Network Environment
 ### Changes to hostname
--a always,exit -F arch=b64 -S sethostname -S setdomainname -k network_modifications
+-a always,exit -F arch=b64 -S sethostname,setdomainname -F key=network_modifications
 ### Successful IPv4 Connections
 -a always,exit -F arch=b64 -S connect -F a2=16 -F success=1 -F key=network_connect_4
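Review bot: The `/etc/shadow` rule narrows what the old watch recorded: `-w /etc/shadow -k etcpasswd` carried no `-p`, so it fired on every access type, while the new `-F perm=wa` no longer logs reads of the shadow file; if read auditing is still wanted, use `-a always,exit -F arch=b64 -F path=/etc/shadow -F perm=rwa -F key=etcpasswd`. The `/etc/doas.d/` watch under `key=actions` is dropped without a replacement in the new privilege-escalation block (the `priv_esc` watch on it goes too in the next hunk), so drop-in doas configuration is no longer monitored; re-add `-a always,exit -F arch=b64 -F dir=/etc/doas.d/ -F perm=wa -F key=actions` unless that directory is intentionally unsupported. Also, `/etc/fcron.allow` and `/etc/fcron.deny` are replaced by `dir=/etc/fcron/`, which only covers them if they actually live under that directory on the target system.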
@@ -141,68 +139,70 @@
 -a always,exit -F arch=b64 -S connect -F a2=28 -F success=1 -F key=network_connect_6
 ### Changes to other files
--w /etc/hosts -p wa -k network_modifications
--w /etc/netconfig -p wa -k network_modifications
--w /etc/network/ -p wa -k network
+-a always,exit -F arch=b64 -F path=/etc/hosts -F perm=wa -F key=network_modifications
+-a always,exit -F arch=b64 -F path=/etc/netconfig -F perm=wa -F key=network_modifications
+-a always,exit -F arch=b64 -F dir=/etc/network/ -F perm=wa -F key=network
 ### Changes to issue
--w /etc/issue -p wa -k etcissue
+-a always,exit -F arch=b64 -F path=/etc/issue -F perm=wa -F key=etcissue
 ## System startup scripts and service configurations
--w /etc/inittab -p wa -k init
--w /etc/init.d/ -p wa -k init
--w /etc/conf.d/ -p wa -k init
+-a always,exit -F arch=b64 -F path=/etc/inittab -F perm=wa -F key=init
+-a always,exit -F arch=b64 -F dir=/etc/init.d/ -F perm=wa -F key=init
+-a always,exit -F arch=b64 -F dir=/etc/conf.d/ -F perm=wa -F key=init
 ## Pam configuration
--w /etc/pam.d/ -p wa -k pam
--w /etc/security/limits.conf -p wa -k pam
--w /etc/security/limits.d -p wa -k pam
--w /etc/security/pam_env.conf -p wa -k pam
--w /etc/security/namespace.conf -p wa -k pam
--w /etc/security/namespace.d -p wa -k pam
--w /etc/security/namespace.init -p wa -k pam
+-a always,exit -F arch=b64 -F dir=/etc/pam.d/ -F perm=wa -F key=pam
+-a always,exit -F arch=b64 -F path=/etc/security/limits.conf -F perm=wa -F key=pam
+-a always,exit -F arch=b64 -F path=/etc/security/limits.d -F perm=wa -F key=pam
+-a always,exit -F arch=b64 -F path=/etc/security/pam_env.conf -F perm=wa -F key=pam
+-a always,exit -F arch=b64 -F path=/etc/security/namespace.conf -F perm=wa -F key=pam
+-a always,exit -F arch=b64 -F path=/etc/security/namespace.d -F perm=wa -F key=pam
+-a always,exit -F arch=b64 -F path=/etc/security/namespace.init -F perm=wa -F key=pam
 ## Critical elements access failures
--a always,exit -F arch=b64 -S open -F dir=/etc -F success=0 -k unauthedfileaccess
--a always,exit -F arch=b64 -S open -F dir=/bin -F success=0 -k unauthedfileaccess
--a always,exit -F arch=b64 -S open -F dir=/sbin -F success=0 -k unauthedfileaccess
--a always,exit -F arch=b64 -S open -F dir=/usr/bin -F success=0 -k unauthedfileaccess
--a always,exit -F arch=b64 -S open -F dir=/usr/sbin -F success=0 -k unauthedfileaccess
--a always,exit -F arch=b64 -S open -F dir=/var -F success=0 -k unauthedfileaccess
--a always,exit -F arch=b64 -S open -F dir=/home -F success=0 -k unauthedfileaccess
+-a always,exit -F arch=b64 -S open -F dir=/etc/ -F success=0 -F key=unauthedfileaccess
+-a always,exit -F arch=b64 -S open -F dir=/bin/ -F success=0 -F key=unauthedfileaccess
+-a always,exit -F arch=b64 -S open -F dir=/sbin/ -F success=0 -F key=unauthedfileaccess
+-a always,exit -F arch=b64 -S open -F dir=/usr/bin/ -F success=0 -F key=unauthedfileaccess
+-a always,exit -F arch=b64 -S open -F dir=/usr/sbin/ -F success=0 -F key=unauthedfileaccess
+-a always,exit -F arch=b64 -S open -F dir=/var/ -F success=0 -F key=unauthedfileaccess
+-a always,exit -F arch=b64 -S open -F dir=/home/ -F success=0 -F key=unauthedfileaccess
 ## Process ID change (switching accounts) applications
--w /bin/su -p x -k priv_esc
--w /usr/bin/doas -p x -k priv_esc
--w /etc/doas.conf -p rw -k priv_esc
--w /etc/doas.d/ -p rw -k priv_esc
+-a always,exit -F arch=b64 -F path=/bin/su -F perm=x -F key=priv_esc
+-a always,exit -F arch=b64 -F path=/usr/bin/doas -F perm=x -F key=priv_esc
+-a always,exit -F arch=b64 -F path=/usr/bin/please -F perm=x -F key=priv_esc
+-a always,exit -F arch=b64 -F path=/usr/bin/pleaseedit -F perm=x -F key=priv_esc
+-a always,exit -F arch=b64 -F path=/usr/bin/sudo -F perm=x -F key=priv_esc
+-a always,exit -F arch=b64 -F path=/usr/bin/sudoedit -F perm=x -F key=priv_esc
 ## Power state
--w /sbin/poweroff -p x -k power
--w /sbin/reboot -p x -k power
--w /sbin/halt -p x -k power
+-a always,exit -F arch=b64 -F path=/sbin/poweroff -F perm=x -F key=power
+-a always,exit -F arch=b64 -F path=/sbin/reboot -F perm=x -F key=power
+-a always,exit -F arch=b64 -F path=/sbin/halt -F perm=x -F key=power
 ## Session initiation information
--w /var/log/swtmp -p wa -k session
+-a always,exit -F arch=b64 -F dir=/var/log/swtmp/ -F perm=wa -F key=session
 # Special Rules ---------------------------------------------------------------
 ## dbus-send invocation
 ### may indicate privilege escalation CVE-2021-3560
--w /usr/bin/dbus-send -p x -k dbus_send
--w /usr/bin/gdbus -p x -k gdubs_call
+-a always,exit -F arch=b64 -F path=/usr/bin/dbus-send -F perm=x -F key=dbus_send
+-a always,exit -F arch=b64 -F path=/usr/bin/gdbus -F perm=x -F key=gdubs_call
 ## pkexec invocation
 ### may indicate privilege escalation CVE-2021-4034
--w /usr/bin/pkexec -p x -k pkexec
+-a always,exit -F arch=b64 -F path=/usr/bin/pkexec -F perm=x -F key=pkexec
 ## Injection
 ### These rules watch for code injection by the ptrace facility.
 ### This could indicate someone trying to do something bad or just debugging
--a always,exit -F arch=b64 -S ptrace -F a0=0x4 -k code_injection
--a always,exit -F arch=b64 -S ptrace -F a0=0x5 -k data_injection
--a always,exit -F arch=b64 -S ptrace -F a0=0x6 -k register_injection
--a always,exit -F arch=b64 -S ptrace -k tracing
+-a always,exit -F arch=b64 -S ptrace -F a0=0x4 -F key=code_injection
+-a always,exit -F arch=b64 -S ptrace -F a0=0x5 -F key=data_injection
+-a always,exit -F arch=b64 -S ptrace -F a0=0x6 -F key=register_injection
+-a always,exit -F arch=b64 -S ptrace -F key=tracing
 ## Anonymous File Creation
 ### These rules watch the use of memfd_create
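Review bot: `-F path=/etc/security/limits.d` and `-F path=/etc/security/namespace.d` watch only the directory inode, while the other directories in this hunk (`/etc/pam.d/`, `/etc/init.d/`, `/etc/network/`) use `-F dir=`, which watches the whole tree; as written, adding or editing a drop-in file under `limits.d` or `namespace.d` produces no `key=pam` event. Change them to `-a always,exit -F arch=b64 -F dir=/etc/security/limits.d/ -F perm=wa -F key=pam` and `-a always,exit -F arch=b64 -F dir=/etc/security/namespace.d/ -F perm=wa -F key=pam`. The removed `-p rw` watch on `/etc/doas.conf` under `priv_esc` has no counterpart on the new side, so reads of that file are no longer attributed to the `priv_esc` key; if that is intended it deserves a one-line comment, since the `actions` key in the previous hunk only records writes.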
@@ -212,24 +212,17 @@
 ## Privilege Abuse
 ### The purpose of this rule is to detect when an admin may be abusing power by looking in user's home dir.
--a always,exit -F dir=/home -F uid=0 -F auid>=1000 -F auid!=-1 -k power_abuse
+-a always,exit -F dir=/home/ -F auid=0 -F auid>=1000 -F auid!=-1 -F key=power_abuse
 # Socket Creations
 # will catch both IPv4 and IPv6
--a always,exit -F arch=b64 -S socket -F a0=2 -k exfiltration_over_other_network_medium
--a always,exit -F arch=b64 -S socket -F a0=10 -k exfiltration_over_other_network_medium
+-a always,exit -F arch=b64 -S socket -F a0=2 -F key=exfiltration_over_other_network_medium
+-a always,exit -F arch=b64 -S socket -F a0=10 -F key=exfiltration_over_other_network_medium
 # Software Management ---------------------------------------------------------
--w /usr/bin/flatpak -p x -k software_mgmt
--w /sbin/apk -p x -k software_mgmt
--w /etc/apk/ -p wa -k software_mgmt
-
-# Special Software ------------------------------------------------------------ - ## Virtualization stuff
--w /usr/bin/qemu-system-x86_64 -p x -k qemu-system-x86_64
--w /usr/bin/qemu-img -p x -k qemu-img
--w /usr/bin/virt-manager -p x -k virt-manager
+-a always,exit -F arch=b64 -F path=/usr/bin/flatpak -F perm=x -F key=software_mgmt
+-a always,exit -F arch=b64 -F path=/sbin/apk -F perm=x -F key=software_mgmt
+-a always,exit -F arch=b64 -F dir=/etc/apk/ -F perm=wa -F key=software_mgmt
 # High Volume Events ----------------------------------------------------------
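Review bot: The migrated `power_abuse` rule can never match: `-F auid=0 -F auid>=1000` requires the same login UID to be both 0 and at least 1000, so the rule is dead after this change. The old side filtered on `-F uid=0` (an admin who has become root browsing `/home` from a login UID of 1000 or more), which is what the comment above describes; restore it as `-a always,exit -F dir=/home/ -F uid=0 -F auid>=1000 -F auid!=-1 -F key=power_abuse`. Unlike the other rules migrated in this commit, this one still has no `-F arch=` filter; if that is deliberate, say so in a comment next to it so it is not "harmonised" later.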
@@ -237,23 +230,23 @@
 ## File Access
 ### Unauthorized Access (unsuccessful)
--a always,exit -F arch=b64 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=-1 -k file_access
--a always,exit -F arch=b64 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=-1 -k file_access
+-a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=-1 -F key=file_access
+-a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=-1 -F key=file_access
 ### Unsuccessful Creation
--a always,exit -F arch=b64 -S mkdir,creat,link,symlink,mknod,mknodat,linkat,symlinkat -F exit=-EACCES -k file_creation
--a always,exit -F arch=b64 -S mkdir,link,symlink,mkdirat -F exit=-EPERM -k file_creation
+-a always,exit -F arch=b64 -S mkdir,creat,link,symlink,mknod,mknodat,linkat,symlinkat -F exit=-EACCES -F key=file_creation
+-a always,exit -F arch=b64 -S mkdir,link,symlink,mkdirat -F exit=-EPERM -F key=file_creation
 ### Unsuccessful Modification
--a always,exit -F arch=b64 -S rename -S renameat -S truncate -S chmod -S setxattr -S lsetxattr -S removexattr -S lremovexattr -F exit=-EACCES -k file_modification
--a always,exit -F arch=b64 -S rename -S renameat -S truncate -S chmod -S setxattr -S lsetxattr -S removexattr -S lremovexattr -F exit=-EPERM -k file_modification
+-a always,exit -F arch=b64 -S rename,renameat,truncate,chmod,setxattr,lsetxattr,removexattr,lremovexattr -F exit=-EACCES -F key=file_modification
+-a always,exit -F arch=b64 -S rename,renameat,truncate,chmod,setxattr,lsetxattr,removexattr,lremovexattr -F exit=-EPERM -F key=file_modification
 ## 32bit API Exploitation
 ### If you are on a 64 bit platform, everything _should_ be running
 ### in 64 bit mode. This rule will detect any use of the 32 bit syscalls
 ### because this might be a sign of someone exploiting a hole in the 32
 ### bit API.
--a always,exit -F arch=b32 -S all -k 32bit_api
+-a always,exit -F arch=b32 -S all -F key=32bit_api
 # Make The Configuration Immutable --------------------------------------------
diff --git a/roles/libvirt/tasks/main.yml b/roles/libvirt/tasks/main.yml
index 5792ab6..4d1ce6c 100644
--- a/roles/libvirt/tasks/main.yml
+++ b/roles/libvirt/tasks/main.yml
@@ -1,7 +1,7 @@
 ---
 - name: libvirt | Install libvirt and qemu
 community.general.apk:
- name: libvirt-daemon, qemu-img, qemu-system-x86_64, qemu-modules
+ name: libvirt-daemon, qemu-img, qemu-system-x86_64, qemu-system-arm, qemu-system-aarch64, qemu-modules
 state: present
 # This is for PulseAudio
diff --git a/roles/nftables/templates/nftables.j2 b/roles/nftables/templates/nftables.j2
index 77f1a84..b2f4d82 100644
--- a/roles/nftables/templates/nftables.j2
+++ b/roles/nftables/templates/nftables.j2
@@ -76,7 +76,12 @@ table inet filter {
 iif != lo ip6 daddr ::1/128 drop \
 comment "Block spoofing as localhost (IPv6)"
-# Allow stuff first before the dynamic blacklisting
+udp dport mdns ip daddr 224.0.0.251 accept \
+comment "Accept mDNS"
+udp dport mdns ip6 daddr ff02::fb accept \
+comment "Accept mDNS"
+
+jump input_dhcp_client
 jump input_icmp
 # Blacklisting should be done before stateful accept rules
@@ -120,8 +125,17 @@ table inet filter {
 type filter hook output priority 0; policy accept;
 }
+chain input_dhcp_client {
+udp sport 67 udp dport 68 accept \
+comment "Accept DHCP client input traffic"
+
+ip6 saddr fe80::/10 udp sport 547 udp dport 546 accept \
+comment "Accept DHCPv6 replies from IPv6 link-local addresses"
+}
+
 chain input_icmp {
-# ICMPv4
+ip protocol igmp accept \
+comment "Accept IGMP"
 ip protocol icmp icmp type {
 echo-reply, # type 0
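Review bot: The two mDNS accepts added to the input chain match on destination only, so any source address can reach the mDNS listener; mDNS is a link-scoped protocol (RFC 6762 requires senders to use TTL/hop limit 255), and this file already scopes other link-local services with `ip6 saddr fe80::/10` (the DHCPv6 and MLD rules). Consider `udp dport mdns ip6 saddr fe80::/10 ip6 daddr ff02::fb accept \` for the IPv6 rule and `ip ttl 255` on the IPv4 one. These accepts and the new `jump input_dhcp_client` sit before the blacklist check that the removed comment pointed at, so a blacklisted source still reaches the mDNS and DHCP rules; if that ordering is intentional, keep the comment in some form, e.g. `# Link-local services are accepted first, before the dynamic blacklisting`.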
@@ -132,9 +146,7 @@ table inet filter {
 } limit rate 10/second burst 4 packets accept \
 comment "Accept ICMP"
-# ICMPv6
-
-ip6 nexthdr icmpv6 icmpv6 type {
+icmpv6 type {
 destination-unreachable, # type 1
 packet-too-big, # type 2
 time-exceeded, # type 3
@@ -144,7 +156,7 @@ table inet filter {
 } limit rate 10/second burst 4 packets accept \
 comment "Accept basic IPv6 functionality"
-ip6 nexthdr icmpv6 icmpv6 type {
+icmpv6 type {
 nd-router-solicit, # type 133
 nd-router-advert, # type 134
 nd-neighbor-solicit, # type 135
@@ -152,15 +164,15 @@ table inet filter {
 } ip6 hoplimit 255 accept \
 comment "Allow IPv6 SLAAC"
-ip6 nexthdr icmpv6 icmpv6 type {
+icmpv6 type {
 mld-listener-query, # type 130
 mld-listener-report, # type 131
 mld-listener-reduction, # type 132
 mld2-listener-report, # type 143
 } ip6 saddr fe80::/10 accept \
 comment "Allow IPv6 multicast listener discovery on link-local"
-
-ip6 saddr fe80::/10 udp sport 547 udp dport 546 accept \
-comment "Accept DHCPv6 replies from IPv6 link-local addresses"
 }
 }
+
+# The state of stateful objects saved on the nftables service stop.
+include "/var/lib/nftables/*.nft"
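Review bot: In an `inet` table, `udp sport 67 udp dport 68 accept` in `input_dhcp_client` matches IPv6 UDP as well as IPv4 and puts no restriction on the source address, while the DHCPv6 rule right below it is limited to `ip6 saddr fe80::/10`. If the first rule is meant to be IPv4-only, write it as `meta nfproto ipv4 udp sport 67 udp dport 68 accept \`; as it stands, any host can deliver UDP to port 68 on every interface and the rule relies entirely on the DHCP client to validate what arrives. The new `ip protocol igmp accept` at the top of `input_icmp` is likewise unconditional; `ip protocol igmp ip daddr 224.0.0.0/4 accept \` would keep it to multicast-destined messages, which is all IGMP uses.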
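Review bot: `include "/var/lib/nftables/*.nft"` makes every file matching the glob part of the loaded ruleset, so whoever can write to `/var/lib/nftables/` can add or replace firewall rules on the next reload; the role should ensure the directory and its files are owned by root and not group- or world-writable, and the comment above the include should say so, e.g. `# Loaded as part of the ruleset: keep this directory root-owned and not writable by others.` On a freshly provisioned host nothing has been saved yet, so the directory may be empty or absent; check that the first `nft -f` load tolerates a non-matching glob, or have the role create the directory. The enclosing `table inet filter` starts well before this hunk, so it cannot be seen here whether the saved state files redefine the same table or sets in a way that conflicts with the rules above on reload.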